Merge pull request #147 from bashclub/dev

Release
Update PHP version from 8.3 to 8.4
2026-06-21 07:46:19 +02:00 · 2026-04-09 18:04:02 +02:00 · 2026-03-02 15:46:36 +01:00 · 2026-02-22 11:55:05 +00:00 · 2026-02-21 20:15:06 +00:00 · 2026-01-28 19:40:21 +00:00
95 changed files with 7481 additions and 718 deletions
@@ -1,2 +1,5 @@
 *__pycache__*
-.vscode/*
+.vscode/*
+conf/*
+!conf/README.md
+!conf/zamba.conf.example
@@ -1,12 +0,0 @@
-**** Zamba LXC Toolbox v0.1 ****
- `locales` are now configured noninteractive #21
- timezone is now configured with `pct set` command in `install.sh` #22
- changed command sequence in `install.sh` - select container first, then start the installation
- improved / updated documentation
- replaced `just-lxc` container by `debian-priv` and `debian-unpriv` container
- (un)privileged now defined as constant based on created service #6
- improved log messages in `install.sh`
- `mailpiler`: website is now also `default_host`, removed nginx default site, dns entry is still required
- changed `mailpiler` version to 1.3.11
- changed `element-web` version to 1.7.25
- `LXC_AUTHORIZED_KEY` variable now defines an `authorized_keys` file, by default the configuration of you proxmox host will be inherited (`~/.ssh/authorized_keys`)
@@ -5,15 +5,32 @@ Zamba LXC Toolbox is a collection of scripts to easily install Debian LXC contai
 The main feature is `Zamba`, the fusion of ZFS and Samba in three different flavours (standalone, active directory dc or active directory member), preconfigured to access ZFS snapshots by "Windows Previous Versions" to easily recover encrypted by ransomware files, accidently deleted files or just to revert changes.
 The package also provides LXC container installers for `mailpiler`, `matrix-synapse` + `element-web` and more services will follow in future releases.
 ### Requirements
-Proxmox VE Server with at least one configured ZFS Pool.
+Proxmox VE Server (>=6.30) with at least one configured ZFS Pool.
 ### Included services:
- `zmb-standalone` => ZMB (Samba) standalone server with ZFS volume snapshot support (previous versions)
- `zmb-ad` => ZMB (Samba) Active Directory Domain Controller, DNS Backends `SAMBA_INTERNAL` and `BIND9_DLZ` are supported
- `zmb-member` => ZMB (Samba) AD member with ZFS volume snapshot support (previous versions)
+- `bookstack` => Bookstack wiki software [bookstackapp.com](https://www.bookstackapp.com/)
+- `checkmk` => Check_MK 2.0 Monitoring Server [checkmk.com](https://checkmk.com/)
+- `debian-priv` => Debian privileged container with basic toolset
+- `debian-unpriv` => Debian unprivileged container with basic toolset
+- `ecodms` => Fullfeatured DMS [ecodms.de](https://www.ecodms.de)
+- `gitea` => Lightweight and fast self-hosted git service [gitea.io](https://gitea.io)
+- `kimai` => Kimai Time-Tracking [kimai.org](https://www.kimai.org/)
+- `kopano-core` => Kopano Core Groupware [kopano.io](https://kopano.io/)
 - `mailpiler` => mailpiler mail archive [mailpiler.org](https://www.mailpiler.org/)
 - `matrix` => Matrix Synapse Homeserver [matrix.org](https://matrix.org/docs/projects/server/synapse) with Element Web [Element on github](https://github.com/vector-im/element-web)
- `debian-unpriv` => Debian unprivileged container with basic toolset
- `debian-unpriv` => Debian privileged container with basic toolset
+- `nextcloud` => Nextcloud Server [nextcloud.com](https://nextcloud.com/) with fail2ban und redis configuration
+- `omada` => TP-Link Omada SDN Controller [www.tp-link.com](https://www.tp-link.com/de/omada-sdn/)
+- `onlyoffice` => OnlyOffice [onlyoffice.com](https://onlyoffice.com)
+- `open3a` => Open3a web based accounting software [open3a.de](https://open3a.de)
+- `proxmox-pbs` => Proxmox Backup Server [proxmox.com](https://proxmox.com/en/proxmox-backup-server)
+- `unifi` => Unifi Controller [ui.com](https://ui.com)
+- `urbackup` => UrBackup Server [urbackup.org](https://urbackup.org)
+- `vaultwarden` => Bitwarder compatible Passwordmanager [github.com/dani-garcia/vaultwarden](https://github.com/dani-garcia/vaultwarden)
+- `zabbix` => Zabbix Monitoring server [zabbix.com](https://www.zabbix.com)
+- `zammad` => Zammad Helpdesk and Ticketing Software [zammad.org](https://zammad.org/)
+- `zmb-ad` => ZMB (Samba) Active Directory Domain Controller, DNS Backends `SAMBA_INTERNAL` and `BIND9_DLZ` are supported
+- `zmb-ad-join` => Additional Active Directory Domain Controller joining an existing Domain
+- `zmb-member` => ZMB (Samba) AD member with ZFS volume snapshot support
+- `zmb-standalone` => ZMB (Samba) standalone server with ZFS volume snapshot support
 ## Usage
 Just ssh into your Proxmox machine and clone this git repository. Make sure you have installed `git`.
 ```bash
@@ -26,14 +43,32 @@ git clone https://github.com/bashclub/zamba-lxc-toolbox
 cd zamba-lxc-toolbox
 ```
 ### Configuration
-To fit your requirements, please edit the file `zamba.conf` with your favourite text editor (e.g. `vim` or `nano`).
-The required adjustments are in the LXC container section and in the section for the service you want to launch.
-For further information about the config variables, have a look at [zamba.conf.md](zamba.conf.md)
+Copy `zamba.conf.example` located in `conf` directory to a new file (default: `zamba.conf`) and adjust your desired settings.
+For further information about configuration variables, have a look at [conf/README.md](conf/README.md)
+```bash
+cp conf/zamba.conf.example conf/zamba.conf
+```
 ### Installation
-After configuring, you are able to launch the script interactively:
+After configuring, you are able to launch the script interactively (only works with `conf/zamba.conf`):
 ```bash
 bash install.sh
 ```
+### Advanced Usage
+You can set optional parameters (config file, service, container id):
+#### Example:
+```bash
+bash install.sh -i 280 -c conf/my-zmb-service.conf -s zmb-member
+```
+You can also view possible parameters with `install.sh -h`
+
 After container creation, you will be prompted to select the service to install and depending on the service there may be some more questions during installation.

 Once the script has finished, the container is installed and running and you can continue with the service specific configuration.
+
+# Authors
+
+### Markus Helmke
+[<img src="https://storage.ko-fi.com/cdn/brandasset/kofi_s_tag_dark.png" rel="Support me on Ko-Fi">](https://ko-fi.com/nettwarker)
+
+### Thorsten Spille
+[<img src="https://storage.ko-fi.com/cdn/brandasset/kofi_s_tag_dark.png" rel="Support me on Ko-Fi">](https://ko-fi.com/thorakel)
@@ -1,4 +1,5 @@
-# `zamba.conf` options reference
+# USE THIS FOLDER TO STORE YOUR OWN ZMB CONFIGS
+# Configuration options reference
 This is the reference of all config options you can set in `zamba.conf`
 <br>

@@ -39,24 +40,30 @@ LXC_SHAREFS_MOUNTPOINT="tank"
 ```
 ### LXC_MEM
 Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024)
+If a service needs more minimum memory, LXC_MEM will be overwritten.
 ```bash
-LXC_MEM="1024"
+LXC_MEM=1024
 ```
 ### LXC_SWAP
 Defines the amount of swap space in MB your LXC container is allowed to use (default: 1024)
 ```bash
-LXC_SWAP="1024"
+LXC_SWAP=1024
 ```
 ### LXC_HOSTNAME
-Defines the hostname of your LXC container
+Defines the hostname of your LXC container (Default: Name of installed Service)
 ```bash
-LXC_SWAP="zamba"
+LXC_HOSTNAME="zamba"
 ```
 ### LXC_DOMAIN
 Defines the domain name / search domain of your LXC container
 ```bash
 LXC_DOMAIN="zmb.rocks"
 ```
+### LXC_DHCP
+Enable DHCP on LAN (eth0) - (Obtain an IP address automatically) [true/false]
+```bash
+LXC_DHCP=false
+```
 ### LXC_IP
 Defines the local IP address and subnet of your LXC container in CIDR format
 ```bash
@@ -87,7 +94,7 @@ LXC_VLAN="80"
 ### LXC_PWD
 Defines the `root` password of your LXC container. Please use 'single quotation marks' to avoid unexpected behaviour.
 ```bash
-LXC_PWD="S3cr3tp@ssw0rd"
+LXC_PWD="Start!123"
 ```
 ### LXC_AUTHORIZED_KEY
 Defines an authorized_keys file to push into the LXC container.
@@ -98,7 +105,7 @@ LXC_AUTHORIZED_KEY="/root/.ssh/authorized_keys"
 ### LXC_TOOLSET
 Define your (administrative) tools, you always want to have installed into your LXC container
 ```bash
-LXC_TOOLSET="vim htop net-tools dnsutils mc sysstat lsb-release curl git gnupg2 apt-transport-https"
+LXC_TOOLSET="vim htop net-tools dnsutils sysstat mc"
 ```
 ### LXC_TIMEZONE
 Define the local timezone of your LXC container (default: Euroe/Berlin)
@@ -111,6 +118,13 @@ Define system language on LXC container (locales)
 LXC_LOCALE="de_DE.utf8"
 ```
 This parameter is not used yet, but will be integrated in future releases.
+
+### LXC_VIM_BG_DARK
+Set dark background for vim syntax highlighting (0 or 1)
+```bash
+LXC_VIM_BG_DARK=1
+```
+
 <br>

 ## Zamba Server Section
@@ -127,11 +141,6 @@ Defines the domain name in your Active Directory or Workgroup (AD DC, AD member,
 ```bash
 ZMB_DOMAIN="ZMB"
 ```
-### ZMB_DNS_BACKEND
-Defines the desired DNS server backend, supported are `SAMBA_INTERNAL` and `BIND9_DLZ` for more advanced usage
-```bash
-ZMB_DNS_BACKEND="SAMBA_INTERNAL"
-```
 ### ZMB_ADMIN_USER
 Defines the name of your domain administrator account (AD DC, AD member, standalone)
 ```bash
@@ -140,14 +149,14 @@ ZMB_ADMIN_USER="Administrator"
 ### ZMB_ADMIN_PASS
 Defines the domain administrator's password (AD DC, AD member).
 ```bash
-ZMB_ADMIN_PASS='1c@nd0@nyth1n9'
+ZMB_ADMIN_PASS='Start!123'
 ```
 Please use 'single quotation marks' to avoid unexpected behaviour.
 `zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail.
-### ZMB_SHARE
-Defines the name of your Zamba share
+### ZMB_SHARES
+Defines the names of your Zamba shares
 ```bash
-ZMB_SHARE="share"
+ZMB_SHARES="share1,share2"
 ```
 <br>

@@ -163,22 +172,7 @@ PILER_FQDN="piler.zmb.rocks"
 ### PILER_SMARTHOST
 Defines the smarthost for piler mail archive
 ```bash
-PILER_SMARTHOST="10.10.80.20"
-```
-### PILER_VERSION
-Defines the version number of piler mail archive to install
-```bash
-PILER_VERSION="1.3.10"
-```
-### PILER_SPHINX_VERSION
-Defines the version of sphinx to install
-```bash
-PILER_SPHINX_VERSION="3.3.1"
-```
-### PILER_PHP_VERSION
-Defines the php version to install
-```bash
-PILER_PHP_VERSION="7.4"
+PILER_SMARTHOST="your.mailserver.tld"
 ```
 <br>

@@ -197,13 +191,139 @@ Define the FQDN for the Element Web virtual host
 ```bash
 MATRIX_ELEMENT_FQDN="element.zmb.rocks"
 ```
-### MATRIX_ELEMENT_VERSION
-Define the version of Element Web
+
+### MATRIX_ADMIN_USER
+Define the administrative user of matrix service
 ```bash
-MATRIX_ELEMENT_VERSION="v1.7.24"
+MATRIX_ADMIN_USER="admin"
 ```
-### MATRIX_JITSI_FQDN
-Define the FQDN for the Jitsi Meet virtual host
+
+### MATRIX_ADMIN_PASSWORD
+Define the admin password
 ```bash
-MATRIX_JITSI_FQDN="meet.zmb.rocks"
-```
+MATRIX_ADMIN_PASSWORD="Start!123"
+```
+
+## Nextcloud-Section
+
+### NEXTCLOUD_FQDN
+Define the FQDN of your Nextcloud server
+```bash
+NEXTCLOUD_FQDN="nc1.zmb.rocks"
+```
+
+### NEXTCLOUD_ADMIN_USR
+The initial admin-user which will be configured
+```bash
+NEXTCLOUD_ADMIN_USR="zmb-admin"
+```
+
+### NEXTCLOUD_ADMIN_PWD
+Build a strong password for this user. Username and password will shown at the end of the instalation. 
+```bash
+NEXTCLOUD_ADMIN_PWD="$(random_password)"
+```
+### NEXTCLOUD_DATA
+Defines the data directory, which will be createt under LXC_SHAREFS_MOUNTPOINT
+```bash
+NEXTCLOUD_DATA="nc_data"
+```
+### NEXTCLOUD_REVPROX
+Defines the trusted reverse proxy, which will enable the detection of source ip to fail2ban
+```bash
+NEXTCLOUD_REVPROX="192.168.100.254"
+```
+
+## Check_MK-Section
+
+### CMK_INSTANCE
+Define the name of your checkmk instance
+```bash
+CMK_INSTANCE=zmbrocks
+```
+
+### CMK_ADMIN_PW
+Define the password of user 'cmkadmin'
+```bash
+CMK_ADMIN_PW='Start!123'
+```
+
+### CMK_EDITION
+checkmk edition (raw or free)
+- raw = completely free
+- free = limited version of the enterprise edition (25 hosts, 1 instance)
+```bash
+CMK_EDITION=raw
+```
+### Kopano-Section
+
+### KOPANO_FQDN
+Define the FQDN of your Nextcloud server
+```bash
+KOPANO_FQDN="kopano.zmb.rocks
+```
+
+
+### KOPANO_MAILGW=
+Define the host, to which mails will send.
+```bash
+KOPANO_MAILGW="192.168.100.254"
+```
+
+### KOPANO_REPKEY
+Kopano test- or subscription-key offerd from 
+https://kopano.com/downloads-demo/?demo=Kopano+Groupware&headline=Packages&target=Debian+11
+```bash
+KOPANO_REPKEY="1234567890abcdefghijklmno"
+```
+
+### vaultwarden Section
+
+### VW_SMTP_HOST
+Hostname of your mailserver
+```bash
+VW_SMTP_HOST=mail.bashclub.org
+```
+
+### VW_SMTP_FROM
+email address to send from
+```bash
+VW_SMTP_FROM="vaultwarden@bashclub.org"
+```
+
+### VW_SMTP_FROM_NAME
+display name to send from
+```bash
+VW_SMTP_FROM_NAME="Vaultwarden Password Manager"
+```
+
+### VW_SMTP_PORT
+Smtp-port of your mailserver
+```bash
+VW_SMTP_PORT=587
+```
+
+### VW_SMTP_SSL
+Use ssl true/false
+```bash
+VW_SMTP_SSL=true
+```
+
+### VW_SMTP_EXPLICIT_TLS
+Use starttls true/false
+```bash
+VW_SMTP_EXPLICIT_TLS=false
+```
+
+### VW_SMTP_USERNAME
+Username of your mailbox
+```bash
+VW_SMTP_USERNAME=vaultwarden@bashclub.org
+```
+
+### VW_SMTP_PASSWORD
+Password of your mailbox
+```bash
+VW_SMTP_PASSWORD='<yourEmailPassword>'
+```
+
@@ -0,0 +1,217 @@
+#!/bin/bash
+
+# This ist the Zamba main configuration file.
+# Please adjust the settings to your needs before running the installer.
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+
+############### Linux Container Section ###############
+
+# Defines the Proxmox storage where your LXC container template are stored (default: local)
+LXC_TEMPLATE_STORAGE="local"
+
+# Defines the size in GB of the LXC container's root filesystem (default: 32)
+# Depending on your environment, you should consider increasing the size for use of `mailpiler` or `matrix`.
+LXC_ROOTFS_SIZE="32"
+# Defines the Proxmox storage where your LXC container's root filesystem will be generated (default: local-zfs)
+LXC_ROOTFS_STORAGE="local-zfs"
+
+# Defines the size in GB your LXC container's filesystem shared by Zamba (AD member & standalone) (default: 100)
+LXC_SHAREFS_SIZE="100"
+# Defines the Proxmox storage where your LXC container's filesystem shared by Zamba will be generated (default: local-zfs)
+LXC_SHAREFS_STORAGE="local-zfs"
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+# Moved to constants-service.conf, be careful if you override this value
+# LXC_SHAREFS_MOUNTPOINT="tank"
+
+# cpu core count (default: 0 = unlimited)
+LXC_THREADS=0
+
+# Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024)
+LXC_MEM=1024
+
+# Defines the amount of swap space in MB your LXC container is allowed to use (default: 1024)
+LXC_SWAP=1024
+
+# Defines the hostname of your LXC container
+LXC_HOSTNAME="${service}"
+
+# Defines the domain name / search domain of your LXC container
+LXC_DOMAIN="zmb.rocks"
+
+# Enable DHCP on LAN (eth0) - (Obtain an IP address automatically) [true/false]
+LXC_DHCP=false
+
+# Defines the local IP address and subnet of your LXC container in CIDR format
+LXC_IP="192.168.100.200/24"
+
+# Defines the default gateway IP address of your LXC container
+LXC_GW="192.168.100.254"
+
+# Defines the DNS server ip address of your LXC container
+# `zmb-ad` used this DNS server for installation, after installation and domain provisioning it will be used as forwarding DNS
+# For other services this should be your active directory domain controller (if present, else a DNS server of your choice)
+LXC_DNS="192.168.100.254"
+
+# Defines the network bridge to bind the network adapter of your LXC container
+LXC_BRIDGE="vmbr0"
+
+# Defines the vlan id of the LXC container's network interface, if the network adapter should be connected untagged, just leave the value empty.
+LXC_VLAN=NONE
+
+# Defines the `root` password of your LXC container. Please use 'single quatation marks' to avoid unexpected behaviour.
+LXC_PWD='Start!123'
+
+# Defines an authorized_keys file to push into the LXC container.
+# By default the authorized_keys will be inherited from your proxmox host.
+LXC_AUTHORIZED_KEY=~/.ssh/authorized_keys
+
+# Define your (administrative) tools, you always want to have installed into your LXC container
+LXC_TOOLSET="vim htop net-tools dnsutils sysstat mc"
+
+# Define the local timezone of your LXC container (default: Euroe/Berlin)
+LXC_TIMEZONE="Europe/Berlin"
+
+# Define system language on LXC container (locales)
+# With this paramater you can generate additional locales, the default language will be inherited from proxmox host.
+# en_US.UTF-8  english
+# de_DE.UTF-8  german (default)
+LXC_LOCALE="de_DE.UTF-8"
+
+# Set dark background for vim syntax highlighting (0 or 1)
+LXC_VIM_BG_DARK=1
+
+# Default random password length
+LXC_RANDOMPWD=32
+
+# Move lxc to specific ressource pool
+LXC_RESSOURCE_POOL=""
+
+# Automatically add meta tags to lxc container
+LXC_AUTOTAG=1
+
+# Add meta tags to linux container
+LXC_TAGS="linux,debian,${service}"
+
+############### Zamba-Server-Section ###############
+
+# Defines the REALM for the Active Directory (needs to be UPPER CASE, valid on zmb-ad, zmb-ad-join, zmb-member, zmb-cups)
+ZMB_REALM="ZMB.ROCKS"
+# Defines the domain name in your Active Directory or Workgroup (needs to be UPPER CASE, valid on zmb-ad, zmb-ad-join, zmb-member, zmb-cups, zmb-standalone)
+ZMB_DOMAIN="ZMB"
+
+# Defines the name of your domain administrator account (Some environments are case sensitive, valid on zmb-ad, zmb-ad-join, zmb-member, zmb-cups, zmb-standalone)
+ZMB_ADMIN_USER="administrator"
+
+# The admin password for zamba installation. Please use 'single quatation marks' to avoid unexpected behaviour
+# `zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail
+ZMB_ADMIN_PASS='Start!123'
+
+# Name of the "domain admins" group (depends on your Active Directory language, valid on zmb-cups, lower case)
+ZMB_DOMAIN_ADMINS="domain admins"
+
+# Defines the names of your Zamba shares in a comma separated list
+ZMB_SHARES="share1,share2"
+
+############### Mailpiler-Section ###############
+
+PILER_BRANCH=release
+
+############### Matrix-Section ###############
+
+# Define the FQDN of your Matrix server
+MATRIX_FQDN="matrix.zmb.rocks"
+
+# Define the FQDN for the Element Web virtual host
+MATRIX_ELEMENT_FQDN="element.zmb.rocks"
+
+# Define the administrative user of matrix service
+MATRIX_ADMIN_USER="admin"
+
+# Define the admin password
+MATRIX_ADMIN_PASSWORD='Start!123'
+
+############### Nextcloud-Section ###############
+
+# Define the FQDN of your Nextcloud server
+NEXTCLOUD_FQDN="nextcloud.zmb.rocks"
+
+# The initial admin-user which will be configured
+NEXTCLOUD_ADMIN_USR="zmb-admin"
+
+# Build a strong password for this user. Username and password will shown at the end of the installation. 
+# NEXTCLOUD_ADMIN_PWD='very_secure_password'
+
+# Defines the data directory, which will be createt under LXC_SHAREFS_MOUNTPOINT
+NEXTCLOUD_DATA="nc_data"
+
+# Defines the trusted reverse proxy, which will enable the detection of source ip to fail2ban
+NEXTCLOUD_REVPROX="192.168.100.254"
+
+############### Check_MK-Section ###############
+
+# Define the name of your checkmk instance
+CMK_INSTANCE=zmbrocks
+
+# Define the password of user 'cmkadmin'
+CMK_ADMIN_PW='Start!123'
+
+# checkmk edition (raw or free)
+# raw = completely free
+# free = limited version of the enterprise edition (25 hosts, 1 instance)
+CMK_EDITION=raw
+
+############### vaultwarden Section ###############
+
+# Enable/disable signups (true/false)
+VW_SIGNUPS_ALLOWED=false
+
+# Hostname of your mailserver
+VW_SMTP_HOST=mail.bashclub.org
+
+# email address to send from
+VW_SMTP_FROM="vaultwarden@bashclub.org"
+
+# display name to send from
+VW_SMTP_FROM_NAME="Vaultwarden Password Manager"
+
+# port of your mailserver
+VW_SMTP_PORT=587
+
+# use ssl?
+VW_SMTP_SSL=true
+
+# use starttls?
+VW_SMTP_EXPLICIT_TLS=false
+
+# username of your mailbox
+VW_SMTP_USERNAME=vaultwarden@bashclub.org
+
+# password of your mailbox
+VW_SMTP_PASSWORD='<yourEmailPassword>'
+
+############### ansible-semaphore Section ###############
+
+SEMAPHORE_ADMIN=admin
+SEMAPHORE_ADMIN_DISPLAY_NAME="Semaphore Administrator"
+SEMAPHORE_ADMIN_EMAIL="admin@zmb.rocks"
+SEMAPHORE_ADMIN_PASSWORD='Start123'
+
+############### docker Section ###############
+
+# Install Portainer (=full), Protainer Agent (=agent) or none
+PORTAINER=none
+
+############### zabbix Section ###############
+
+# (Zabbix Proxy) Name:Port of the zabbix server
+ZBX_ADDR=zabbix.zmb.rocks:10051
+
+############### freescout Section ################
+FS_FIRSTNAME=Max
+FS_LASTNAME=Mustermann
+FS_EMAIL=mail@zmb.rocks
@@ -1,20 +0,0 @@
-#!/bin/bash
-
-# Authors:
-# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
-# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
-# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
-
-source /root/zamba.conf
-
-sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
-cat << EOF > /etc/default/locale
-LANG="$LXC_LOCALE"
-LANGUAGE=$LXC_LOCALE
-EOF
-locale-gen $LXC_LOCALE
-
-apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET
-sed -i "s|\"syntax on|syntax on|g" /etc/vim/vimrc
@@ -1,4 +1,5 @@
 #!/bin/bash
+set -euo pipefail

 # This script will create and fire up a standard debian buster lxc container on your Proxmox VE.
 # On a Proxmox cluster, the script will create the container on the local node, where it's executed.
@@ -15,78 +16,123 @@
 # Please adjust th settings in 'zamba.conf' to your needs before running the script

 ############### ZAMBA INSTALL SCRIPT ###############
+prog="$(basename $0)"

-# Load configuration file
-source $PWD/zamba.conf
+usage() {
+	cat >&2 <<-EOF
+	usage: $prog [-h] [-d] [-i CTID] [-s SERVICE] [-c CFGFILE] [-p]
+	  installs a preconfigured lxc container on your proxmox server
+    -i CTID      provide a container id instead of auto detection
+    -s SERVICE   provide the service name and skip the selection dialog
+    -c CFGFILE   use a different config file than 'zamba.conf'
+    -p           preserve zamba.conf ans scripts inside container
+    -d           Debug mode inside LXC container
+    -h           displays this help text
+  ---------------------------------------------------------------------------
+    (C) 2021     zamba-lxc-toolbox by bashclub (https://github.com/bashclub)
+  ---------------------------------------------------------------------------

-LXC_MP="0"
-LXC_UNPRIVILEGED="1"
-LXC_NESTING="0"
+	EOF
+	exit $1
+}

-select opt in zmb-standalone zmb-ad zmb-member mailpiler matrix debian-unpriv debian-priv quit; do
+ctid=0
+service=ask
+config=$PWD/conf/zamba.conf
+debug=0
+preserve_install_scripts=0
+
+while getopts "hi:s:c:dp" opt; do
  case $opt in
-    debian-unpriv)
-      echo "Debian-only LXC container unprivileged mode selected"
-      break
-      ;;
-    debian-priv)
-      echo "Debian-only LXC container privileged mode selected"
-      LXC_UNPRIVILEGED="0"
-      break
-      ;;
-    zmb-standalone)
-      echo "Configuring LXC container '$opt'!"
-      LXC_MP="1"
-      LXC_UNPRIVILEGED="0"
-      break
-      ;;
-    zmb-member)
-      echo "Configuring LXC container '$opt'!"
-      LXC_MP="1"
-      LXC_UNPRIVILEGED="0"
-      break
-      ;;
-    zmb-ad)
-      echo "Selected Zamba AD DC"
-      LXC_NESTING="1"
-      LXC_UNPRIVILEGED="0"
-      break
-      ;;
-    mailpiler)
-      echo "Configuring LXC container for '$opt'!"
-      LXC_NESTING="1"
-      break
-      ;;
-    matrix)
-      echo "Install Matrix chat server and element web service"
-      break
-      ;;
-    quit)
-      echo "Script aborted by user interaction."
-      exit 0
-      ;;
-    *)
-      echo "Invalid option! Exiting..."
-      exit 1
-      ;;
-    esac
+    h) usage 0 ;;
+    i) ctid=$OPTARG ;;
+    s) service=$OPTARG ;;
+    c) config=$OPTARG ;;
+    p) preserve_install_scripts=1 ;;
+    d) debug=1 ;;
+    *) usage 1 ;;
+  esac
 done
+shift $((OPTIND-1))

-# CHeck is the newest template available, else download it.
-DEB_LOC=$(pveam list $LXC_TEMPLATE_STORAGE | grep debian-10-standard | cut -d'_' -f2)
-DEB_REP=$(pveam available --section system | grep debian-10-standard | cut -d'_' -f2)
+OPTS=$(find src/ -maxdepth 1 -mindepth 1 -type d -exec basename -a {} + | sort -n)

-if [[ $DEB_LOC == $DEB_REP ]];
-then
-  echo "Newest Version of Debian 10 Standard $DEP_REP exists.";
+valid=0
+if [[ "$service" == "ask" ]]; then
+  select svc in $OPTS quit; do
+    if [[ "$svc" != "quit" ]]; then
+       for line in $OPTS; do
+        if [[ "$svc" == "$line" ]]; then
+          service=$svc
+          echo "Installation of $service selected."
+          valid=1
+          break
+        fi
+      done
+    else
+      echo "Selected 'quit' exiting without action..."
+      exit 0
+    fi
+    if [[ "$valid" == "1" ]]; then
+      break
+    fi
+  done
 else
-  echo "Will now download newest Debian 10 Standard $DEP_REP.";
-  pveam download $LXC_TEMPLATE_STORAGE debian-10-standard_$DEB_REP\_amd64.tar.gz
+  for line in $OPTS; do
+    if [[ "$service" == "$line" ]]; then
+      echo "Installation of $service selected."
+      valid=1
+      break
+    fi
+  done
 fi

-# Get next free LXC-number
-LXC_LST=$( lxc-ls | egrep -o '.{1,5}$' )
-LXC_CHK=$((LXC_LST+1));
+if [[ "$valid" != "1" ]]; then
+  echo "Invalid option, exiting..."
+  usage 1
+fi
+
+# Load configuration file
+echo "Loading config file '$config'..."
+if [ ! -e "$config" ]; then
+  echo "Configuration files does not exist"
+  exit 1
+fi
+
+source "src/functions.sh"
+
+source "$config"
+
+source "$PWD/src/$service/constants-service.conf"
+
+if [[ $service == "zmb-ad-restore" ]]; then
+  if find ./ | grep samba-backup*.tar.bz2 ; then
+    sambabackup=$(find $PWD/ | grep samba-backup*.tar.bz2 | tail -1)
+  else
+    echo "No samba backup found in $PWD. Please place a samba online backup into $PWD. Canceling..."
+    exit 1
+  fi
+fi
+
+if [ $LXC_MEM -lt $LXC_MEM_MIN ]; then
+  LXC_MEM=$LXC_MEM_MIN
+fi
+
+if [ $LXC_AUTOTAG -gt 0 ]; then
+  TAGS="--tags ${LXC_TAGS},${SERVICE_TAGS}"
+fi
+
+# Check is the newest template available, else download it.
+pveam update
+TMPL_NAME=$(pveam available --section system | grep $LXC_TEMPLATE_VERSION | tail -1 | cut -d' ' -f11)
+pveam download $LXC_TEMPLATE_STORAGE $TMPL_NAME
+
+if [ $ctid -gt 99 ]; then
+  LXC_CHK=$ctid
+else
+  # Get next free LXC-number
+  LXC_CHK=$(($(pct list | cut -d' ' -f1 | tail -1) + 1))
+fi

 if  [ $LXC_CHK -lt 100 ] || [ -f /etc/pve/qemu-server/$LXC_CHK.conf ]; then
  LXC_NBR=$(pvesh get /cluster/nextid);
@@ -95,47 +141,94 @@ else
 fi
 echo "Will now create LXC Container $LXC_NBR!";

+if [ $LXC_THREADS -gt 0 ]; then
+  LXC_CORES=--cores\ $LXC_THREADS
+fi
+
+
+if [[ $LXC_RESSOURCE_POOL != "" ]]; then
+  LXC_POOL=--pool\ $LXC_RESSOURCE_POOL
+fi
+
+
 # Create the container
-pct create $LXC_NBR -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/debian-10-standard_$DEB_REP\_amd64.tar.gz -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE;
+set +u
+pct create $LXC_NBR $TAGS $LXC_CORES $LXC_POOL --password $LXC_PWD -unprivileged $LXC_UNPRIVILEGED $LXC_TEMPLATE_STORAGE:vztmpl/$TMPL_NAME -rootfs $LXC_ROOTFS_STORAGE:$LXC_ROOTFS_SIZE,acl=1;
+set -u
 sleep 2;

-# Check vlan configuration
-if [[ $LXC_VLAN != "" ]];then
-  VLAN=",tag=$LXC_VLAN"
-else
- VLAN=""
+if [[ $SERVICE_TAGS == *"docker"* ]]; then
+  echo "lxc.apparmor.profile: unconfined" >> /etc/pve/lxc/${LXC_NBR}.conf
 fi
+
+# Check vlan configuration
+if [[ $LXC_VLAN != "NONE" ]];then VLAN=",tag=$LXC_VLAN"; else VLAN=""; fi
 # Reconfigure conatiner
-pct set $LXC_NBR -memory $LXC_MEM -swap $LXC_SWAP -hostname $LXC_HOSTNAME \-nameserver $LXC_DNS -searchdomain $LXC_DOMAIN -onboot 1 -timezone $LXC_TIMEZONE -features nesting=$LXC_NESTING -net0 name=eth0,bridge=$LXC_BRIDGE,firewall=1,gw=$LXC_GW,ip=$LXC_IP,type=veth$VLAN;
+pct set $LXC_NBR -memory $LXC_MEM -swap $LXC_SWAP -hostname $LXC_HOSTNAME -onboot 1 -timezone $LXC_TIMEZONE -features nesting=$LXC_NESTING,keyctl=$LXC_KEYCTL;
+if [ $LXC_DHCP == true ]; then
+ pct set $LXC_NBR -net0 "name=eth0,bridge=$LXC_BRIDGE,ip=dhcp,type=veth$VLAN"
+else
+ pct set $LXC_NBR -net0 "name=eth0,bridge=$LXC_BRIDGE,firewall=1,gw=$LXC_GW,ip=$LXC_IP,type=veth$VLAN" -nameserver $LXC_DNS -searchdomain $LXC_DOMAIN
+fi
+
 sleep 2

 if [ $LXC_MP -gt 0 ]; then
-  pct set $LXC_NBR -mp0 $LXC_SHAREFS_STORAGE:$LXC_SHAREFS_SIZE,mp=/$LXC_SHAREFS_MOUNTPOINT
+  pct set $LXC_NBR -mp0 $LXC_SHAREFS_STORAGE:$LXC_SHAREFS_SIZE,backup=1,mp=/$LXC_SHAREFS_MOUNTPOINT
+  if [[ "$(pvesm status | grep $LXC_SHAREFS_STORAGE | cut -d ' ' -f6)" == "zfspool" ]]; then
+    pool=$(grep -A 4 $LXC_SHAREFS_STORAGE /etc/pve/storage.cfg | grep -m1 "pool " | cut -d ' ' -f2)
+    dataset=$(grep mp0 /etc/pve/lxc/$LXC_NBR.conf | cut -d ':' -f3 | cut -d',' -f1)
+    zfs set recordsize=$LXC_MP_RECORDSIZE $pool/$dataset
+  fi
 fi
+
 sleep 2;

 PS3="Select the Server-Function: "

 pct start $LXC_NBR;
 sleep 5;
-# Set the root password and key
-echo "Setting root password"
-echo -e "$LXC_PWD\n$LXC_PWD" | lxc-attach -n$LXC_NBR passwd;
-echo "Creating /root/.ssh"
-lxc-attach -n$LXC_NBR mkdir /root/.ssh;
-echo "Copying authorized_keys"
+# Set the root ssh key
+pct exec $LXC_NBR -- mkdir -p /root/.ssh
 pct push $LXC_NBR $LXC_AUTHORIZED_KEY /root/.ssh/authorized_keys
-echo "Copying sources.list"
-pct push $LXC_NBR ./sources.list /etc/apt/sources.list
-echo "Copying zamba.conf"
-pct push $LXC_NBR ./zamba.conf /root/zamba.conf
-echo "Copying install script"
-pct push $LXC_NBR ./$opt.sh /root/$opt.sh
-echo "Install '$opt'!"
-lxc-attach -n$LXC_NBR bash /root/$opt.sh
+pct push $LXC_NBR "$config" /root/zamba.conf
+for f in "$PWD/src/functions.sh" "$PWD/src/constants.conf" "$PWD/src/lxc-base.sh" "$PWD/src/$service/install-service.sh" "$PWD/src/$service/constants-service.conf"; do
+  pct push $LXC_NBR $f /root/$(basename $f)
+done

-if [[ $opt == "zmb-ad" ]]; then
-  pct stop $LXC_NBR
-  pct set $LXC_NBR \-nameserver $(echo $LXC_IP | cut -d'/' -f 1)
-  pct start $LXC_NBR
+if [[ $service == "zmb-ad" ]] || [[ $service == "zmb-ad-join" ]]; then
+  pct push $LXC_NBR scripts/zmb-ad_auto-map-root.sh /root/zmb-ad_auto-map-root.sh
+  pct push $LXC_NBR scripts/create-service-account /usr/bin/create-service-account
 fi
+
+pct exec $LXC_NBR -- sed -i "s,\${service},${service}," /root/zamba.conf
+pct exec $LXC_NBR -- echo "LXC_NBR=$LXC_NBR" /root/zamba.conf
+
+if [ $debug -gt 0 ]; then dbg=-vx; else dbg=""; fi
+
+echo "Installing basic container setup..."
+pct exec $LXC_NBR -- su - root -c "bash $dbg /root/lxc-base.sh"
+echo "Install '$service'!"
+pct exec $LXC_NBR -- su - root -c "bash $dbg /root/install-service.sh"
+
+pct shutdown $LXC_NBR
+if [[ $service == "zmb-ad" ]]; then
+  ## set nameserver, ${LXC_IP%/*} extracts the ip address from cidr format
+  pct set $LXC_NBR -nameserver ${LXC_IP%/*}
+elif [[ $service == "zmb-ad-restore" ]]; then
+  ## set nameserver, ${LXC_IP%/*} extracts the ip address from cidr format
+  pct set $LXC_NBR -nameserver ${LXC_IP%/*}
+elif [[ $service == "zmb-ad-join" ]]; then
+  pct set $LXC_NBR -nameserver "${LXC_IP%/*} $LXC_DNS"
+fi
+pct start $LXC_NBR
+if [[ $service == "zmb-ad" ]] || [[ $service == "zmb-ad-join" ]]; then
+  sleep 5
+  pct exec $LXC_NBR /usr/local/bin/smb-backup 7
+fi
+
+if [ $preserve_install_scripts -eq 0 ]; then
+  for f in constants.conf constants-service.conf functions.sh install-service.sh lxc-base.sh zamba.conf; do
+    pct exec $LXC_NBR -- bash -c "if [ -f /root/$f ] ; then rm -f /root/${f} ; fi"
+  done
+fi
@@ -1,187 +0,0 @@
-#!/bin/bash
-
-# Authors:
-# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
-# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
-# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
-
-source /root/zamba.conf
-
-sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
-cat << EOF > /etc/default/locale
-LANG="$LXC_LOCALE"
-LANGUAGE=$LXC_LOCALE
-EOF
-locale-gen $LXC_LOCALE
-
-HOSTNAME=$(hostname -f)
-
-echo "Ensure your Hostname is set to your Piler FQDN!"
-
-echo $HOSTNAME
-
-if 
-    [ "$HOSTNAME" != "$PILER_FQDN" ]
-then
-        echo "Hostname doesn't match PILER_FQDNain! Check install.sh, /etc/hosts, /etc/hostname." && exit
-else
-        echo "Hostname matches PILER_FQDNAIN, so starting installation."
-fi
-
-apt update && apt full-upgrade -y
-
-apt install -y $LXC_TOOLSET build-essential libwrap0-dev libpst-dev tnef libytnef0-dev unrtf catdoc libtre-dev tre-agrep poppler-utils libzip-dev unixodbc libpq5 software-properties-common libpoppler-dev openssl libssl-dev memcached telnet nginx mariadb-server default-libmysqlclient-dev python-mysqldb gcc libwrap0 libzip4 latex2rtf latex2html catdoc tnef zipcmp zipmerge ziptool libsodium23
-
-# install php
-wget -q https://packages.sury.org/php/apt.gpg -O- | apt-key add -
-echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/php.list
-
-apt update && apt install -y php$PILER_PHP_VERSION-{fpm,common,ldap,mysql,cli,opcache,phpdbg,gd,memcache,json,readline,zip}
-
-apt purge -y postfix
-
-cat > /etc/mysql/conf.d/mailpiler.conf <<EOF
-innodb_buffer_pool_size=256M
-innodb_flush_log_at_trx_commit=1
-innodb_log_buffer_size=64M
-innodb_log_file_size=16M
-query_cache_size=0
-query_cache_type=0
-query_cache_limit=2M
-EOF
-
-systemctl restart mariadb
-
-cd /tmp
-wget https://download.mailpiler.com/generic-local/sphinx-$PILER_SPHINX_VERSION-bin.tar.gz
-tar -xvzf sphinx-$PILER_SPHINX_VERSION-bin.tar.gz -C /
-
-groupadd piler
-useradd -g piler -m -s /bin/bash -d /var/piler piler
-usermod -L piler
-chmod 755 /var/piler
-
-wget https://bitbucket.org/jsuto/piler/downloads/piler-$PILER_VERSION.tar.gz
-tar -xvzf piler-$PILER_VERSION.tar.gz
-cd piler-$PILER_VERSION/
-./configure --localstatedir=/var --with-database=mysql --enable-tcpwrappers --enable-memcached
-make
-make install
-ldconfig
-
-cp util/postinstall.sh util/postinstall.sh.bak
-sed -i "s/   PILER_SMARTHOST=.*/   PILER_SMARTHOST="\"$PILER_SMARTHOST\""/" util/postinstall.sh
-sed -i 's/   WWWGROUP=.*/   WWWGROUP="www-data"/' util/postinstall.sh
-
-make postinstall
-
-cp /usr/local/etc/piler/piler.conf /usr/local/etc/piler/piler.conf.bak
-sed -i "s/hostid=.*/hostid=$PILER_FQDN/" /usr/local/etc/piler/piler.conf
-sed -i "s/update_counters_to_memcached=.*/update_counters_to_memcached=1/" /usr/local/etc/piler/piler.conf
-
-su piler -c "indexer --all --config /usr/local/etc/piler/sphinx.conf"
-
-/etc/init.d/rc.piler start
-/etc/init.d/rc.searchd start
-
-update-rc.d rc.piler defaults
-update-rc.d rc.searchd defaults
-
-mkdir -p /etc/nginx/ssl
-openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/piler.key -out /etc/nginx/ssl/piler.crt -subj "/CN=$PILER_FQDN" -addext "subjectAltName=DNS:$PILER_FQDN"
-
-cd /etc/nginx/sites-available
-cp /tmp/piler-$PILER_VERSION/contrib/webserver/piler-nginx.conf /etc/nginx/sites-available/
-ln -s /etc/nginx/sites-available/piler-nginx.conf /etc/nginx/sites-enabled/piler-nginx.conf
-
-sed -i "s|PILER_HOST|$PILER_FQDN default_host|g" /etc/nginx/sites-available/piler-nginx.conf
-sed -i "s|/var/run/php/php7.4-fpm.sock|/var/run/php/php$PILER_PHP_VERSION-fpm.sock|g" /etc/nginx/sites-available/piler-nginx.conf
-
-sed -i "/server_name.*/a \\
-        listen 443 ssl http2;\n\n\
-        ssl_certificate /etc/nginx/ssl/piler.crt;\n\
-        ssl_certificate_key /etc/nginx/ssl/piler.key;\n\n\
-        ssl_session_timeout 1d;\n\
-        ssl_session_cache shared:SSL:15m;\n\
-        ssl_session_tickets off;\n\n\
-        # modern configuration of Mozilla SSL configurator. Tweak to your needs.\n\
-        ssl_protocols TLSv1.2 TLSv1.3;\n\
-        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;\n\
-        ssl_prefer_server_ciphers off;\n\n\
-        add_header X-Frame-Options SAMEORIGIN;\n\
-        add_header X-Content-Type-Options nosniff;" /etc/nginx/sites-available/piler-nginx.conf
-
-sed -i "/^server {.*/i\
-server {\n\
-        listen 80;\n\
-        server_name $PILER_FQDN default_host;\n\
-        server_tokens off;\n\
-        # HTTP to HTTPS redirect.\n\
-        return 301 https://\$host\$request_uri;\n\
-}" /etc/nginx/sites-available/piler-nginx.conf
-
-cp /usr/local/etc/piler/config-site.php /usr/local/etc/piler/config-site.php.bak
-sed -i "s|\$config\['SITE_URL'\] = .*|\$config\['SITE_URL'\] = 'https://$PILER_FQDN/';|" /usr/local/etc/piler/config-site.php
-cat >> /usr/local/etc/piler/config-site.php <<EOF
-
-// CUSTOM
-\$config['PROVIDED_BY'] = '$PILER_FQDN';
-\$config['SUPPORT_LINK'] = 'https://$PILER_FQDN';
-\$config['COMPATIBILITY'] = '';
-
-// fancy features.
-\$config['ENABLE_INSTANT_SEARCH'] = 1;
-\$config['ENABLE_TABLE_RESIZE'] = 1;
-
-\$config['ENABLE_DELETE'] = 1;
-\$config['ENABLE_ON_THE_FLY_VERIFICATION'] = 1;
-
-// general settings.
-\$config['TIMEZONE'] = '$LXC_TIMEZONE';
-
-// authentication
-// Enable authentication against an imap server
-//\$config['ENABLE_IMAP_AUTH'] = 1;
-//\$config['RESTORE_OVER_IMAP'] = 1;
-//\$config['IMAP_RESTORE_FOLDER_INBOX'] = 'INBOX';
-//\$config['IMAP_RESTORE_FOLDER_SENT'] = 'Sent';
-//\$config['IMAP_HOST'] = '$PILER_SMARTHOST';
-//\$config['IMAP_PORT'] =  993;
-//\$config['IMAP_SSL'] = true;
-
-// authentication against an ldap directory (disabled by default)
-//\$config['ENABLE_LDAP_AUTH'] = 1;
-//\$config['LDAP_HOST'] = '$PILER_SMARTHOST';
-//\$config['LDAP_PORT'] = 389;
-//\$config['LDAP_HELPER_DN'] = 'cn=administrator,cn=users,dc=mydomain,dc=local';
-//\$config['LDAP_HELPER_PASSWORD'] = 'myxxxxpasswd';
-//\$config['LDAP_MAIL_ATTR'] = 'mail';
-//\$config['LDAP_AUDITOR_MEMBER_DN'] = '';
-//\$config['LDAP_ADMIN_MEMBER_DN'] = '';
-//\$config['LDAP_BASE_DN'] = 'ou=Benutzer,dc=krs,dc=local';
-
-// authentication against an Uninvention based ldap directory 
-//\$config['ENABLE_LDAP_AUTH'] = 1;
-//\$config['LDAP_HOST'] = '$PILER_SMARTHOST';
-//\$config['LDAP_PORT'] = 7389;
-//\$config['LDAP_HELPER_DN'] = 'uid=ldap-search-user,cn=users,dc=mydomain,dc=local';
-//\$config['LDAP_HELPER_PASSWORD'] = 'myxxxxpasswd';
-//\$config['LDAP_AUDITOR_MEMBER_DN'] = '';
-//\$config['LDAP_ADMIN_MEMBER_DN'] = '';
-//\$config['LDAP_BASE_DN'] = 'cn=users,dc=mydomain,dc=local';
-//\$config['LDAP_MAIL_ATTR'] = 'mailPrimaryAddress';
-//\$config['LDAP_ACCOUNT_OBJECTCLASS'] = 'person';
-//\$config['LDAP_DISTRIBUTIONLIST_OBJECTCLASS'] = 'person';
-//\$config['LDAP_DISTRIBUTIONLIST_ATTR'] = 'mailAlternativeAddress';
-
-// special settings.
-\$config['MEMCACHED_ENABLED'] = 1;
-\$config['SPHINX_STRICT_SCHEMA'] = 1; // required for Sphinx $PILER_SPHINX_VERSION, see https://bitbucket.org/jsuto/piler/issues/1085/sphinx-331.
-EOF
-
-rm /etc/nginx/sites-enabled/default
-
-nginx -t && systemctl restart nginx
-
-apt autoremove -y
-apt clean -y
@@ -0,0 +1,6 @@
+repos ohne debian trixie support
+- manticore (fixed via bashclub repo)
+- 45drives
+- mongodb
+- influxdb
+- zammad
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+export LC_ALL=C
+ZAMBA_CONF="/root/zamba-lxc-toolbox/conf/zamba.conf"
+
+if [[ -f "$ZAMBA_CONF" ]]; then
+    # Prüfen, ob die Datei älter als 3 Tage ist
+    if find "$ZAMBA_CONF" -mtime +3 >/dev/null 2>&1; then
+        echo "⚠️ zamba.conf ist älter als 3 Tage – Datei wird gelöscht: $ZAMBA_CONF"
+        rm -f "$ZAMBA_CONF"
+        exit 0
+    else
+        echo "❌ Problem: zamba.conf ist vorhanden und jünger als 3 Tage: $ZAMBA_CONF"
+        exit 2
+    fi
+else
+    echo "✅ OK: zamba.conf ist nicht vorhanden"
+    exit 0
+fi
@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+USER="$1"
+
+if [ -z "$USER" ]; then
+  echo "Usage: $0 <username>"
+  exit 1
+fi
+
+# Prüfen, ob ldbmodify verfügbar ist
+if ! command -v ldbmodify &> /dev/null; then
+  echo "Fehler: 'ldbmodify' ist nicht installiert. Bitte installiere 'ldb-tools' mit:"
+  echo "  sudo apt update && sudo apt install ldb-tools"
+  exit 10
+fi
+
+# Sicheres Passwort generieren (32 Zeichen, alphanumerisch + Sonderzeichen)
+PASSWORD=$(openssl rand -base64 24)
+
+# Benutzer anlegen mit generiertem Passwort
+samba-tool user create "$USER" "$PASSWORD"
+echo "✅ Benutzer $USER erfolgreich erstellt."
+
+# DN des Benutzers ermitteln
+DN=$(ldbsearch -H /var/lib/samba/private/sam.ldb "(sAMAccountName=$USER)" dn | awk '/^dn: / {print $2}')
+
+if [ -z "$DN" ]; then
+  echo "❌ Fehler: DN für $USER nicht gefunden." >&2
+  exit 3
+fi
+
+# userWorkstations=NONE setzen
+ldbmodify -H /var/lib/samba/private/sam.ldb <<EOF
+dn: $DN
+changetype: modify
+replace: userWorkstations
+userWorkstations: "NOWORKSTATION"
+EOF
+
+echo
+echo "------------------------------------------"
+echo "BENUTZER ERSTELLT:"
+echo "Username: $USER"
+echo "Passwort: $PASSWORD"
+echo "Distinguished Name:"
+echo "$DN"
+echo "------------------------------------------"
+echo "Bitte notiere Benutzername, Passwort und DN sicher."
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+# Konfiguration
+MAILCOW_PATH="/opt/mailcow-dockerized"
+SPOOL_DIR="/var/lib/check_mk_agent/spool"
+INTERVAL_SECONDS=87000  # z. B. alle 24 Stunden + Toleranz
+SPOOL_FILE="${SPOOL_DIR}/${INTERVAL_SECONDS}_mailcow_update"
+
+# Sicherstellen, dass das Spool-Verzeichnis existiert
+mkdir -p "$SPOOL_DIR"
+
+# Temporäre Datei vorbereiten
+TMP_FILE="$(mktemp)"
+
+# Header für Local Check
+echo "<<<local>>>" > "$TMP_FILE"
+
+# In das Mailcow-Verzeichnis wechseln
+if ! cd "$MAILCOW_PATH"; then
+  echo "2 Mailcow_Update - ERROR: Verzeichnis $MAILCOW_PATH nicht gefunden" >> "$TMP_FILE"
+  echo "3 Mailcow_Version - UNKNOWN: Verzeichnis nicht gefunden" >> "$TMP_FILE"
+  mv "$TMP_FILE" "$SPOOL_FILE"
+  exit 2
+fi
+
+# Aktuelle Uhrzeit für Log
+NOW="$(date '+%Y-%m-%d %H:%M:%S')"
+
+# Mailcow-Version auslesen
+GIT_TAG=$(git describe --tags --abbrev=0 2>/dev/null)
+GIT_COMMIT=$(git rev-parse --short HEAD 2>/dev/null)
+
+if [[ -n "$GIT_TAG" ]]; then
+  echo "0 Mailcow_Version - OK: Version $GIT_TAG ($GIT_COMMIT)" >> "$TMP_FILE"
+else
+  echo "0 Mailcow_Version - OK: Commit $GIT_COMMIT (kein Tag)" >> "$TMP_FILE"
+fi
+
+# Auf Updates prüfen
+UPDATE_CHECK=$(./update.sh --check 2>&1)
+if echo "$UPDATE_CHECK" | grep -q "No updates available"; then
+  echo "0 Mailcow_Update - OK: Kein Update verfügbar ($NOW)" >> "$TMP_FILE"
+  mv "$TMP_FILE" "$SPOOL_FILE"
+  exit 0
+fi
+
+# Erstes Update versuchen
+UPDATE_OUTPUT=$(./update.sh --force --skip-ping-check 2>&1)
+EXIT_CODE=$?
+
+# Sonderfall: Skript wurde geändert und muss erneut ausgeführt werden
+if echo "$UPDATE_OUTPUT" | grep -q "update.sh changed, please run this script again"; then
+  UPDATE_OUTPUT_2=$(./update.sh --force --skip-ping-check 2>&1)
+  EXIT_CODE=$?
+  UPDATE_OUTPUT="${UPDATE_OUTPUT}\n--- retry ---\n${UPDATE_OUTPUT_2}"
+fi
+
+if [ "$EXIT_CODE" -eq 0 ]; then
+  echo "0 Mailcow_Update - OK: Update erfolgreich durchgeführt ($NOW)" >> "$TMP_FILE"
+else
+  echo "2 Mailcow_Update - CRITICAL: Update fehlgeschlagen ($NOW)" >> "$TMP_FILE"
+  echo "$UPDATE_OUTPUT" >> "$TMP_FILE"
+fi
+
+# Ergebnis schreiben
+mv "$TMP_FILE" "$SPOOL_FILE"
+exit "$EXIT_CODE"
@@ -0,0 +1,159 @@
+#!/bin/bash
+
+DEBUG_LOG="/tmp/mailcow_debug.log"
+echo "" > "$DEBUG_LOG"
+
+debug() {
+    echo "[DEBUG] $1"
+    echo "[DEBUG] $1" >> "$DEBUG_LOG"
+}
+
+debug "Starte Mailcow Check Script"
+
+MAILCOW_PATH="/opt/mailcow-dockerized"
+SPOOL_DIR="/var/lib/check_mk_agent/spool"
+INTERVAL_SECONDS=87000
+SPOOL_FILE="${SPOOL_DIR}/${INTERVAL_SECONDS}_mailcow_update"
+CERT_DIR="${MAILCOW_PATH}/data/assets/ssl"
+
+mkdir -p "$SPOOL_DIR"
+TMP_FILE="$(mktemp)"
+
+debug "Spool-Datei: $SPOOL_FILE"
+debug "Temporäre Datei: $TMP_FILE"
+
+# KORREKTER Header für Checkmk Local Checks
+echo "<<<local>>>" > "$TMP_FILE"
+
+debug "Wechsle ins Mailcow-Verzeichnis: $MAILCOW_PATH"
+if ! cd "$MAILCOW_PATH"; then
+    echo "2 Mailcow_Update - ERROR: Verzeichnis $MAILCOW_PATH nicht gefunden" >> "$TMP_FILE"
+    echo "3 Mailcow_Version - UNKNOWN: Verzeichnis nicht gefunden" >> "$TMP_FILE"
+    mv "$TMP_FILE" "$SPOOL_FILE"
+    exit 2
+fi
+
+NOW="$(date '+%Y-%m-%d %H:%M:%S')"
+debug "Aktuelle Zeit: $NOW"
+
+debug "Lese Mailcow Git-Version aus..."
+GIT_TAG=$(git describe --tags --abbrev=0 2>/dev/null)
+GIT_COMMIT=$(git rev-parse --short HEAD 2>/dev/null)
+
+debug "GIT_TAG=$GIT_TAG"
+debug "GIT_COMMIT=$GIT_COMMIT"
+
+if [[ -n "$GIT_TAG" ]]; then
+    echo "0 Mailcow_Version - OK: Version $GIT_TAG ($GIT_COMMIT)" >> "$TMP_FILE"
+else
+    echo "0 Mailcow_Version - OK: Commit $GIT_COMMIT (kein Tag)" >> "$TMP_FILE"
+fi
+
+###############################################################################
+# UPDATE-CHECK
+###############################################################################
+
+debug "Führe update.sh --check aus..."
+UPDATE_CHECK=$(./update.sh --check 2>&1)
+RET=$?
+debug "Update Check Rückgabecode: $RET"
+
+EXIT_CODE=0
+
+if echo "$UPDATE_CHECK" | grep -q "No updates available"; then
+    debug "Kein Update verfügbar."
+    echo "0 Mailcow_Update - OK: Kein Update verfügbar ($NOW)" >> "$TMP_FILE"
+else
+    debug "Update verfügbar! Starte Update..."
+
+    UPDATE_OUTPUT=$(./update.sh --force --skip-ping-check 2>&1)
+    EXIT_CODE=$?
+
+    if [ "$EXIT_CODE" -eq 0 ]; then
+        debug "Update erfolgreich."
+        echo "0 Mailcow_Update - OK: Update erfolgreich durchgeführt ($NOW)" >> "$TMP_FILE"
+    else
+        debug "Update fehlgeschlagen."
+        echo "2 Mailcow_Update - CRITICAL: Update fehlgeschlagen ($NOW)" >> "$TMP_FILE"
+        echo "$UPDATE_OUTPUT" >> "$TMP_FILE"
+    fi
+fi
+
+###############################################################################
+# SSL-ZERTIFIKATE PRÜFEN (mit SANs)
+###############################################################################
+
+debug "Beginne SSL-Zertifikat-Scan unter: $CERT_DIR"
+debug "Ignoriere Verzeichnis: $CERT_DIR/backups"
+debug "Ignoriere Datei: $CERT_DIR/acme/account.pem"
+debug "Ignoriere Dateien: key.pem, dhparams.pem"
+
+if [ ! -d "$CERT_DIR" ]; then
+    echo "3 Mailcow_Certificates - UNKNOWN: SSL-Verzeichnis fehlt" >> "$TMP_FILE"
+else
+
+    while IFS= read -r -d '' CERT_FILE; do
+        debug "Prüfe Zertifikat: $CERT_FILE"
+
+        REL_PATH="${CERT_FILE#${CERT_DIR}/}"
+        CERT_NAME="${REL_PATH//\//_}"
+
+        # Ablaufdatum lesen
+        END_DATE_RAW=$(openssl x509 -enddate -noout -in "$CERT_FILE" 2>/dev/null | cut -d= -f2)
+
+        # SANs extrahieren
+        SANS=$(openssl x509 -noout -text -in "$CERT_FILE" \
+             | grep -A1 "Subject Alternative Name" \
+             | tail -n1 \
+             | sed 's/DNS://g' \
+             | sed 's/, /,/g' \
+             | xargs)
+
+        debug "SANs: $SANS"
+
+        if [ -z "$END_DATE_RAW" ]; then
+            echo "3 Mailcow_Cert_${CERT_NAME} - UNKNOWN: Kein Ablaufdatum ($CERT_FILE)" >> "$TMP_FILE"
+            continue
+        fi
+
+        END_EPOCH=$(date -d "$END_DATE_RAW" +%s 2>/dev/null)
+        NOW_EPOCH=$(date +%s)
+        SECONDS_LEFT=$((END_EPOCH - NOW_EPOCH))
+        DAYS_LEFT=$((SECONDS_LEFT / 86400))
+
+        debug "Noch $DAYS_LEFT Tage gültig"
+
+        if [ "$SECONDS_LEFT" -le 0 ]; then
+            STATE=2; STATE_TEXT="CRITICAL"; MSG="abgelaufen"
+        elif [ "$DAYS_LEFT" -le 14 ]; then
+            STATE=2; STATE_TEXT="CRITICAL"; MSG="läuft in <=14 Tagen ab"
+        elif [ "$DAYS_LEFT" -le 30 ]; then
+            STATE=1; STATE_TEXT="WARNING"; MSG="läuft bald ab"
+        else
+            STATE=0; STATE_TEXT="OK"; MSG="gültig"
+        fi
+
+        echo "${STATE} Mailcow_Cert_${CERT_NAME} - ${STATE_TEXT}: ${MSG}, Ablauf: ${END_DATE_RAW}, SANs: ${SANS}" >> "$TMP_FILE"
+
+    done < <(
+        find "$CERT_DIR" \
+          -path "${CERT_DIR}/backups" -prune -o \
+          -type f \
+          ! -path "$CERT_DIR/acme/account.pem" \
+          ! -name "key.pem" \
+          ! -name "dhparams.pem" \
+          \( -name "*.crt" -o -name "*.pem" -o -name "*.cert" \) \
+          -print0
+    )
+fi
+
+###############################################################################
+# SPEICHERN
+###############################################################################
+
+debug "Speichere Spool-Datei: $SPOOL_FILE"
+mv "$TMP_FILE" "$SPOOL_FILE"
+
+debug "Script fertig. Exit-Code: $EXIT_CODE"
+exit "$EXIT_CODE"
+
@@ -0,0 +1,44 @@
+server {
+    listen 80;
+    listen [::]:80;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name cloud.domain.tld;
+
+    ssl_certificate     /etc/ssl/mail/cert.pem;
+    ssl_certificate_key /etc/ssl/mail/key.pem;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:50m;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    # HTTP → HTTPS
+    if ($scheme = http) {
+        return 301 https://$host$request_uri;
+    }
+
+    location / {
+        proxy_pass https://cloud.domain.tld;
+
+        # Hostname & Forwarded-Header sauber durchreichen
+        proxy_set_header Host 192.168.178.253;        # explizit der Upstream-Name
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;  # TLS endet hier
+        proxy_set_header X-Forwarded-Host $host;   # also cloud.domain.tld
+        proxy_set_header X-Forwarded-Port 443;
+        proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host";
+        proxy_set_header Referrer-Policy "no-referrer";
+
+        proxy_connect_timeout 600;
+        proxy_send_timeout 600;
+        proxy_read_timeout 600;
+        send_timeout 600;
+        client_max_body_size 10G;
+    }
+
+    # CalDAV/CardDAV Redirects
+    location /.well-known/carddav { return 301 https://$host/remote.php/dav; }
+    location /.well-known/caldav { return 301 https://$host/remote.php/dav; }
+}
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+# Update Nextcloud
+# Place in /etc/cron.daily and make executable with: chmod +x /etc/cron.daily/nextcloud-update
+
+user=www-data
+phpversion=php8.4
+path=/var/www/nextcloud
+logfile="/var/log/nextcloud-update.log"
+
+ncc() {
+  sudo -u "$user" "$phpversion" "$path/occ" "$@"
+}
+
+updater() {
+  sudo -u "$user" "$phpversion" "$path/updater/updater.phar" "$@"
+}
+
+{
+  echo "===== $(date): Nextcloud Update Start ====="
+
+  updater --no-backup --no-interaction
+
+  subcommands=(
+    "db:add-missing-primary-keys"
+    "db:add-missing-indices"
+    "db:add-missing-columns"
+    "db:convert-filecache-bigint"
+    "files:scan-app-data"
+    "upgrade"
+  )
+
+  for cmd in "${subcommands[@]}"; do
+    echo "Running: occ $cmd"
+    ncc -n $cmd
+  done
+
+  # App Updates
+  echo "Updating apps..."
+  apps=$(ncc app:list | grep -Po 'Enabled:\s*\K.*' | tr -d ' ' | tr ',' '\n')
+  for app in $apps; do
+    echo "Updating app: $app"
+    ncc app:update "$app"
+  done
+
+  echo "===== $(date): Nextcloud Update Finished ====="
+} >> "$logfile" 2>&1
@@ -0,0 +1,103 @@
+#!/bin/bash
+
+set -e
+
+SMB_CONF="/etc/samba/smb.conf"
+USERMAP_FILE="/etc/samba/user.map"
+KEYTAB_PATH="/root/admin.keytab"
+SYSTEMD_SERVICE="/etc/systemd/system/kinit-admin.service"
+SYSTEMD_TIMER="/etc/systemd/system/kinit-admin.timer"
+BASH_PROFILE="/root/.bash_profile"
+
+# 1. Domain & Realm aus smb.conf auslesen
+DOMAIN_NAME=$(awk -F '=' '/^[[:space:]]*workgroup[[:space:]]*=/ {gsub(/ /, "", $2); print $2}' "$SMB_CONF")
+REALM_NAME=$(awk -F '=' '/^[[:space:]]*realm[[:space:]]*=/ {gsub(/ /, "", $2); print toupper($2)}' "$SMB_CONF")
+
+if [[ -z "$DOMAIN_NAME" || -z "$REALM_NAME" ]]; then
+    echo "[FEHLER] Konnte 'workgroup' oder 'realm' aus smb.conf nicht auslesen."
+    exit 1
+fi
+
+echo "[INFO] Domain: $DOMAIN_NAME"
+echo "[INFO] Realm: $REALM_NAME"
+
+# 2. user.map schreiben
+echo "!root = ${DOMAIN_NAME}\\Administrator" > "$USERMAP_FILE"
+echo "[OK] Benutzerzuordnung geschrieben in $USERMAP_FILE"
+
+# 3. smb.conf patchen
+if ! grep -q "^username map *= *$USERMAP_FILE" "$SMB_CONF"; then
+    sed -i "/^\[global\]/a username map = $USERMAP_FILE" "$SMB_CONF"
+    echo "[OK] smb.conf wurde um 'username map' ergänzt."
+else
+    echo "[INFO] 'username map' bereits gesetzt."
+fi
+
+# 4. Keytab erzeugen
+echo "[INFO] Erzeuge Keytab für Administrator..."
+samba-tool domain exportkeytab "$KEYTAB_PATH" --principal="administrator@$REALM_NAME"
+chmod 600 "$KEYTAB_PATH"
+echo "[OK] Keytab gespeichert unter $KEYTAB_PATH"
+
+# 5. systemd-Service + Timer für automatisches kinit
+echo "[INFO] Erstelle systemd-Service & Timer..."
+
+cat > "$SYSTEMD_SERVICE" <<EOF
+[Unit]
+Description=Kerberos Kinit für Administrator
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/kinit -kt $KEYTAB_PATH administrator@$REALM_NAME
+EOF
+
+cat > "$SYSTEMD_TIMER" <<EOF
+[Unit]
+Description=Kerberos Kinit für Administrator (Boot)
+
+[Timer]
+OnBootSec=10sec
+Unit=kinit-admin.service
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# Aktivieren
+systemctl daemon-reexec
+systemctl daemon-reload
+systemctl enable --now kinit-admin.timer
+
+# 6. root-Login: .bash_profile anpassen
+echo "[INFO] Ergänze .bash_profile von root, um bei Login kinit auszuführen..."
+mkdir -p "$(dirname "$BASH_PROFILE")"
+touch "$BASH_PROFILE"
+
+# Block nur hinzufügen, wenn er nicht bereits vorhanden ist
+if ! grep -q "kinit -kt $KEYTAB_PATH administrator@$REALM_NAME" "$BASH_PROFILE"; then
+    cat >> "$BASH_PROFILE" <<EOF
+
+# Automatisches Kerberos-Ticket beim Login holen
+if ! klist -s; then
+    echo "[INFO] Kein gültiges Kerberos-Ticket – führe kinit aus..."
+    kinit -kt $KEYTAB_PATH administrator@$REALM_NAME && echo "[INFO] Kerberos-Ticket aktualisiert."
+fi
+EOF
+    echo "[OK] .bash_profile angepasst."
+else
+    echo "[INFO] .bash_profile enthält bereits kinit-Befehl."
+fi
+
+# 7. samba-ad-dc neu starten
+echo "[INFO] Starte samba-ad-dc neu..."
+systemctl restart samba-ad-dc
+
+# 8. Testausgaben
+echo "[INFO] getent passwd root:"
+getent passwd root || echo "[WARNUNG] Kein Eintrag für root"
+
+echo
+echo "[INFO] Test: samba-tool user list (falls kein Passwort kommt, war's erfolgreich):"
+samba-tool user list | head -n 5 || echo "[WARNUNG] Fehler bei samba-tool"
+
@@ -1,6 +0,0 @@
-deb http://ftp.de.debian.org/debian buster main contrib
-
-deb http://ftp.de.debian.org/debian buster-updates main contrib
-
-# security updates
-deb http://security.debian.org buster/updates main contrib
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-13-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# Defines the name from the SQL database
+SEMAPHORE_DB_NAME="semaphore"
+
+# Defines the name from the SQL user
+SEMAPHORE_DB_USR="semaphore"
+
+# Build a strong password for the SQL user - could be overwritten with something fixed
+SEMAPHORE_DB_PWD="$(random_password)"
+
+# service dependent meta tags
+SERVICE_TAGS="postgresql,nginx"
@@ -0,0 +1,221 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+set -euo pipefail
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+inst_nginx
+inst_postgresql
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq postgresql nginx git ssl-cert unzip zip ansible ansible-lint
+
+systemctl enable --now postgresql
+
+su - postgres <<EOF
+psql -c "CREATE USER semaphore WITH PASSWORD '${SEMAPHORE_DB_PWD}';"
+psql -c "CREATE DATABASE ${SEMAPHORE_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${SEMAPHORE_DB_USR};"
+echo "Postgres User ${SEMAPHORE_DB_USR} and database ${SEMAPHORE_DB_NAME} created."
+EOF
+
+curl -s https://api.github.com/repos/semaphoreui/semaphore/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep 'linux_amd64.deb$' | wget -i - -O /opt/semaphore_linux_amd64.deb
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install /opt/semaphore_linux_amd64.deb
+
+cat << EOF > /usr/local/bin/update-semaphore
+PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
+echo "Checking github for new semaphore version"
+current_version=\$(curl -s https://api.github.com/repos/semaphoreui/semaphore/releases/latest | grep "tag_name" | cut -d '"' -f4)
+installed_version=\$(semaphore version)
+echo "Installed semaphore version is \$installed_version"
+if [ \$installed_version != \$current_version ]; then
+  echo "New semaphore version \$current_version available. Stopping semaphore.service"
+  systemctl stop semaphore.service
+  echo "Downloading semaphore version \$current_version..."
+  curl -s https://api.github.com/repos/semaphoreui/semaphore/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep 'linux_amd64.deb$' | wget -i - -O /opt/semaphore_linux_amd64.deb
+  DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical dpkg -i /opt/semaphore_linux_amd64.deb
+  echo "Starting semaphore.service..."
+  systemctl start semaphore.service
+  echo "semaphore update finished!"
+else
+  echo "semaphore version is up-to-date!"
+fi
+EOF
+chmod +x /usr/local/bin/update-semaphore
+
+useradd -m -r -s /bin/bash semaphore
+sudo -s -u semaphore bash -c 'ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -q -N ""'
+
+cat << EOF > /etc/apt/apt.conf.d/80-semaphore-apt-hook
+DPkg::Post-Invoke {"/usr/local/bin/update-semaphore";};
+EOF
+chmod +x /etc/apt/apt.conf.d/80-semaphore-apt-hook
+
+cat << EOF > /etc/systemd/system/semaphore.service
+[Unit]
+Description=Semaphore Ansible
+Documentation=https://github.com/semaphoreui/semaphore
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=simple
+ExecReload=/bin/kill -HUP \$MAINPID
+ExecStart=/usr/bin/semaphore service --config=/etc/semaphore/config.json
+SyslogIdentifier=semaphore
+Restart=always
+User=semaphore
+Group=semaphore
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+mkdir -p /etc/semaphore
+
+cat << EOF > /etc/semaphore/config.json
+{
+ 	"mysql": {
+ 		"host": "",
+ 		"user": "",
+ 		"pass": "",
+ 		"name": "",
+ 		"options": null
+ 	},
+ 	"bolt": {
+ 		"host": "",
+ 		"user": "",
+ 		"pass": "",
+ 		"name": "",
+ 		"options": null
+ 	},
+ 	"postgres": {
+ 		"host": "127.0.0.1:5432",
+ 		"user": "${SEMAPHORE_DB_USR}",
+ 		"pass": "${SEMAPHORE_DB_PWD}",
+ 		"name": "${SEMAPHORE_DB_NAME}",
+ 		"options": {
+ 			"sslmode": "disable"
+ 		}
+ 	},
+ 	"dialect": "postgres",
+ 	"port": "",
+ 	"interface": "",
+ 	"tmp_path": "/tmp/semaphore",
+ 	"cookie_hash": "$(head -c32 /dev/urandom | base64)",
+ 	"cookie_encryption": "$(head -c32 /dev/urandom | base64)",
+ 	"access_key_encryption": "$(head -c32 /dev/urandom | base64)",
+ 	"email_sender": "",
+ 	"email_host": "",
+ 	"email_port": "",
+ 	"email_username": "",
+ 	"email_password": "",
+ 	"web_host": "",
+ 	"ldap_binddn": "",
+ 	"ldap_bindpassword": "",
+ 	"ldap_server": "",
+ 	"ldap_searchdn": "",
+ 	"ldap_searchfilter": "",
+ 	"ldap_mappings": {
+ 		"dn": "",
+ 		"mail": "",
+ 		"uid": "",
+ 		"cn": ""
+ 	},
+ 	"telegram_chat": "",
+ 	"telegram_token": "",
+ 	"slack_url": "",
+ 	"max_parallel_tasks": 0,
+ 	"email_alert": false,
+ 	"email_secure": false,
+ 	"telegram_alert": false,
+ 	"slack_alert": false,
+ 	"ldap_enable": false,
+ 	"ldap_needtls": false,
+ 	"ssh_config_path": "/home/semaphore/.ssh/",
+ 	"demo_mode": false,
+ 	"git_client": ""
+ }
+EOF
+
+if [ -f /etc/nginx/sites-enabled/default ]; then
+  unlink /etc/nginx/sites-enabled/default
+fi
+
+cat << EOF > /etc/nginx/conf.d/default.conf
+server {
+    listen 80;
+    listen [::]:80;
+    server_name _;
+    
+    server_tokens off;
+
+    access_log /var/log/nginx/semaphore.access.log;
+    error_log /var/log/nginx/semaphore.error.log;
+
+    location /.well-known/ {
+        root /var/www/html;
+    }
+
+    return 301 https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};
+    
+    server_tokens off;
+    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+
+    ssl_protocols TLSv1.3 TLSv1.2;
+    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
+    ssl_dhparam /etc/nginx/dhparam.pem;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 180m;
+
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    resolver 1.1.1.1 1.0.0.1;
+
+    add_header Strict-Transport-Security "max-age=31536000" always;
+
+    access_log /var/log/nginx/semaphore.access.log;
+    error_log  /var/log/nginx/semaphore.error.log;
+
+    client_max_body_size 50M;
+
+    location / {
+        proxy_set_header X-Real-IP \$remote_addr;
+        proxy_set_header Host \$host;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_pass http://127.0.0.1:3000;
+        proxy_read_timeout 90;
+    }
+}
+EOF
+
+echo "source <(semaphore completion bash)" >> /root/.bashrc
+semaphore user add --admin --login ${SEMAPHORE_ADMIN} --name ${SEMAPHORE_ADMIN_DISPLAY_NAME} --email ${SEMAPHORE_ADMIN_EMAIL} --password ${SEMAPHORE_ADMIN_PASSWORD} --config /etc/semaphore/config.json
+
+
+generate_dhparam
+
+systemctl daemon-reload
+systemctl enable --now semaphore.service
+systemctl restart nginx.service
+
+
+echo -e "\n######################################################################\n\n    Please note this user and password for the semaphore login:\n        '$SEMAPHORE_ADMIN' / '$SEMAPHORE_ADMIN_PASSWORD'\n                Enjoy your semaphore intallation.\n\n######################################################################"
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-13-standard"
+
+# Create sharefs mountpoint
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="var/lib/docker"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="1"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=2048
+
+# service dependent meta tags
+SERVICE_TAGS="docker"
@@ -0,0 +1,105 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+set -euo pipefail
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+# Add Docker's official GPG key:
+inst_docker
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq pwgen
+
+SECRET=$(random_password)
+myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1)
+
+install_portainer_full() {
+    mkdir -p /opt/portainer/data
+    cd /opt/portainer
+    cat << EOF > /opt/portainer/docker-compose.yml
+version: "3.4"
+
+services:
+  portainer:
+    restart: always
+    image: portainer/portainer:latest
+    volumes:
+      - ./data:/data
+      - /var/run/docker.sock:/var/run/docker.sock
+    ports:
+      - "8000:8000"
+      - "9443:9443"
+    command: --admin-password-file=/data/admin_password
+EOF
+    echo -n "$SECRET" > ./data/admin_password
+
+    docker compose pull
+    docker compose up -d
+    echo -e "\n######################################################################\n\n    You can access Portainer with your browser at https://${myip}:9443\n\n    Please note the following admin password to access the portainer:\n    '$SECRET'\n    Enjoy your Docker intallation.\n\n######################################################################\n\n    Setup your authentik instance by entering https://${myip}/if/flow/initial-setup/ into your browser.\n\n######################################################################"
+
+}
+
+install_portainer_agent() {
+    mkdir -p /opt/portainer-agent/data
+    cd /opt/portainer-agent
+    cat << EOF > /opt/portainer-agent/docker-compose.yml
+version: "3.4"
+
+services:
+  portainer:
+    restart: always  
+    image: portainer/agent:latest
+    volumes:
+      - /var/lib/docker/volumes:/var/lib/docker/volumes
+      - /var/run/docker.sock:/var/run/docker.sock
+    ports:
+      - "9001:9001"
+EOF
+
+    docker compose pull
+    docker compose up -d
+
+    echo -e "\n######################################################################\n\n    Please enter the following data into the Portainer "Add environment" wizard:\n\tEnvironment address: ${myip}:9001\n\n    Enjoy your Docker intallation.\n\n######################################################################\n\n    Setup your authentik instance by entering https://${myip}/if/flow/initial-setup/ into your browser.\n\n######################################################################"
+
+}
+
+mkdir -p /opt/authentik
+wget -O /opt/authentik/docker-compose.yml https://goauthentik.io/docker-compose.yml
+cd /opt/authentik
+cat << EOF > .env
+PG_PASS=$(pwgen -s 40 1)
+AUTHENTIK_SECRET_KEY=$(pwgen -s 50 1)
+AUTHENTIK_DISABLE_UPDATE_CHECK=false
+AUTHENTIK_ERROR_REPORTING__ENABLED=false
+AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true
+AUTHENTIK_AVATARS=initials
+COMPOSE_PORT_HTTP=80
+COMPOSE_PORT_HTTPS=443
+AUTHENTIK_EMAIL__HOST=
+AUTHENTIK_EMAIL__PORT=
+AUTHENTIK_EMAIL__USERNAME=
+AUTHENTIK_EMAIL__PASSWORD=
+# Use StartTLS
+AUTHENTIK_EMAIL__USE_TLS=false
+# Use SSL
+AUTHENTIK_EMAIL__USE_SSL=false
+AUTHENTIK_EMAIL__TIMEOUT=10
+# Email address authentik will send from, should have a correct @domain
+AUTHENTIK_EMAIL__FROM=
+AUTHENTIK_REDIS__DB=1
+EOF
+
+docker compose pull
+docker compose up -d
+
+case $PORTAINER in
+  full) install_portainer_full ;;
+  agent) install_portainer_agent ;;
+  *)     echo -e "\n######################################################################\n\n   Enjoy your authentik intallation.\n\n######################################################################\n\n    Setup your authentik instance by entering https://${myip}/if/flow/initial-setup/ into your browser.\n\n######################################################################" ;;
+esac
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-13-standard"
+
+
+# Create sharefs mountpoint
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="var/lib/cmk-push-agent"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# checkmk version
+CMK_VERSION=2.4.0p19
+# build number of the debian package (needs to start with underscore)
+CMK_BUILD=_0
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=2048
+
+# service dependent meta tags
+SERVICE_TAGS="apache2"
@@ -0,0 +1,88 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+set -euo pipefail
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
+echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/testing $(lsb_release -cs) main" > /etc/apt/sources.list.d/bashclub.list
+apt update
+
+cd /tmp
+wget https://download.checkmk.com/checkmk/$CMK_VERSION/check-mk-$CMK_EDITION-$CMK_VERSION$CMK_BUILD.$(lsb_release -cs)_amd64.deb
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ./check-mk-$CMK_EDITION-$CMK_VERSION$CMK_BUILD.$(lsb_release -cs)_amd64.deb
+omd create --admin-password $CMK_ADMIN_PW $CMK_INSTANCE
+
+cat << EOF > /etc/apache2/sites-available/000-default.conf
+<VirtualHost *:80>
+	RewriteEngine On
+	RewriteCond %{HTTPS} !=on
+	RewriteRule ^/?(.*) https://%{SERVER_NAME}/$CMK_INSTANCE [R,L]
+</VirtualHost>
+EOF
+
+cat << EOF > /etc/apache2/sites-available/default-ssl.conf
+<VirtualHost *:443>
+	RewriteEngine On
+	RewriteCond %{REQUEST_URI} !^/$CMK_INSTANCE
+	RewriteRule ^/(.*) https://%{HTTP_HOST}/$CMK_INSTANCE/\$1 [R=301,L]
+
+	ServerAdmin webmaster@localhost
+
+	DocumentRoot /var/www/html
+
+	ErrorLog \${APACHE_LOG_DIR}/error.log
+	CustomLog \${APACHE_LOG_DIR}/access.log combined
+
+	SSLEngine on
+
+	SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
+	SSLCertificateKeyFile   /etc/ssl/private/ssl-cert-snakeoil.key
+
+	#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
+
+	#SSLCACertificatePath /etc/ssl/certs/
+	#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
+
+	#SSLCARevocationPath /etc/apache2/ssl.crl/
+	#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
+
+	#SSLVerifyClient require
+	#SSLVerifyDepth  10
+
+	#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+	<FilesMatch "\.(?:cgi|shtml|phtml|php)\$">
+		SSLOptions +StdEnvVars
+	</FilesMatch>
+	<Directory /usr/lib/cgi-bin>
+		SSLOptions +StdEnvVars
+	</Directory>
+
+</VirtualHost>
+EOF
+
+a2enmod ssl
+a2enmod rewrite
+a2ensite default-ssl
+
+systemctl restart apache2.service
+
+omd start $CMK_INSTANCE
+
+# install matrix notification plugin
+
+wget -O /opt/omd/sites/$CMK_INSTANCE/local/share/check_mk/notifications/matrix.py https://github.com/bashclub/check_mk_matrix_notifications/raw/master/matrix.py
+chmod +x /opt/omd/sites/$CMK_INSTANCE/local/share/check_mk/notifications/matrix.py
+chown $CMK_INSTANCE /opt/omd/sites/$CMK_INSTANCE/local/share/check_mk/notifications/matrix.py
+
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install cmk-push-server
+
+cmk-push-setup
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-13-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="php-fpm,nginx,mariadb"
@@ -0,0 +1,190 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+set -euo pipefail
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+BOOKSTACK_DB_PWD=$(random_password)
+webroot=/var/www/bookstack/public
+
+inst_php cli,fpm,mysql,fpm,xml,mbstring,gd,tokenizer,curl,ldap,tidy,zip 8.5
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends zip unzip nginx-full mariadb-server mariadb-client redis-server
+curl -s https://api.github.com/repos/wkhtmltopdf/packaging/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep 'bookworm_amd64.deb$' | wget -O /opt/wkhtmltox.deb -i -
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends /opt/wkhtmltox.deb
+
+mkdir -p /etc/nginx/ssl
+openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/open3a.key -out /etc/nginx/ssl/open3a.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
+
+PHP_VERSION=$(php -v | head -1 | cut -d ' ' -f2)
+
+cat << EOF > /etc/nginx/sites-available/default
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    server_name _;
+
+    return 301 https://$LXC_HOSTNAME.$LXC_DOMAIN;
+}
+
+server {
+
+    client_max_body_size 100M;
+    fastcgi_buffers 64 4K;
+    client_body_timeout 120s;
+
+    listen 443 http2 ssl default_server;
+    listen [::]:443 http2 ssl default_server;
+    server_name $LXC_HOSTNAME.$LXC_DOMAIN;
+
+    root $webroot;
+
+    index index.php;
+
+    ssl_certificate /etc/nginx/ssl/open3a.crt;
+    ssl_certificate_key /etc/nginx/ssl/open3a.key;
+
+    access_log  /var/log/nginx/bookstack.access.log;
+    error_log   /var/log/nginx/bookstack.error.log;
+
+    location / {
+        try_files \$uri \$uri/ /index.php?\$query_string;
+    }
+
+    location ~ \.php$ {
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_pass unix:/run/php/php${PHP_VERSION:0:3}-fpm.sock;
+        fastcgi_index index.php;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
+        fastcgi_intercept_errors off;
+        fastcgi_buffer_size 16k;
+        fastcgi_buffers 4 16k;
+    }
+
+    location = /favicon.ico { access_log off; log_not_found off; }
+    location = /robots.txt  { access_log off; log_not_found off; }
+
+    location ~ /\.ht {
+        deny all;
+    }
+
+    fastcgi_hide_header X-Powered-By;
+    fastcgi_read_timeout 3600;
+    fastcgi_send_timeout 3600;
+    fastcgi_connect_timeout 3600;
+
+    add_header Permissions-Policy                   "interest-cohort=()";
+    add_header Referrer-Policy                      "no-referrer"   always;
+    add_header X-Content-Type-Options               "nosniff"       always;
+    add_header X-Download-Options                   "noopen"        always;
+    add_header X-Frame-Options                      "SAMEORIGIN"    always;
+    add_header X-Permitted-Cross-Domain-Policies    "none"          always;
+    add_header X-Robots-Tag                         "none"          always;
+    add_header X-XSS-Protection                     "1; mode=block" always;
+
+    gzip on;
+    gzip_vary on;
+    gzip_comp_level 4;
+    gzip_min_length 256;
+    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+}
+
+EOF
+
+mysql -uroot -e "CREATE USER 'bookstack'@'localhost' IDENTIFIED BY '$BOOKSTACK_DB_PWD';
+CREATE DATABASE IF NOT EXISTS bookstack;
+GRANT ALL PRIVILEGES ON bookstack.* TO 'bookstack'@'localhost' IDENTIFIED BY '$BOOKSTACK_DB_PWD';
+FLUSH PRIVILEGES;"
+
+sed -i "s/post_max_size = 8M/post_max_size = 100M/g" /etc/php/${PHP_VERSION:0:3}/fpm/php.ini
+sed -i "s/upload_max_filesize = 2M/upload_max_filesize = 100M/g" /etc/php/${PHP_VERSION:0:3}/fpm/php.ini
+sed -i "s/memory_limit = 128M/memory_limit = 512M/g" /etc/php/${PHP_VERSION:0:3}/fpm/php.ini
+
+EXPECTED_CHECKSUM="$(php -r 'copy("https://composer.github.io/installer.sig", "php://stdout");')"
+php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
+ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', 'composer-setup.php');")"
+if [ "$EXPECTED_CHECKSUM" != "$ACTUAL_CHECKSUM" ]
+then
+    >&2 echo 'ERROR: Invalid composer installer checksum'
+    rm composer-setup.php
+    exit 1
+fi
+php composer-setup.php --quiet
+rm composer-setup.php
+# Move composer to global installation
+mv composer.phar /usr/local/bin/composer
+
+cd /var/www
+git clone https://github.com/BookStackApp/BookStack.git --branch release --single-branch bookstack
+cd bookstack
+
+# Install BookStack composer dependencies
+export COMPOSER_ALLOW_SUPERUSER=1
+php /usr/local/bin/composer install --no-dev --no-plugins
+
+
+# Copy and update BookStack environment variables
+cp .env.example .env
+sed -i.bak "s@APP_URL=.*\$@APP_URL=https://${LXC_HOSTNAME}.${LXC_DOMAIN}@" .env
+sed -i.bak 's/DB_DATABASE=.*$/DB_DATABASE=bookstack/' .env
+sed -i.bak 's/DB_USERNAME=.*$/DB_USERNAME=bookstack/' .env
+sed -i.bak "s/DB_PASSWORD=.*\$/DB_PASSWORD=$BOOKSTACK_DB_PWD/" .env
+
+cat << EOF >> .env
+QUEUE_CONNECTION=database
+STORAGE_TYPE=local_secure
+APP_LANG=de_informal
+FILE_UPLOAD_SIZE_LIMIT=100
+SESSION_SECURE_COOKIE=true
+CACHE_DRIVER=redis
+SESSION_DRIVER=redis
+REDIS_SERVERS=127.0.0.1:6379:0
+WKHTMLTOPDF=/usr/local/bin/wkhtmltopdf
+ALLOW_UNTRUSTED_SERVER_FETCHING=true
+EOF
+
+# Generate the application key
+php artisan key:generate --no-interaction --force
+# Migrate the databases
+php artisan migrate --no-interaction --force
+
+php artisan bookstack:db-utf8mb4 > dbupgrade.sql
+mysql -u root < dbupgrade.sql
+
+chown www-data:www-data -R bootstrap/cache public/uploads storage && chmod -R 755 bootstrap/cache public/uploads storage
+
+cat << EOF > /etc/systemd/system/bookstack-queue.service
+[Unit]
+Description=BookStack Queue Worker
+
+[Service]
+User=www-data
+Group=www-data
+Restart=always
+ExecStart=/usr/bin/php /var/www/bookstack/artisan queue:work --sleep=3 --tries=1 --max-time=3600
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl daemon-reload
+systemctl enable --now bookstack-queue php${PHP_VERSION:0:3}-fpm nginx redis-server
+systemctl restart php${PHP_VERSION:0:3}-fpm nginx bookstack-queue redis-server
+
+LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)
+
+echo -e "Your bookstack installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttp://$(echo ${LXC_IP} | cut -d'/' -f1)\nLogin:\t\tadmin@admin.com\nPassword:\tpassword\n\n"
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-13-standard"
+
+
+# Create sharefs mountpoint
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="opt"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# checkmk version
+CMK_VERSION=2.4.0p18
+# build number of the debian package (needs to start with underscore)
+CMK_BUILD=_0
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=2048
+
+# service dependent meta tags
+SERVICE_TAGS="apache2"
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+set -euo pipefail
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+cd /tmp
+wget https://download.checkmk.com/checkmk/$CMK_VERSION/check-mk-$CMK_EDITION-$CMK_VERSION$CMK_BUILD.$(lsb_release -cs)_amd64.deb
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ./check-mk-$CMK_EDITION-$CMK_VERSION$CMK_BUILD.$(lsb_release -cs)_amd64.deb
+
+omd create --admin-password $CMK_ADMIN_PW $CMK_INSTANCE
+
+cat << EOF > /etc/apache2/sites-available/000-default.conf
+<VirtualHost *:80>
+	RewriteEngine On
+	RewriteCond %{HTTPS} !=on
+	RewriteRule ^/?(.*) https://%{SERVER_NAME}/$CMK_INSTANCE [R,L]
+</VirtualHost>
+EOF
+
+cat << EOF > /etc/apache2/sites-available/default-ssl.conf
+<VirtualHost *:443>
+	RewriteEngine On
+	RewriteCond %{REQUEST_URI} !^/$CMK_INSTANCE
+	RewriteRule ^/(.*) https://%{HTTP_HOST}/$CMK_INSTANCE/\$1 [R=301,L]
+
+	ServerAdmin webmaster@localhost
+
+	DocumentRoot /var/www/html
+
+	ErrorLog \${APACHE_LOG_DIR}/error.log
+	CustomLog \${APACHE_LOG_DIR}/access.log combined
+
+	SSLEngine on
+
+	SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
+	SSLCertificateKeyFile   /etc/ssl/private/ssl-cert-snakeoil.key
+
+	#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
+
+	#SSLCACertificatePath /etc/ssl/certs/
+	#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
+
+	#SSLCARevocationPath /etc/apache2/ssl.crl/
+	#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
+
+	#SSLVerifyClient require
+	#SSLVerifyDepth  10
+
+	#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+	<FilesMatch "\.(?:cgi|shtml|phtml|php)\$">
+		SSLOptions +StdEnvVars
+	</FilesMatch>
+	<Directory /usr/lib/cgi-bin>
+		SSLOptions +StdEnvVars
+	</Directory>
+
+</VirtualHost>
+EOF
+
+a2enmod ssl
+a2enmod rewrite
+a2ensite default-ssl
+
+systemctl restart apache2.service
+
+omd start $CMK_INSTANCE
+
+# install matrix notification plugin
+
+wget -O /opt/omd/sites/$CMK_INSTANCE/local/share/check_mk/notifications/matrix.py https://github.com/bashclub/check_mk_matrix_notifications/raw/master/matrix.py
+chmod +x /opt/omd/sites/$CMK_INSTANCE/local/share/check_mk/notifications/matrix.py
+chown $CMK_INSTANCE /opt/omd/sites/$CMK_INSTANCE/local/share/check_mk/notifications/matrix.py
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-13-standard"
+
+# Create sharefs mountpoint
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="home"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=2048
+
+# service dependent meta tags
+SERVICE_TAGS="php-fpm,nginx,mariadb"
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# Author:
+# (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
+
+set -euo pipefail
+
+source zamba.conf
+
+wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
+
+curl -sS https://installer.cloudpanel.io/ce/v2/install.sh -o install.sh
+DB_ENGINE=MARIADB_11.8 SWAP=false bash install.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on container level
+
+# Define your (administrative) tools, you always want to have installed into your LXC container
+LXC_TOOLSET_BASE="sudo lsb-release curl dirmngr git gpg gnupg2 apt-transport-https wget ssl-cert tmux jq"
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-13-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=512
+
+# service dependent meta tags
+SERVICE_TAGS="privileged"
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+echo "'debian-priv' is ready to use!"
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-13-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=512
+
+# service dependent meta tags
+SERVICE_TAGS=""
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+echo "'debian-unpriv' is ready to use!"
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-13-standard"
+
+# Create sharefs mountpoint
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="var/lib/docker"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="1"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=2048
+
+# service dependent meta tags
+SERVICE_TAGS=""
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+set -euo pipefail
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+inst_docker
+
+SECRET=$(random_password)
+myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1)
+
+install_portainer_full() {
+    mkdir -p /opt/portainer/data
+    cd /opt/portainer
+    cat << EOF > /opt/portainer/docker-compose.yml
+services:
+  portainer:
+    restart: always
+    image: portainer/portainer:latest
+    volumes:
+      - ./data:/data
+      - /var/run/docker.sock:/var/run/docker.sock
+    ports:
+      - "8000:8000"
+      - "9443:9443"
+    command: --admin-password-file=/data/admin_password
+EOF
+    echo -n "$SECRET" > ./data/admin_password
+
+    docker compose pull
+    docker compose up -d
+    echo -e "\n######################################################################\n\n    You can access Portainer with your browser at https://${myip}:9443\n\n    Please note the following admin password to access the portainer:\n    '$SECRET'\n    Enjoy your Docker intallation.\n\n######################################################################"
+
+}
+
+install_portainer_agent() {
+    mkdir -p /opt/portainer-agent/data
+    cd /opt/portainer-agent
+    cat << EOF > /opt/portainer-agent/docker-compose.yml
+services:
+  portainer:
+    restart: always  
+    image: portainer/agent:latest
+    volumes:
+      - /var/lib/docker/volumes:/var/lib/docker/volumes
+      - /var/run/docker.sock:/var/run/docker.sock
+    ports:
+      - "9001:9001"
+EOF
+
+    docker compose pull
+    docker compose up -d
+
+    echo -e "\n######################################################################\n\n    Please enter the following data into the Portainer "Add environment" wizard:\n\tEnvironment address: ${myip}:9001\n\n    Enjoy your Docker intallation.\n\n######################################################################"
+
+}
+
+case $PORTAINER in
+  full) install_portainer_full ;;
+  agent) install_portainer_agent ;;
+  *)     echo -e "\n######################################################################\n\n   Enjoy your Docker intallation.\n\n######################################################################" ;;
+esac
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-13-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+FS_PHP_VERSION=8.4
+
+# service dependent meta tags
+SERVICE_TAGS="php-fpm,nginx,mariadb"
@@ -0,0 +1,135 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+set -euo pipefail
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+webroot=/var/www/html
+
+LXC_RANDOMPWD=20
+MYSQL_PASSWORD="$(random_password)"
+
+apt update
+
+inst_php cli,zip,curl,intl,fpm,mysql,imap,xml,mbstring,gd $FS_PHP_VERSION
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends unzip sudo nginx-full mariadb-server mariadb-client ssl-cert git
+
+
+echo ‘cgi.fix_pathinfo=0’ >> /etc/php/$FS_PHP_VERSION/fpm/php.ini
+
+cat << EOF > /etc/nginx/sites-available/default
+server {
+    listen 80;
+    listen [::]:80;
+    server_name _;
+
+    return 301 https://$LXC_HOSTNAME.$LXC_DOMAIN;
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name $LXC_HOSTNAME.$LXC_DOMAIN;
+
+    root $webroot/freescout/public;
+
+    index index.php index.html index.htm;
+
+    ssl_certificate /etc/nginx/ssl/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
+
+    client_max_body_size 20M;
+
+    location / {
+        try_files \$uri \$uri/ /index.php?\$query_string;
+    }
+
+    location ~ .php$ {
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_pass unix:/var/run/php/php${FS_PHP_VERSION}-fpm.sock;
+        fastcgi_index index.php;
+        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
+    	include fastcgi_params;
+    }
+    
+    location ^~ /storage/app/attachment/ {
+        internal;
+        alias /var/www/html/storage/app/attachment/;
+    }
+    
+    location ~* ^/storage/attachment/ {
+        expires 1M;
+        access_log off;
+        try_files \$uri \$uri/ /index.php?\$query_string;
+    }
+    
+    location ~* ^/(?:css|js)/.*\.(?:css|js)$ {
+        expires 2d;
+        access_log off;
+        add_header Cache-Control "public, must-revalidate";
+    }
+    
+    # The list should be in sync with /storage/app/public/uploads/.htaccess and /config/app.php
+    location ~* ^/storage/.*\.((?!(jpg|jpeg|jfif|pjpeg|pjp|apng|bmp|gif|ico|cur|png|tif|tiff|webp|pdf|txt|diff|patch|json|mp3|wav|ogg|wma)).)*$ {
+        add_header Content-disposition "attachment; filename=\$2";
+        default_type application/octet-stream;
+    }	
+    
+    location ~* ^/(?:css|fonts|img|installer|js|modules|[^\\\\\\]+\..*)$ {
+        expires 1M;
+        access_log off;
+        add_header Cache-Control "public";
+    }
+    
+    location ~ /\. {
+        deny  all;
+    }
+}
+
+EOF
+
+rm /var/www/html/*nginx*.html
+mkdir -p /etc/nginx/ssl
+ln -sf /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/fullchain.pem
+ln -sf /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem
+
+mysql -uroot -e "CREATE USER 'freescout'@'localhost' IDENTIFIED BY '$MYSQL_PASSWORD';
+GRANT USAGE ON * . * TO 'freescout'@'localhost' IDENTIFIED BY '$MYSQL_PASSWORD' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
+CREATE DATABASE IF NOT EXISTS freescout;
+GRANT ALL PRIVILEGES ON freescout . * TO 'freescout'@'localhost';"
+
+curl -s https://api.github.com/repos/freescout-help-desk/freescout/releases/latest | grep tarball_url | cut -d '"' -f 4 | wget -O $webroot/freescout.tar.gz -i -
+cd $webroot
+tar -vxf freescout.tar.gz
+dir=$(ls -d freescout-help-desk-freescout*)
+mv -v $dir freescout
+chown -R www-data:www-data /var/www/html
+find /var/www/html -type f -exec chmod 664 {} \;    
+find /var/www/html -type d -exec chmod 775 {} \;
+cd $webroot/freescout
+APP_KEY=$(sudo -u www-data php artisan key:generate --show)
+sudo -u www-data sed -e "s|APP_URL=.*|APP_URL=https://${LXC_HOSTNAME}.${LXC_DOMAIN}|" -e "s|DB_DATABASE=|DB_DATABASE=freescout|" -e "s|DB_USERNAME=|DB_USERNAME=freescout|" -e "s|DB_PASSWORD=|DB_PASSWORD=${MYSQL_PASSWORD}|" -e "s|APP_KEY=|APP_KEY=${APP_KEY}|" .env.example > .env
+sudo -u www-data php artisan freescout:clear-cache
+sudo -u www-data php artisan storage:link
+sudo -u www-data php artisan migrate -n --force
+FS_PASSWORD=$(random_password)
+sudo -u www-data php artisan freescout:create-user -n --role=admin --firstName=$FS_FIRSTNAME --lastName=$FS_LASTNAME --email=$FS_EMAIL --password=$FS_PASSWORD
+
+cat << EOF > /etc/cron.d/freescout 
+* * * * * www-data /bin/php /var/www/html/freescout/artisan schedule:run >> /dev/null 2>&1
+EOF
+
+systemctl enable --now php${FS_PHP_VERSION}-fpm
+systemctl restart php${FS_PHP_VERSION}-fpm nginx
+
+LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)
+
+echo -e "Your freescout installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttps://$(echo $LXC_IP | cut -d'/' -f1)\nLogin:\t\t$FS_EMAIL\nPassword:\t$FS_PASSWORD\n"
@@ -0,0 +1,135 @@
+#!/bin/bash
+#
+# This script has basic functions like a random password generator
+LXC_RANDOMPWD=32
+
+random_password() {
+    set +o pipefail
+    LC_CTYPE=C tr -dc 'a-zA-Z0-9' < /dev/urandom 2>/dev/null | head -c${LXC_RANDOMPWD}
+}
+
+generate_dhparam() {
+    openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 2048
+    cat << EOF > /etc/cron.monthly/generate-dhparams
+#!/bin/bash
+openssl dhparam -out /etc/nginx/dhparam.gen 4096 > /dev/null 2>&1
+mv /etc/nginx/dhparam.gen /etc/nginx/dhparam.pem
+systemctl restart nginx
+EOF
+    chmod +x /etc/cron.monthly/generate-dhparams
+}
+
+apt_repo() {
+    apt_name=$1
+    apt_key_url=$2
+    apt_key_path=/usr/share/keyrings/${apt_name}-archive-keyring.gpg
+    apt_repo_url=$3
+    apt_suites=$4
+    apt_components=$5
+    tmp_key_file=$(mktemp)
+    if ! curl -fsSL -o "${tmp_key_file}" "${apt_key_url}"; then
+        echo "❌ Fehler beim Herunterladen des Schlüssels."
+        rm -f "${tmp_key_file}"
+        exit 1
+    fi
+    if file "${tmp_key_file}" | grep -q "ASCII"; then
+        echo "🔍 Format erkannt: ASCII. Konvertiere den Schlüssel..."
+        # Wenn es ASCII ist, konvertiere es mit --dearmor
+        if sudo gpg --dearmor -o "${apt_key_path}" "${tmp_key_file}"; then
+            chmod 644 ${apt_key_path}
+            echo "✅ Schlüssel erfolgreich nach ${apt_key_path} konvertiert."
+        else
+            echo "❌ Fehler bei der Konvertierung des ASCII-Schlüssels."
+            rm -f "${tmp_key_file}" # Temporäre Datei aufräumen
+            exit 1
+        fi
+    else
+        echo "🔍 Format erkannt: Binär. Kopiere den Schlüssel direkt..."
+        # Wenn es kein ASCII ist, gehen wir von Binär aus und verschieben die Datei
+        if sudo mv "${tmp_key_file}" "${apt_key_path}"; then
+            echo "✅ Schlüssel erfolgreich nach ${apt_key_path} kopiert."
+            chmod 644 ${apt_key_path}
+        else
+            echo "❌ Fehler beim Kopieren des binären Schlüssels."
+            rm -f "${tmp_key_file}"
+            exit 1
+        fi
+    fi
+
+    if [[ $(lsb_release -r | cut -f2) -gt 12 ]]; then
+        cat << EOF > /etc/apt/sources.list.d/${apt_name}.sources
+Types: deb
+URIs: $apt_repo_url
+Suites: $apt_suites
+Components: $apt_components
+Enabled: yes
+Signed-By: $apt_key_path
+EOF
+    else
+        echo "deb [signed-by=${apt_key_path}] ${apt_repo_url} ${apt_suites} ${apt_components}" > /etc/apt/sources.list.d/${apt_name}.list
+    fi
+}
+
+#### Set repo and install Nginx ####
+inst_nginx() {
+    apt_repo "nginx" "https://nginx.org/keys/nginx_signing.key" "http://nginx.org/packages/mainline/debian" "$(lsb_release -cs)" "nginx"
+    apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx
+}
+
+#### Set repo and install PHP ####
+inst_php() {
+    PHP_MODULES=${1}
+    PHP_VERSION=${2:-8.4}
+    IFS=',' read -ra MODULE_ARRAY <<< "$PHP_MODULES"
+    PKGS=()
+    for PHP_MODULE in "${MODULE_ARRAY[@]}"; do
+        PKGS+=( "php${PHP_VERSION}-${PHP_MODULE}" )
+    done
+    apt_repo "php" "https://packages.sury.org/php/apt.gpg" "https://packages.sury.org/php/" "$(lsb_release -sc)" "main"
+    apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends php-common "${PKGS[@]}"
+}
+
+#### Set repo and install Postgresql ####
+# First paramater is postgres version, default ist curren version postgres 18
+inst_postgresql() {
+    POSTGRES_VERSION=${1:-18}
+    
+    apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt" "$(lsb_release -cs)-pgdg" "main"
+    apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends postgresql-${POSTGRES_VERSION}
+}
+
+#### Set repo and install Crowdsec ####
+inst_crowdsec() {
+    apt_repo "crowdsec" "https://packagecloud.io/crowdsec/crowdsec/gpgkey" "https://packagecloud.io/crowdsec/crowdsec/any" "any" "main"
+    apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends crowdsec
+    DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends crowdsec-firewall-bouncer-nftables
+}
+
+#### Set repo and install 45drives (cockpit) ####
+inst_45drives() {
+    apt_repo "45drives" "https://repo.45drives.com/key/gpg.asc" "https://repo.45drives.com/enterprise/debian" "bookworm" "main"
+    apt update
+}
+
+#### Set repo and install Docker ####
+inst_docker() {
+    apt_repo "docker" "https://download.docker.com/linux/debian/gpg" "https://download.docker.com/linux/debian" "$(lsb_release -cs)" stable
+    apt update
+    DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin pwgen
+}
+#### Set repo and install MongoDB ####
+inst_mongodb() {
+    MONGODB_VERSION=${1:-8.0}
+
+    apt_repo "mongodb" "https://www.mongodb.org/static/pgp/server-$MONGODB_VERSION.asc" "http://repo.mongodb.org/apt/debian" "bookworm/mongodb-org/$MONGODB_VERSION" "main"
+    apt update
+    DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq mongodb-org
+}
+
+#### Set repo and install MongoDB ####
+inst_bashclub() {
+    BASHCLUB_COMPONENT=${1:-release}
+
+    apt_repo "bashclub-$BASHCLUB_COMPONENT" "https://apt.bashclub.org/gpg/bashclub.pub" "https://apt.bashclub.org/$BASHCLUB_COMPONENT" "$(lsb_release -cs)" "main"
+    apt update
+}
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-13-standard"
+
+# Create sharefs mountpoint
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Defines the IP from the SQL server
+GITEA_DB_IP="127.0.0.1"
+
+# Defines the PORT from the SQL server
+GITEA_DB_PORT="5432"
+
+# Defines the name from the SQL database
+GITEA_DB_NAME="gitea"
+
+# Defines the name from the SQL user
+GITEA_DB_USR="gitea"
+
+# Build a strong password for the SQL user - could be overwritten with something fixed
+GITEA_DB_PWD="$(random_password)"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="nginx,postgresql"
@@ -0,0 +1,188 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+set -euo pipefail
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+inst_nginx
+
+inst_postgresql
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq git ssl-cert unzip zip
+
+systemctl enable --now postgresql
+
+su - postgres <<EOF
+psql -c "CREATE USER gitea WITH PASSWORD '${GITEA_DB_PWD}';"
+psql -c "CREATE DATABASE ${GITEA_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${GITEA_DB_USR};"
+echo "Postgres User ${GITEA_DB_USR} and database ${GITEA_DB_NAME} created."
+EOF
+
+adduser  --system  --shell /bin/bash --gecos 'Git Version Control' --group --disabled-password --home /home/git git
+
+curl -s https://api.github.com/repos/go-gitea/gitea/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep '\linux-amd64$' | wget -O /usr/local/bin/gitea -i -
+chmod +x /usr/local/bin/gitea
+mkdir -p /etc/gitea
+mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/
+chown -R git:git /${LXC_SHAREFS_MOUNTPOINT}/
+chmod -R 750 /${LXC_SHAREFS_MOUNTPOINT}/
+
+cat << EOF > /usr/local/bin/update-gitea
+PATH="/bin:/usr/bin:/usr/local/bin"
+echo "Checking github for new gitea version"
+current_version=\$(curl -s https://api.github.com/repos/go-gitea/gitea/releases/latest | grep "tag_name" | cut -d '"' -f4)
+installed_version=\$(echo v\$(gitea --version | cut -d ' ' -f3))
+echo "Installed gitea version is \$installed_version"
+if [ \$installed_version != \$current_version ]; then
+  echo "New gitea version \$current_version available. Stopping gitea.service"
+  systemctl stop gitea.service
+  echo "Downloading gitea version \$current_version..."
+  curl -s https://api.github.com/repos/go-gitea/gitea/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep '\linux-amd64$' | wget -q -O /usr/local/bin/gitea -i -
+  chmod +x /usr/local/bin/gitea
+  echo "Starting gitea.service..."
+  systemctl start gitea.service
+  echo "gitea update finished!"
+else
+  echo "gitea version is up-to-date!"
+fi
+EOF
+chmod +x /usr/local/bin/update-gitea
+
+cat << EOF > /etc/apt/apt.conf.d/80-gitea-apt-hook
+DPkg::Post-Invoke {"/usr/local/bin/update-gitea";};
+EOF
+chmod +x /etc/apt/apt.conf.d/80-gitea-apt-hook
+
+cat << EOF > /etc/systemd/system/gitea.service
+[Unit]
+Description=Gitea
+After=syslog.target
+After=network.target
+After=postgresql.service
+
+[Service]
+RestartSec=2s
+Type=simple
+User=git
+Group=git
+WorkingDirectory=/${LXC_SHAREFS_MOUNTPOINT}/
+ExecStart=/usr/local/bin/gitea web -c /etc/gitea/app.ini
+Restart=always
+Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/${LXC_SHAREFS_MOUNTPOINT}/
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat << EOF > /etc/gitea/app.ini
+RUN_MODE = prod
+RUN_USER = git
+
+[repository]
+ROOT = /${LXC_SHAREFS_MOUNTPOINT}/git/repositories
+
+[repository.local]
+LOCAL_COPY_PATH = /${LXC_SHAREFS_MOUNTPOINT}/gitea/tmp/local-repo
+
+[repository.upload]
+TEMP_PATH = /${LXC_SHAREFS_MOUNTPOINT}/gitea/uploads
+
+[database]
+DB_TYPE=postgres
+HOST=localhost
+NAME=${GITEA_DB_NAME}
+USER=${GITEA_DB_USR}
+PASSWD=${GITEA_DB_PWD}
+SSL_MODE=disable
+
+[server]
+APP_DATA_PATH    = /${LXC_SHAREFS_MOUNTPOINT}/gitea
+DOMAIN           = ${LXC_HOSTNAME}.${LXC_DOMAIN}
+SSH_DOMAIN       = ${LXC_HOSTNAME}.${LXC_DOMAIN}
+HTTP_HOST        = localhost
+HTTP_PORT        = 3000
+ROOT_URL         = http://${LXC_HOSTNAME}.${LXC_DOMAIN}/
+DISABLE_SSH      = false
+SSH_PORT         = 22
+SSH_LISTEN_PORT  = 22
+EOF
+
+chown -R root:git /etc/gitea
+chmod 770 /etc/gitea
+chmod 770 /etc/gitea/app.ini
+
+if [ -f /etc/nginx/sites-enabled/default ]; then
+  unlink /etc/nginx/sites-enabled/default
+fi
+
+cat << EOF > /etc/nginx/conf.d/default.conf
+server {
+    listen 80;
+    listen [::]:80;
+    server_name _;
+    
+    server_tokens off;
+
+    access_log /var/log/nginx/gitea.access.log;
+    error_log /var/log/nginx/gitea.error.log;
+
+    location /.well-known/ {
+        root /var/www/html;
+    }
+
+    return 301 https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};
+    
+    server_tokens off;
+    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+
+    ssl_protocols TLSv1.3 TLSv1.2;
+    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
+    ssl_dhparam /etc/nginx/dhparam.pem;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 180m;
+
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    resolver 1.1.1.1 1.0.0.1;
+
+    add_header Strict-Transport-Security "max-age=31536000" always;
+
+    access_log /var/log/nginx/gitea.access.log;
+    error_log  /var/log/nginx/gitea.error.log;
+
+    client_max_body_size 50M;
+
+    location / {
+        proxy_set_header X-Real-IP \$remote_addr;
+        proxy_set_header Host \$host;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_pass http://127.0.0.1:3000;
+        proxy_read_timeout 90;
+    }
+}
+
+EOF
+generate_dhparam
+
+systemctl daemon-reload
+systemctl enable --now gitea
+systemctl restart nginx
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-13-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="php-fpm,nginx,mariadb"
+
+CRED_FILE="/root/.zamba_credentials/icinga_stack.txt"
+
+PHP_VERSION=8.4
@@ -0,0 +1,536 @@
+
+set -euo pipefail
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+source /etc/os-release
+
+# --- Internal Helper Functions ---
+_generate_local_password() {
+    openssl rand -base64 "$1"
+}
+
+
+curl -fsSL https://packages.icinga.com/icinga.key | gpg --dearmor -o /usr/share/keyrings/icinga-archive-keyring.gpg
+echo "deb [signed-by=/usr/share/keyrings/icinga-archive-keyring.gpg] https://packages.icinga.com/debian icinga-$(lsb_release -cs) main" > /etc/apt/sources.list.d/icinga.list
+
+curl -fsSL https://packages.netways.de/netways-repo.asc | gpg --dearmor -o /usr/share/keyrings/netways-archive-keyring.gpg
+echo "deb [signed-by=/usr/share/keyrings/netways-archive-keyring.gpg] https://packages.netways.de/extras/debian/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/netways.list
+
+curl -fsSL https://repos.influxdata.com/influxdata-archive.key | gpg --dearmor -o /usr/share/keyrings/influxdata-archive_compat-keyring.gpg
+echo "deb [signed-by=/usr/share/keyrings/influxdata-archive_compat-keyring.gpg] https://repos.influxdata.com/debian bookworm stable" > /etc/apt/sources.list.d/influxdata.list
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq --no-install-recommends \
+        icinga2 nginx php${PHP_VERSION}-fpm php${PHP_VERSION}-mysql php${PHP_VERSION}-intl php${PHP_VERSION}-xml php${PHP_VERSION}-gd php${PHP_VERSION}-ldap php${PHP_VERSION}-imagick \
+        mariadb-server mariadb-client influxdb2 influxdb2-client imagemagick icingaweb2 icingacli icinga-php-library icingaweb2-module-reactbundle icinga-notifications icinga-notifications-web \
+        icinga-director icingadb icingadb-redis icingadb-web icingaweb2-module-perfdatagraphs icingaweb2-module-perfdatagraphs-influxdbv2 chromium fonts-liberation fonts-noto icinga-x509 \
+        monitoring-plugins monitoring-plugins-basic monitoring-plugins-common monitoring-plugins-standard monitoring-plugins-systemd icingaweb2-module-pdfexport
+
+
+
+ICINGAWEB_DB_PASS=$(_generate_local_password 24)
+DIRECTOR_DB_PASS=$(_generate_local_password 24)
+ICINGADB_PASS=$(_generate_local_password 24)
+ICINGA_X509_DB_PASS=$(_generate_local_password 24)
+ICINGA_API_USER_PASS=$(_generate_local_password 24)
+NOTIFICATIONS_DB_PASS=$(_generate_local_password 24)
+ICINGAWEB_ADMIN_PASS=$(_generate_local_password 16)
+INFLUX_ADMIN_PASS=$(_generate_local_password 16)
+INFLUX_ADMIN_TOKEN=$(_generate_local_password 40)
+
+systemctl start mariadb
+
+mysql -e "CREATE DATABASE IF NOT EXISTS icingaweb2 CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;"
+mysql -e "CREATE DATABASE IF NOT EXISTS director CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;"
+mysql -e "CREATE DATABASE IF NOT EXISTS icingadb CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;"
+mysql -e "CREATE DATABASE IF NOT EXISTS notifications CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;"
+mysql -e "CREATE DATABASE IF NOT EXISTS x509 CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;"
+
+mysql -e "CREATE USER IF NOT EXISTS 'icingaweb2'@'localhost' IDENTIFIED BY '${ICINGAWEB_DB_PASS}';"
+mysql -e "CREATE USER IF NOT EXISTS 'director'@'localhost' IDENTIFIED BY '${DIRECTOR_DB_PASS}';"
+mysql -e "CREATE USER IF NOT EXISTS 'icingadb'@'localhost' IDENTIFIED BY '${ICINGADB_PASS}';"
+mysql -e "CREATE USER IF NOT EXISTS 'notifications'@'localhost' IDENTIFIED BY '${NOTIFICATIONS_DB_PASS}';"
+mysql -e "CREATE USER IF NOT EXISTS 'x509'@'localhost' IDENTIFIED BY '${ICINGA_X509_DB_PASS}';"
+
+mysql -e "GRANT ALL PRIVILEGES ON icingaweb2.* TO 'icingaweb2'@'localhost';"
+mysql -e "GRANT ALL PRIVILEGES ON director.* TO 'director'@'localhost';"
+mysql -e "GRANT ALL PRIVILEGES ON icingadb.* TO 'icingadb'@'localhost';"
+mysql -e "GRANT ALL PRIVILEGES ON notifications.* TO 'notifications'@'localhost';"
+mysql -e "GRANT ALL PRIVILEGES ON x509.* TO 'x509'@'localhost';"
+mysql -e "FLUSH PRIVILEGES;"
+
+systemctl start influxdb
+influx setup --skip-verify --username admin --password "$INFLUX_ADMIN_PASS" --org icinga --bucket icinga --token "$INFLUX_ADMIN_TOKEN" -f
+INFLUX_ICINGA_TOKEN=$(influx auth create --org icinga --all-access --json | grep -oP '"token": "\K[^"]+')
+if [ -z "$INFLUX_ICINGA_TOKEN" ]; then echo "[ERROR] Konnte InfluxDB Token nicht erstellen." >&2; exit 1; fi
+
+
+mkdir -p "$(dirname "$CRED_FILE")" && chmod 700 "$(dirname "$CRED_FILE")"
+{
+    echo "# --- Icinga Monitoring Stack Credentials ---"
+    echo "URL: https://${ZAMBA_HOSTNAME:-$(hostname -f)}/icingaweb2; Benutzer: icingaadmin; Passwort: ${ICINGAWEB_ADMIN_PASS}"
+    echo "InfluxDB Admin Token: ${INFLUX_ADMIN_TOKEN}"
+    echo "Icinga Director API: Benutzer: director; Passwort: ${ICINGA_API_USER_PASS}"
+} > "$CRED_FILE" && chmod 600 "$CRED_FILE"
+
+systemctl enable --now icingadb-redis
+
+cat > /etc/icinga2/features-available/icingadb.conf <<EOF
+library "icingadb"
+
+object IcingaDB "icingadb" {
+  host = "127.0.0.1"
+  port = 6380
+}
+EOF
+
+cat > /etc/icinga2/conf.d/api-users.conf <<EOF
+object ApiUser "director" {
+  password = "${ICINGA_API_USER_PASS}"
+  permissions = [ "*" ]
+}
+EOF
+
+cat > /etc/icinga2/features-available/influxdb2-writer.conf <<EOF
+object Influxdb2Writer "influxdb2" {
+  host = "127.0.0.1"
+  port = 8086
+  organization = "icinga"
+  bucket = "icinga"
+  auth_token = "${INFLUX_ICINGA_TOKEN}"
+  
+  flush_threshold = 1024
+  flush_interval = 10s
+
+  host_template = {
+    measurement = "\$host.check_command\$"
+    tags = {
+      hostname = "\$host.name\$"
+    }
+  }
+  service_template = {
+    measurement = "\$service.check_command\$"
+    tags = {
+      hostname = "\$host.name\$"
+      service = "\$service.name\$"
+    }
+  }
+}
+EOF
+cat > /etc/icinga2/zones.conf <<EOF
+object Endpoint "$(hostname -f)" { host = "127.0.0.1" }
+object Zone "master" { endpoints = [ "$(hostname -f)" ] }
+object Zone "global-templates" { global = true }
+object Zone "director-global" { global = true }
+EOF
+
+cat > /etc/icingadb/config.yml <<EOF
+database:
+  type: mysql
+  host: localhost
+  database: icingadb
+  user: icingadb
+  password: ${ICINGADB_PASS}
+redis:
+  host: 127.0.0.1
+  port: 6380
+logging:
+  level: info
+  output: systemd-journald
+EOF
+
+mkdir -p /etc/icingaweb2/modules/icingadb
+cat << EOF > /etc/icingaweb2/modules/icingadb/config.ini
+[icingadb]
+resource = icingadb
+EOF
+cat << EOF > /etc/icingaweb2/modules/icingadb/redis.ini
+[redis1]
+host = "localhost"
+EOF
+cat << EOF > /etc/icingaweb2/modules/icingadb/commandtransports.ini
+[$(hostname -f)]
+transport = "api"
+host = "$(hostname -f)"
+port = "5665"
+username = "director"
+password = "${ICINGA_API_USER_PASS}"
+EOF
+
+
+
+icinga2 feature enable icingadb
+
+mkdir -p /etc/icingaweb2
+
+cat > /etc/icingaweb2/resources.ini <<EOF
+[icingaweb_db]
+type = "db"
+db = "mysql"
+host = "localhost"
+dbname = "icingaweb2"
+username = "icingaweb2"
+password = "${ICINGAWEB_DB_PASS}"
+charset = "utf8mb4"
+
+[director_db]
+type = "db"
+db = "mysql"
+host = "localhost"
+dbname = "director"
+username = "director"
+password = "${DIRECTOR_DB_PASS}"
+charset = "utf8mb4"
+
+[icingadb]
+type = "db"
+db = "mysql"
+host = "localhost"
+dbname = "icingadb"
+username = "icingadb"
+password = "${ICINGADB_PASS}"
+charset = "utf8mb4"
+
+[notifications]
+type = "db"
+db = "mysql"
+host = "localhost"
+dbname = "notifications"
+username = "notifications"
+password = "${NOTIFICATIONS_DB_PASS}"
+charset = "utf8mb4"
+EOF
+
+cat << EOF > /etc/icinga2/conf.d/services.conf
+apply Service "ping4" {
+  import "generic-service"
+
+  check_command = "ping4"
+
+  assign where host.address
+}
+
+apply Service "ping6" {
+  import "generic-service"
+
+  check_command = "ping6"
+
+  assign where host.address6
+}
+
+apply Service "ssh" {
+  import "generic-service"
+
+  check_command = "ssh"
+
+  assign where (host.address || host.address6) && host.vars.os == "Linux"
+}
+
+
+
+apply Service for (http_vhost => config in host.vars.http_vhosts) {
+  import "generic-service"
+
+  check_command = "http"
+
+  vars += config
+}
+
+apply Service for (disk => config in host.vars.disks) {
+  import "generic-service"
+
+  check_command = "disk"
+
+  vars += config
+}
+
+apply Service "icinga" {
+  import "generic-service"
+
+  check_command = "icinga"
+
+  assign where host.name == NodeName
+}
+
+apply Service "load" {
+  import "generic-service"
+
+  check_command = "load"
+
+  assign where host.name == NodeName
+}
+
+apply Service "procs" {
+  import "generic-service"
+
+  check_command = "procs"
+
+  assign where host.name == NodeName
+}
+
+apply Service "users" {
+  import "generic-service"
+
+  check_command = "users"
+
+  assign where host.name == NodeName
+}
+
+apply Service "ssl" {
+  import "generic-service"
+
+  check_command = "ssl"
+
+  assign where host.name == NodeName
+}
+
+apply Service "smtp" {
+  import "generic-service"
+
+  check_command = "smtp"
+
+  assign where host.name == NodeName
+}
+
+EOF
+
+mkdir -p /etc/nginx/ssl
+if [ ! -L /etc/nginx/ssl/fullchain.pem ]; then
+    ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/fullchain.pem
+    ln -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem
+fi
+
+cat > /etc/nginx/sites-available/icinga-stack <<EOF
+server {
+    listen 80;
+    server_name ${ZAMBA_HOSTNAME:-$(hostname -f)};
+    return 301 https://\$host\$request_uri;
+}
+server {
+    listen 443 ssl http2;
+    server_name ${ZAMBA_HOSTNAME:-$(hostname -f)};
+    ssl_certificate /etc/nginx/ssl/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
+    root /usr/share/icingaweb2/public;
+    index index.php;
+    location / { try_files \$uri \$uri/ /index.php\$is_args\$args; }
+    location ~ \.php$ {
+        include fastcgi_params;
+        fastcgi_pass unix:/run/php/php${PHP_VERSION}-fpm.sock;
+        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
+        fastcgi_param ICINGAWEB_CONFIGDIR /etc/icingaweb2;
+    }
+    #location /grafana {
+    #    proxy_pass http://localhost:3000;
+    #    proxy_set_header Host \$http_host;
+    #}
+    location /icingadb-web {
+        proxy_pass http://localhost:8080/icingadb-web;
+        proxy_set_header Host \$http_host;
+    }
+}
+EOF
+
+cat << EOF > /etc/icinga-notifications/config.yml
+database:
+  type: mysql
+
+  host: localhost
+  
+  database: notifications
+
+  user: notifications
+
+  password: ${NOTIFICATIONS_DB_PASS}
+EOF
+
+mkdir -p /etc/icingaweb2/modules/notifications/
+cat << EOF > /etc/icingaweb2/modules/notifications/config.ini
+[database]
+resource = "notifications"
+EOF
+
+mkdir -p /etc/icingaweb2/modules/pdfexport
+cat << EOF > /etc/icingaweb2/modules/pdfexport/config.ini 
+[chrome]
+binary = "/usr/bin/chromium"
+force_temp_storage = "0"
+EOF
+
+
+
+ln -sf /etc/nginx/sites-available/icinga-stack /etc/nginx/sites-enabled/
+rm -f /etc/nginx/sites-enabled/default
+
+sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/' "/etc/php/${PHP_VERSION}/fpm/php.ini"
+sed -i "s|;date.timezone =|date.timezone = $(cat /etc/timezone)|" "/etc/php/${PHP_VERSION}/fpm/php.ini"
+
+icinga2 api setup
+systemctl enable icinga2 mariadb nginx php${PHP_VERSION}-fpm influxdb icingadb icingadb-redis icinga-notifications
+
+systemctl start mariadb
+systemctl start icinga2 icingadb-redis nginx php${PHP_VERSION}-fpm influxdb icingadb
+
+IWEB_SCHEMA="/usr/share/icingaweb2/schema/mysql.schema.sql"
+DIRECTOR_SCHEMA="/usr/share/icingaweb2/modules/director/schema/mysql.sql"
+ICINGADB_SCHEMA="/usr/share/icingadb/schema/mysql/schema.sql"
+NOTIFICATIONS_SCHEMA="/usr/share/icinga-notifications/schema/mysql/schema.sql"
+X509_SCHEMA="/usr/share/icingaweb2/modules/x509/schema/mysql.schema.sql"
+
+if [ ! -f "$IWEB_SCHEMA" ]; then echo "[ERROR] IcingaWeb-Schema nicht gefunden: $IWEB_SCHEMA" >&2; exit 1; fi
+if [ ! -f "$DIRECTOR_SCHEMA" ]; then echo "[ERROR] Director-Schema nicht gefunden: $DIRECTOR_SCHEMA" >&2; exit 1; fi
+if [ ! -f "$ICINGADB_SCHEMA" ]; then echo "[ERROR] IcingaDB-Schema nicht gefunden: $ICINGADB_SCHEMA" >&2; exit 1; fi
+if [ ! -f "$NOTIFICATIONS_SCHEMA" ]; then echo "[ERROR] IcingaDB-Schema nicht gefunden: $NOTIFICATIONS_SCHEMA" >&2; exit 1; fi
+if [ ! -f "$X509_SCHEMA" ]; then echo "[ERROR] IcingaDB-Schema nicht gefunden: $X509_SCHEMA" >&2; exit 1; fi
+
+
+if ! mysql -e "use icingaweb2; show tables;" | grep -q "icingaweb_user"; then
+    echo "[INFO] Importiere IcingaWeb2-Schema..."
+    mysql icingaweb2 < "$IWEB_SCHEMA"
+fi
+
+if ! mysql -e "use director; show tables;" | grep -q "director_datafield"; then
+    echo "[INFO] Importiere Icinga Director-Schema..."
+    mysql director < "$DIRECTOR_SCHEMA"
+fi
+
+if ! mysql -e "use icingadb; show tables;" | grep -q "icingadb_schema_migration"; then
+    echo "[INFO] Importiere IcingaDB-Schema..."
+    mysql icingadb < "$ICINGADB_SCHEMA"
+fi
+
+if ! mysql -e "use notifications; show tables;" | grep -q "incident_rule_escalation_state"; then
+    echo "[INFO] Importiere Notifications-Schema..."
+    mysql notifications < "$NOTIFICATIONS_SCHEMA"
+fi
+
+if ! mysql -e "use x509; show tables;" | grep -q "x509_schema"; then
+    echo "[INFO] Importiere x509-Schema..."
+    mysql x509 < "$X509_SCHEMA"
+fi
+
+
+cat > /etc/icingaweb2/config.ini <<EOF
+[global]
+show_stacktraces = "0"
+config_backend = "db"
+config_resource = "icingaweb_db"
+[logging]
+log = "file"
+log_file = "/var/log/icingaweb2/icingaweb2.log"
+level = "ERROR"
+EOF
+
+cat > /etc/icingaweb2/authentication.ini <<EOF
+[icinga-web-admin]
+backend = "db"
+resource = "icingaweb_db"
+EOF
+
+cat > /etc/icingaweb2/roles.ini <<EOF
+[Administrators]
+users = "icingaadmin"
+permissions = "*"
+groups = "Administrators"
+EOF
+    
+mkdir -p /etc/icingaweb2/modules/monitoring
+cat > /etc/icingaweb2/modules/monitoring/backends.ini <<EOF
+[icingadb]
+backend = "icingadb"
+resource = "icingadb"
+EOF
+    
+mkdir -p /etc/icingaweb2/modules/director
+cat > /etc/icingaweb2/modules/director/config.ini <<EOF
+[db]
+resource = "director_db"
+EOF
+
+mkdir -p /etc/icingaweb2/modules/perfdatagraphs
+mkdir -p /etc/icingaweb2/modules/perfdatagraphsinfluxdbv2
+cat > /etc/icingaweb2/modules/perfdatagraphsinfluxdbv2/config.ini <<EOF
+[influx]
+api_url = "http://127.0.0.1:8086"
+api_token = "${INFLUX_ICINGA_TOKEN}"
+api_org = "icinga"
+api_bucket = "icinga"
+api_tls_insecure = "1"
+EOF
+
+cat > /etc/icingaweb2/modules/perfdatagraphs/config.ini << EOF
+[perfdatagraphs]
+default_timerange = "PT12H"
+default_backend = "InfluxDBv2"
+EOF
+
+icinga2 feature enable icingadb api influxdb2-writer perfdata
+
+#icingacli x509 import --file /etc/ssl/certs/ca-certificates.crt
+
+echo "[INFO] Icinga Web 2 Module werden in korrekter Reihenfolge aktiviert."
+icingacli module enable reactbundle
+icingacli module enable incubator
+icingacli module enable director
+icingacli module enable icingadb
+icingacli module enable perfdatagraphs
+icingacli module enable perfdatagraphsinfluxdbv2
+icingacli module enable notifications
+
+echo "[INFO] Alle Services werden neu gestartet, um die finale Konfiguration zu laden."
+systemctl restart mariadb
+systemctl restart php${PHP_VERSION}-fpm
+systemctl restart nginx
+systemctl restart icingadb
+systemctl restart icinga-notifications
+
+echo "[INFO] Füge Icinga Web 2 Admin-Benutzer direkt in die Datenbank ein."
+PASSWORD_HASH=$(php -r "echo password_hash('${ICINGAWEB_ADMIN_PASS}', PASSWORD_BCRYPT);")
+mysql icingaweb2 -e "INSERT INTO icingaweb_user (name, active, password_hash) VALUES ('icingaadmin', 1, '${PASSWORD_HASH}') ON DUPLICATE KEY UPDATE password_hash='${PASSWORD_HASH}';"
+
+echo "[INFO] Warte auf Icinga Web 2 und API..."
+counter=0
+while ! icingacli director migration run >/dev/null 2>&1; do
+    counter=$((counter + 1))
+    if [ "$counter" -gt 15 ]; then
+        echo "[ERROR] Icinga Director wurde nach 30 Sekunden nicht bereit." >&2
+        exit 1
+    fi
+    echo "[INFO] Director ist noch nicht bereit, warte 2 Sekunden... (Versuch ${counter}/15)"
+    sleep 2
+done
+echo "[INFO] Icinga Director ist bereit."
+
+echo "[INFO] Icinga Director Setup wird ausgeführt."
+cat > /etc/icingaweb2/modules/director/kickstart.ini <<EOF
+[config]
+endpoint = "$(hostname -f)"
+port = "5665"
+username = "director"
+password = "${ICINGA_API_USER_PASS}"
+EOF
+systemctl restart icinga2
+icingacli director kickstart run
+
+echo "[INFO] Director Konfiguration wird angewendet."
+icingacli director config deploy
+
+echo ""
+echo "================================================="
+echo "  Installation des Icinga Monitoring Stacks abgeschlossen"
+echo "================================================="
+echo ""
+echo "Die Konfiguration wurde erfolgreich abgeschlossen."
+echo "Alle notwendigen Passwörter, Logins und API-Keys wurden generiert."
+echo ""
+echo "Sie finden alle Zugangsdaten in der folgenden Datei:"
+echo "  ${CRED_FILE}"
+echo ""
+echo "Wichtige URLs:"
+echo "  Icinga Web 2: https://${ZAMBA_HOSTNAME:-$(hostname -f)}/icingaweb2"
+echo "  IcingaDB Web: https://${ZAMBA_HOSTNAME:-$(hostname -f)}/icingadb-web"
+echo ""
+cat ${CRED_FILE}
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-13-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Defines the version number of kimai mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
+#KIMAI_VERSION="main"
+
+# Defines the php version to install
+KIMAI_PHP_VERSION="8.4"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="php-fpm,nginx,mariadb"
@@ -0,0 +1,171 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+KIMAI_DB_PWD=$(random_password)
+webroot=/var/www/kimai/public
+
+apt update
+
+inst_php intl,cli,fpm,mysql,xml,mbstring,gd,tokenizer,zip,opcache,curl $KIMAI_PHP_VERSION
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq zip unzip sudo nginx-full mariadb-server mariadb-client  
+
+mkdir -p /etc/nginx/ssl
+openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/kimai.key -out /etc/nginx/ssl/kimai.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
+
+PHP_VERSION=$(php -v | head -1 | cut -d ' ' -f2)
+PHP_VERSION=${PHP_VERSION:0:3}
+
+cat << EOF > /etc/nginx/sites-available/default
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    server_name _;
+
+    return 301 https://$LXC_HOSTNAME.$LXC_DOMAIN;
+}
+
+server {
+
+    client_max_body_size 2M;
+    fastcgi_buffers 64 4K;
+    client_body_timeout 120s;
+
+    listen 443 http2 ssl default_server;
+    listen [::]:443 http2 ssl default_server;
+    server_name $LXC_HOSTNAME.$LXC_DOMAIN;
+
+    root $webroot;
+
+    index index.php;
+
+    ssl_certificate /etc/nginx/ssl/kimai.crt;
+    ssl_certificate_key /etc/nginx/ssl/kimai.key;
+
+    access_log  /var/log/nginx/kimai.access.log;
+    error_log   /var/log/nginx/kimai.error.log;
+
+    location / {
+        try_files \$uri \$uri/ /index.php?\$query_string;
+    }
+
+    location ~ \.php$ {
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_pass unix:/run/php/php${PHP_VERSION}-fpm.sock;
+        fastcgi_index index.php;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
+        fastcgi_intercept_errors off;
+        fastcgi_buffer_size 16k;
+        fastcgi_buffers 4 16k;
+    }
+
+    location = /favicon.ico { access_log off; log_not_found off; }
+    location = /robots.txt  { access_log off; log_not_found off; }
+
+    location ~ /\.ht {
+        deny all;
+    }
+
+    fastcgi_hide_header X-Powered-By;
+    fastcgi_read_timeout 3600;
+    fastcgi_send_timeout 3600;
+    fastcgi_connect_timeout 3600;
+
+    add_header Permissions-Policy                   "interest-cohort=()";
+    add_header Referrer-Policy                      "no-referrer"   always;
+    add_header X-Content-Type-Options               "nosniff"       always;
+    add_header X-Download-Options                   "noopen"        always;
+    add_header X-Frame-Options                      "SAMEORIGIN"    always;
+    add_header X-Permitted-Cross-Domain-Policies    "none"          always;
+    add_header X-Robots-Tag                         "none"          always;
+    add_header X-XSS-Protection                     "1; mode=block" always;
+
+    gzip on;
+    gzip_vary on;
+    gzip_comp_level 4;
+    gzip_min_length 256;
+    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+}
+
+EOF
+
+mysql -uroot -e "CREATE USER 'kimai'@'localhost' IDENTIFIED BY '$KIMAI_DB_PWD';
+CREATE DATABASE IF NOT EXISTS kimai;
+GRANT ALL PRIVILEGES ON kimai.* TO 'kimai'@'localhost' IDENTIFIED BY '$KIMAI_DB_PWD';
+FLUSH PRIVILEGES;"
+
+sed -i "s/post_max_size = 8M/post_max_size = 2M/g" /etc/php/${PHP_VERSION}/fpm/php.ini
+sed -i "s/memory_limit = 128M/memory_limit = 512M/g" /etc/php/${PHP_VERSION}/fpm/php.ini
+sed -i "s/;opcache.enable=1/opcache.enable=1/g" /etc/php/${PHP_VERSION}/fpm/php.ini
+sed -i "s/;opcache.memory_consumption=128/opcache.memory_consumption=256/g" /etc/php/${PHP_VERSION}/fpm/php.ini
+sed -i "s/opcache.interned_strings_buffer=8/opcache.interned_strings_buffer=24/g" /etc/php/${PHP_VERSION}/fpm/php.ini
+sed -i "s/;opcache.max_accelerated_files=10000/opcache.max_accelerated_files=100000/g" /etc/php/${PHP_VERSION}/fpm/php.ini
+sed -i "s/;opcache.validate_timestamps=1/opcache.validate_timestamps=0/g" /etc/php/${PHP_VERSION}/fpm/php.ini
+sed -i "s/session.gc_maxlifetime = 1440/session.gc_maxlifetime = 604800/g" /etc/php/${PHP_VERSION}/fpm/php.ini
+
+EXPECTED_CHECKSUM="$(php -r 'copy("https://composer.github.io/installer.sig", "php://stdout");')"
+php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
+ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', 'composer-setup.php');")"
+if [ "$EXPECTED_CHECKSUM" != "$ACTUAL_CHECKSUM" ]
+then
+    >&2 echo 'ERROR: Invalid composer installer checksum'
+    rm composer-setup.php
+    exit 1
+fi
+php composer-setup.php --quiet
+rm composer-setup.php
+# Move composer to global installation
+mv composer.phar /usr/local/bin/composer
+
+cd /var/www
+dl=$(curl -s https://api.github.com/repos/kimai/kimai/releases/latest | grep tarball_url | cut -d'"' -f4)
+version=$(echo $dl | rev | cut -d'/' -f1 | rev)
+wget -O kimai-${version}.tar.gz ${dl}
+tar xfz kimai-${version}.tar.gz
+rm kimai-${version}.tar.gz
+mv kimai-* kimai
+cd kimai
+
+# Install kimai composer dependencies
+export COMPOSER_ALLOW_SUPERUSER=1
+/usr/local/bin/composer install --optimize-autoloader -n
+
+# Copy and update kimai environment variables
+cat << EOF > .env
+# For more infos about the variables, see .env.dist
+DATABASE_URL=mysql://kimai:$KIMAI_DB_PWD@localhost:3306/kimai?charset=utf8&serverVersion=mariadb-10.11.3
+MAILER_FROM=admin@$LXC_DOMAIN
+MAILER_URL=null://null
+APP_ENV=prod
+APP_SECRET=$(random_password)
+CORS_ALLOW_ORIGIN=^https?://localhost(:[0-9]+)?$
+EOF
+
+bin/console kimai:install -n
+
+bin/console kimai:user:create admin admin@$LXC_DOMAIN ROLE_SUPER_ADMIN $LXC_PWD
+
+chown -R www-data:www-data .
+chmod -R g+r .
+chmod -R g+rw var/
+
+systemctl daemon-reload
+systemctl enable --now php${PHP_VERSION}-fpm nginx
+systemctl restart php${PHP_VERSION}-fpm nginx
+
+LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)
+
+echo -e "Your kimai installation is now complete. Please continue with setup in your Browser.\nURL:\t\thttp://$(echo ${LXC_IP} | cut -d'/' -f1)\nLogin:\t\tadmin@${LXC_DOMAIN}\nPassword:\t${LXC_PWD}\n\n"
@@ -0,0 +1,77 @@
+#!/bin/bash
+set -euo pipefail
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# load configuration
+echo "Loading configuration..."
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants.conf
+source /root/constants-service.conf
+
+echo "Updating locales"
+# update locales
+sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
+sed -i "s|# en_US.UTF-8|en_US.UTF-8|" /etc/locale.gen
+cat << EOF > /etc/default/locale
+LANG="$LXC_LOCALE"
+LANGUAGE=$LXC_LOCALE
+EOF
+locale-gen $LXC_LOCALE 
+
+# Generate sources
+if [ "$LXC_TEMPLATE_VERSION" == "debian-12-standard" ] ; then
+
+cat << EOF > /etc/apt/sources.list
+deb http://deb.debian.org/debian/ bookworm main contrib
+
+deb http://deb.debian.org/debian/ bookworm-updates main contrib
+
+# security updates
+deb http://security.debian.org/debian-security bookworm-security main contrib
+EOF
+elif [ "$LXC_TEMPLATE_VERSION" == "debian-13-standard" ] ; then
+
+if [ -f /etc/apt/sources.list ] ; then rm /etc/apt/sources.list ; fi
+cat << EOF > /etc/apt/sources.list.d/debian.sources
+Types: deb deb-src
+URIs: https://deb.debian.org/debian
+Suites: trixie trixie-updates
+Components: main non-free-firmware contrib non-free
+Enabled: yes
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+Types: deb deb-src
+URIs: https://security.debian.org/debian-security
+Suites: trixie-security
+Components: main non-free-firmware contrib non-free
+Enabled: yes
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+EOF
+
+else echo "LXC Debian Version false. Please check configuration files!" ; exit
+fi
+
+# update package lists
+echo "Updating package database..."
+apt --allow-releaseinfo-change update
+
+# install latest packages
+echo "Installing latest updates"
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
+
+# install toolset
+echo "Installing preconfigured toolset..."
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET_BASE $LXC_TOOLSET
+
+echo "Enabling vim syntax highlighting..."
+sed -i "s|\"syntax on|syntax on|g" /etc/vim/vimrc
+if [ $LXC_VIM_BG_DARK -gt 0 ]; then
+    sed -i "s|\"set background=dark|set background=dark|g" /etc/vim/vimrc
+fi
+
+echo "Basic container setup finished, continuing with service installation..."
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-13-standard"
+
+# Create sharefs mountpoint
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="backup"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="1"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=8192
+
+# service dependent meta tags
+SERVICE_TAGS="docker"
@@ -0,0 +1,440 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+set -euo pipefail
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+# Add Docker's official GPG key:
+install -m 0755 -d /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+chmod a+r /etc/apt/keyrings/docker.gpg
+
+# Add the repository to Apt sources:
+echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
+apt-get update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq rsync docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin jq
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get purge -y -qq postfix
+
+SECRET=$(random_password)
+myip=$(ip a s dev eth0 | grep -m1 inet | cut -d' ' -f6 | cut -d'/' -f1)
+
+install_portainer_full() {
+    mkdir -p /opt/portainer/data
+    cd /opt/portainer
+    cat << EOF > /opt/portainer/docker-compose.yml
+version: "3.4"
+
+services:
+  portainer:
+    restart: always
+    image: portainer/portainer:latest
+    volumes:
+      - ./data:/data
+      - /var/run/docker.sock:/var/run/docker.sock
+    ports:
+      - "8000:8000"
+      - "9443:9443"
+    command: --admin-password-file=/data/admin_password
+EOF
+    echo -n "$SECRET" > ./data/admin_password
+
+    docker compose pull
+    docker compose up -d
+    echo -e "\n######################################################################\n\n    You can access Portainer with your browser at https://${myip}:9443\n\n    Please note the following admin password to access the portainer:\n    '$SECRET'\n    Enjoy your Docker intallation.\n\n######################################################################"
+
+}
+
+install_portainer_agent() {
+    mkdir -p /opt/portainer-agent/data
+    cd /opt/portainer-agent
+    cat << EOF > /opt/portainer-agent/docker-compose.yml
+version: "3.4"
+
+services:
+  portainer:
+    restart: always  
+    image: portainer/agent:latest
+    volumes:
+      - /var/lib/docker/volumes:/var/lib/docker/volumes
+      - /var/run/docker.sock:/var/run/docker.sock
+    ports:
+      - "9001:9001"
+EOF
+
+    docker compose pull
+    docker compose up -d
+
+    echo -e "\n######################################################################\n\n    Please enter the following data into the Portainer "Add environment" wizard:\n\tEnvironment address: ${myip}:9001\n\n    Enjoy your Docker intallation.\n\n######################################################################"
+
+}
+
+# fix docker errors for slow machines
+cat << EOF > /etc/docker/daemon.json
+{
+  "default-ulimits": {
+    "nproc": {
+      "Name": "nproc",
+      "Soft": 4096,
+      "Hard": 4096
+    }
+  }
+}
+EOF
+systemctl restart docker
+
+
+cd /opt
+git clone https://github.com/mailcow/mailcow-dockerized
+cd mailcow-dockerized
+
+cat << EOF > mailcow.conf
+# ------------------------------
+# mailcow web ui configuration
+# ------------------------------
+# example.org is _not_ a valid hostname, use a fqdn here.
+# Default admin user is "admin"
+# Default password is "moohoo"
+
+MAILCOW_HOSTNAME=${LXC_HOSTNAME}.${LXC_DOMAIN}
+
+# Password hash algorithm
+# Only certain password hash algorithm are supported. For a fully list of supported schemes,
+# see https://docs.mailcow.email/models/model-passwd/
+MAILCOW_PASS_SCHEME=BLF-CRYPT
+
+# ------------------------------
+# SQL database configuration
+# ------------------------------
+
+DBNAME=mailcow
+DBUSER=mailcow
+
+# Please use long, random alphanumeric strings (A-Za-z0-9)
+
+DBPASS=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
+DBROOT=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
+
+REDISPASS=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
+
+# ------------------------------
+# HTTP/S Bindings
+# ------------------------------
+
+# You should use HTTPS, but in case of SSL offloaded reverse proxies:
+# Might be important: This will also change the binding within the container.
+# If you use a proxy within Docker, point it to the ports you set below.
+# Do _not_ use IP:PORT in HTTP(S)_BIND or HTTP(S)_PORT
+# IMPORTANT: Do not use port 8081, 9081 or 65510!
+# Example: HTTP_BIND=1.2.3.4
+# For IPv4 leave it as it is: HTTP_BIND= & HTTPS_PORT=
+# For IPv6 see https://docs.mailcow.email/post_installation/firststeps-ip_bindings/
+
+HTTP_PORT=80
+HTTP_BIND=
+
+HTTPS_PORT=443
+HTTPS_BIND=
+
+# ------------------------------
+# Other bindings
+# ------------------------------
+# You should leave that alone
+# Format: 11.22.33.44:25 or 12.34.56.78:465 etc.
+
+SMTP_PORT=25
+SMTPS_PORT=465
+SUBMISSION_PORT=587
+IMAP_PORT=143
+IMAPS_PORT=993
+POP_PORT=110
+POPS_PORT=995
+SIEVE_PORT=4190
+DOVEADM_PORT=127.0.0.1:19991
+SQL_PORT=127.0.0.1:13306
+REDIS_PORT=127.0.0.1:7654
+
+# Your timezone
+# See https://en.wikipedia.org/wiki/List_of_tz_database_time_zones for a list of timezones
+# Use the column named 'TZ identifier' + pay attention for the column named 'Notes'
+
+TZ=${LXC_TIMEZONE}
+
+# Fixed project name
+# Please use lowercase letters only
+
+COMPOSE_PROJECT_NAME=mailcowdockerized
+
+# Used Docker Compose version
+# Switch here between native (compose plugin) and standalone
+# For more informations take a look at the mailcow docs regarding the configuration options.
+# Normally this should be untouched but if you decided to use either of those you can switch it manually here.
+# Please be aware that at least one of those variants should be installed on your machine or mailcow will fail.
+
+DOCKER_COMPOSE_VERSION=native
+
+# Set this to "allow" to enable the anyone pseudo user. Disabled by default.
+# When enabled, ACL can be created, that apply to "All authenticated users"
+# This should probably only be activated on mail hosts, that are used exclusivly by one organisation.
+# Otherwise a user might share data with too many other users.
+ACL_ANYONE=disallow
+
+# Garbage collector cleanup
+# Deleted domains and mailboxes are moved to /var/vmail/_garbage/timestamp_sanitizedstring
+# How long should objects remain in the garbage until they are being deleted? (value in minutes)
+# Check interval is hourly
+
+MAILDIR_GC_TIME=7200
+
+# Additional SAN for the certificate
+#
+# You can use wildcard records to create specific names for every domain you add to mailcow.
+# Example: Add domains "example.com" and "example.net" to mailcow, change ADDITIONAL_SAN to a value like:
+#ADDITIONAL_SAN=imap.*,smtp.*
+# This will expand the certificate to "imap.example.com", "smtp.example.com", "imap.example.net", "smtp.example.net"
+# plus every domain you add in the future.
+#
+# You can also just add static names...
+#ADDITIONAL_SAN=srv1.example.net
+# ...or combine wildcard and static names:
+#ADDITIONAL_SAN=imap.*,srv1.example.com
+#
+
+ADDITIONAL_SAN=
+
+# Additional server names for mailcow UI
+#
+# Specify alternative addresses for the mailcow UI to respond to
+# This is useful when you set mail.* as ADDITIONAL_SAN and want to make sure mail.maildomain.com will always point to the mailcow UI.
+# If the server name does not match a known site, Nginx decides by best-guess and may redirect users to the wrong web root.
+# You can understand this as server_name directive in Nginx.
+# Comma separated list without spaces! Example: ADDITIONAL_SERVER_NAMES=a.b.c,d.e.f
+
+ADDITIONAL_SERVER_NAMES=
+
+# Skip running ACME (acme-mailcow, Let's Encrypt certs) - y/n
+
+SKIP_LETS_ENCRYPT=y
+
+# Create seperate certificates for all domains - y/n
+# this will allow adding more than 100 domains, but some email clients will not be able to connect with alternative hostnames
+# see https://doc.dovecot.org/admin_manual/ssl/sni_support
+ENABLE_SSL_SNI=n
+
+# Skip IPv4 check in ACME container - y/n
+
+SKIP_IP_CHECK=n
+
+# Skip HTTP verification in ACME container - y/n
+
+SKIP_HTTP_VERIFICATION=n
+
+# Skip ClamAV (clamd-mailcow) anti-virus (Rspamd will auto-detect a missing ClamAV container) - y/n
+
+SKIP_CLAMD=n
+
+# Skip SOGo: Will disable SOGo integration and therefore webmail, DAV protocols and ActiveSync support (experimental, unsupported, not fully implemented) - y/n
+
+SKIP_SOGO=n
+
+# Allow admins to log into SOGo as email user (without any password)
+
+ALLOW_ADMIN_EMAIL_LOGIN=n
+
+# Enable watchdog (watchdog-mailcow) to restart unhealthy containers
+
+USE_WATCHDOG=y
+
+# Send watchdog notifications by mail (sent from watchdog@MAILCOW_HOSTNAME)
+# CAUTION:
+# 1. You should use external recipients
+# 2. Mails are sent unsigned (no DKIM)
+# 3. If you use DMARC, create a separate DMARC policy ("v=DMARC1; p=none;" in _dmarc.MAILCOW_HOSTNAME)
+# Multiple rcpts allowed, NO quotation marks, NO spaces
+
+#WATCHDOG_NOTIFY_EMAIL=a@example.com,b@example.com,c@example.com
+#WATCHDOG_NOTIFY_EMAIL=
+
+# Send notifications to a webhook URL that receives a POST request with the content type "application/json".
+# You can use this to send notifications to services like Discord, Slack and others.
+#WATCHDOG_NOTIFY_WEBHOOK=https://discord.com/api/webhooks/XXXXXXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+# JSON body included in the webhook POST request. Needs to be in single quotes.
+# Following variables are available: SUBJECT, BODY
+#WATCHDOG_NOTIFY_WEBHOOK_BODY='{"username": "mailcow Watchdog", "content": "**\${SUBJECT}**\n\${BODY}"}'
+
+# Notify about banned IP (includes whois lookup)
+WATCHDOG_NOTIFY_BAN=n
+
+# Send a notification when the watchdog is started.
+WATCHDOG_NOTIFY_START=y
+
+# Subject for watchdog mails. Defaults to "Watchdog ALERT" followed by the error message.
+#WATCHDOG_SUBJECT=
+
+# Checks if mailcow is an open relay. Requires a SAL. More checks will follow.
+# https://www.servercow.de/mailcow?lang=en
+# https://www.servercow.de/mailcow?lang=de
+# No data is collected. Opt-in and anonymous.
+# Will only work with unmodified mailcow setups.
+WATCHDOG_EXTERNAL_CHECKS=n
+
+# Enable watchdog verbose logging
+WATCHDOG_VERBOSE=n
+
+# Max log lines per service to keep in Redis logs
+
+LOG_LINES=9999
+
+# Internal IPv4 /24 subnet, format n.n.n (expands to n.n.n.0/24)
+# Use private IPv4 addresses only, see https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses
+
+IPV4_NETWORK=172.22.1
+
+# Internal IPv6 subnet in fc00::/7
+# Use private IPv6 addresses only, see https://en.wikipedia.org/wiki/Private_network#Private_IPv6_addresses
+
+IPV6_NETWORK=fd4d:6169:6c63:6f77::/64
+
+# Use this IPv4 for outgoing connections (SNAT)
+
+#SNAT_TO_SOURCE=
+
+# Use this IPv6 for outgoing connections (SNAT)
+
+#SNAT6_TO_SOURCE=
+
+# Create or override an API key for the web UI
+# You _must_ define API_ALLOW_FROM, which is a comma separated list of IPs
+# An API key defined as API_KEY has read-write access
+# An API key defined as API_KEY_READ_ONLY has read-only access
+# Allowed chars for API_KEY and API_KEY_READ_ONLY: a-z, A-Z, 0-9, -
+# You can define API_KEY and/or API_KEY_READ_ONLY
+
+#API_KEY=
+#API_KEY_READ_ONLY=
+#API_ALLOW_FROM=172.22.1.1,127.0.0.1
+
+# mail_home is ~/Maildir
+MAILDIR_SUB=Maildir
+
+# SOGo session timeout in minutes
+SOGO_EXPIRE_SESSION=480
+
+# DOVECOT_MASTER_USER and DOVECOT_MASTER_PASS must both be provided. No special chars.
+# Empty by default to auto-generate master user and password on start.
+# User expands to DOVECOT_MASTER_USER@mailcow.local
+# LEAVE EMPTY IF UNSURE
+DOVECOT_MASTER_USER=
+# LEAVE EMPTY IF UNSURE
+DOVECOT_MASTER_PASS=
+
+# Let's Encrypt registration contact information
+# Optional: Leave empty for none
+# This value is only used on first order!
+# Setting it at a later point will require the following steps:
+# https://docs.mailcow.email/troubleshooting/debug-reset_tls/
+ACME_CONTACT=
+
+# WebAuthn device manufacturer verification
+# After setting WEBAUTHN_ONLY_TRUSTED_VENDORS=y only devices from trusted manufacturers are allowed
+# root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates
+WEBAUTHN_ONLY_TRUSTED_VENDORS=n
+
+# Spamhaus Data Query Service Key
+# Optional: Leave empty for none
+# Enter your key here if you are using a blocked ASN (OVH, AWS, Cloudflare e.g) for the unregistered Spamhaus Blocklist. 
+# If empty, it will completely disable Spamhaus blocklists if it detects that you are running on a server using a blocked AS.
+# Otherwise it will work normally.
+SPAMHAUS_DQS_KEY=
+
+# Obtain certificates for autodiscover.* and autoconfig.* domains.
+# This can be useful to switch off in case you are in a scenario where a reverse proxy already handles those.
+# There are mixed scenarios where ports 80,443 are occupied and you do not want to share certs
+# between services. So acme-mailcow obtains for maildomains and all web-things get handled
+# in the reverse proxy.
+AUTODISCOVER_SAN=y
+# Skip Unbound (DNS Resolver) Healthchecks (NOT Recommended!) - y/n
+SKIP_UNBOUND_HEALTHCHECK=n
+# Prevent netfilter from setting an iptables/nftables rule to isolate the mailcow docker network - y/n
+# CAUTION: Disabling this may expose container ports to other neighbors on the same subnet, even if the ports are bound to localhost
+DISABLE_NETFILTER_ISOLATION_RULE=n
+
+# ------------------------------
+# REDIS configuration
+# ------------------------------
+
+REDISPASS=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
+# Dovecot Indexing (FTS) Process maximum heap size in MB, there is no recommendation, please see Dovecot docs.
+# Flatcurve is used as FTS Engine. It is supposed to be pretty efficient in CPU and RAM consumption.
+# Please always monitor your Resource consumption!
+FTS_HEAP=128
+# Controls how many processes the Dovecot indexing process can spawn at max.
+# Too many indexing processes can use a lot of CPU and Disk I/O
+# Please visit: https://doc.dovecot.org/configuration_manual/service_configuration/#indexer-worker for more informations
+FTS_PROCS=1
+# Skip FTS (Fulltext Search) for Dovecot on low-memory, low-threaded systems or if you simply want to disable it.
+# Dovecot inside mailcow use Flatcurve as FTS Backend.
+SKIP_FTS=y
+# Redirect HTTP connections to HTTPS - y/n
+HTTP_REDIRECT=y
+
+EOF
+
+cat << EOF > /etc/cron.daily/mailcowbackup
+#!/bin/bash
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+25 1 * * * rsync -aH --delete /opt/mailcow-dockerized /${LXC_SHAREFS_MOUNTPOINT}/mailcow-dockerized
+40 2 * * * rsync -aH --delete /var/lib/docker/volumes /${LXC_SHAREFS_MOUNTPOINT}/var_lib_docker_volumes
+5 4 * * * cd /opt/mailcow-dockerized/; BACKUP_LOCATION=/${LXC_SHAREFS_MOUNTPOINT}/db_crypt_redis /opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup mysql crypt redis --delete-days 3
+EOF
+
+chmod +x /etc/cron.daily/mailcowbackup
+
+cat << EOF > /etc/cron.daily/checkmk-mailcow-update-check
+#!/bin/bash
+if ! which check_mk_agent ; then
+  cd /opt/mailcow-dockerized/ && ./update.sh -c >/dev/null
+  status=\$?
+  if [ \$status -eq 3 ]; then
+    state="0 \"mailcow_update\" mailcow_update=0;1;;0;1 No updates available."
+  elif [ \$status -eq 0 ]; then
+    state="1 \"mailcow_update\" mailcow_update=1;1;;0;1 Updated code is available.\nThe changes can be found here: https://github.com/mailcow/mailcow-dockerized/commits/master"
+  else
+    state="3 \"mailcow_update\" - Unknown output from update script ..."
+  fi
+  echo -e "<<<local>>>\n$\state" > /tmp/87000_mailcowupdate
+  mv /tmp/87000_mailcowupdate /var/lib/check_mk_agent/spool/
+fi
+exit
+EOF
+chmod +x /etc/cron.daily/checkmk-mailcow-update-check
+
+chmod 600 mailcow.conf
+
+mkdir -p data/assets/ssl
+
+openssl req -x509 -newkey rsa:4096 -keyout data/assets/ssl/key.pem -out data/assets/ssl/cert.pem -days 365 -subj "/C=DE/ST=NRW/L=Willich/O=mailcow/OU=mailcow/CN=${LXC_HOSTNAME}.${LXC_DOMAIN}" -sha256 -nodes
+
+openssl dhparam -out data/assets/ssl/dhparams.pem 2048
+cat << EOF > /etc/cron.monthly/generate-dhparams
+#!/bin/bash
+openssl dhparam -out data/assets/ssl/dhparams.gen 4096 > /dev/null 2>&1
+mv data/assets/ssl/dhparams.gen data/assets/ssl/dhparams.pem
+systemctl restart nginx
+EOF
+chmod +x /etc/cron.monthly/generate-dhparams
+
+docker compose pull
+docker compose up -d
+
+case $PORTAINER in
+  full) install_portainer_full ;;
+  agent) install_portainer_agent ;;
+  *)     echo -e "\n######################################################################\n\n   Enjoy your Docker intallation.\n\n######################################################################" ;;
+esac
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-13-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="nginx,postgresql,element-web"
@@ -5,33 +5,33 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>

+set -euo pipefail
+
+source /root/functions.sh
 source /root/zamba.conf
+source /root/constants-service.conf

-sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
-cat << EOF > /etc/default/locale
-LANG="$LXC_LOCALE"
-LANGUAGE=$LXC_LOCALE
-EOF
-locale-gen $LXC_LOCALE
+#### Set repo and install matrix ####
+inst_matrix() {
+    apt_repo "matrix" "https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg" "https://packages.matrix.org/debian" "$(lsb_release -cs)" "main"
+    apt update
+    DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq matrix-synapse-py3 && systemctl enable matrix-synapse
+}

-MRX_PKE=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
+MRX_PKE=$(random_password)

 ELE_DBNAME="synapse_db"
 ELE_DBUSER="synapse_user"
-ELE_DBPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
+ELE_DBPASS=$(random_password)
+ELE_PATH=/var/www/element-web
+WEBROOT=/var/www

-apt update && apt full-upgrade -y
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq nginx python3-psycopg2

-apt install -y $LXC_TOOLSET apt-transport-https gpg software-properties-common nginx postgresql python3-psycopg2
+inst_postgresql
+inst_matrix

-wget wget -O /usr/share/keyrings/matrix-org-archive-keyring.gpg https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg
-echo "deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/matrix-org.list
-apt update && apt install -y matrix-synapse-py3
-systemctl enable matrix-synapse
-
-ss -tulpen
-
-mkdir /etc/nginx/ssl
+mkdir -p /etc/nginx/ssl
 openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/matrix.key -out /etc/nginx/ssl/matrix.crt -subj "/CN=$MATRIX_FQDN" -addext "subjectAltName=DNS:$MATRIX_FQDN"

 cat > /etc/nginx/sites-available/$MATRIX_FQDN <<EOF
@@ -51,9 +51,9 @@ server {
 server {
    listen 443 ssl;
    listen [::]:443 ssl;
+    http2 on;
    server_name $MATRIX_FQDN;

-    ssl on;
    ssl_certificate /etc/nginx/ssl/matrix.crt;
    ssl_certificate_key /etc/nginx/ssl/matrix.key;

@@ -66,14 +66,14 @@ server {
 server {
    listen 8448 ssl;
    listen [::]:8448 ssl;
+    http2 on;
    server_name $MATRIX_FQDN;

-    ssl on;
    ssl_certificate /etc/nginx/ssl/matrix.crt;
    ssl_certificate_key /etc/nginx/ssl/matrix.key;

    # If you don't wanna serve a site, comment this out
-    root /var/www/$MATRIX_FQDN;
+    root $ELE_PATH;
    index index.html index.htm;

    location / {
@@ -94,45 +94,48 @@ cat > /etc/nginx/sites-available/$MATRIX_ELEMENT_FQDN <<EOF
 server {
    listen 80;
    listen [::]:80;
-    server_name $MATRIX_ELEMENT_FQDN;
+    server_name _;
    return 301 https://$MATRIX_ELEMENT_FQDN;
 }

 server {
    listen 443 ssl;
    listen [::]:443 ssl;
+    http2 on;
    server_name $MATRIX_ELEMENT_FQDN;

-    ssl on;
    ssl_certificate /etc/nginx/ssl/matrix.crt;
    ssl_certificate_key /etc/nginx/ssl/matrix.key;

    # If you don't wanna serve a site, comment this out
-    root /var/www/$MATRIX_ELEMENT_FQDN/element;
+    root $ELE_PATH;
    index index.html index.htm;
 } 

 EOF

+unlink /etc/nginx/sites-enabled/default
 ln -s /etc/nginx/sites-available/$MATRIX_ELEMENT_FQDN /etc/nginx/sites-enabled/$MATRIX_ELEMENT_FQDN

 systemctl restart nginx

-mkdir /var/www/$MATRIX_ELEMENT_FQDN
-cd /var/www/$MATRIX_ELEMENT_FQDN
-wget https://packages.riot.im/element-release-key.asc
+cd /var/www
+
+wget -O element-release-key.asc https://packages.riot.im/element-release-key.asc
 gpg --import element-release-key.asc

-wget https://github.com/vector-im/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz
-wget https://github.com/vector-im/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc
+MATRIX_ELEMENT_VERSION=$(curl -s https://api.github.com/repos/element-hq/element-web/releases/latest | grep tag_name | cut -d'"' -f4)
+
+wget -O element-$MATRIX_ELEMENT_VERSION.tar.gz https://github.com/element-hq/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz
+wget -O element-$MATRIX_ELEMENT_VERSION.tar.gz.asc https://github.com/element-hq/element-web/releases/download/$MATRIX_ELEMENT_VERSION/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc
 gpg --verify element-$MATRIX_ELEMENT_VERSION.tar.gz.asc

 tar -xzvf element-$MATRIX_ELEMENT_VERSION.tar.gz
-ln -s element-$MATRIX_ELEMENT_VERSION element
-chown www-data:www-data -R element
-cp ./element/config.sample.json ./element/config.json
-sed -i "s|https://matrix-client.matrix.org|https://$MATRIX_FQDN|" ./element/config.json
-sed -i "s|\"server_name\": \"matrix.org\"|\"server_name\": \"$MATRIX_FQDN\"|" ./element/config.json
+mv element-$MATRIX_ELEMENT_VERSION $ELE_PATH
+chown www-data:www-data -R $ELE_PATH
+cp $ELE_PATH/config.sample.json $ELE_PATH/config.json
+sed -i "s|https://matrix-client.matrix.org|https://$MATRIX_FQDN|" $ELE_PATH/config.json
+sed -i "s|\"server_name\": \"matrix.org\"|\"server_name\": \"$MATRIX_FQDN\"|" $ELE_PATH/config.json

 su postgres <<EOF
 psql -c "CREATE USER $ELE_DBUSER WITH PASSWORD '$ELE_DBPASS';"
@@ -143,19 +146,18 @@ EOF
 cd /
 sed -i "s|#registration_shared_secret: <PRIVATE STRING>|registration_shared_secret: \"$MRX_PKE\"|" /etc/matrix-synapse/homeserver.yaml
 sed -i "s|#public_baseurl: https://example.com/|public_baseurl: https://$MATRIX_FQDN/|" /etc/matrix-synapse/homeserver.yaml
+sed -i "s|server_name:|server_name: $MATRIX_FQDN|g" /etc/matrix-synapse/conf.d/server_name.yaml
 sed -i "s|#enable_registration: false|enable_registration: true|" /etc/matrix-synapse/homeserver.yaml
 sed -i "s|name: sqlite3|name: psycopg2|" /etc/matrix-synapse/homeserver.yaml
 sed -i "s|database: /var/lib/matrix-synapse/homeserver.db|database: $ELE_DBNAME\n    user: $ELE_DBUSER\n    password: $ELE_DBPASS\n    host: 127.0.0.1\n    cp_min: 5\n    cp_max: 10|" /etc/matrix-synapse/homeserver.yaml

+reg_secret=$(random_password)
+echo -e "registration_shared_secret: \"$reg_secret\"" > /etc/matrix-synapse/conf.d/registration.yaml
+
 systemctl restart matrix-synapse

-register_new_matrix_user -c /etc/matrix-synapse/homeserver.yaml http://127.0.0.1:8008
-
-#curl https://download.jitsi.org/jitsi-key.gpg.key | sh -c 'gpg --dearmor > /usr/share/keyrings/jitsi-keyring.gpg'
-#echo 'deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/' | tee /etc/apt/sources.list.d/jitsi-stable.list > /dev/null
-
-#apt update
-#apt install -y jitsi-meet
-
+rm /var/www/element-release-key.asc /var/www/element-$MATRIX_ELEMENT_VERSION.tar.gz /var/www/element-$MATRIX_ELEMENT_VERSION.tar.gz.asc

+register_new_matrix_user -a -u $MATRIX_ADMIN_USER -p "$MATRIX_ADMIN_PASSWORD" -c /etc/matrix-synapse/conf.d/registration.yaml http://127.0.0.1:8008

+echo -e "Your matrix installation is now complete. Please login into your element:\nLogin:\t\t$MATRIX_ADMIN_USER\nPassword:\t$MATRIX_ADMIN_PASSWORD\n\n"
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-13-standard"
+
+# Create sharefs mountpoint
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
+NEXTCLOUD_VERSION="latest"
+
+# Defines the php version to install
+NEXTCLOUD_PHP_VERSION="8.4"
+
+# Defines the postgresql version to install
+POSTGRES_VERSION=17
+
+# Defines the IP from the SQL server
+NEXTCLOUD_DB_IP="127.0.0.1"
+
+# Defines the PORT from the SQL server
+NEXTCLOUD_DB_PORT="5432"
+
+# Defines the name from the SQL database
+NEXTCLOUD_DB_NAME="nextcloud_db"
+
+# Defines the name from the SQL user
+NEXTCLOUD_DB_USR="nextcloud"
+
+# Build a strong password for the SQL user - could be overwritten with something fixed 
+NEXTCLOUD_DB_PWD="$(random_password)"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=4096
+
+# service dependent meta tags
+SERVICE_TAGS="php-fpm,nginx,postgresql"
@@ -0,0 +1,578 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+set -euo pipefail
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+NEXTCLOUD_ADMIN_PWD=$(random_password)
+NEXTCLOUD_REDIS_PWD=$(random_password)
+HOSTNAME=$(hostname -f)
+HOST_IP=$(hostname -i)
+
+#### Modify Nginx for Nextcloud ####
+mod_nginx() {
+openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/nextcloud.key -out /etc/ssl/certs/nextcloud.crt -subj "/CN=$NEXTCLOUD_FQDN" -addext "subjectAltName=DNS:$NEXTCLOUD_FQDN"
+generate_dhparam
+
+mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
+
+cat > /etc/nginx/nginx.conf <<EOF
+user www-data;
+worker_processes auto;
+pid /var/run/nginx.pid;
+events {
+  worker_connections 2048;
+  multi_accept on;
+  use epoll;
+}
+http {
+  log_format bashclub escape=json
+  '{'
+    '"time_local":"\$time_local",'
+    '"remote_addr":"\$remote_addr",'
+    '"remote_user":"\$remote_user",'
+    '"request":"\$request",'
+    '"status": "\$status",'
+    '"body_bytes_sent":"\$body_bytes_sent",'
+    '"request_time":"\$request_time",'
+    '"http_referrer":"\$http_referer",'
+    '"http_user_agent":"\$http_user_agent"'
+  '}';
+  server_names_hash_bucket_size 64;
+  access_log /var/log/nginx/access.log;
+  error_log /var/log/nginx/error.log warn;
+  set_real_ip_from 127.0.0.1;
+  # optional, set reverse proxy ip, if used:
+  # set_real_ip_from $NEXTCLOUD_REVPROX;
+  real_ip_header X-Forwarded-For;
+  real_ip_recursive on;
+  include /etc/nginx/mime.types;
+  default_type application/octet-stream;
+  sendfile on;
+  send_timeout 3600;
+  tcp_nopush on;
+  tcp_nodelay on;
+  open_file_cache max=500 inactive=10m;
+  open_file_cache_errors on;
+  keepalive_timeout 65;
+  reset_timedout_connection on;
+  server_tokens off;
+  resolver $NEXTCLOUD_REVPROX valid=30s;
+  resolver_timeout 5s;
+  include /etc/nginx/conf.d/*.conf;
+}
+EOF
+
+[ -f /etc/nginx/conf.d/default.conf ] && mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.bak
+touch /etc/nginx/conf.d/default.conf
+
+cat > /etc/nginx/conf.d/http.conf << EOF
+upstream php-handler {
+  server unix:/run/php/php$NEXTCLOUD_PHP_VERSION-fpm.sock;
+}
+map \$arg_v \$asset_immutable {
+  "" "";
+  default "immutable";
+}
+server {
+  listen 80 default_server;
+  listen [::]:80 default_server;
+  server_name $NEXTCLOUD_FQDN;
+  root /var/www;
+  location ^~ /.well-known/acme-challenge {
+    default_type text/plain;
+    root /var/www/letsencrypt;
+  }
+  location / {
+    return 301 https://\$host\$request_uri;
+  }  
+}
+EOF
+
+cat > /etc/nginx/conf.d/nextcloud.conf << EOF
+limit_req_zone \$binary_remote_addr zone=NextcloudRateLimit:10m rate=2r/s;
+server {
+  listen 443 ssl default_server;
+  listen [::]:443 ssl default_server;
+  http2 on;
+  #listen 443 quic reuseport;
+  #listen [::]:443 quic reuseport;
+  #http3 on;
+  #http3_hq on;
+  #quic_retry on;
+  server_name $NEXTCLOUD_FQDN;
+  ssl_certificate /etc/ssl/certs/nextcloud.crt;
+  ssl_certificate_key /etc/ssl/private/nextcloud.key;
+  ssl_trusted_certificate /etc/ssl/certs/nextcloud.crt;
+  #ssl_certificate /etc/letsencrypt/rsa-certs/fullchain.pem;
+  #ssl_certificate_key /etc/letsencrypt/rsa-certs/privkey.pem;
+  #ssl_certificate /etc/letsencrypt/ecc-certs/fullchain.pem;
+  #ssl_certificate_key /etc/letsencrypt/ecc-certs/privkey.pem;
+  #ssl_trusted_certificate /etc/letsencrypt/ecc-certs/chain.pem;
+  ssl_dhparam /etc/nginx/dhparam.pem;
+  ssl_session_timeout 1d;
+  ssl_session_cache shared:SSL:50m;
+  ssl_session_tickets off;
+  ssl_protocols TLSv1.3 TLSv1.2;
+  ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384';
+  ssl_prefer_server_ciphers on;
+  ssl_stapling on;
+  ssl_stapling_verify on;
+  client_max_body_size 10G;
+  client_body_timeout 3600s;
+  client_body_buffer_size 512k;
+  fastcgi_buffers 64 4K;
+  gzip on;
+  gzip_vary on;
+  gzip_comp_level 4;
+  gzip_min_length 256;
+  gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+  gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+  add_header Strict-Transport-Security            "max-age=15768000; includeSubDomains; preload;" always;
+  add_header Permissions-Policy                   "interest-cohort=()";
+  add_header Referrer-Policy                      "no-referrer"   always;
+  add_header X-Content-Type-Options               "nosniff"       always;
+  add_header X-Download-Options                   "noopen"        always;
+  add_header X-Frame-Options                      "SAMEORIGIN"    always;
+  add_header X-Permitted-Cross-Domain-Policies    "none"          always;
+  add_header X-Robots-Tag                         "noindex, nofollow" always;
+  add_header X-XSS-Protection                     "1; mode=block" always;
+  add_header Alt-Svc                              'h3=":\$server_port"; ma=86400';
+  add_header x-quic                               'h3';
+  add_header Alt-Svc                              'h3-29=":\$server_port"';
+  fastcgi_hide_header X-Powered-By;
+  include mime.types;
+  types {
+    text/javascript mjs;
+  }
+  root /var/www/nextcloud;
+  index index.php index.html /index.php\$request_uri;
+  location = / {
+    if ( \$http_user_agent ~ ^DavClnt ) {
+      return 302 /remote.php/webdav/\$is_args\$args;
+    }
+  }
+  location = /robots.txt {
+    allow all;
+    log_not_found off;
+    access_log off;
+  }
+  location ^~ /.well-known {
+    location = /.well-known/carddav { return 301 /remote.php/dav/; }
+    location = /.well-known/caldav  { return 301 /remote.php/dav/; }
+    location /.well-known/acme-challenge { try_files \$uri \$uri/ =404; }
+    location /.well-known/pki-validation { try_files \$uri \$uri/ =404; }
+    return 301 /index.php\$request_uri;
+  }
+  location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
+  location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }
+  location ~ \.php(?:$|/) {
+    rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php\$request_uri;
+    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+    set \$path_info \$fastcgi_path_info;
+    try_files \$fastcgi_script_name =404;
+    include fastcgi_params;
+    fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
+    fastcgi_param PATH_INFO \$path_info;
+    fastcgi_param HTTPS on;
+    fastcgi_param modHeadersAvailable true;
+    fastcgi_param front_controller_active true;
+    fastcgi_pass php-handler;
+    fastcgi_intercept_errors on;
+    fastcgi_request_buffering off;
+    fastcgi_read_timeout 3600;
+    fastcgi_send_timeout 3600;
+    fastcgi_connect_timeout 3600;
+    fastcgi_max_temp_file_size 0;
+  }
+  location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ {
+    try_files \$uri /index.php\$request_uri;
+    add_header Cache-Control                     "public, max-age=15768000, \$asset_immutable";
+    add_header Permissions-Policy                "interest-cohort=()";
+    add_header Referrer-Policy                   "no-referrer"       always;
+    add_header X-Content-Type-Options            "nosniff"           always;
+    add_header X-Frame-Options                   "SAMEORIGIN"        always;
+    add_header X-Permitted-Cross-Domain-Policies "none"              always;
+    add_header X-Robots-Tag                      "noindex, nofollow" always;
+    add_header X-XSS-Protection                  "1; mode=block"     always;
+    add_header Alt-Svc                           'h3=":\$server_port"; ma=86400';
+    add_header x-quic                            'h3';
+    add_header Alt-Svc                           'h3-29=":\$server_port"';
+    access_log off;
+    expires 6M;
+    access_log off;
+    location ~ \.wasm$ {
+      default_type application/wasm;
+    }
+  }
+  location ~ \.(otf|woff2?)$ {
+    try_files \$uri /index.php\$request_uri;
+    expires 7d;
+    access_log off;
+  }
+  location /remote {
+    return 301 /remote.php\$request_uri;
+  }
+  location /login {
+    limit_req zone=NextcloudRateLimit burst=5 nodelay;
+    limit_req_status 429;
+    try_files \$uri \$uri/ /index.php\$request_uri;
+  }
+  location / {
+    try_files \$uri \$uri/ /index.php\$request_uri;
+  }
+  location ^~ /push/ {
+    proxy_pass http://127.0.0.1:7867/;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade \$http_upgrade;
+    proxy_set_header Connection "Upgrade";
+    proxy_set_header Host \$host;
+    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+  }
+}
+EOF
+}
+
+#### Modify php settings for Nextcloud ####
+mod_php() {
+cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf.bak
+cp /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini.bak
+cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini.bak
+cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf.bak
+cp /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini.bak
+cp /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini.bak
+cp /etc/ImageMagick-7/policy.xml /etc/ImageMagick-7/policy.xml.bak
+
+sed -i "s/;env\[HOSTNAME\] = /env[HOSTNAME] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/;env\[TMP\] = /env[TMP] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/;env\[TMPDIR\] = /env[TMPDIR] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/;env\[TEMP\] = /env[TEMP] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/;env\[PATH\] = /env[PATH] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/pm.max_children =.*/pm.max_children = 200/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/pm.start_servers =.*/pm.start_servers = 100/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/pm.min_spare_servers =.*/pm.min_spare_servers = 60/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/pm.max_spare_servers =.*/pm.max_spare_servers = 140/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/;pm.max_requests =.*/pm.max_requests = 1000/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
+sed -i "s/allow_url_fopen =.*/allow_url_fopen = 1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+
+sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
+sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
+sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
+sed -i "s/post_max_size =.*/post_max_size = 10G/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
+sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10G/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
+sed -i "s|;date.timezone.*|date.timezone = $LXC_TIMEZONE|" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
+sed -i "s/;cgi.fix_pathinfo.*/cgi.fix_pathinfo=0/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
+
+sed -i "s/memory_limit = 128M/memory_limit = 1G/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/post_max_size =.*/post_max_size = 10G/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10G/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s|;date.timezone.*|date.timezone = $LXC_TIMEZONE|" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;session.cookie_secure.*/session.cookie_secure = True/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.enable=.*/opcache.enable=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.validate_timestamps=.*/opcache.validate_timestamps=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.enable_cli=.*/opcache.enable_cli=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.memory_consumption=.*/opcache.memory_consumption=256/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.interned_strings_buffer=.*/opcache.interned_strings_buffer=64/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.max_accelerated_files=.*/opcache.max_accelerated_files=100000/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.revalidate_freq=.*/opcache.revalidate_freq=0/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.save_comments=.*/opcache.save_comments=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+sed -i "s/;opcache.huge_code_pages=.*/opcache.huge_code_pages=0/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
+
+sed -i "s|;emergency_restart_threshold.*|emergency_restart_threshold = 10|g" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf
+sed -i "s|;emergency_restart_interval.*|emergency_restart_interval = 1m|g" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf
+sed -i "s|;process_control_timeout.*|process_control_timeout = 10|g" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf
+
+sed -i '$aapc.enable_cli=1' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini
+
+sed -i 's/opcache.jit=off/opcache.jit=on/' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini
+sed -i '$aopcache.jit=1255' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini
+sed -i '$aopcache.jit_buffer_size=256M' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini
+
+sed -i "s/rights=\"none\" pattern=\"PS\"/rights=\"read|write\" pattern=\"PS\"/" /etc/ImageMagick-7/policy.xml
+sed -i "s/rights=\"none\" pattern=\"EPS\"/rights=\"read|write\" pattern=\"EPS\"/" /etc/ImageMagick-7/policy.xml
+sed -i "s/rights=\"none\" pattern=\"PDF\"/rights=\"read|write\" pattern=\"PDF\"/" /etc/ImageMagick-7/policy.xml
+sed -i "s/rights=\"none\" pattern=\"XPS\"/rights=\"read|write\" pattern=\"XPS\"/" /etc/ImageMagick-7/policy.xml
+
+sed -i '$apgsql.allow_persistent = On' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
+sed -i '$apgsql.auto_reset_persistent = Off' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
+sed -i '$apgsql.max_persistent = -1' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
+sed -i '$apgsql.max_links = -1' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
+sed -i '$apgsql.ignore_notice = 0' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
+sed -i '$apgsql.log_notice = 0' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
+}
+
+#### Modify Postgresql for Nextcloud ####
+mod_postgresql() {
+su - postgres <<EOF
+    psql -c "CREATE USER $NEXTCLOUD_DB_USR WITH PASSWORD '$NEXTCLOUD_DB_PWD';"
+    psql -c "CREATE DATABASE $NEXTCLOUD_DB_NAME ENCODING UTF8 TEMPLATE template0 OWNER $NEXTCLOUD_DB_USR;"
+    echo "Postgres User $NEXTCLOUD_DB_USR and database $NEXTCLOUD_DB_NAME created."
+EOF
+    cat > /etc/postgresql/$POSTGRES_VERSION/main/conf.d/nextcloud.conf <<EOF
+    max_connections = 200
+    shared_buffers = 1GB
+    effective_cache_size = 3GB
+    maintenance_work_mem = 256MB
+    checkpoint_completion_target = 0.9
+    wal_buffers = 16MB
+    default_statistics_target = 100
+    random_page_cost = 1.1
+    effective_io_concurrency = 200
+    work_mem = 2621kB
+    min_wal_size = 1GB
+    max_wal_size = 4GB
+    max_worker_processes = 4
+    max_parallel_workers_per_gather = 2
+    max_parallel_workers = 4
+    max_parallel_maintenance_workers = 2
+EOF
+}
+
+#### Install and modify Redis-server ####
+inst_redis() {
+    apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends redis-server
+}
+mod_redis() {
+cp /etc/redis/redis.conf /etc/redis/redis.conf.bak
+sed -i "s/port 6379/port 0/" /etc/redis/redis.conf
+sed -i s/\#\ unixsocket/\unixsocket/g /etc/redis/redis.conf
+sed -i "s/unixsocketperm 700/unixsocketperm 770/" /etc/redis/redis.conf
+sed -i "s/# maxclients 10000/maxclients 10240/" /etc/redis/redis.conf
+sed -i "s/# requirepass foobared/requirepass $NEXTCLOUD_REDIS_PWD/" /etc/redis/redis.conf
+usermod -aG redis www-data
+echo 'vm.overcommit_memory = 1' > /etc/sysctl.d/overcommit_memory.conf
+}
+
+#### Install some more packages
+inst_packages() {
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends tree ldap-utils php-ldap cifs-utils locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat imagemagick libmagickcore-7.q16-10-extra
+timedatectl set-timezone $LXC_TIMEZONE
+mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www /etc/letsencrypt
+chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
+}
+
+#### Install and modify Nextcloud ####
+inst_nextcloud() {
+cd /usr/local/src
+wget https://download.nextcloud.com/server/releases/latest.tar.bz2
+wget https://download.nextcloud.com/server/releases/latest.tar.bz2.md5
+
+md5sum -c --ignore-missing latest.tar.bz2.md5 < latest.tar.bz2
+tar -xjf latest.tar.bz2 -C /var/www && chown -R www-data:www-data /var/www/ && rm -f latest.tar.bz2*
+
+cat > /root/permissions.sh << EOF
+#!/bin/bash
+find /var/www/ -type f -print0 | xargs -0 chmod 0640
+find /var/www/ -type d -print0 | xargs -0 chmod 0750
+if [ -d "/var/www/nextcloud/apps/notify_push" ]; then
+chmod ug+x /var/www/nextcloud/apps/notify_push/bin/x86_64/notify_push
+fi
+chmod -R 770 /etc/letsencrypt 
+chown -R www-data:www-data /var/www
+chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA
+chmod 0644 /var/www/nextcloud/.htaccess
+chmod 0644 /var/www/nextcloud/.user.ini
+exit 0
+EOF
+
+chmod +x /root/permissions.sh
+/root/permissions.sh
+}
+
+#### Create configuration script for nextcloud, which will be executet as user www-data
+mod_nextcloudconfig() {
+
+systemctl stop nginx
+
+sudo -u www-data /usr/bin/php /var/www/nextcloud/occ maintenance:install --database pgsql \
+--database-host $NEXTCLOUD_DB_IP \
+--database-port $NEXTCLOUD_DB_PORT \
+--database-name $NEXTCLOUD_DB_NAME \
+--database-user $NEXTCLOUD_DB_USR \
+--database-pass $NEXTCLOUD_DB_PWD \
+--admin-user $NEXTCLOUD_ADMIN_USR \
+--admin-pass $NEXTCLOUD_ADMIN_PWD \
+--data-dir /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA
+
+sudo -u www-data cp /var/www/nextcloud/config/config.php /var/www/nextcloud/config/config.php.bak
+sed -i '/);/d' /var/www/nextcloud/config/config.php
+sed -i 's/^[ ]*//' /var/www/nextcloud/config/config.php
+sed -i "s/output_buffering=.*/output_buffering=0/" /var/www/nextcloud/.user.ini
+
+
+cat >> /var/www/nextcloud/config/config.php << EOF
+  'activity_expire_days' => 14,
+  'allow_local_remote_servers' => true,
+  'auth.bruteforce.protection.enabled' => true,
+  'forbidden_filenames' =>
+  array (
+    0 => '.htaccess',
+    1 => 'Thumbs.db',
+    2 => 'thumbs.db',
+    ),
+  'cron_log' => true,
+  'default_phone_region' => 'DE',
+  'enable_previews' => true,
+  'enabledPreviewProviders' =>
+  array (
+    0 => 'OC\\Preview\\PNG',
+    1 => 'OC\\Preview\\JPEG',
+    2 => 'OC\\Preview\\GIF',
+    3 => 'OC\\Preview\\BMP',
+    4 => 'OC\\Preview\\XBitmap',
+    5 => 'OC\\Preview\\Movie',
+    6 => 'OC\\Preview\\PDF',
+    7 => 'OC\\Preview\\MP3',
+    8 => 'OC\\Preview\\TXT',
+    9 => 'OC\\Preview\\MarkDown',
+    10 => 'OC\\Preview\\HEIC',
+    11 => 'OC\\Preview\\Movie',
+    12 => 'OC\\Preview\\MKV',
+    13 => 'OC\\Preview\\MP4',
+    14 => 'OC\\Preview\\AVI',
+    ),
+  'filesystem_check_changes' => 0,
+  'filelocking.enabled' => 'true',
+  'htaccess.RewriteBase' => '/',
+  'integrity.check.disabled' => false,
+  'knowledgebaseenabled' => false,
+  'logfile' => '/$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/nextcloud.log',
+  'loglevel' => 2,
+  'logtimezone' => '$LXC_TIMEZONE',
+  'log_rotate_size' => 104857600,
+  'memcache.local' => '\OC\Memcache\APCu',
+  'memcache.locking' => '\OC\Memcache\Redis',
+  'overwriteprotocol' => 'https',
+  'preview_max_x' => 1024,
+  'preview_max_y' => 768,
+  'preview_max_scale_factor' => 1,
+  'profile.enabled' => false,
+  'redis' => 
+  array (
+    'host' => '/run/redis/redis-server.sock',
+    'port' => 0,
+    'password' => '$NEXTCLOUD_REDIS_PWD',
+    'timeout' => 0.0,
+  ),
+  'quota_include_external_storage' => false,
+  'share_folder' => '/Freigaben',
+  'skeletondirectory' => '',
+  'theme' => '',
+  'trashbin_retention_obligation' => 'auto, 7',
+  'updater.release.channel' => 'stable',
+  'maintenance_window_start' => 1,
+  'maintenance' => false,
+  'mail_smtpmode' => 'sendmail',
+  'mail_sendmailmode' => 'smtp',
+  'mail_from_address' => '$NEXTCLOUD_ADMIN_USR',
+  'mail_domain' => '$NEXTCLOUD_FQDN',
+  'overwrite.cli.url' => 'https://$NEXTCLOUD_FQDN',
+  'overwritehost' => '$NEXTCLOUD_FQDN',
+  'trusted_domains' => 
+  array (
+    0 => '$HOST_IP',
+    1 => '$NEXTCLOUD_FQDN',
+  ),
+
+);
+EOF
+
+/root/permissions.sh
+
+sudo -u www-data /usr/bin/cp /var/www/nextcloud/config/config.php /var/www/nextcloud/config/config.php.bak
+sudo -u www-data /usr/bin/php /var/www/nextcloud/occ app:disable survey_client
+sudo -u www-data /usr/bin/php /var/www/nextcloud/occ app:disable firstrunwizard
+sudo -u www-data /usr/bin/php /var/www/nextcloud/occ app:enable admin_audit
+#sudo -u www-data /usr/bin/php /var/www/nextcloud/occ app:enable notify_push
+sudo -u www-data /usr/bin/php /var/www/nextcloud/occ background:cron
+sudo -u www-data /usr/bin/php /var/www/nextcloud/occ db:add-missing-indices
+sudo -u www-data nohup /usr/bin/php /var/www/nextcloud/occ maintenance:repair --include-expensive &
+sed -i 's/^[ ]*//' /var/www/nextcloud/config/config.php
+sed -i "s/output_buffering=.*/output_buffering=0/" /var/www/nextcloud/.user.ini
+
+echo "*/5 * * * * www-data /usr/bin/php -f /var/www/nextcloud/cron.php > /dev/null 2>&1" > /etc/cron.d/nextcloud
+
+systemctl restart php$NEXTCLOUD_PHP_VERSION-fpm
+systemctl start nginx
+
+cat > /etc/systemd/system/notify_push.service << EOF
+[Unit]
+Description = Push daemon for Nextcloud clients
+After=nginx.service php$NEXTCLOUD_PHP_VERSION-fpm.service system-postgresql.slice redis-server.service
+
+[Service]
+Environment=PORT=7867
+Environment=NEXTCLOUD_URL=https://$NEXTCLOUD_FQDN
+Environment=ALLOW_SELF_SIGNED=true
+ExecStart=/var/www/nextcloud/apps/notify_push/bin/x86_64/notify_push /var/www/nextcloud/config/config.php
+User=www-data
+
+[Install]
+WantedBy = multi-user.target
+EOF
+
+systemctl daemon-reload
+systemctl enable notify_push
+}
+
+#### Modifying Crowdsec ####
+mod_crowdsec() {
+systemctl restart crowdsec
+cscli collections install crowdsecurity/nginx
+cscli collections install crowdsecurity/nextcloud
+cscli collections install crowdsecurity/sshd
+
+cat >> /etc/crowdsec/acquis.yaml << EOF
+filenames:
+ - /var/log/nextcloud/nextcloud.log
+labels:
+  type: Nextcloud
+---
+EOF
+systemctl reload crowdsec
+}
+#### Install the system !####
+echo "=> Installing Nginx ..."
+inst_nginx
+echo "=> Modifying Nginx config for Nextcloud ..."
+mod_nginx
+
+echo "=> Installing PHP $NEXTCLOUD_PHP_VERSION ..."
+inst_php fpm,gd,curl,pgsql,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,mysql,redis,smbclient,sqlite3,cli,common,opcache,readline $NEXTCLOUD_PHP_VERSION
+echo "=> Modifying PHP config for Nextcloud ..."
+mod_php
+
+echo "=> Installing Postgresql $POSTGRES_VERSION ..."
+inst_postgresql
+echo "=> Modifying Postgresql config for Nextcloud ..."
+mod_postgresql
+
+echo "=> Installing Redis-server ..."
+inst_redis
+echo "=> Modifying Redis-server for Nextcloud ..."
+mod_redis
+
+echo "=> Installing some more packages ..."
+inst_packages
+
+echo "=> Installing Nextcloud ..."
+inst_nextcloud
+echo "=> Modifying Nextcloud ..."
+mod_nextcloudconfig
+
+echo "=> Installing Crowdsec ..."
+inst_crowdsec
+echo "=> Modifying Crowdsec ..."
+mod_crowdsec
+
+echo -e "\n######################################################################\n\n    Please note this user and password for the nextcloud login:\n        '$NEXTCLOUD_ADMIN_USR' / '$NEXTCLOUD_ADMIN_PWD'\n                Enjoy your Nextcloud intallation.\n\n######################################################################"
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-13-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=4096
+
+# service dependent meta tags
+SERVICE_TAGS="mongodb-server,java"
@@ -1,18 +1,20 @@
 #!/bin/bash

+set -euo pipefail
+
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>

-dpkg-reconfigure locales
-
+source /root/functions.sh
 source /root/zamba.conf
+source /root/constants-service.conf

-# Set Timezone
-ln -sf /usr/share/zoneinfo/$LXC_TIMEZONE /etc/localtime
+inst_mongodb 

-apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET
-sed -i "s|\"syntax on|syntax on|g" /etc/vim/vimrc
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq default-jre-headless jsvc
+
+inst_bashclub omada
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq omadac
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-13-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+ONLYOFFICE_DB_HOST=localhost
+
+ONLYOFFICE_DB_NAME=onlyoffice
+
+ONLYOFFICE_DB_USER=onlyoffice
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="nginx,postgresql,rabbitmq"
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+cat > /usr/local/bin/ods-apt-pre-hook << DFOE
+#!/bin/bash
+rm /etc/nginx/conf.d/ds-ssl.conf
+systemctl stop nginx.service
+DFOE
+chmod +x /usr/local/bin/ods-apt-pre-hook
+
+cat > /usr/local/bin/ods-apt-post-hook << DFOE
+#!/bin/bash
+rm /etc/nginx/conf.d/ds.conf
+ln -sf /etc/onlyoffice/documentserver/nginx/ds-ssl.conf /etc/nginx/conf.d/ds-ssl.conf
+systemctl restart nginx
+DFOE
+chmod +x /usr/local/bin/ods-apt-post-hook
+
+
+cat << EOF > /etc/apt/apt.conf.d/80-ods-apt-pre-hook
+DPkg::Pre-Invoke {"/usr/local/bin/ods-apt-pre-hook";};
+EOF
+
+cat << EOF > /etc/apt/apt.conf.d/80-ods-apt-post-hook
+DPkg::Post-Invoke {"/usr/local/bin/ods-apt-post-hook";};
+EOF
@@ -0,0 +1,89 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+set -euo pipefail
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+#### Set repo and install onlyoffice ####
+inst_onlyoffice() {
+    apt_repo "onlyoffice" "https://download.onlyoffice.com/GPG-KEY-ONLYOFFICE" "https://download.onlyoffice.com/repo/debian" "squeeze" "main"
+    apt update
+    DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq ttf-mscorefonts-installer onlyoffice-documentserver
+}
+
+ONLYOFFICE_DB_PASS=$(random_password)
+
+inst_postgresql
+
+#cat > /etc/apt/preferences.d/onlyoffice << EOF
+#Package: onlyoffice-documentserver
+#Pin: version 7.1.1-23
+#Pin-Priority: 900
+#EOF
+
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq rabbitmq-server libstdc++6 supervisor
+
+su postgres <<EOF
+psql -c "CREATE USER $ONLYOFFICE_DB_USER WITH PASSWORD '$ONLYOFFICE_DB_PASS';"
+psql -c "CREATE DATABASE $ONLYOFFICE_DB_NAME ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER $ONLYOFFICE_DB_USER;"
+echo "Postgres User '$ONLYOFFICE_DB_USER' and database '$ONLYOFFICE_DB_NAME' created."
+EOF
+
+echo onlyoffice-documentserver onlyoffice/ds-port select 80 | debconf-set-selections
+echo onlyoffice-documentserver onlyoffice/db-host string $ONLYOFFICE_DB_HOST | debconf-set-selections
+echo onlyoffice-documentserver onlyoffice/db-user string $ONLYOFFICE_DB_NAME | debconf-set-selections
+echo onlyoffice-documentserver onlyoffice/db-name string $ONLYOFFICE_DB_USER | debconf-set-selections
+echo onlyoffice-documentserver onlyoffice/db-pwd password $ONLYOFFICE_DB_PASS | debconf-set-selections
+
+inst_onlyoffice
+
+cat << EOF > /root/onlyoffice.credentials
+ONLYOFFICE_DB_HOST=$ONLYOFFICE_DB_HOST
+ONLYOFFICE_DB_NAME=$ONLYOFFICE_DB_NAME
+ONLYOFFICE_DB_USER=$ONLYOFFICE_DB_USER
+ONLYOFFICE_DB_PASS=$ONLYOFFICE_DB_PASS
+EOF
+
+mkdir -p /etc/nginx/ssl
+openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/onlyoffice.key -out /etc/nginx/ssl/onlyoffice.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
+
+rm /etc/nginx/conf.d/ds.conf
+cp /etc/onlyoffice/documentserver/nginx/ds-ssl.conf.tmpl /etc/onlyoffice/documentserver/nginx/ds-ssl.conf
+
+sed -i "s|ssl_certificate {{SSL_CERTIFICATE_PATH}}|ssl_certificate /etc/nginx/ssl/onlyoffice.crt|" /etc/onlyoffice/documentserver/nginx/ds-ssl.conf
+sed -i "s|ssl_certificate_key {{SSL_KEY_PATH}}|ssl_certificate_key /etc/nginx/ssl/onlyoffice.key|" /etc/onlyoffice/documentserver/nginx/ds-ssl.conf
+
+ln -sf /etc/onlyoffice/documentserver/nginx/ds-ssl.conf /etc/nginx/conf.d/ds-ssl.conf
+
+cat > /usr/local/bin/ods-apt-pre-hook << DFOE
+#!/bin/bash
+rm /etc/nginx/conf.d/ds-ssl.conf
+systemctl stop nginx.service
+DFOE
+chmod +x /usr/local/bin/ods-apt-pre-hook
+
+cat > /usr/local/bin/ods-apt-post-hook << DFOE
+#!/bin/bash
+rm /etc/nginx/conf.d/ds.conf
+ln -sf /etc/onlyoffice/documentserver/nginx/ds-ssl.conf /etc/nginx/conf.d/ds-ssl.conf
+systemctl restart nginx
+DFOE
+chmod +x /usr/local/bin/ods-apt-post-hook
+
+cat << EOF > /etc/apt/apt.conf.d/80-ods-apt-pre-hook
+DPkg::Pre-Invoke {"/usr/local/bin/ods-apt-pre-hook";};
+EOF
+
+cat << EOF > /etc/apt/apt.conf.d/80-ods-apt-post-hook
+DPkg::Post-Invoke {"/usr/local/bin/ods-apt-post-hook";};
+EOF
+
+systemctl restart nginx
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-13-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="php-fpm,nginx,mariadb"
@@ -0,0 +1,88 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+set -euo pipefail
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+webroot=/var/www/html
+
+LXC_RANDOMPWD=20
+MYSQL_PASSWORD="$(random_password)"
+PHP_VERSION=8.4
+
+apt update
+
+inst_php cli,fpm,mysql,xml,mbstring,gd $PHP_VERSION
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends unzip sudo nginx-full mariadb-server mariadb-client 
+
+mkdir -p /etc/nginx/ssl
+openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/open3a.key -out /etc/nginx/ssl/open3a.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
+
+cat << EOF > /etc/nginx/sites-available/default
+server {
+    listen 80;
+    listen [::]:80;
+    server_name _;
+
+    return 301 https://$LXC_HOSTNAME.$LXC_DOMAIN;
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name $LXC_HOSTNAME.$LXC_DOMAIN;
+
+    root $webroot;
+
+    index index.php;
+
+    ssl_certificate /etc/nginx/ssl/open3a.crt;
+    ssl_certificate_key /etc/nginx/ssl/open3a.key;
+
+    location ~ .php$ {
+        include snippets/fastcgi-php.conf;
+        fastcgi_pass unix:/var/run/php/php${PHP_VERSION}-fpm.sock;
+    }
+}
+
+EOF
+
+mysql -uroot -e "CREATE USER 'open3a'@'localhost' IDENTIFIED BY '$MYSQL_PASSWORD';
+GRANT USAGE ON * . * TO 'open3a'@'localhost' IDENTIFIED BY '$MYSQL_PASSWORD' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
+CREATE DATABASE IF NOT EXISTS open3a;
+GRANT ALL PRIVILEGES ON open3a . * TO 'open3a'@'localhost';"
+
+cd $webroot
+wget https://www.open3a.de/download/open3A%204.0.zip -O $webroot/open3a.zip
+unzip open3a.zip
+rm open3a.zip
+chmod 666 system/DBData/Installation.pfdb.php
+chmod -R 777 specifics/
+chmod -R 777 system/Backup
+chown -R www-data:www-data $webroot
+
+echo "sudo -u www-data /usr/bin/php $webroot/plugins/Installation/backup.php; for backup in \$(ls -r1 $webroot/system/Backup/*.gz | /bin/grep -v \$(date +%Y%m%d)); do /bin/rm \$backup;done" > /etc/cron.daily/open3a-backup
+chmod +x /etc/cron.daily/open3a-backup
+
+cat << EOF >/var/www/html/system/DBData/Installation.pfdb.php
+<?php echo "This is a database-file."; /*
+host&%%%&user&%%%&password&%%%&datab&%%%&httpHost
+varchar(40)&%%%&varchar(20)&%%%&varchar(20)&%%%&varchar(30)&%%%&varchar(40)                                                                                         
+localhost                               &%%%&open3a              &%%%&$MYSQL_PASSWORD&%%%&open3a                        &%%%&*                                       %%&&&
+*/ ?>
+EOF
+
+systemctl enable --now php${PHP_VERSION}-fpm
+systemctl restart php${PHP_VERSION}-fpm nginx
+
+LXC_IP=$(ip address show dev eth0 | grep "inet " | cut -d ' ' -f6)
+
+echo -e "Your open3a installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttp://$(echo $LXC_IP | cut -d'/' -f1)\nLogin:\t\tAdmin\nPassword:\tAdmin\n\nMysql-Settings:\nServer:\t\tlocalhost\nUser:\t\topen3a\nPassword:\t$MYSQL_PASSWORD\nDatabase:\topen3a"
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-13-standard"
+
+# Create sharefs mountpoint
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="var/piler"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=2048
+
+# service dependent meta tags
+SERVICE_TAGS="php-fpm,nginx,mariadb,manticore"
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# Author:
+# (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
+
+set -euo pipefail
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+inst_bashclub manticore
+inst_bashclub $PILER_BRANCH
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends piler
+
+echo -e "Installation of piler finished."
+echo -e "\nFor administration please visit the following Website:"
+echo -e "\thttps://${LXC_HOSTNAME}.${LXC_DOMAIN}/"
+echo -e "\nLogin with following credentials:"
+echo -e "\tUser: admin@local"
+echo -e "\tPass: pilerrocks"
+echo -e "\n\nPlease have a look the the GOBD notes (in German):"
+echo -e "\thttps://${LXC_HOSTNAME}.${LXC_DOMAIN}/gobd"
@@ -0,0 +1,111 @@
+# PMG-Integration des KI-Rspamd Filters
+
+Diese Anleitung beschreibt, wie das PMG als zentrale Filter-Instanz die Scores deines externen Rspamd-LXC abfragt, visualisiert und gewichtet, ohne die eigene Filterhoheit zu verlieren.
+
+## 1. Architektur-Übersicht
+
+Das PMG fungiert als SMTP-Relay. Der externe Rspamd wird als **Before-Queue Milter** eingebunden. Er verarbeitet die Mail, setzt Header-Attribute und das PMG wertet diese Header innerhalb seines eigenen Regelwerks aus.
+
+
+---
+
+## 2. Persistente Milter-Anbindung (Updatesicher)
+
+Damit Postfix den Rspamd-LXC anspricht, muss die Konfiguration über das PMG-Template-System erfolgen.
+
+
+1. **Template-Verzeichnis erstellen:**
+
+   ```javascript
+   mkdir -p /etc/pmg/templates
+   cp /var/lib/pmg/templates/main.cf.in /etc/pmg/templates/
+   
+   ```
+2. **Milter in `main.cf.in` eintragen:** Öffne `/etc/pmg/templates/main.cf.in` und füge am Ende (vor den lokalen Overrides) folgende Zeilen hinzu:
+
+   ```javascript
+   smtpd_milters = inet:IP_DEINES_LXC:11332
+   milter_default_action = accept
+   milter_protocol = 6
+   
+   ```
+3. **Konfiguration generieren:**
+
+   ```javascript
+   pmgconfig sync
+   
+   ```
+
+
+---
+
+## 3. Score-Gewichtung (SpamAssassin-Integration)
+
+Da das PMG-UI keine direkte Punkte-Addition erlaubt, integrieren wir die Rspamd-Ergebnisse direkt in den internen Scan-Prozess. Dies stellt sicher, dass die Scores im **Tracking Center** namentlich auftauchen.
+
+
+1. **Konfigurationsdatei erstellen:** Erstelle auf dem PMG-Host: `/etc/mail/spamassassin/rspamd_scores.cf`
+2. **Regeln definieren:** Kopiere diesen Block in die Datei:
+
+   ```javascript
+   # Rspamd Medium (4 - 5.9)
+   header RSPAMD_MEDIUM X-Rspamd-Score =~ /^([45]\.[0-9]+)/
+   describe RSPAMD_MEDIUM Rspamd bewertet diese Mail als leicht verdaechtig (4-5.9)
+   score RSPAMD_MEDIUM 1.5
+   
+   # Rspamd High (6 - 14.9)
+   header RSPAMD_HIGH X-Rspamd-Score =~ /^([6-9]|1[0-4])\.[0-9]+/
+   describe RSPAMD_HIGH Rspamd bewertet diese Mail als Spam (6-14.9)
+   score RSPAMD_HIGH 4.0
+   
+   # Rspamd Critical (15+)
+   header RSPAMD_CRITICAL X-Rspamd-Score =~ /^(1[5-9]|[2-9][0-9]|[1-9][0-9][0-9])\.[0-9]+/
+   describe RSPAMD_CRITICAL Rspamd (KI/Llama) ist sich absolut sicher: Scam/Betrug (15+)
+   score RSPAMD_CRITICAL 10.0
+   
+   ```
+3. **Dienst neu starten:**
+
+   ```javascript
+   systemctl restart pmg-smtp-filter
+   
+   ```
+
+
+---
+
+## 4. UI-Logik für harte Aktionen (Optional)
+
+Wenn du für extrem hohe Scores (`RSPAMD_CRITICAL`) eine sofortige Quarantäne erzwingen möchtest, kannst du dies im WebUI ergänzen:
+
+
+1. **What Object:** Erstelle unter *Mail Filter > What Objects* ein **Match Field**.
+   * **Name:** `Rspamd-Critical-Header`
+   * **Field:** `X-Rspamd-Score`
+   * **Value:** `^(1[5-9]|[2-9][0-9])\..*`
+2. **Rule:** Erstelle eine Regel mit Priorität **99**.
+   * **What:** `Rspamd-Critical-Header`
+   * **Action:** `Quarantine`
+
+
+---
+
+## 5. Verifizierung & Monitoring
+
+Nach der Integration sollten eingehende E-Mails im PMG Tracking Center detailliert aufgeschlüsselt werden.
+
+* **Live-Log Prüfung:** Überwache die Auswertung der neuen Header live auf der Konsole:
+
+  ```javascript
+  tail -f /var/log/mail.log | grep -E "RSPAMD_(MEDIUM|HIGH|CRITICAL)"
+  
+  ```
+* **Tracking Center:** In der Detailansicht einer E-Mail unter **Spam Analysis** erscheint nun z. B. der Eintrag: `RSPAMD_HIGH (4.00)`
+
+
+---
+
+### Wartungshinweise
+
+* **Persistent:** Die `.cf`-Dateien unter `/etc/mail/spamassassin/` bleiben bei PMG-Updates erhalten.
+* **Anpassung:** Sollten zu viele False Positives auftreten, senke einfach die `score`-Werte in der `rspamd_scores.cf` und starte den `pmg-smtp-filter` neu.
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-13-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="128K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=8192
+
+# service dependent meta tags
+SERVICE_TAGS="rspamd,unbound,ollama"
@@ -0,0 +1,373 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+RSPAMD_PASSWORD=$(random_password)
+LLM=llama3.1:8b
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y redis-server unbound python3-venv rspamd zstd nginx ssl-cert
+
+# Eine abgeschottete Python-Umgebung in /opt/oletools erstellen
+python3 -m venv /opt/oletools
+
+# Oletools innerhalb dieser Umgebung installieren (berührt das System nicht!)
+/opt/oletools/bin/pip install oletools python-magic
+ln -s /opt/oletools/bin/olevba /usr/local/bin/olevba3
+
+
+# install olefy servvice
+curl -o /usr/local/bin/olefy.py https://raw.githubusercontent.com/HeinleinSupport/olefy/master/olefy.py
+chmod +x /usr/local/bin/olefy.py
+sed -i "s/addr_re = re.compile('\[\\\[\" \\\]\]')/addr_re = re.compile(r'\[\\\[\" \\\]\]')/g" /usr/local/bin/olefy.py
+
+# olefy Systemd-Service anlegen
+cat << 'EOF' > /etc/systemd/system/olefy.service
+[Unit]
+Description=Olefy Daemon for Rspamd
+After=network.target
+
+[Service]
+Type=simple
+User=nobody
+ExecStart=/opt/oletools/bin/python3 /usr/local/bin/olefy.py
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# oletools update
+cat << 'EOF' > /usr/local/bin/apt-hook-oletools.sh
+#!/bin/bash
+# Unterdrücke Standard-Ausgaben, fange aber das Ergebnis auf
+UPDATE_OUT=$(/opt/oletools/bin/pip install --upgrade oletools 2>&1)
+
+# Prüfen, ob der Text "Successfully installed" im Output vorkommt
+if echo "$UPDATE_OUT" | grep -q "Successfully installed"; then
+    # Neues Update wurde gefunden und installiert! Dienst neu starten:
+    systemctl restart olefy
+    # Einen sauberen Eintrag ins System-Log (syslog) schreiben
+    logger -t oletools-updater "Neues Oletools Update via APT-Hook installiert. Olefy Dienst neu gestartet."
+fi
+
+# Immer erfolgreich beenden (Exit Code 0), damit apt niemals blockiert wird
+exit 0
+EOF
+
+# Skript ausführbar machen
+chmod +x /usr/local/bin/apt-hook-oletools.sh
+
+# apt hook
+cat << EOF > /etc/apt/apt.conf.d/99oletools-update
+# Automatisches Update von Oletools nach jedem dpkg-Lauf
+DPkg::Post-Invoke { "/usr/local/bin/apt-hook-oletools.sh || true"; };
+EOF
+
+# download ollama
+curl -fsSL https://ollama.com/install.sh | bash 2>/dev/null
+
+# konfiguriere ollama, dass llm dauerhaft geladen bleibt
+mkdir -p /etc/systemd/system/ollama.service.d
+cat << 'EOF' > /etc/systemd/system/ollama.service.d/override.conf
+[Service]
+Environment="OLLAMA_KEEP_ALIVE=-1"
+EOF
+
+# qwen3 llm herunterladen
+ollama pull $LLM
+
+# ollama qwen3 preload service erstellen
+cat << EOF > /etc/systemd/system/ollama-preload.service
+[Unit]
+Description=Preload Qwen3 Model into Ollama
+After=ollama.service
+Requires=ollama.service
+
+[Service]
+Type=oneshot
+# Warteschleife: Prüfe im Sekundentakt, ob die API erreichbar ist, bevor wir weitermachen
+ExecStartPre=/bin/bash -c 'until curl -s http://127.0.0.1:11434/ > /dev/null; do sleep 1; done'
+# Erst wenn der Port antwortet, laden wir das Modell
+ExecStart=/usr/bin/curl -s -X POST http://127.0.0.1:11434/api/generate -d '{"model": "$LLM", "keep_alive": -1}'
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# milter socket für rspamd konfigurieren
+cat << EOF > /etc/rspamd/local.d/worker-proxy.inc
+# Lausche auf allen Schnittstellen (für das PMG)
+bind_socket = "${LXC_IP%/*}:11332";
+# Aktiviere explizit das Milter-Protokoll
+milter = yes;
+EOF
+
+# rspamd an redis anbinden
+cat << 'EOF' > /etc/rspamd/local.d/redis.conf
+servers = "127.0.0.1";
+write_servers = "127.0.0.1";
+EOF
+
+# lua script for llm integration
+cat << EOF > /etc/rspamd/lua.local.d/ollama_ai.lua
+local logger = require "rspamd_logger"
+local http = require "rspamd_http"
+local ucl = require "ucl"
+
+local function ollama_check(task)
+    logger.errx(task, "KI-Check: ANALYSE START (Llama-3.1-8B)")
+    
+    local text_parts = task:get_text_parts()
+    local email_text = ""
+    
+    if text_parts then
+        for _, part in ipairs(text_parts) do
+            email_text = email_text .. tostring(part:get_content() or "")
+        end
+    end
+
+    -- Abbruch bei zu kurzen Mails
+    if #email_text < 15 then 
+        logger.errx(task, "KI-Check: Text zu kurz für Analyse")
+        return 
+    end
+
+    local req_data = {
+      model = "$LLM",
+      messages = {
+        {
+          role = "system",
+          content = "You are a cybersecurity analyst. Score the following email for fraud/phishing from 0 to 10. Output ONLY the integer number."
+        },
+        {
+          role = "user",
+          content = "Rate this content: " .. string.sub(email_text, 1, 1000)
+        }
+      },
+      stream = false,
+      options = {
+        num_predict = 5,
+        temperature = 0.0
+      }
+    }
+
+    http.request({
+      task = task,
+      url = 'http://127.0.0.1:11434/api/chat',
+      body = ucl.to_format(req_data, 'json'),
+      timeout = 25.0,
+      callback = function(err, code, body, headers)
+        -- Falls der Dienst nicht erreichbar ist
+        if err or code ~= 200 then
+            logger.errx(task, "KI-Check: Ollama API Fehler oder Timeout")
+            return 
+        end
+
+        local parser = ucl.parser()
+        local res, _ = parser:parse_string(body)
+        if res then
+            local data = parser:get_object()
+            local reply = data.message and data.message.content or ""
+            local score_num = reply:match("%d+")
+            
+            if score_num then
+                local score = tonumber(score_num)
+                logger.errx(task, "KI-Check: Ergebnis erhalten: %s/10", score)
+                
+                -- 1. Header: Basis-Info (Wird immer gesetzt, wenn KI geantwortet hat)
+                task:set_milter_reply({
+                    ['add_header'] = {['X-AI-Scanner'] = 'Llama-3.1-8B-Verified'}
+                })
+
+                -- 2. Header & Symbol: Nur bei Verdacht (Score >= 7)
+                if score >= 7 then
+                    task:insert_result('OLLAMA_LLM_FRAUD', 1.0, "Score " .. score .. "/10")
+                    task:set_milter_reply({
+                        ['add_header'] = {['X-AI-Fraud-Rating'] = tostring(score) .. '/10'}
+                    })
+                    logger.errx(task, "KI-Check: Symbol und Header gesetzt (Betrugsverdacht)")
+                end
+            end
+        end
+      end
+    })
+end
+
+rspamd_config:register_symbol({
+  name = 'OLLAMA_LLM_FRAUD',
+  callback = ollama_check,
+  flags = 'async',
+  score = 6.0,
+  description = 'AI-based fraud detection using Llama-3.1-8B'
+})
+EOF
+
+# dns resolver konfigurieren
+cat << 'EOF' > /etc/rspamd/local.d/options.inc
+dns {
+    nameserver = ["127.0.0.1"];
+}
+
+# Basis-Regeln, die immer gelten müssen
+local_addrs = "127.0.0.1";
+local_addrs = "::1";
+
+task_timeout = 59s;
+
+# Lade alle Server-spezifischen Dateien (*.conf)
+.include(try=true,glob=true) "$LOCAL_CONFDIR/local_addrs.d/*.conf"
+EOF
+
+PWHASH=$(rspamadm pw --password "$RSPAMD_PASSWORD")
+cat << EOF > /etc/rspamd/local.d/worker-controller.inc
+
+bind_socket = "127.0.0.1:11334";
+password = "$PWHASH"; 
+
+# Basis-Regeln (LXC-interner Zugriff)
+secure_ip = "127.0.0.1";
+secure_ip = "::1";
+secure_ip = "${LXC_IP%/*}";
+
+# Lade alle Server-spezifischen Dateien (*.conf)
+.include(try=true,glob=true) "\$LOCAL_CONFDIR/secure_ips.d/*.conf"
+EOF
+
+cat << EOF > /etc/rspamd/local.d/actions.conf
+# Alle Aktionen, die normalerweise ablehnen würden, auf null setzen
+reject = null;      # Niemals ablehnen
+add_header = 6.0;   # Ab diesem Score den X-Spam-Header setzen
+greylist = null;    # Greylisting deaktivieren (macht PMG schon besser)
+rewrite_subject = null;
+EOF
+
+cat << EOF > /etc/rspamd/local.d/milter_headers.conf
+# Diese Header werden für jede Mail geschrieben
+use = ["spam-header", "symbols", "score"];
+
+header_names {
+    "spam-header" = "X-Spam-Flag";
+    "symbols" = "X-Rspamd-Symbols";
+    "score" = "X-Rspamd-Score";
+}
+
+# Fügt den Score immer hinzu, egal wie hoch er ist
+skip_local = false;
+extended_symbols = true;
+EOF
+
+# oletools aktivieren
+cat << 'EOF' > /etc/rspamd/local.d/oletools.conf
+enabled = true;
+servers = "127.0.0.1:10050"; # Standard-Port von olefy
+EOF
+
+# learning aktivieren
+cat << 'EOF' > /etc/rspamd/local.d/classifier-ham-spam.conf
+# Nutze Redis als Backend für gelerntes Wissen
+backend = "redis";
+# Erlaube das Lernen (wichtig für deine Mailcows!)
+autolearn = true;
+EOF
+
+# betreffzeilen anzeigen
+cat << 'EOF' > /etc/rspamd/local.d/history_redis.conf
+# Speichere die letzten Mail-Logs in Redis für die WebUI
+subject_privacy = false; # Zeigt Betreffzeilen im Dashboard an (hilfreich für MSPs)
+EOF
+
+# set include for local modules
+cat << 'EOF' > /etc/rspamd/local.d/groups.conf
+# Lade alle Symbol-Definitionen aus dem scores.d Verzeichnis
+.include(try=true,glob=true) "$LOCAL_CONFDIR/scores.d/*.conf"
+EOF
+
+# create folder for trusted addresses
+mkdir -p /etc/rspamd/local.d/local_addrs.d
+mkdir -p /etc/rspamd/local.d/secure_ips.d
+
+# persistenz in redis aktivieren
+sed -i 's/appendonly no/appendonly yes/g' /etc/redis/redis.conf
+sed -i 's/^#\? \?appendfsync .*/appendfsync everysec/g' /etc/redis/redis.conf
+
+# nginx konfigurieren
+mkdir -p /etc/nginx/ssl
+
+# Symlinks auf Snakeoil (Pfade ggf. anpassen, falls ssl-cert nicht installiert ist)
+ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/fullchain.pem
+ln -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem
+
+# Starke Diffie-Hellman Parameter generieren (wichtig!)
+openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
+
+# generiere config
+cat << EOF > /etc/nginx/sites-available/rspamd_proxy
+# HTTP - Redirect auf HTTPS
+server {
+    listen 80;
+    listen [::]:80;
+    server_name $LXC_HOSTNAME.$LXC_DOMAIN;
+    return 301 https://\$host\$request_uri;
+}
+
+# HTTPS - Sicherer Proxy
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name $LXC_HOSTNAME.$LXC_DOMAIN;
+
+    # Zertifikate
+    ssl_certificate /etc/nginx/ssl/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
+    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+    # TLS Sicherheit nach Stand der Technik (Modern)
+    ssl_protocols TLSv1.3; # TLS 1.2 entfernt für maximale Sicherheit
+    ssl_prefer_server_ciphers off;
+
+    # Security Headers
+    add_header Strict-Transport-Security "max-age=63072000" always;
+    add_header X-Frame-Options DENY;
+    add_header X-Content-Type-Options nosniff;
+    add_header X-XSS-Protection "1; mode=block";
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;";
+
+    # Proxy-Einstellungen
+    location / {
+        proxy_pass http://127.0.0.1:11334; # Dein Rspamd Controller/UI
+        proxy_set_header Host \$host;
+        proxy_set_header X-Real-IP \$remote_addr;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto \$scheme;
+
+        # Wichtig für lange KI-Analysen
+        proxy_read_timeout 120s;
+        proxy_connect_timeout 120s;
+
+        # Optional: Zusätzlicher Schutz auf Nginx-Ebene
+        # allow 1.2.3.4; # Deine Admin IP
+        # deny all;
+    }
+}
+EOF
+ln -s /etc/nginx/sites-available/rspamd_proxy /etc/nginx/sites-enabled/
+nginx -t
+
+# dienste aktivieren
+systemctl daemon-reload
+systemctl enable --now unbound olefy ollama ollama-preload.service
+systemctl restart redis-server rspamd nginx
+
+echo "Your rspamd instance setup is finished!"
+echo "Please visit http://${LXC_IP%/*}:11334/"
+echo "rspamd password is: $RSPAMD_PASSWORD"
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-13-standard"
+
+# Create sharefs mountpoint
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="128K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Backup ubdir where Urbackup will store backups
+PBS_DATA="backup"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="backup"
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+#### Set repo and install onlyoffice ####
+inst_pbs() {
+    apt_repo "proxmox" "https://enterprise.proxmox.com/debian/proxmox-release-trixie.gpg" "http://download.proxmox.com/debian/pbs" "trixie" "pbs-no-subscription"
+apt update && apt upgrade -y
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" proxmox-backup-server
+}
+
+inst_pbs
+
+proxmox-backup-manager datastore create $PBS_DATA /$LXC_SHAREFS_MOUNTPOINT/$PBS_DATA
+
+systemctl disable --now zfs-mount.service zfs-share.service
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-13-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+
+# Defines the IP from the SQL server
+REI3_DB_IP="127.0.0.1"
+
+# Defines the PORT from the SQL server
+REI3_DB_PORT="5432"
+
+# Defines the name from the SQL database
+REI3_DB_NAME="app"
+
+# Defines the name from the SQL user
+REI3_DB_USR="rei3"
+
+# Build a strong password for the SQL user - could be overwritten with something fixed
+REI3_DB_PWD="$(random_password)"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=4096
+
+# service dependent meta tags
+SERVICE_TAGS="postgresql"
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+set -euo pipefail
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+mkdir /opt/rei3
+wget -c https://rei3.de/latest/x64_linux -O - | tar -zx -C /opt/rei3
+
+inst_postgresql
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends imagemagick ghostscript
+
+timedatectl set-timezone ${LXC_TIMEZONE}
+
+systemctl enable --now postgresql
+
+su - postgres <<EOF
+psql -c "CREATE USER ${REI3_DB_USR} WITH PASSWORD '${REI3_DB_PWD}';"
+psql -c "CREATE DATABASE ${REI3_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${REI3_DB_USR};"
+psql -c "GRANT ALL PRIVILEGES ON DATABASE ${REI3_DB_NAME} TO ${REI3_DB_USR};"
+echo "Postgres User ${REI3_DB_USR} and database ${REI3_DB_NAME} created."
+EOF
+
+cp /opt/rei3/config_template.json /opt/rei3/config.json
+chmod u+x /opt/rei3/r3
+
+sed -i 's/"user": "app",/"user": "'${REI3_DB_USR}'",/g' /opt/rei3/config.json 
+sed -i 's/"pass": "app",/"pass": "'${REI3_DB_PWD}'",/g' /opt/rei3/config.json 
+
+/opt/rei3/r3 -install
+#/opt/rei/r3 -newadmin
+systemctl start rei3
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-13-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=2048
+
+# service dependent meta tags
+SERVICE_TAGS="mongodb-server,java"
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+inst_unifi() {
+    apt_repo "unifi" "https://dl.ubnt.com/unifi/unifi-repo.gpg" "http://www.ui.com/downloads/unifi/debian" "stable" "ubiquiti"
+    apt update 
+    DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends unifi
+}
+
+inst_mongodb
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq default-jre-headless
+
+inst_unifi
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-13-standard"
+
+# Create sharefs mountpoint
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="128K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Backup ubdir where Urbackup will store backups
+URBACKUP_DATA="urbackup"
+
+# OS codename for opensuse / urbackup repo
+REPO_CODENAME="Debian_13"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="nginx"
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+set -euo pipefail
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+set -euo pipefail
+
+mkdir -p /$LXC_SHAREFS_MOUNTPOINT/tmp
+mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$URBACKUP_DATA
+mkdir -p /etc/urbackup
+echo "/$LXC_SHAREFS_MOUNTPOINT/$URBACKUP_DATA" > /etc/urbackup/backupfolder
+
+echo "deb http://download.opensuse.org/repositories/home:/uroni/$REPO_CODENAME/ /" | tee /etc/apt/sources.list.d/urbackup.list
+curl -fsSL https://download.opensuse.org/repositories/home:uroni/$REPO_CODENAME/Release.key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/home_uroni.gpg > /dev/null
+
+apt update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y --no-install-recommends -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" ssl-cert urbackup-server nginx
+
+install -d -m 0750 -o root -g root /etc/nginx/ssl
+ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/fullchain.pem
+ln -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem
+
+ln -s /usr/share/urbackup/www /var/www/urbackup
+
+cat << EOF > /etc/nginx/sites-available/default
+server {
+    listen 80;
+    listen [::]:80;
+    server_name _;
+
+    return 301 https://$LXC_HOSTNAME.$LXC_DOMAIN;
+}
+
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name $LXC_HOSTNAME.$LXC_DOMAIN;
+
+    root /var/www/urbackup;
+
+    index index.htm;
+
+    ssl_certificate /etc/nginx/ssl/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
+
+    location /x {
+        include /etc/nginx/fastcgi_params;
+        fastcgi_pass 127.0.0.1:55413;
+    }
+}
+
+EOF
+
+sed -i "s/DAEMON_TMPDIR=\"\/tmp\"/DAEMON_TMPDIR=\"\/$LXC_SHAREFS_MOUNTPOINT\/tmp\"/g" /etc/default/urbackupsrv
+sed -i "s/HTTP_SERVER=\"true\"/HTTP_SERVER=\"false\"/g" /etc/default/urbackupsrv
+chown urbackup:urbackup /$LXC_SHAREFS_MOUNTPOINT/tmp
+chown urbackup:urbackup /$LXC_SHAREFS_MOUNTPOINT/$URBACKUP_DATA
+
+systemctl restart urbackupsrv nginx
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-13-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Defines the name from the SQL database
+VAULTWARDEN_DB_NAME="vaultwarden"
+
+# Defines the name from the SQL user
+VAULTWARDEN_DB_USR="vaultwarden"
+
+# Build a strong password for the SQL user - could be overwritten with something fixed
+VAULTWARDEN_DB_PWD="$(random_password)"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="nginx,postgresql"
@@ -0,0 +1,170 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+set -euo pipefail
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+admin_token=$(openssl rand -base64 48)
+
+inst_postgresql 
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq nginx git ssl-cert
+
+systemctl enable --now postgresql
+
+wget https://raw.githubusercontent.com/jjlin/docker-image-extract/main/docker-image-extract
+chmod +x docker-image-extract
+./docker-image-extract vaultwarden/server:alpine
+mkdir -p /opt/vaultwarden
+mkdir -p /var/lib/vaultwarden/data
+useradd vaultwarden
+chown -R vaultwarden:vaultwarden /var/lib/vaultwarden
+mv output/vaultwarden /opt/vaultwarden
+mv output/web-vault /var/lib/vaultwarden/
+rm -Rf output
+rm -Rf docker-image-extract
+
+su - postgres <<EOF
+psql -c "CREATE USER ${VAULTWARDEN_DB_USR} WITH PASSWORD '${VAULTWARDEN_DB_PWD}';"
+psql -c "CREATE DATABASE ${VAULTWARDEN_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${VAULTWARDEN_DB_USR};"
+echo "Postgres User ${VAULTWARDEN_DB_USR} and database ${VAULTWARDEN_DB_NAME} created."
+EOF
+
+cat << EOF > /var/lib/vaultwarden/.env
+DATABASE_URL=postgresql://vaultwarden:${VAULTWARDEN_DB_PWD}@localhost:5432/vaultwarden
+DOMAIN=https://${LXC_HOSTNAME}.${LXC_DOMAIN}
+ORG_CREATION_USERS=admin@$LXC_DOMAIN
+# Use `openssl rand -base64 48` to generate
+ADMIN_TOKEN=$admin_token
+# Uncomment this once vaults restored
+SIGNUPS_ALLOWED=$VW_SIGNUPS_ALLOWED
+SMTP_HOST=$VW_SMTP_HOST
+SMTP_FROM=$VW_SMTP_FROM
+SMTP_FROM_NAME="$VW_SMTP_FROM_NAME"
+SMTP_PORT=$VW_SMTP_PORT          # Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 is outdated and us>
+SMTP_SSL=$VW_SMTP_SSL          # (Explicit) - This variable by default configures Explicit STARTTLS, it will upgrade an insecure connection to a secure one. Unless SMTP_EXPLICIT_>
+SMTP_EXPLICIT_TLS=$VW_SMTP_EXPLICIT_TLS # (Implicit) - N.B. This variable configures Implicit TLS. It's currently mislabelled (see bug #851) - SMTP_SSL Needs to be set to true for this o>
+SMTP_USERNAME=$VW_SMTP_USERNAME
+SMTP_PASSWORD=$VW_SMTP_PASSWORD
+SMTP_TIMEOUT=15
+EOF
+
+cat << EOF > /etc/systemd/system/vaultwarden.service
+[Unit]
+Description=Bitwarden Server (Rust Edition)
+Documentation=https://github.com/dani-garcia/vaultwarden
+After=network.target
+
+[Service]
+User=vaultwarden
+Group=vaultwarden
+EnvironmentFile=/var/lib/vaultwarden/.env
+ExecStart=/opt/vaultwarden/vaultwarden
+LimitNOFILE=1048576
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+ProtectSystem=strict
+WorkingDirectory=/var/lib/vaultwarden
+ReadWriteDirectories=/var/lib/vaultwarden
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat << EOF > /etc/apt/apt.conf.d/80-vaultwarden-apt-hook
+DPkg::Post-Invoke {"/var/lib/vaultwarden/update.sh";};
+EOF
+
+cat << EOF > /var/lib/vaultwarden/update.sh
+PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
+wget https://raw.githubusercontent.com/jjlin/docker-image-extract/main/docker-image-extract
+chmod +x docker-image-extract
+./docker-image-extract vaultwarden/server:alpine
+mv output/vaultwarden /opt/vaultwarden
+systemctl stop vaultwarden.service
+cp -rlf output/web-vault /var/lib/vaultwarden/
+rm -Rf output
+rm -Rf docker-image-extract
+systemctl start vaultwarden.service
+EOF
+
+chmod +x /etc/apt/apt.conf.d/80-vaultwarden-apt-hook
+chmod +x /var/lib/vaultwarden/update.sh
+
+cat << EOF > /etc/nginx/conf.d/default.conf
+server {
+    listen 80;
+    listen [::]:80;
+    server_name _;
+    
+    server_tokens off;
+
+    access_log /var/log/nginx/vaultwarden.access.log;
+    error_log /var/log/nginx/vaultwarden.error.log;
+
+    location /.well-known/ {
+        root /var/www/html;
+    }
+
+    return 301 https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};
+    
+    server_tokens off;
+    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+
+    ssl_protocols TLSv1.3 TLSv1.2;
+    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
+    ssl_dhparam /etc/nginx/dhparam.pem;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 180m;
+
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    resolver 1.1.1.1 1.0.0.1;
+
+    add_header Strict-Transport-Security "max-age=31536000" always;
+
+    access_log /var/log/nginx/vaultwarden.access.log;
+    error_log  /var/log/nginx/vaultwarden.error.log;
+
+    client_max_body_size 50M;
+
+    location / {
+        proxy_set_header X-Real-IP \$remote_addr;
+        proxy_set_header Host \$host;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_pass http://127.0.0.1:8000;
+        proxy_read_timeout 90;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade \$http_upgrade;
+        proxy_set_header Connection "upgrade";
+    }
+}
+
+EOF
+
+generate_dhparam
+
+unlink /etc/nginx/sites-enabled/default
+
+systemctl daemon-reload
+systemctl enable --now vaultwarden
+systemctl restart nginx
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-13-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="var/lib/opensearch"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=8192
+
+# service dependent meta tags
+SERVICE_TAGS="opensearch"
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# Author:
+# (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
+
+set -euo pipefail
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+WAZUH_VERSION=4.14
+REG_PASS=$(random_password)
+
+curl -sO https://packages.wazuh.com/$WAZUH_VERSION/wazuh-install.sh && sudo bash ./wazuh-install.sh -a -i 2>/dev/null
+
+
+sed -i "s|<use_password>no</use_password>|<use_password>yes</use_password>|" /var/ossec/etc/ossec.conf
+echo "$REG_PASS" > /var/ossec/etc/authd.pass
+chmod 640 /var/ossec/etc/authd.pass
+chown root:wazuh /var/ossec/etc/authd.pass
+systemctl restart wazuh-manager
+
+echo "Please use the following password for agent registration: $REG_PASS"
@@ -0,0 +1,52 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-13-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="data"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+
+# Defines the IP from the SQL server
+ZABBIX_DB_IP="127.0.0.1"
+
+# Defines the PORT from the SQL server
+ZABBIX_DB_PORT="5432"
+
+# Defines the name from the SQL database
+ZABBIX_DB_NAME="zabbix_proxy"
+
+# Defines the name from the SQL user
+ZABBIX_DB_USR="zabbix"
+
+# Build a strong password for the SQL user - could be overwritten with something fixed
+ZABBIX_DB_PWD="$(random_password)"
+
+ZABBIX_VERSION=7.4 #zabbix 7 beta
+POSTGRES_VERSION=18 #postgres repo, latest release (2024-05-13) 
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=4096
+
+# service dependent meta tags
+SERVICE_TAGS="php-fpm,nginx,postgresql"
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+set -euo pipefail
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+apt_repo "zabbix" "https://repo.zabbix.com/zabbix-official-repo.key" "https://repo.zabbix.com/zabbix/${ZABBIX_VERSION}/stable/debian/" "$(lsb_release -cs)" "main"
+
+apt update
+
+inst_postgresql $POSTGRES_VERSION
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends zabbix-proxy-pgsql zabbix-sql-scripts zabbix-agent2 zabbix-agent2-plugin-* ssl-cert
+
+timedatectl set-timezone ${LXC_TIMEZONE}
+
+systemctl enable --now postgresql
+
+su - postgres <<EOF
+psql -c "CREATE USER ${ZABBIX_DB_USR} WITH PASSWORD '${ZABBIX_DB_PWD}';"
+psql -c "CREATE DATABASE ${ZABBIX_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${ZABBIX_DB_USR};"
+echo "Postgres User ${ZABBIX_DB_USR} and database ${ZABBIX_DB_NAME} created."
+EOF
+
+cat /usr/share/zabbix/sql-scripts/postgresql/proxy.sql | sudo -u zabbix psql ${ZABBIX_DB_NAME}
+
+echo "DBPassword=${ZABBIX_DB_PWD}" >> /etc/zabbix/zabbix_proxy.conf
+
+srv=$(grep -E "^Server" /etc/zabbix/zabbix_proxy.conf)
+sed -i "s/$srv/Server=${ZBX_ADDR}/g" /etc/zabbix/zabbix_proxy.conf
+sed -i "s/# ListenPort=/ListenPort=/g" /etc/zabbix/zabbix_proxy.conf
+sed -i "s/Hostname=Zabbix proxy/Hostname=${LXC_HOSTNAME}.${LXC_DOMAIN}/g" /etc/zabbix/zabbix_proxy.conf
+
+mkdir -p /var/lib/zabbix
+chown -R zabbix:zabbix /var/lib/zabbix/
+chmod 700 /var/lib/zabbix/
+
+
+psk=$(openssl rand -hex 32)
+echo "$psk" > /var/lib/zabbix/proxy.psk
+chown zabbix:zabbix /var/lib/zabbix/proxy.psk
+chmod 600 /var/lib/zabbix/proxy.psk
+
+sed -i "s/# TLSConnect=unencrypted/TLSConnect=psk/g" /etc/zabbix/zabbix_proxy.conf
+sed -i "s/# TLSAccept=unencrypted/TLSAccept=psk/g" /etc/zabbix/zabbix_proxy.conf
+sed -i "s/# TLSPSKIdentity=/TLSPSKIdentity=${LXC_HOSTNAME}.${LXC_DOMAIN}/g" /etc/zabbix/zabbix_proxy.conf
+sed -i "s|# TLSPSKFile=|TLSPSKFile=/var/lib/zabbix/proxy.psk|g" /etc/zabbix/zabbix_proxy.conf
+
+mv /etc/zabbix/zabbix_agent2.d/plugins.d/nvidia.conf  /etc/zabbix/zabbix_agent2.d/plugins.d/nvidia.off
+
+systemctl enable zabbix-proxy zabbix-agent2
+
+systemctl restart zabbix-proxy zabbix-agent2 
+
+echo -e "Installation of zabbix-proxy finished."
+echo -e "\nPlease register the Proxy on yout zabbix server with following data:"
+echo -e "Proxy name:\t${LXC_HOSTNAME}.${LXC_DOMAIN}"
+echo -e "Proxy mode: Active"
+echo -e "Proxy address:\t$(ip a s dev eth0 | grep -m1 inet | cut -d ' ' -f6 | cut -d'/' -f1)"
+echo -e "Encryption:\tPSK"
+echo -e "PSK identity:\t${LXC_HOSTNAME}.${LXC_DOMAIN}"
+echo -e "PSK:\t\t${psk}"
@@ -0,0 +1,54 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-13-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="data"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+
+# Defines the IP from the SQL server
+ZABBIX_DB_IP="127.0.0.1"
+
+# Defines the PORT from the SQL server
+ZABBIX_DB_PORT="5432"
+
+# Defines the name from the SQL database
+ZABBIX_DB_NAME="zabbix"
+
+# Defines the name from the SQL user
+ZABBIX_DB_USR="zabbix"
+
+# Build a strong password for the SQL user - could be overwritten with something fixed
+ZABBIX_DB_PWD="$(random_password)"
+
+ZABBIX_VERSION=7.4 #zabbix 7 beta
+POSTGRES_VERSION=18 #postgres repo, latest release (2024-05-13) 
+PHP_VERSION=8.4 # debian 12 default
+TS_VERSION=2.23.0 # currently latest by zabbix supported version of timescaledb (2024-05-13)
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=4096
+
+# service dependent meta tags
+SERVICE_TAGS="php-fpm,nginx,postgresql"
@@ -0,0 +1,239 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+set -euo pipefail
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+apt_repo "zabbix" "https://repo.zabbix.com/zabbix-official-repo.key" "https://repo.zabbix.com/zabbix/${ZABBIX_VERSION}/stable/debian/" "$(lsb_release -cs)" "main"
+apt_repo "timescaledb" "https://packagecloud.io/timescale/timescaledb/gpgkey" "https://packagecloud.io/timescale/timescaledb/debian/" "$(lsb_release -cs)" "main"
+inst_postgresql ${POSTGRES_VERSION}
+inst_php pgsql,fpm $PHP_VERSION
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install --no-install-recommends timescaledb-2-oss-$TS_VERSION-postgresql-$POSTGRES_VERSION timescaledb-tools nginx  zabbix-server-pgsql zabbix-frontend-php zabbix-nginx-conf zabbix-sql-scripts zabbix-agent2 zabbix-agent2-plugin-* ssl-cert
+
+unlink /etc/nginx/sites-enabled/default
+
+cat << EOF > /etc/zabbix/nginx.conf
+server {
+        listen          80 default_server;
+        listen          [::]:80 default_server;
+        server_name _;
+
+        server_tokens off;
+
+        access_log /var/log/nginx/zabbix.access.log;
+        error_log /var/log/nginx/zabbix.error.log;
+
+        location /.well-known/ {
+        }
+
+        return 301 https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri;
+        }
+
+server {
+        listen 443 ssl http2 default_server;
+        listen [::]:443 ssl http2 default_server;
+
+        server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};
+
+        server_tokens off;
+        ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+        ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+
+        ssl_protocols TLSv1.3 TLSv1.2;
+        ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
+        ssl_dhparam /etc/nginx/dhparam.pem;
+        ssl_prefer_server_ciphers on;
+        ssl_session_cache shared:SSL:10m;
+        ssl_session_timeout 180m;
+
+        ssl_stapling on;
+        ssl_stapling_verify on;
+
+        resolver 1.1.1.1 1.0.0.1;
+
+        add_header Strict-Transport-Security "max-age=31536000" always;
+
+        root    /usr/share/zabbix;
+
+        index   index.php;
+
+        location = /favicon.ico {
+                log_not_found   off;
+        }
+
+        location / {
+                try_files       \$uri \$uri/ =404;
+        }
+
+        location /assets {
+                access_log      off;
+                expires         10d;
+        }
+
+        location ~ /\.ht {
+                deny            all;
+        }
+
+        location ~ /(api\/|conf[^\.]|include|locale) {
+                deny            all;
+                return          404;
+        }
+
+        location /vendor {
+                deny            all;
+                return          404;
+        }
+
+        location ~ [^/]\.php(/|$) {
+                fastcgi_pass    unix:/var/run/php/zabbix.sock;
+                fastcgi_split_path_info ^(.+\.php)(/.+)$;
+                fastcgi_index   index.php;
+
+                fastcgi_param   DOCUMENT_ROOT   /usr/share/zabbix;
+                fastcgi_param   SCRIPT_FILENAME /usr/share/zabbix\$fastcgi_script_name;
+                fastcgi_param   PATH_TRANSLATED /usr/share/zabbix\$fastcgi_script_name;
+
+                include fastcgi_params;
+                fastcgi_param   QUERY_STRING    \$query_string;
+                fastcgi_param   REQUEST_METHOD  \$request_method;
+                fastcgi_param   CONTENT_TYPE    \$content_type;
+                fastcgi_param   CONTENT_LENGTH  \$content_length;
+
+                fastcgi_intercept_errors        on;
+                fastcgi_ignore_client_abort     off;
+                fastcgi_connect_timeout         60;
+                fastcgi_send_timeout            180;
+                fastcgi_read_timeout            180;
+                fastcgi_buffer_size             128k;
+                fastcgi_buffers                 4 256k;
+                fastcgi_busy_buffers_size       256k;
+                fastcgi_temp_file_write_size    256k;
+        }
+}
+EOF
+
+cat << EOF > /etc/php/$PHP_VERSION/fpm/pool.d/zabbix-php-fpm.conf
+[zabbix]
+user = www-data
+group = www-data
+
+listen = /var/run/php/zabbix.sock
+listen.owner = www-data
+listen.allowed_clients = 127.0.0.1
+
+pm = dynamic
+pm.max_children = 50
+pm.start_servers = 5
+pm.min_spare_servers = 5
+pm.max_spare_servers = 35
+pm.max_requests = 200
+
+php_value[session.save_handler] = files
+php_value[session.save_path]    = /var/lib/php/sessions/
+
+php_value[max_execution_time] = 300
+php_value[memory_limit] = 128M
+php_value[post_max_size] = 16M
+php_value[upload_max_filesize] = 2M
+php_value[max_input_time] = 300
+php_value[max_input_vars] = 10000
+EOF
+
+cat << EOF > /etc/zabbix/web/zabbix.conf.php 
+<?php
+// Zabbix GUI configuration file.
+
+\$DB['TYPE']				= 'POSTGRESQL';
+\$DB['SERVER']			= 'localhost';
+\$DB['PORT']				= '0';
+\$DB['DATABASE']			= '${ZABBIX_DB_NAME}';
+\$DB['USER']				= '${ZABBIX_DB_USR}';
+\$DB['PASSWORD']			= '${ZABBIX_DB_PWD}';
+
+// Schema name. Used for PostgreSQL.
+\$DB['SCHEMA']			= '';
+
+// Used for TLS connection.
+\$DB['ENCRYPTION']		= true;
+\$DB['KEY_FILE']			= '';
+\$DB['CERT_FILE']		= '';
+\$DB['CA_FILE']			= '';
+\$DB['VERIFY_HOST']		= false;
+\$DB['CIPHER_LIST']		= '';
+
+// Vault configuration. Used if database credentials are stored in Vault secrets manager.
+\$DB['VAULT_URL']		= '';
+\$DB['VAULT_DB_PATH']	= '';
+\$DB['VAULT_TOKEN']		= '';
+
+// Use IEEE754 compatible value range for 64-bit Numeric (float) history values.
+// This option is enabled by default for new Zabbix installations.
+// For upgraded installations, please read database upgrade notes before enabling this option.
+\$DB['DOUBLE_IEEE754']	= true;
+
+// Uncomment and set to desired values to override Zabbix hostname/IP and port.
+// \$ZBX_SERVER			= '';
+// \$ZBX_SERVER_PORT		= '';
+
+\$ZBX_SERVER_NAME		= '${LXC_HOSTNAME}';
+
+\$IMAGE_FORMAT_DEFAULT	= IMAGE_FORMAT_PNG;
+
+// Uncomment this block only if you are using Elasticsearch.
+// Elasticsearch url (can be string if same url is used for all types).
+//\$HISTORY['url'] = [
+//	'uint' => 'http://localhost:9200',
+//	'text' => 'http://localhost:9200'
+//];
+// Value types stored in Elasticsearch.
+//\$HISTORY['types'] = ['uint', 'text'];
+
+// Used for SAML authentication.
+// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings.
+//\$SSO['SP_KEY']			= 'conf/certs/sp.key';
+//\$SSO['SP_CERT']			= 'conf/certs/sp.crt';
+//\$SSO['IDP_CERT']		= 'conf/certs/idp.crt';
+//\$SSO['SETTINGS']		= [];
+EOF
+
+timedatectl set-timezone ${LXC_TIMEZONE}
+
+systemctl enable --now postgresql
+
+su - postgres <<EOF
+psql -c "CREATE USER ${ZABBIX_DB_USR} WITH PASSWORD '${ZABBIX_DB_PWD}';"
+psql -c "CREATE DATABASE ${ZABBIX_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${ZABBIX_DB_USR};"
+echo "Postgres User ${ZABBIX_DB_USR} and database ${ZABBIX_DB_NAME} created."
+EOF
+
+#sed -i "s/false/true/g" /usr/share/zabbix/include/locales.inc.php
+
+zcat /usr/share/zabbix/sql-scripts/postgresql/server.sql.gz | sudo -u zabbix psql ${ZABBIX_DB_NAME}
+
+timescaledb-tune --quiet --yes >> /etc/postgresql/$POSTGRES_VERSION/main/postgresql.conf
+
+systemctl restart postgresql
+
+echo "CREATE EXTENSION IF NOT EXISTS timescaledb CASCADE;" | sudo -u postgres psql zabbix
+cat /usr/share/zabbix/sql-scripts/postgresql/timescaledb/schema.sql | sudo -u zabbix psql ${ZABBIX_DB_NAME}
+
+echo "DBPassword=${ZABBIX_DB_PWD}" >> /etc/zabbix/zabbix_server.d/dbpassword.conf
+
+mv /etc/zabbix/zabbix_agent2.d/plugins.d/nvidia.conf  /etc/zabbix/zabbix_agent2.d/plugins.d/nvidia.off
+
+generate_dhparam
+
+systemctl enable nginx php$PHP_VERSION-fpm zabbix-server zabbix-agent2 
+
+systemctl restart nginx php$PHP_VERSION-fpm zabbix-server zabbix-agent2 > /dev/null 2>&1
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-13-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=4096
+
+# service dependent meta tags
+SERVICE_TAGS="nginx,postgresql,elasticsearch"
@@ -0,0 +1,66 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+set -euo pipefail
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+curl -fsSL https://dl.packager.io/srv/zammad/zammad/key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/pkgr-zammad.gpg > /dev/null
+curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --dearmor | tee /etc/apt/trusted.gpg.d/elasticsearch.gpg> /dev/null
+echo "deb [signed-by=/etc/apt/trusted.gpg.d/elasticsearch.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main"| tee -a /etc/apt/sources.list.d/elastic-7.x.list > /dev/null
+echo "deb [signed-by=/etc/apt/trusted.gpg.d/pkgr-zammad.gpg] https://dl.packager.io/srv/deb/zammad/zammad/stable/debian 12 main"| tee /etc/apt/sources.list.d/zammad.list > /dev/null
+
+apt update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ssl-cert nginx-full postgresql zammad
+
+
+# Java set startup environment 
+mkdir -p /etc/elasticsearch/jvm.options.d
+cat << EOF >>/etc/elasticsearch/jvm.options.d/msmx-size.options
+# INFO: https://www.elastic.co/guide/en/elasticsearch/reference/master/advanced-configuration.html#set-jvm-heap-size
+# max 50% of total RAM - 2G Ram then set Xms and Xmx 1g
+-Xms1g
+-Xmx1g
+EOF
+
+# configure nginx
+generate_dhparam
+
+unlink /etc/nginx/sites-enabled/default
+unlink /etc/nginx/sites-enabled/zammad.conf
+
+mkdir -p /etc/nginx/ssl
+ln -sf /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/fullchain.pem
+ln -sf /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem
+ln -sf /etc/nginx/dhparam.pem /etc/nginx/ssl/dhparam.pem
+
+echo "Customizing nginx configuration..."
+sed -e "s|$(grep -m1 server_name /opt/zammad/contrib/nginx/zammad_ssl.conf)|server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};|g" \
+ -e "s|$(grep -m1 ssl_certificate /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_certificate /etc/nginx/ssl/fullchain.pem;|g" \
+ -e "s|$(grep -m1 ssl_certificate_key /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_certificate_key /etc/nginx/ssl/privkey.pem;|g" \
+ -e "s|$(grep -m1 ssl_protocols /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_protocols TLSv1.2 TLSv1.3;|g" \
+ -e "s|$(grep -m1 ssl_dhparam /opt/zammad/contrib/nginx/zammad_ssl.conf)|ssl_dhparam /etc/nginx/ssl/dhparam.pem;|g" \
+ -e "s|$(grep -m1 ssl_trusted_certificate /opt/zammad/contrib/nginx/zammad_ssl.conf)|#  ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|g" \
+ /opt/zammad/contrib/nginx/zammad_ssl.conf > /etc/nginx/sites-available/zammad_ssl.conf
+
+ ln -sf /etc/nginx/sites-available/zammad_ssl.conf /etc/nginx/sites-enabled/
+
+# configure elasticsearch
+/usr/share/elasticsearch/bin/elasticsearch-plugin install -b ingest-attachment
+
+systemctl enable elasticsearch.service
+systemctl restart nginx elasticsearch.service
+
+# Elasticsearch conntact to Zammad
+zammad run rails r "Setting.set('es_url', 'http://127.0.0.1:9200')"
+zammad run rails r "Setting.set('es_index', Socket.gethostname.downcase + '_zammad')"
+zammad run rails r "User.find_by(email: 'nicole.braun@zammad.org').destroy"
+systemctl restart elasticsearch.service
+zammad run rake zammad:searchindex:rebuild[$(nproc)]
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-13-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="backup"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="nginx,samba,dns,ntp,dc,ldap,secondary"
@@ -0,0 +1,176 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+set -euo pipefail
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
+
+# update packages
+apt update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
+# install required packages
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET ntpsec-ntpdate rpl net-tools dnsutils chrony sipcalc
+# DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils
+
+mkdir -p /etc/chrony/conf.d
+mkdir -p /etc/systemd/system/chrony.service.d
+
+cat << EOF > /etc/default/chrony
+# This is a configuration file for /etc/init.d/chrony and
+# /lib/systemd/system/chrony.service; it allows you to pass various options to
+# the chrony daemon without editing the init script or service file.
+
+# Options to pass to chrony.
+DAEMON_OPTS="-x -F 1"
+EOF
+
+cat << EOF > /etc/systemd/system/chrony.service.d/override.conf
+[Unit]
+ConditionCapability=
+EOF
+
+cat << EOF > /etc/chrony/conf.d/samba.conf
+bindcmdaddress $(sipcalc ${LXC_IP} | grep -m1 "Host address" | rev | cut -d' ' -f1 | rev)
+server de.pool.ntp.org iburst
+server europe.pool.ntp.org iburst
+allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | rev)/$(sipcalc ${LXC_IP} | grep -m1 "Network mask (bits)" | rev | cut -d' ' -f1 | rev)
+ntpsigndsocket /var/lib/samba/ntp_signd
+EOF
+
+mv /etc/krb5.conf /etc/krb5.conf.bak
+cat > /etc/krb5.conf <<EOF
+[libdefaults]
+	default_realm = $ZMB_REALM
+	ticket_lifetime = 600
+	dns_lookup_realm = true
+	dns_lookup_kdc = true
+	renew_lifetime = 7d
+EOF
+
+# stop + disable samba services and remove default config
+systemctl disable --now smbd nmbd winbind > /dev/null 2>&1
+rm -f /etc/samba/smb.conf
+
+echo "fixing samba service to wait for lxc being online"
+
+install -d -m 0755 /etc/systemd/system/samba-ad-dc.service.d
+
+cat <<'EOF' > /etc/systemd/system/samba-ad-dc.service.d/wait-net.conf
+[Unit]
+After=networking.service
+Wants=networking.service
+
+[Service]
+# Wait up to 30s for eth0 to get an IPv4 address
+ExecStartPre=/bin/sh -c 'for i in $(seq 1 30); do ip -4 addr show dev eth0 scope global | grep -q inet && exit 0; sleep 1; done; echo "Network not ready" >&2; exit 1'
+
+Restart=on-failure
+RestartSec=3
+EOF
+
+systemctl daemon-reload
+
+echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER
+samba-tool domain join $ZMB_REALM DC --use-kerberos=required --backend-store=mdb
+
+
+rm /etc/krb5.conf
+ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
+
+mkdir -p /mnt/sysvol
+
+cat << EOF > /root/.smbcredentials
+username=$ZMB_ADMIN_USER
+password=$ZMB_ADMIN_PASS
+domain=$ZMB_DOMAIN
+EOF
+
+echo "//$LXC_DNS/sysvol /mnt/sysvol cifs credentials=/root/.smbcredentials 0 0" >> /etc/fstab
+
+mount.cifs //$LXC_DNS/sysvol /mnt/sysvol -o credentials=/root/.smbcredentials
+
+cat > /etc/cron.d/sysvol-sync << EOF
+*/15 * * * * root /usr/bin/rsync -XAavz --delete-after /mnt/sysvol/ /var/lib/samba/sysvol; if ! /usr/bin/samba-tool ntacl sysvolcheck > /dev/null 2>&1 ; then /usr/bin/samba-tool ntacl sysvolreset ; fi
+EOF
+
+/usr/bin/rsync -XAavz --delete-after /mnt/sysvol/ /var/lib/samba/sysvol
+
+if ! samba-tool ntacl sysvolcheck > /dev/null 2>&1 ; then
+  samba-tool ntacl sysvolreset
+fi
+
+ssh-keygen -q -f "$HOME/.ssh/id_rsa" -N "" -b 4096
+
+systemctl unmask samba-ad-dc
+systemctl enable samba-ad-dc
+systemctl restart samba-ad-dc
+
+bash /root/zmb-ad_auto-map-root.sh
+chmod +x /usr/bin/create-service-account
+
+# configure ad backup
+cat << EOF > /usr/local/bin/smb-backup
+#!/bin/bash
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+rc=0
+keep=\$1
+if \$1 ; then
+  keep=\$1
+fi
+
+mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{online,offline}
+
+prune () {
+  backup_type=\$1
+  if [ \$(find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | wc -l) -gt \$keep ]; then
+    find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | head --lines=-\$keep | xargs -d '\n' rm
+  fi
+}
+
+echo "\$(date) Starting samba-ad-dc online backup"
+if echo -e '${ZMB_ADMIN_PASS}' | samba-tool domain backup online --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/online --server=${LXC_HOSTNAME}.${LXC_DOMAIN} -UAdministrator ; then
+  echo "\$(date) Finished samba-ad-dc online backup. Cleaning up old online backups..."
+  prune online
+else
+  echo "\$(date) samba-ad-dc online backup failed"
+  rc=\$((\$rc + 1))
+fi
+
+echo "\$(date) Starting samba-ad-dc offline backup"
+if samba-tool domain backup offline --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/offline ; then 
+  echo "\$(date) Finished samba-ad-dc offline backup. Cleaning up old offline backups..."
+  prune offline
+else
+  echo "S(date) samba-ad-dc offline backup failed"
+  rc=\$((\$rc + 1))
+fi
+
+exit \$rc
+EOF
+chmod +x /usr/local/bin/smb-backup
+
+cat << EOF > /etc/cron.d/smb-backup
+0 23 * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
+EOF
+
+cat << EOF > /etc/logrotate.d/smb-backup
+/var/log/smb-backup.log {
+        weekly
+        rotate 12
+        compress
+        delaycompress
+        missingok
+        notifempty
+        create 644 root root
+}
+EOF
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-13-standard"
+
+# Create sharefs mountpoint
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="backup"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="nginx,samba,dns,ntp,dc,ldap,primary"
@@ -0,0 +1,142 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+set -euo pipefail
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+# update packages
+apt update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
+# install required packages
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET ntpsec-ntpdate rpl net-tools dnsutils chrony sipcalc wsdd2
+# DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
+echo "configuring chrony"
+mkdir -p /etc/chrony/conf.d
+mkdir -p /etc/systemd/system/chrony.service.d
+
+cat << EOF > /etc/default/chrony
+# This is a configuration file for /etc/init.d/chrony and
+# /lib/systemd/system/chrony.service; it allows you to pass various options to
+# the chrony daemon without editing the init script or service file.
+
+# Options to pass to chrony.
+DAEMON_OPTS="-x -F 1"
+EOF
+
+cat << EOF > /etc/systemd/system/chrony.service.d/override.conf
+[Unit]
+ConditionCapability=
+EOF
+
+cat << EOF > /etc/chrony/conf.d/samba.conf
+bindcmdaddress $(sipcalc ${LXC_IP} | grep -m1 "Host address" | rev | cut -d' ' -f1 | rev)
+server de.pool.ntp.org iburst
+server europe.pool.ntp.org iburst
+allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | rev)/$(sipcalc ${LXC_IP} | grep -m1 "Network mask (bits)" | rev | cut -d' ' -f1 | rev)
+ntpsigndsocket /var/lib/samba/ntp_signd
+EOF
+echo "disabling services"
+# stop + disable samba services and remove default config
+systemctl disable --now smbd nmbd winbind > /dev/null 2>&1
+rm -f /etc/samba/smb.conf
+rm -f /etc/krb5.conf
+
+echo "fixing samba service to wait for lxc being online"
+
+install -d -m 0755 /etc/systemd/system/samba-ad-dc.service.d
+
+cat <<'EOF' > /etc/systemd/system/samba-ad-dc.service.d/wait-net.conf
+[Unit]
+After=networking.service
+Wants=networking.service
+
+[Service]
+# Wait up to 30s for eth0 to get an IPv4 address
+ExecStartPre=/bin/sh -c 'for i in $(seq 1 30); do ip -4 addr show dev eth0 scope global | grep -q inet && exit 0; sleep 1; done; echo "Network not ready" >&2; exit 1'
+
+Restart=on-failure
+RestartSec=3
+EOF
+
+systemctl daemon-reload
+
+echo "provisioning domain"
+# provision zamba domain
+samba-tool domain provision --use-rfc2307 --realm=$ZMB_REALM --domain=$ZMB_DOMAIN --adminpass=$ZMB_ADMIN_PASS --server-role=dc --backend-store=mdb --dns-backend=SAMBA_INTERNAL
+echo "provosioning finished"
+ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
+
+# disable password expiry for administrator
+samba-tool user setexpiry Administrator --noexpiry
+
+systemctl unmask samba-ad-dc
+systemctl enable samba-ad-dc
+systemctl restart samba-ad-dc
+
+bash /root/zmb-ad_auto-map-root.sh
+chmod +x /usr/bin/create-service-account
+
+# configure ad backup
+cat << EOF > /usr/local/bin/smb-backup
+#!/bin/bash
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+rc=0
+keep=\$1
+
+mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{online,offline}
+
+prune () {
+  backup_type=\$1
+  if [ \$(find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | wc -l) -gt \$keep ]; then
+    find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | head --lines=-\$keep | xargs -d '\n' rm
+  fi
+}
+
+echo "\$(date) Starting samba-ad-dc online backup"
+if echo -e '${ZMB_ADMIN_PASS}' | samba-tool domain backup online --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/online --server=${LXC_HOSTNAME}.${LXC_DOMAIN} -UAdministrator ; then
+  echo "\$(date) Finished samba-ad-dc online backup. Cleaning up old online backups..."
+  prune online
+else
+  echo "\$(date) samba-ad-dc online backup failed"
+  rc=\$((\$rc + 1))
+fi
+
+echo "\$(date) Starting samba-ad-dc offline backup"
+if samba-tool domain backup offline --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/offline ; then 
+  echo "\$(date) Finished samba-ad-dc offline backup. Cleaning up old offline backups..."
+  prune offline
+else
+  echo "S(date) samba-ad-dc offline backup failed"
+  rc=\$((\$rc + 1))
+fi
+
+exit \$rc
+EOF
+chmod +x /usr/local/bin/smb-backup
+
+cat << EOF > /etc/cron.d/smb-backup
+0 23 * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
+EOF
+
+cat << EOF > /etc/logrotate.d/smb-backup
+/var/log/smb-backup.log {
+        weekly
+        rotate 12
+        compress
+        delaycompress
+        missingok
+        notifempty
+        create 644 root root
+}
+EOF
+
+exit 0
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-13-standard"
+
+# Create sharefs mountpoint
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="samba,member,cups,printserver"
@@ -0,0 +1,112 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+set -euo pipefail
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
+
+apt update
+
+# DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl cups samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl cups samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules wsdd2
+
+mv /etc/krb5.conf /etc/krb5.conf.bak
+cat > /etc/krb5.conf <<EOF
+[libdefaults]
+	default_realm = $ZMB_REALM
+	ticket_lifetime = 600
+	dns_lookup_realm = true
+	dns_lookup_kdc = true
+	renew_lifetime = 7d
+EOF
+
+echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER
+klist
+
+mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
+cat > /etc/samba/smb.conf <<EOF
+[global]
+	workgroup = $ZMB_DOMAIN
+	security = ADS
+	realm = $ZMB_REALM
+	server string = %h server
+
+	vfs objects = acl_xattr shadow_copy2
+	map acl inherit = Yes
+	store dos attributes = Yes
+	idmap config *:backend = tdb
+	idmap config *:range = 3000000-4000000
+	idmap config *:schema_mode = rfc2307
+
+	winbind refresh tickets = Yes
+	winbind use default domain = Yes
+	winbind separator = /
+	winbind nested groups = yes
+	winbind nss info = rfc2307
+
+	pam password change = Yes
+	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
+	passwd program = /usr/bin/passwd %u
+
+	template homedir = /home/%U
+	template shell = /bin/bash
+	bind interfaces only = Yes
+	interfaces = lo eth0
+	log file = /var/log/samba/log.%m
+	logging = syslog
+	max log size = 1000
+	panic action = /usr/share/samba/panic-action %d
+
+	dns proxy = No
+	shadow: snapdir = .zfs/snapshot
+	shadow: sort = desc
+	shadow: format = -%Y-%m-%d-%H%M
+	shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}\(backup\)\{0,1\}\(manual\)\{0,1\}
+	shadow: delimiter = -20
+	
+	printing = CUPS
+	rpcd_spoolss:idle_seconds=300
+	rpcd_spoolss:num_workers = 10
+	spoolss: architecture = Windows x64
+
+[printers]
+	path = /${LXC_SHAREFS_MOUNTPOINT}/spool
+	printable = yes
+
+[print$]
+	path = /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
+	read only = no
+
+EOF
+
+systemctl restart smbd
+
+echo -e "$ZMB_ADMIN_PASS" | net ads join -U $ZMB_ADMIN_USER createcomputer=Computers
+sed -i "s|files systemd|files systemd winbind|g" /etc/nsswitch.conf
+sed -i "s|#WINBINDD_OPTS=|WINBINDD_OPTS=|" /etc/default/winbind
+echo -e "session optional        pam_mkhomedir.so skel=/etc/skel umask=077" >> /etc/pam.d/common-session
+
+systemctl restart winbind nmbd
+
+mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{spool,printerdrivers}
+cp -rv /var/lib/samba/printers/* /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
+chown -R root:"${ZMB_DOMAIN_ADMINS@L}" /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
+chmod -R 1777 /${LXC_SHAREFS_MOUNTPOINT}/spool
+chmod -R 2775 /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
+setfacl -Rb /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
+setfacl -Rm u:${ZMB_ADMIN_USER}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,g:"NT Authority/authenticated users":r-x,o::r-x /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
+setfacl -Rdm u:${ZMB_ADMIN_USER}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,g:"NT Authority/authenticated users":r-x,o::r-x /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
+echo -e "${ZMB_ADMIN_PASS}" | net rpc rights grant "${ZMB_DOMAIN}\\${ZMB_DOMAIN_ADMINS@L}" SePrintOperatorPrivilege -U "${ZMB_DOMAIN}\\${ZMB_ADMIN_USER}"
+systemctl disable --now cups-browsed.service
+
+cupsctl --remote-admin
+
+systemctl restart cups smbd nmbd winbind wsdd2
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-13-standard"
+
+# Create sharefs mountpoint
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="128K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="samba,member,fileserver"
@@ -5,18 +5,15 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>

-source /root/zamba.conf
+set -euo pipefail

-sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
-cat << EOF > /etc/default/locale
-LANG="$LXC_LOCALE"
-LANGUAGE=$LXC_LOCALE
-EOF
-locale-gen $LXC_LOCALE
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf

 apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules 
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba winbind libpam-winbind libnss-winbind krb5-user krb5-config samba-dsdb-modules samba-vfs-modules

 mv /etc/krb5.conf /etc/krb5.conf.bak
 cat > /etc/krb5.conf <<EOF
@@ -28,9 +25,6 @@ cat > /etc/krb5.conf <<EOF
 	renew_lifetime = 7d
 EOF

-echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER
-klist
-
 mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
 cat > /etc/samba/smb.conf <<EOF
 [global]
@@ -70,25 +64,30 @@ cat > /etc/samba/smb.conf <<EOF
 	printing = bsd
 	disable spoolss = Yes

-	allow trusted domains = No
 	dns proxy = No
 	shadow: snapdir = .zfs/snapshot
 	shadow: sort = desc
 	shadow: format = -%Y-%m-%d-%H%M
-	shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(monthly\)\{0,1\}
+	shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}\(backup\)\{0,1\}\(manual\)\{0,1\}
 	shadow: delimiter = -20

+EOF
+
+IFS=',' read -r -a ZMB_SHARES_ARRAY <<< "$ZMB_SHARES"
+for ZMB_SHARE in "${ZMB_SHARES_ARRAY[@]}" ; do
+    cat >> /etc/samba/smb.conf << EOF
 [$ZMB_SHARE]
-	comment = Main Share
 	path = /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
 	read only = No
 	create mask = 0660
 	directory mask = 0770
 	inherit acls = Yes

-
-
 EOF
+done
+
+echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER
+klist

 systemctl restart smbd

@@ -101,13 +100,17 @@ systemctl restart winbind nmbd
 wbinfo -u
 wbinfo -g

-mkdir /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+unset ZMB_SHARE

-# originally 'domain users' was set, added variable for domain admins group, samba wiki recommends separate group e.g. 'unix admins'
-chown "$ZMB_ADMIN_USER" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+for ZMB_SHARE in "${ZMB_SHARES_ARRAY[@]}"
+do
+  mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE

-setfacl -Rm u:$ZMB_ADMIN_USER:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-setfacl -Rdm u:$ZMB_ADMIN_USER:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+  # originally 'domain users' was set, added variable for domain admins group, samba wiki recommends separate group e.g. 'unix admins'
+  chown "${ZMB_ADMIN_USER@L}":"${ZMB_DOMAIN_ADMINS@L}" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+
+  setfacl -Rm u:${ZMB_ADMIN_USER@L}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+  setfacl -Rdm u:${ZMB_ADMIN_USER@L}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+done

 systemctl restart smbd nmbd winbind
-
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-13-standard"
+
+# Create sharefs mountpoint
+LXC_MP=1
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="128K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="samba,nfs,standalone,fileserver,cockpit"
@@ -0,0 +1,77 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+set -euo pipefail
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+inst_45drives
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl samba samba-common samba-common-bin samba-dsdb-modules samba-vfs-modules samba-libs libwbclient0 winbind wsdd2
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" --no-install-recommends cockpit cockpit-identities cockpit-file-sharing cockpit-navigator
+
+USER=$(echo "$ZMB_ADMIN_USER" | awk '{print tolower($0)}')
+useradd --comment "Zamba fileserver admin" --create-home --shell /bin/bash $USER
+echo "$USER:$ZMB_ADMIN_PASS" | chpasswd
+smbpasswd -x $USER || true
+(echo $ZMB_ADMIN_PASS; echo $ZMB_ADMIN_PASS) | smbpasswd -a $USER
+
+usermod -aG sudo $USER
+
+cat << EOF | sudo tee -i /etc/samba/smb.conf
+[global]
+    include = registry
+EOF
+
+cat << EOF | sudo tee -i /etc/samba/import.template
+[global]
+    workgroup = WORKGROUP
+    log file = /var/log/samba/log.%m
+    max log size = 1000
+    logging = file
+    panic action = /usr/share/samba/panic-action %d
+    log level = 3
+    server role = standalone server
+    obey pam restrictions = yes
+    unix password sync = yes
+    passwd program = /usr/bin/passwd %u
+    passwd chat = *Enter\snew\s*\password:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
+    pam password change = yes
+    map to guest = bad user
+    vfs objects = shadow_copy2 acl_xattr catia fruit streams_xattr
+    map acl inherit = yes
+    acl_xattr:ignore system acls = yes
+    shadow: snapdir = .zfs/snapshot
+    shadow: sort = desc
+    shadow: format = -%Y-%m-%d-%H%M
+    shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}
+    shadow: delimiter = -20
+    fruit:encoding = native
+    fruit:metadata = stream
+    fruit:zero_file_id = yes
+    fruit:nfs_aces = no
+EOF
+
+net conf import /etc/samba/import.template
+
+IFS=',' read -r -a ZMB_SHARES_ARRAY <<< "$ZMB_SHARES"
+for ZMB_SHARE in "${ZMB_SHARES_ARRAY[@]}"
+do
+    mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+    chmod -R 770 /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+    chown -R $USER:root /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+
+    net conf addshare $ZMB_SHARE /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
+    net conf setparm $ZMB_SHARE readonly no
+    net conf setparm $ZMB_SHARE browseable yes
+    net conf setparm $ZMB_SHARE createmask 0660
+    net conf setparm $ZMB_SHARE directorymask 0770
+done
+
+systemctl restart smbd nmbd wsdd2
@@ -1,119 +0,0 @@
-#!/bin/bash
-
-# This ist the Zamba main configuration file.
-# Please adjust the settings to your needs before running the installer.
-
-# Authors:
-# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
-# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
-# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
-
-
-############### Linux Container Section ###############
-
-# Defines the Proxmox storage where your LXC container template are stored (default: local)
-LXC_TEMPLATE_STORAGE="local"
-
-# Defines the size in GB of the LXC container's root filesystem (default: 32)
-# Depending on your environment, you should consider increasing the size for use of `mailpiler` or `matrix`.
-LXC_ROOTFS_SIZE="32"
-# Defines the Proxmox storage where your LXC container's root filesystem will be generated (default: local-zfs)
-LXC_ROOTFS_STORAGE="local-zfs"
-
-# Defines the size in GB your LXC container's filesystem shared by Zamba (AD member & standalone) (default: 100)
-LXC_SHAREFS_SIZE="100"
-# Defines the Proxmox storage where your LXC container's filesystem shared by Zamba will be generated (default: local-zfs)
-LXC_SHAREFS_STORAGE="local-zfs"
-# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
-LXC_SHAREFS_MOUNTPOINT="tank"
-
-# Defines the amount of RAM in MB your LXC container is allowed to use (default: 1024)
-LXC_MEM="1024"
-
-# Defines the amount of swap space in MB your LXC container is allowed to use (default: 1024)
-LXC_SWAP="1024"
-
-# Defines the hostname of your LXC container
-LXC_HOSTNAME="zamba"
-
-# Defines the domain name / search domain of your LXC container
-LXC_DOMAIN="zmb.rocks"
-
-# Defines the local IP address and subnet of your LXC container in CIDR format
-LXC_IP="192.168.100.200/24"
-
-# Defines the default gateway IP address of your LXC container
-LXC_GW="192.168.100.254"
-
-# Defines the DNS server ip address of your LXC container
-# `zmb-ad` used this DNS server for installation, after installation and domain provisioning it will be used as forwarding DNS
-# For other services this should be your active directory domain controller (if present, else a DNS server of your choice)
-LXC_DNS="192.168.100.254"
-
-# Defines the network bridge to bind the network adapter of your LXC container
-LXC_BRIDGE="vmbr0"
-
-# Defines the vlan id of the LXC container's network interface, if the network adapter should be connected untagged, just leave the value empty.
-LXC_VLAN=
-
-# Defines the `root` password of your LXC container. Please use 'single quatation marks' to avoid unexpected behaviour.
-LXC_PWD='S3cr3tp@ssw0rd'
-
-# Defines an authorized_keys file to push into the LXC container.
-# By default the authorized_keys will be inherited from your proxmox host.
-LXC_AUTHORIZED_KEY=~/.ssh/authorized_keys
-
-# Define your (administrative) tools, you always want to have installed into your LXC container
-LXC_TOOLSET="vim htop net-tools dnsutils mc sysstat lsb-release curl git gnupg2 apt-transport-https"
-
-# Define the local timezone of your LXC container (default: Euroe/Berlin)
-LXC_TIMEZONE="Europe/Berlin"
-
-# Define system language on LXC container (locales)
-LXC_LOCALE=de_DE.UTF-8
-
-############### Zamba-Server-Section ###############
-
-# Defines the REALM for the Active Directory (AD DC, AD member)
-ZMB_REALM="ZMB.ROCKS"
-# Defines the domain name in your Active Directory or Workgroup (AD DC, AD member, standalone)
-ZMB_DOMAIN="ZMB"
-
-# Defines the desired DNS server backend, supported are `SAMBA_INTERNAL` and `BIND9_DLZ` for more advanced usage
-ZMB_DNS_BACKEND="SAMBA_INTERNAL"
-
-# Defines the name of your domain administrator account (AD DC, AD member, standalone)
-ZMB_ADMIN_USER="administrator"
-# The admin password for zamba installation. Please use 'single quatation marks' to avoid unexpected behaviour
-# `zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail
-ZMB_ADMIN_PASS='1c@nd0@nyth1n9'
-
-# Defines the name of your Zamba share
-ZMB_SHARE="share"
-
-############### Mailpiler-Section ###############
-
-# Defines the (public) FQDN of your piler mail archive
-PILER_FQDN="piler.zmb.rocks"
-# Defines the smarthost for piler mail archive
-PILER_SMARTHOST="your.mailserver.tld"
-# Defines the version number of piler mail archive to install
-PILER_VERSION="1.3.11"
-# Defines the version of sphinx to install
-PILER_SPHINX_VERSION="3.3.1"
-# Defines the php version to install
-PILER_PHP_VERSION="7.4"
-
-############### Matrix-Section ###############
-
-# Define the FQDN of your Matrix server
-MATRIX_FQDN="matrix.zmb.rocks"
-
-# Define the FQDN for the Element Web virtual host
-MATRIX_ELEMENT_FQDN="element.zmb.rocks"
-
-# Define the version of Element Web
-MATRIX_ELEMENT_VERSION="v1.7.25"
-
-# Define the FQDN for the Jitsi Meet virtual host
-MATRIX_JITSI_FQDN="meet.zmb.rocks"
@@ -1,119 +0,0 @@
-#!/bin/bash
-
-# Authors:
-# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
-# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
-# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
-
-source /root/zamba.conf
-
-sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
-cat << EOF > /etc/default/locale
-LANG="$LXC_LOCALE"
-LANGUAGE=$LXC_LOCALE
-EOF
-locale-gen $LXC_LOCALE
-
-if [[ $ZMB_DNS_BACKEND == "BIND9_DLZ" ]]; then
-  BINDNINE=bind9
-fi
-
-## configure ntp
-cat << EOF > /etc/ntp.conf
-# Local clock. Note that is not the "localhost" address!
-server 127.127.1.0
-fudge  127.127.1.0 stratum 10
-
-# Where to retrieve the time from
-server 0.de.pool.ntp.org     iburst prefer
-server 1.de.pool.ntp.org     iburst prefer
-server 2.de.pool.ntp.org     iburst prefer
-
-driftfile       /var/lib/ntp/ntp.drift
-logfile         /var/log/ntp
-ntpsigndsocket  /usr/local/samba/var/lib/ntp_signd/
-
-# Access control
-# Default restriction: Allow clients only to query the time
-restrict default kod nomodify notrap nopeer mssntp
-
-# No restrictions for "localhost"
-restrict 127.0.0.1
-
-# Enable the time sources to only provide time to this host
-restrict 0.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
-restrict 1.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
-restrict 2.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
-
-tinker panic 0
-EOF
-
-# update packages
-apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
-# install required packages
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET acl attr ntpdate nginx-full rpl net-tools dnsutils ntp samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils $BINDNINE
-
-if [[ $ZMB_DNS_BACKEND == "BIND9_DLZ" ]]; then
-  # configure bind dns service
-  cat << EOF > /etc/default/bind9
-#
-# run resolvconf?
-RESOLVCONF=no
-
-# startup options for the server
-OPTIONS="-4 -u bind"
-EOF
-
-cat << EOF > /etc/bind/named.conf.local
-//
-// Do any local configuration here
-//
-
-// Consider adding the 1918 zones here, if they are not used in your
-// organization
-//include "/etc/bind/zones.rfc1918";
-dlz "$LXC_DOMAIN" {
-  database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
-};
-EOF
-
-  cat << EOF > /etc/bind/named.conf.options
-options {
-  directory "/var/cache/bind";
-
-  forwarders {
-    $LXC_DNS;
-  };
-
-  allow-query {  any;};
-  dnssec-validation no;
-
-  auth-nxdomain no;    # conform to RFC1035
-  listen-on-v6 { any; };
-  listen-on { any; };
-
-  tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
-  minimal-responses yes;
-};
-EOF
-
-  mkdir -p /var/lib/samba/bind-dns/dns
-fi
-
-# stop + disable samba services and remove default config
-systemctl stop smbd nmbd winbind
-systemctl disable smbd nmbd winbind
-rm -f /etc/samba/smb.conf
-rm -f /etc/krb5.conf
-
-# provision zamba domain
-samba-tool domain provision --use-rfc2307 --realm=$ZMB_REALM --domain=$ZMB_DOMAIN --adminpass=$ZMB_ADMIN_PASS --server-role=dc --backend-store=mdb --dns-backend=$ZMB_DNS_BACKEND
-
-cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
-
-systemctl unmask samba-ad-dc
-systemctl enable samba-ad-dc $BINDNINE
-systemctl restart samba-ad-dc $BINDNINE
-
-exit 0
@@ -1,44 +0,0 @@
-#!/bin/bash
-
-# Authors:
-# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
-# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
-# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
-
-source /root/zamba.conf
-
-sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
-cat << EOF > /etc/default/locale
-LANG="$LXC_LOCALE"
-LANGUAGE=$LXC_LOCALE
-EOF
-locale-gen $LXC_LOCALE
-
-apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET acl samba samba-dsdb-modules samba-vfs-modules 
-
-USER=$(echo "$ZMB_ADMIN_USER" | awk '{print tolower($0)}')
-useradd --comment "Zamba fileserver admin" --create-home --shell /bin/bash $USER
-echo "$USER:$ZMB_ADMIN_PASS" | chpasswd
-smbpasswd -x $USER
-(echo $ZMB_ADMIN_PASS; echo $ZMB_ADMIN_PASS) | smbpasswd -a $USER
-
-cat << EOF >> /etc/samba/smb.conf
-[share]
-    comment = Main Share
-    path = /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-    read only = No
-    vfs objects = shadow_copy2
-    shadow: snapdir = .zfs/snapshot
-    shadow: sort = desc
-    shadow: format = -%Y-%m-%d-%H%M
-    shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(monthly\)\{0,1\}
-    shadow: delimiter = -20
-EOF
-
-mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-chmod -R 770 /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-chown -R $USER:root /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
-
-systemctl restart smbd nmbd