diff --git a/check_zambaconfonpve_trmm.sh b/check_zambaconfonpve_trmm.sh
new file mode 100644
index 0000000..7db19ef
--- /dev/null
+++ b/check_zambaconfonpve_trmm.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+export LC_ALL=C
+ZAMBA_CONF="/root/zamba-lxc-toolbox/conf/zamba.conf"
+
+if [[ -f "$ZAMBA_CONF" ]]; then
+ # Prüfen, ob die Datei älter als 3 Tage ist
+ if find "$ZAMBA_CONF" -mtime +3 >/dev/null 2>&1; then
+ echo "⚠️ zamba.conf ist älter als 3 Tage – Datei wird gelöscht: $ZAMBA_CONF"
+ rm -f "$ZAMBA_CONF"
+ exit 0
+ else
+ echo "❌ Problem: zamba.conf ist vorhanden und jünger als 3 Tage: $ZAMBA_CONF"
+ exit 2
+ fi
+else
+ echo "✅ OK: zamba.conf ist nicht vorhanden"
+ exit 0
+fi
diff --git a/conf/zamba.conf.example b/conf/zamba.conf.example
index 714c47d..7a3736a 100644
--- a/conf/zamba.conf.example
+++ b/conf/zamba.conf.example
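Review bot: The age test `if find "$ZAMBA_CONF" -mtime +3 >/dev/null 2>&1; then` never reaches its else branch, because find exits 0 whenever it can stat its argument, whether or not `-mtime +3` matched; with the output discarded, every existing zamba.conf is deleted on the first run and the "younger than 3 days" alert (exit 2) is dead code. Test the output instead: `if [[ -n "$(find "$ZAMBA_CONF" -mtime +3)" ]]; then`. Note also that `-mtime +3` means "modified more than three full days ago", i.e. four days and older, so either the message or the predicate (`-mmin +4320`) should be adjusted to match. Since the file being removed carries ZMB_ADMIN_PASS in plaintext, a comment should state that a monitoring check is deliberately taking a destructive action and that a plain unlink (not a wipe) is accepted here.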
@@ -99,17 +99,21 @@ LXC_TAGS="linux,debian,${service}" ############### Zamba-Server-Section ############### -# Defines the REALM for the Active Directory (AD DC, AD member) +# Defines the REALM for the Active Directory (needs to be UPPER CASE, valid on zmb-ad, zmb-ad-join, zmb-member, zmb-cups) ZMB_REALM="ZMB.ROCKS" -# Defines the domain name in your Active Directory or Workgroup (AD DC, AD member, standalone) +# Defines the domain name in your Active Directory or Workgroup (needs to be UPPER CASE, valid on zmb-ad, zmb-ad-join, zmb-member, zmb-cups, zmb-standalone) ZMB_DOMAIN="ZMB" -# Defines the name of your domain administrator account (AD DC, AD member, standalone) +# Defines the name of your domain administrator account (Some environments are case sensitive, valid on zmb-ad, zmb-ad-join, zmb-member, zmb-cups, zmb-standalone) ZMB_ADMIN_USER="administrator" + # The admin password for zamba installation. Please use 'single quatation marks' to avoid unexpected behaviour # `zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail ZMB_ADMIN_PASS='Start!123' +# Name of the "domain admins" group (depends on your Active Directory language, valid on zmb-cups, lower case) +ZMB_DOMAIN_ADMINS="domain admins" + # Defines the name of your Zamba share ZMB_SHARE="share" diff --git a/install.sh b/install.sh index 2bab1d5..53f763b 100755 --- a/install.sh +++ b/install.sh @@ -102,6 +102,15 @@ source "$config" source "$PWD/src/$service/constants-service.conf" +if [[ $service == "zmb-ad-restore" ]]; then + if find ./ | grep samba-backup*.tar.bz2 ; then + sambabackup=$(find $PWD/ | grep samba-backup*.tar.bz2 | tail -1) + else + echo "No samba backup found in $PWD. Please place a samba online backup into $PWD. Canceling..." + exit 1 + fi +fi + if [ $LXC_MEM -lt $LXC_MEM_MIN ]; then LXC_MEM=$LXC_MEM_MIN fi 
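Review bot: `if find ./ | grep samba-backup*.tar.bz2` is both a shell glob and a regex: when a matching file sits in the cwd, bash expands the unquoted pattern before grep sees it, and as a regex `.` matches any character and `*` only repeats the `p`, so the check also accepts e.g. `samba-backup.tar.bz2.old` or anything under a subdirectory, and `tail -1` picks whatever find listed last rather than the newest archive. `$sambabackup` is assigned but not used anywhere in this hunk; if it feeds the later `pct push`, use a nullglob array so the file detected is the file pushed: `shopt -s nullglob; backups=( "$PWD"/samba-backup-*.tar.bz2 ); (( ${#backups[@]} )) || { echo "No samba backup found in $PWD" >&2; exit 1; }`. The enclosing script continues outside the hunk.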
@@ -184,6 +193,11 @@ pct push $LXC_NBR "$PWD/src/lxc-base.sh" /root/lxc-base.sh pct push $LXC_NBR "$PWD/src/$service/install-service.sh" /root/install-service.sh pct push $LXC_NBR "$PWD/src/$service/constants-service.conf" /root/constants-service.conf +if [[ $service == "zmb-ad-restore" ]]; then + pct exec $LXC_NBR -- mkdir -p /backup/online + pct push $LXC_NBR "$PWD/samba-backup-*.tar.bz2" /backup/online/ +fi + if [ $debug -gt 0 ]; then dbg=-vx; else dbg=""; fi echo "Installing basic container setup..." @@ -195,6 +209,9 @@ pct shutdown $LXC_NBR if [[ $service == "zmb-ad" ]]; then ## set nameserver, ${LXC_IP%/*} extracts the ip address from cidr format pct set $LXC_NBR -nameserver ${LXC_IP%/*} +elif [[ $service == "zmb-ad-restore" ]]; then + ## set nameserver, ${LXC_IP%/*} extracts the ip address from cidr format + pct set $LXC_NBR -nameserver ${LXC_IP%/*} elif [[ $service == "zmb-ad-join" ]]; then pct set $LXC_NBR -nameserver "${LXC_IP%/*} $LXC_DNS" fi diff --git a/scripts/nextcloud-update b/scripts/nextcloud-update index c733e47..501cc60 100644 --- a/scripts/nextcloud-update +++ b/scripts/nextcloud-update 
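Review bot: `pct push $LXC_NBR "$PWD/samba-backup-*.tar.bz2" /backup/online/` hands pct the literal string containing `*`, because the glob is inside double quotes, so the push fails and the restore proceeds without a backup; the neighbouring pushes also all give a full destination file path rather than a directory, which presumably is what pct expects. Loop over the matches and, because the archive contains the AD database with credential material, push it with restrictive permissions (pct push accepts `--perms`, as far as I recall; verify on the target PVE version).
```shell
if [[ $service == "zmb-ad-restore" ]]; then
  pct exec "$LXC_NBR" -- mkdir -p /backup/online
  for f in "$PWD"/samba-backup-*.tar.bz2; do
    [[ -e "$f" ]] || { echo "No samba backup found in $PWD" >&2; exit 1; }
    pct push "$LXC_NBR" "$f" "/backup/online/${f##*/}" --perms 0600
  done
fi
```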
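Review bot: The new `elif [[ $service == "zmb-ad-restore" ]]` branch repeats the `zmb-ad` branch verbatim, comment included; folding both into `if [[ $service == "zmb-ad" || $service == "zmb-ad-restore" ]]; then` keeps the DC nameserver logic in one place so a later change to the DC case cannot silently diverge from the restore case. The surrounding if/elif chain begins before this hunk.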
@@ -1,17 +1,47 @@ #!/bin/bash -# -# Update nextcloud -# place in /etc/cron.daily and make executable with chmod +x /etc/cron.daily/nextcloud-update + +# Update Nextcloud +# Place in /etc/cron.daily and make executable with: chmod +x /etc/cron.daily/nextcloud-update + user=www-data -phpversion=php8.2 +phpversion=php8.3 path=/var/www/nextcloud +logfile="/var/log/nextcloud-update.log" -alias ncc="sudo -u $user $phpversion $path/occ" -alias updater="sudo -u $user $phpversion $path/updater/updater.phar" +ncc() { + sudo -u "$user" "$phpversion" "$path/occ" "$@" +} -updater --no-backup --no-interaction +updater() { + sudo -u "$user" "$phpversion" "$path/updater/updater.phar" "$@" +} -subcommands=("db:add-missing-primary-keys" "db:add-missing-indices" "db:add-missing-columns" "db:convert-filecache-bigint" "files:scan-app-data" "--quiet --all app:update" "upgrade") -for cmd in ${subcommands[@]}; do - ncc -n $cmd -done +{ + echo "===== $(date): Nextcloud Update Start =====" + + updater --no-backup --no-interaction + + subcommands=( + "db:add-missing-primary-keys" + "db:add-missing-indices" + "db:add-missing-columns" + "db:convert-filecache-bigint" + "files:scan-app-data" + "upgrade" + ) + + for cmd in "${subcommands[@]}"; do + echo "Running: occ $cmd" + ncc -n $cmd + done + + # App Updates + echo "Updating apps..." + apps=$(ncc app:list | grep -Po 'Enabled:\s*\K.*' | tr -d ' ' | tr ',' '\n') + for app in $apps; do + echo "Updating app: $app" + ncc app:update "$app" + done + + echo "===== $(date): Nextcloud Update Finished =====" +} >> "$logfile" 2>&1 diff --git a/src/functions.sh b/src/functions.sh index 9ece872..dd0c346 100644 --- a/src/functions.sh +++ b/src/functions.sh @@ -9,7 +9,7 @@ random_password() { } generate_dhparam() { - openssl dhparam -out /etc/nginx/dhparam.pem 2048 + openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 2048 cat << EOF > /etc/cron.monthly/generate-dhparams #!/bin/bash openssl dhparam -out /etc/nginx/dhparam.gen 4096 > /dev/null 2>&1 
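Review bot: The app-update loop at the end updates nothing: `occ app:list` prints `Enabled:` on a line of its own with the apps indented beneath it, so `grep -Po 'Enabled:\s*\K.*'` yields an empty string, `$apps` is empty, and the `--all app:update` step the previous version ran is silently dropped. Replace the loop with `ncc -n app:update --all` (or parse `app:list --output=json` with jq). `ncc -n $cmd` still relies on word-splitting that none of the remaining `subcommands` entries needs, so quote it as `ncc -n "$cmd"`. Finally, `updater --no-backup` from an unattended daily cron leaves no rollback point; a comment such as `# --no-backup: rollback relies on the container/ZFS snapshot taken outside this script` would make that trade-off explicit.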
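Review bot: `openssl dhparam -dsaparam` produces DSA-style parameters, for which the OpenSSL manual warns that a fresh DH private key must be used for every handshake to avoid small-subgroup attacks; nginx with OpenSSL ≥ 1.1.0 does use single-use DH keys, so this is presumably acceptable, but record it: `# -dsaparam: fast generation; safe only because nginx/OpenSSL use single-use DH keys`. The monthly cron job written on the next lines still generates plain safe-prime 4096-bit parameters without -dsaparam, so bootstrap and steady state differ in strength and generation semantics — pick one. If the goal is only to shorten first boot, shipping a pregenerated RFC 7919 group (ffdhe2048/ffdhe3072) avoids generation entirely.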
@@ -27,5 +27,26 @@ apt_repo() { wget -q -O - ${apt_key_url} | gpg --dearmor -o ${apt_key_path} echo "deb [signed-by=${apt_key_path}] ${apt_repo_url}" > /etc/apt/sources.list.d/${apt_name}.list - -} \ No newline at end of file +} +#### Set repo and install Nginx #### +inst_nginx() { + apt_repo "nginx" "https://nginx.org/keys/nginx_signing.key" "http://nginx.org/packages/mainline/debian $(lsb_release -cs) nginx" + apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx +} +#### Set repo and install PHP #### +inst_php() { + curl -sSLo /usr/share/keyrings/sury_php.gpg https://packages.sury.org/php/apt.gpg + echo "deb [signed-by=/usr/share/keyrings/sury_php.gpg] https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/sury_php.list + apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends php-common php$NEXTCLOUD_PHP_VERSION-{fpm,gd,curl,pgsql,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,mysql,redis,smbclient,sqlite3,cli,common,opcache,readline} +} +#### Set repo and install Postgresql #### +inst_postgresql() { + apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" + apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends postgresql-$POSTGRES_VERSION +} +#### Set repo and install Crowdsec #### +inst_crowdsec() { + apt_repo "crowdsec" "https://packagecloud.io/crowdsec/crowdsec/gpgkey" " https://packagecloud.io/crowdsec/crowdsec/any any main" + apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends crowdsec + DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends crowdsec-firewall-bouncer-nftables +} 
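Review bot: `curl -sSLo /usr/share/keyrings/sury_php.gpg https://packages.sury.org/php/apt.gpg` in inst_php lacks `-f`, so on an HTTP error the error page is written as the keyring and only apt's later signature failure reveals it; use `curl -fsSLo ... || return 1`, as the icinga installer in this same commit does for its keys. The nginx and postgresql repository URLs are plain `http://`; signed-by still protects package integrity, but both mirrors serve https, which removes the metadata leak and the InRelease-downgrade nuisance. `inst_crowdsec` passes its repo URL with a leading space (`" https://packagecloud.io/...`), which lands verbatim in the sources.list line. The four functions also alternate between `lsb_release -cs` and `lsb_release -sc` — same result, but one spelling is easier to grep.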
diff --git a/src/icinga2/constants-service.conf b/src/icinga2/constants-service.conf
new file mode 100644
index 0000000..944f7c9
--- /dev/null
+++ b/src/icinga2/constants-service.conf
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel
+# (C) 2021 Script design and prototype by Markus Helmke
+# (C) 2021 Script rework and documentation by Thorsten Spille
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="tank"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="php-fpm,nginx,mariadb"
+
+CRED_FILE="/root/.zamba_credentials/icinga_stack.txt"
+
+PHP_VERSION=8.2
\ No newline at end of file
diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh
new file mode 100644
index 0000000..45a7228
--- /dev/null
+++ b/src/icinga2/install-service.sh
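Review bot: `CRED_FILE="/root/.zamba_credentials/icinga_stack.txt"` is where the installer writes the Icinga Web admin password, the InfluxDB admin token and the director API password in plaintext, but nothing in this file says so; a reader of the constants should not have to open install-service.sh to learn that, so add `# Plaintext credentials written by install-service.sh (dir 0700, file 0600); move to a secret store after install`. The `#!/bin/bash` shebang on a file that is only ever sourced is misleading and the file lacks a trailing newline — both cosmetic, but worth fixing while the file is new.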
@@ -0,0 +1,533 @@ + +source /root/functions.sh +source /root/zamba.conf +source /root/constants-service.conf +source /etc/os-release + +# --- Internal Helper Functions --- +_generate_local_password() { + openssl rand -base64 "$1" +} + + +curl -fsSL https://packages.icinga.com/icinga.key | gpg --dearmor -o /usr/share/keyrings/icinga-archive-keyring.gpg +echo "deb [signed-by=/usr/share/keyrings/icinga-archive-keyring.gpg] https://packages.icinga.com/debian icinga-$(lsb_release -cs) main" > /etc/apt/sources.list.d/icinga.list + +curl -fsSL https://packages.netways.de/netways-repo.asc | gpg --dearmor -o /usr/share/keyrings/netways-archive-keyring.gpg +echo "deb [signed-by=/usr/share/keyrings/netways-archive-keyring.gpg] https://packages.netways.de/extras/debian/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/netways.list + +curl -fsSL https://repos.influxdata.com/influxdata-archive_compat.key | gpg --dearmor -o /usr/share/keyrings/influxdata-archive_compat-keyring.gpg +echo "deb [signed-by=/usr/share/keyrings/influxdata-archive_compat-keyring.gpg] https://repos.influxdata.com/debian $(lsb_release -cs) stable" > /etc/apt/sources.list.d/influxdata.list + +apt update + +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq --no-install-recommends \ + icinga2 nginx php${PHP_VERSION}-fpm php${PHP_VERSION}-mysql php${PHP_VERSION}-intl php${PHP_VERSION}-xml php${PHP_VERSION}-gd php${PHP_VERSION}-ldap php${PHP_VERSION}-imagick \ + mariadb-server mariadb-client influxdb2 influxdb2-client imagemagick icingaweb2 icingacli icinga-php-library icingaweb2-module-reactbundle icinga-notifications icinga-notifications-web \ + icinga-director icingadb icingadb-redis icingadb-web icingaweb2-module-perfdatagraphs icingaweb2-module-perfdatagraphs-influxdbv2 chromium fonts-liberation fonts-noto icinga-x509 \ + monitoring-plugins monitoring-plugins-basic monitoring-plugins-common monitoring-plugins-standard monitoring-plugins-systemd icingaweb2-module-pdfexport + 
+ + +ICINGAWEB_DB_PASS=$(_generate_local_password 24) +DIRECTOR_DB_PASS=$(_generate_local_password 24) +ICINGADB_PASS=$(_generate_local_password 24) +ICINGA_X509_DB_PASS=$(_generate_local_password 24) +ICINGA_API_USER_PASS=$(_generate_local_password 24) +NOTIFICATIONS_DB_PASS=$(_generate_local_password 24) +ICINGAWEB_ADMIN_PASS=$(_generate_local_password 16) +INFLUX_ADMIN_PASS=$(_generate_local_password 16) +INFLUX_ADMIN_TOKEN=$(_generate_local_password 40) + +systemctl start mariadb + +mysql -e "CREATE DATABASE IF NOT EXISTS icingaweb2 CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;" +mysql -e "CREATE DATABASE IF NOT EXISTS director CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;" +mysql -e "CREATE DATABASE IF NOT EXISTS icingadb CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;" +mysql -e "CREATE DATABASE IF NOT EXISTS notifications CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;" +mysql -e "CREATE DATABASE IF NOT EXISTS x509 CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;" + +mysql -e "CREATE USER IF NOT EXISTS 'icingaweb2'@'localhost' IDENTIFIED BY '${ICINGAWEB_DB_PASS}';" +mysql -e "CREATE USER IF NOT EXISTS 'director'@'localhost' IDENTIFIED BY '${DIRECTOR_DB_PASS}';" +mysql -e "CREATE USER IF NOT EXISTS 'icingadb'@'localhost' IDENTIFIED BY '${ICINGADB_PASS}';" +mysql -e "CREATE USER IF NOT EXISTS 'notifications'@'localhost' IDENTIFIED BY '${NOTIFICATIONS_DB_PASS}';" +mysql -e "CREATE USER IF NOT EXISTS 'x509'@'localhost' IDENTIFIED BY '${ICINGA_X509_DB_PASS}';" + +mysql -e "GRANT ALL PRIVILEGES ON icingaweb2.* TO 'icingaweb2'@'localhost';" +mysql -e "GRANT ALL PRIVILEGES ON director.* TO 'director'@'localhost';" +mysql -e "GRANT ALL PRIVILEGES ON icingadb.* TO 'icingadb'@'localhost';" +mysql -e "GRANT ALL PRIVILEGES ON notifications.* TO 'notifications'@'localhost';" +mysql -e "GRANT ALL PRIVILEGES ON x509.* TO 'x509'@'localhost';" +mysql -e "FLUSH PRIVILEGES;" + +systemctl start influxdb +influx setup --skip-verify --username admin --password 
"$INFLUX_ADMIN_PASS" --org icinga --bucket icinga --token "$INFLUX_ADMIN_TOKEN" -f +INFLUX_ICINGA_TOKEN=$(influx auth create --org icinga --all-access --json | grep -oP '"token": "\K[^"]+') +if [ -z "$INFLUX_ICINGA_TOKEN" ]; then echo "[ERROR] Konnte InfluxDB Token nicht erstellen." >&2; exit 1; fi + + +mkdir -p "$(dirname "$CRED_FILE")" && chmod 700 "$(dirname "$CRED_FILE")" +{ + echo "# --- Icinga Monitoring Stack Credentials ---" + echo "URL: https://${ZAMBA_HOSTNAME:-$(hostname -f)}/icingaweb2; Benutzer: icingaadmin; Passwort: ${ICINGAWEB_ADMIN_PASS}" + echo "InfluxDB Admin Token: ${INFLUX_ADMIN_TOKEN}" + echo "Icinga Director API: Benutzer: director; Passwort: ${ICINGA_API_USER_PASS}" +} > "$CRED_FILE" && chmod 600 "$CRED_FILE" + +systemctl enable --now icingadb-redis + +cat > /etc/icinga2/features-available/icingadb.conf < /etc/icinga2/conf.d/api-users.conf < /etc/icinga2/features-available/influxdb2-writer.conf < /etc/icinga2/zones.conf < /etc/icingadb/config.yml < /etc/icingaweb2/modules/icingadb/config.ini +[icingadb] +resource = icingadb +EOF +cat << EOF > /etc/icingaweb2/modules/icingadb/redis.ini +[redis1] +host = "localhost" +EOF +cat << EOF > /etc/icingaweb2/modules/icingadb/commandtransports.ini +[$(hostname -f)] +transport = "api" +host = "$(hostname -f)" +port = "5665" +username = "director" +password = "${ICINGA_API_USER_PASS}" +EOF + + + +icinga2 feature enable icingadb + +mkdir -p /etc/icingaweb2 + +cat > /etc/icingaweb2/resources.ini < /etc/icinga2/conf.d/services.conf +apply Service "ping4" { + import "generic-service" + + check_command = "ping4" + + assign where host.address +} + +apply Service "ping6" { + import "generic-service" + + check_command = "ping6" + + assign where host.address6 +} + +apply Service "ssh" { + import "generic-service" + + check_command = "ssh" + + assign where (host.address || host.address6) && host.vars.os == "Linux" +} + + + +apply Service for (http_vhost => config in host.vars.http_vhosts) { + import 
"generic-service" + + check_command = "http" + + vars += config +} + +apply Service for (disk => config in host.vars.disks) { + import "generic-service" + + check_command = "disk" + + vars += config +} + +apply Service "icinga" { + import "generic-service" + + check_command = "icinga" + + assign where host.name == NodeName +} + +apply Service "load" { + import "generic-service" + + check_command = "load" + + assign where host.name == NodeName +} + +apply Service "procs" { + import "generic-service" + + check_command = "procs" + + assign where host.name == NodeName +} + +apply Service "users" { + import "generic-service" + + check_command = "users" + + assign where host.name == NodeName +} + +apply Service "ssl" { + import "generic-service" + + check_command = "ssl" + + assign where host.name == NodeName +} + +apply Service "smtp" { + import "generic-service" + + check_command = "smtp" + + assign where host.name == NodeName +} + +EOF + +mkdir -p /etc/nginx/ssl +if [ ! -L /etc/nginx/ssl/fullchain.pem ]; then + ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/fullchain.pem + ln -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem +fi + +cat > /etc/nginx/sites-available/icinga-stack < /etc/icinga-notifications/config.yml +database: + type: mysql + + host: localhost + + database: notifications + + user: notifications + + password: ${NOTIFICATIONS_DB_PASS} +EOF + +cat << EOF > /etc/icingaweb2/modules/notifications/config.ini +[database] +resource = "notifications" +EOF + +mkdir -p /etc/icingaweb2/modules/pdfexport +cat << EOF > /etc/icingaweb2/modules/pdfexport/config.ini +[chrome] +binary = "/usr/bin/chromium" +force_temp_storage = "0" +EOF + + + +ln -sf /etc/nginx/sites-available/icinga-stack /etc/nginx/sites-enabled/ +rm -f /etc/nginx/sites-enabled/default + +sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/' "/etc/php/${PHP_VERSION}/fpm/php.ini" +sed -i "s|;date.timezone =|date.timezone = $(cat /etc/timezone)|" 
"/etc/php/${PHP_VERSION}/fpm/php.ini" + +icinga2 api setup +systemctl enable icinga2 mariadb nginx php${PHP_VERSION}-fpm influxdb icingadb icingadb-redis icinga-notifications + +systemctl start mariadb +systemctl start icinga2 icingadb-redis nginx php${PHP_VERSION}-fpm influxdb icingadb + +IWEB_SCHEMA="/usr/share/icingaweb2/schema/mysql.schema.sql" +DIRECTOR_SCHEMA="/usr/share/icingaweb2/modules/director/schema/mysql.sql" +ICINGADB_SCHEMA="/usr/share/icingadb/schema/mysql/schema.sql" +NOTIFICATIONS_SCHEMA="/usr/share/icinga-notifications/schema/mysql/schema.sql" +X509_SCHEMA="/usr/share/icingaweb2/modules/x509/schema/mysql.schema.sql" + +if [ ! -f "$IWEB_SCHEMA" ]; then echo "[ERROR] IcingaWeb-Schema nicht gefunden: $IWEB_SCHEMA" >&2; exit 1; fi +if [ ! -f "$DIRECTOR_SCHEMA" ]; then echo "[ERROR] Director-Schema nicht gefunden: $DIRECTOR_SCHEMA" >&2; exit 1; fi +if [ ! -f "$ICINGADB_SCHEMA" ]; then echo "[ERROR] IcingaDB-Schema nicht gefunden: $ICINGADB_SCHEMA" >&2; exit 1; fi +if [ ! -f "$NOTIFICATIONS_SCHEMA" ]; then echo "[ERROR] IcingaDB-Schema nicht gefunden: $NOTIFICATIONS_SCHEMA" >&2; exit 1; fi +if [ ! -f "$X509_SCHEMA" ]; then echo "[ERROR] IcingaDB-Schema nicht gefunden: $X509_SCHEMA" >&2; exit 1; fi + + +if ! mysql -e "use icingaweb2; show tables;" | grep -q "icingaweb_user"; then + echo "[INFO] Importiere IcingaWeb2-Schema..." + mysql icingaweb2 < "$IWEB_SCHEMA" +fi + +if ! mysql -e "use director; show tables;" | grep -q "director_datafield"; then + echo "[INFO] Importiere Icinga Director-Schema..." + mysql director < "$DIRECTOR_SCHEMA" +fi + +if ! mysql -e "use icingadb; show tables;" | grep -q "icingadb_schema_migration"; then + echo "[INFO] Importiere IcingaDB-Schema..." + mysql icingadb < "$ICINGADB_SCHEMA" +fi + +if ! mysql -e "use notifications; show tables;" | grep -q "incident_rule_escalation_state"; then + echo "[INFO] Importiere Notifications-Schema..." + mysql notifications < "$NOTIFICATIONS_SCHEMA" +fi + +if ! 
mysql -e "use x509; show tables;" | grep -q "x509_schema"; then + echo "[INFO] Importiere x509-Schema..." + mysql x509 < "$X509_SCHEMA" +fi + + +cat > /etc/icingaweb2/config.ini < /etc/icingaweb2/authentication.ini < /etc/icingaweb2/roles.ini < /etc/icingaweb2/modules/monitoring/backends.ini < /etc/icingaweb2/modules/director/config.ini < /etc/icingaweb2/modules/perfdatagraphsinfluxdbv2/config.ini < /etc/icingaweb2/modules/perfdatagraphs/config.ini << EOF +[perfdatagraphs] +default_timerange = "PT12H" +default_backend = "InfluxDBv2" +EOF + +icinga2 feature enable icingadb api influxdb2-writer perfdata + +icingacli x509 import --file /etc/ssl/certs/ca-certificates.crt + +echo "[INFO] Icinga Web 2 Module werden in korrekter Reihenfolge aktiviert." +icingacli module enable reactbundle +icingacli module enable incubator +icingacli module enable director +icingacli module enable icingadb +icingacli module enable perfdatagraphs +icingacli module enable perfdatagraphsinfluxdbv2 +icingacli module enable notifications + +echo "[INFO] Alle Services werden neu gestartet, um die finale Konfiguration zu laden." +systemctl restart mariadb +systemctl restart php${PHP_VERSION}-fpm +systemctl restart nginx +systemctl restart icingadb +systemctl restart icinga-notifications + +echo "[INFO] Füge Icinga Web 2 Admin-Benutzer direkt in die Datenbank ein." +PASSWORD_HASH=$(php -r "echo password_hash('${ICINGAWEB_ADMIN_PASS}', PASSWORD_BCRYPT);") +mysql icingaweb2 -e "INSERT INTO icingaweb_user (name, active, password_hash) VALUES ('icingaadmin', 1, '${PASSWORD_HASH}') ON DUPLICATE KEY UPDATE password_hash='${PASSWORD_HASH}';" + +echo "[INFO] Warte auf Icinga Web 2 und API..." +counter=0 +while ! icingacli director migration run >/dev/null 2>&1; do + counter=$((counter + 1)) + if [ "$counter" -gt 15 ]; then + echo "[ERROR] Icinga Director wurde nach 30 Sekunden nicht bereit." >&2 + exit 1 + fi + echo "[INFO] Director ist noch nicht bereit, warte 2 Sekunden... 
(Versuch ${counter}/15)" + sleep 2 +done +echo "[INFO] Icinga Director ist bereit." + +echo "[INFO] Icinga Director Setup wird ausgeführt." +cat > /etc/icingaweb2/modules/director/kickstart.ini < /dev/null apt-get update -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin jq +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq rsync docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin jq DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get purge -y -qq postfix SECRET=$(random_password) @@ -156,7 +156,6 @@ POPS_PORT=995 SIEVE_PORT=4190 DOVEADM_PORT=127.0.0.1:19991 SQL_PORT=127.0.0.1:13306 -SOLR_PORT=127.0.0.1:18983 REDIS_PORT=127.0.0.1:7654 # Your timezone @@ -242,15 +241,6 @@ SKIP_CLAMD=n SKIP_SOGO=n -# Skip Solr on low-memory systems or if you do not want to store a readable index of your mails in solr-vol-1. - -SKIP_SOLR=n - -# Solr heap size in MB, there is no recommendation, please see Solr docs. -# Solr is a prone to run OOM and should be monitored. Unmonitored Solr setups are not recommended. - -SOLR_HEAP=1024 - # Allow admins to log into SOGo as email user (without any password) ALLOW_ADMIN_EMAIL_LOGIN=n 
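Review bot: The script sets no `set -euo pipefail` (the nextcloud installer in this same commit adds one), so every step after a failed one still runs: if `_generate_local_password` or one of the `mysql -e "CREATE USER ... IDENTIFIED BY '${...}'"` calls fails, the remaining statements still create databases, API users and `commandtransports.ini` entries with empty or mismatched passwords and the run exits 0. Add `set -euo pipefail` directly after the `source` lines and keep the explicit `[ -z "$INFLUX_ICINGA_TOKEN" ]` check. The credentials file is produced by `{ ... } > "$CRED_FILE" && chmod 600 "$CRED_FILE"`, i.e. created under the default umask before the chmod runs; put `umask 077` at the top of the script (or `install -m 600 /dev/null "$CRED_FILE"` first) so it is never group/world-readable even momentarily. `influx setup ... --password "$INFLUX_ADMIN_PASS" --token "$INFLUX_ADMIN_TOKEN"` and `php -r "echo password_hash('${ICINGAWEB_ADMIN_PASS}', ...)"` expose secrets on the command line to any local process for the duration of the call; inside a freshly created container that is low risk, but a comment should say so. The tail of this hunk, including several here-documents, is garbled in this view.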
@@ -361,35 +351,45 @@ WEBAUTHN_ONLY_TRUSTED_VENDORS=n # Otherwise it will work normally. SPAMHAUS_DQS_KEY= +# Obtain certificates for autodiscover.* and autoconfig.* domains. +# This can be useful to switch off in case you are in a scenario where a reverse proxy already handles those. +# There are mixed scenarios where ports 80,443 are occupied and you do not want to share certs +# between services. So acme-mailcow obtains for maildomains and all web-things get handled +# in the reverse proxy. +AUTODISCOVER_SAN=y +# Skip Unbound (DNS Resolver) Healthchecks (NOT Recommended!) - y/n +SKIP_UNBOUND_HEALTHCHECK=n +# Prevent netfilter from setting an iptables/nftables rule to isolate the mailcow docker network - y/n +# CAUTION: Disabling this may expose container ports to other neighbors on the same subnet, even if the ports are bound to localhost +DISABLE_NETFILTER_ISOLATION_RULE=n + +# ------------------------------ +# REDIS configuration +# ------------------------------ + +REDISPASS=$(LC_ALL=C /dev/null | head -c 28) +# Dovecot Indexing (FTS) Process maximum heap size in MB, there is no recommendation, please see Dovecot docs. +# Flatcurve is used as FTS Engine. It is supposed to be pretty efficient in CPU and RAM consumption. +# Please always monitor your Resource consumption! +FTS_HEAP=128 +# Controls how many processes the Dovecot indexing process can spawn at max. +# Too many indexing processes can use a lot of CPU and Disk I/O +# Please visit: https://doc.dovecot.org/configuration_manual/service_configuration/#indexer-worker for more informations +FTS_PROCS=1 +# Skip FTS (Fulltext Search) for Dovecot on low-memory, low-threaded systems or if you simply want to disable it. +# Dovecot inside mailcow use Flatcurve as FTS Backend. 
+SKIP_FTS=y +# Redirect HTTP connections to HTTPS - y/n +HTTP_REDIRECT=y + EOF cat << EOF > /etc/cron.daily/mailcowbackup -#!/bin/sh - -# Backup mailcow data -# https://docs.mailcow.email/backup_restore/b_n_r-backup/ - -set -e - -OUT="\$(mktemp)" -export MAILCOW_BACKUP_LOCATION="/$LXC_SHAREFS_MOUNTPOINT/backup" -SCRIPT="/opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh" -PARAMETERS="backup all" -OPTIONS="--delete-days 7" -mkdir -p \$MAILCOW_BACKUP_LOCATION - -# run command -set +e -"\${SCRIPT}" \${PARAMETERS} \${OPTIONS} 2>&1 > "\$OUT" -RESULT=\$? - -if [ \$RESULT -ne 0 ] - then - echo "\${SCRIPT} \${PARAMETERS} \${OPTIONS} encounters an error:" - echo "RESULT=\$RESULT" - echo "STDOUT / STDERR:" - cat "\$OUT" -fi +#!/bin/bash +PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +25 1 * * * rsync -aH --delete /opt/mailcow-dockerized /${LXC_SHAREFS_MOUNTPOINT}/mailcow-dockerized +40 2 * * * rsync -aH --delete /var/lib/docker/volumes /${LXC_SHAREFS_MOUNTPOINT}/var_lib_docker_volumes +5 4 * * * cd /opt/mailcow-dockerized/; BACKUP_LOCATION=/${LXC_SHAREFS_MOUNTPOINT}/db_crypt_redis /opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup mysql crypt redis --delete-days 3 EOF chmod +x /etc/cron.daily/mailcowbackup diff --git a/src/nextcloud/constants-service.conf b/src/nextcloud/constants-service.conf index 684f4c1..e4665e2 100644 --- a/src/nextcloud/constants-service.conf +++ b/src/nextcloud/constants-service.conf @@ -30,7 +30,10 @@ LXC_KEYCTL="0" NEXTCLOUD_VERSION="latest" # Defines the php version to install -NEXTCLOUD_PHP_VERSION="8.2" +NEXTCLOUD_PHP_VERSION="8.3" + +# Defines the postgresql version to install +POSTGRES_VERSION=16 # Defines the IP from the SQL server NEXTCLOUD_DB_IP="127.0.0.1" @@ -51,4 +54,4 @@ NEXTCLOUD_DB_PWD="$(random_password)" LXC_MEM_MIN=4096 # service dependent meta tags -SERVICE_TAGS="php-fpm,nginx,postgresql" \ No newline at end of file +SERVICE_TAGS="php-fpm,nginx,postgresql" 
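Review bot: The new `/etc/cron.daily/mailcowbackup` is written as a `#!/bin/bash` script, made executable and placed in cron.daily, but its body is crontab syntax (`25 1 * * * rsync ...`); run-parts will execute it daily and bash will fail with `25: command not found` on every line, so no backup is taken and nothing is reported unless cron mail is wired up. Either keep it a script (drop the schedule fields) or write a crontab to `/etc/cron.d/mailcowbackup` with a user field and mode 0644, and delete the `chmod +x`. The old version also logged the helper script's output on failure, which the rewrite loses, and `rsync -aH --delete /var/lib/docker/volumes` copies live database files that may be inconsistent — presumably the `backup mysql crypt redis` line is meant to cover that, but a comment should say so. The `REDISPASS=` line is garbled in this view.
```shell
cat << EOF > /etc/cron.d/mailcowbackup
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
25 1 * * * root rsync -aH --delete /opt/mailcow-dockerized /${LXC_SHAREFS_MOUNTPOINT}/mailcow-dockerized
40 2 * * * root rsync -aH --delete /var/lib/docker/volumes /${LXC_SHAREFS_MOUNTPOINT}/var_lib_docker_volumes
5 4 * * * root cd /opt/mailcow-dockerized/ && BACKUP_LOCATION=/${LXC_SHAREFS_MOUNTPOINT}/db_crypt_redis /opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup mysql crypt redis --delete-days 3
EOF
chmod 644 /etc/cron.d/mailcowbackup
```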
diff --git a/src/nextcloud/install-service.sh b/src/nextcloud/install-service.sh
index 516819a..8e50e50 100644
--- a/src/nextcloud/install-service.sh
+++ b/src/nextcloud/install-service.sh
@@ -5,130 +5,68 @@ # (C) 2021 Script design and prototype by Markus Helmke # (C) 2021 Script rework and documentation by Thorsten Spille +set -euo pipefail + source /root/functions.sh - -NEXTCLOUD_ADMIN_PWD=$(random_password) - source /root/zamba.conf source /root/constants-service.conf +NEXTCLOUD_ADMIN_PWD=$(random_password) +NEXTCLOUD_REDIS_PWD=$(random_password) HOSTNAME=$(hostname -f) +HOST_IP=$(hostname -i) -wget -q -O - https://packages.sury.org/php/apt.gpg | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/sury-php.gpg >/dev/null -echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list - -wget -q -O - https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/nginx.gpg >/dev/null -echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list - -wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/postgresql.gpg >/dev/null -echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list - -apt update - -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends tree locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat fail2ban ldap-utils cifs-utils redis-server imagemagick libmagickcore-6.q16-6-extra \ -postgresql-15 nginx php$NEXTCLOUD_PHP_VERSION-{fpm,gd,mysql,pgsql,curl,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,redis,dev,smbclient,cli,common,opcache,readline} - -timedatectl set-timezone $LXC_TIMEZONE -mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www -chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www - -#### Create database for nextcloud #### - -su - postgres <> /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini -sed -i "s/rights=\"none\" pattern=\"PS\"/rights=\"read|write\" pattern=\"PS\"/" 
/etc/ImageMagick-6/policy.xml -sed -i "s/rights=\"none\" pattern=\"EPS\"/rights=\"read|write\" pattern=\"EPS\"/" /etc/ImageMagick-6/policy.xml -sed -i "s/rights=\"none\" pattern=\"PDF\"/rights=\"read|write\" pattern=\"PDF\"/" /etc/ImageMagick-6/policy.xml -sed -i "s/rights=\"none\" pattern=\"XPS\"/rights=\"read|write\" pattern=\"XPS\"/" /etc/ImageMagick-6/policy.xml - -#### Adjust nginx settings #### - -mkdir -p /etc/nginx/ssl +#### Modify Nginx for Nextcloud #### +mod_nginx() { openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/nextcloud.key -out /etc/ssl/certs/nextcloud.crt -subj "/CN=$NEXTCLOUD_FQDN" -addext "subjectAltName=DNS:$NEXTCLOUD_FQDN" generate_dhparam mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak - cat > /etc/nginx/nginx.conf < /etc/nginx/conf.d/http.conf << EOF upstream php-handler { -server unix:/run/php/php$NEXTCLOUD_PHP_VERSION-fpm.sock; + server unix:/run/php/php$NEXTCLOUD_PHP_VERSION-fpm.sock; } map \$arg_v \$asset_immutable { - "" ""; - default "immutable"; + "" ""; + default "immutable"; } server { -listen 80 default_server; -listen [::]:80 default_server; -server_name $NEXTCLOUD_FQDN; -root /var/www; -location / { -return 301 https://\$host\$request_uri; -} + listen 80 default_server; + listen [::]:80 default_server; + server_name $NEXTCLOUD_FQDN; + root /var/www; + location ^~ /.well-known/acme-challenge { + default_type text/plain; + root /var/www/letsencrypt; + } + location / { + return 301 https://\$host\$request_uri; + } } EOF cat > /etc/nginx/conf.d/nextcloud.conf << EOF +limit_req_zone \$binary_remote_addr zone=NextcloudRateLimit:10m rate=2r/s; server { -listen 443 ssl http2; -listen [::]:443 ssl http2; -server_name $NEXTCLOUD_FQDN; -ssl_certificate /etc/ssl/certs/nextcloud.crt; -ssl_certificate_key /etc/ssl/private/nextcloud.key; -ssl_trusted_certificate /etc/ssl/certs/nextcloud.crt; -#ssl_certificate /etc/letsencrypt/rsa-certs/fullchain.pem; -#ssl_certificate_key /etc/letsencrypt/rsa-certs/privkey.pem; 
-#ssl_certificate /etc/letsencrypt/ecc-certs/fullchain.pem; -#ssl_certificate_key /etc/letsencrypt/ecc-certs/privkey.pem; -#ssl_trusted_certificate /etc/letsencrypt/ecc-certs/chain.pem; -ssl_dhparam /etc/nginx/dhparam.pem; -ssl_session_timeout 1d; -ssl_session_cache shared:SSL:50m; -ssl_session_tickets off; -ssl_protocols TLSv1.3 TLSv1.2; -ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384'; -ssl_ecdh_curve X448:secp521r1:secp384r1; -ssl_prefer_server_ciphers on; -ssl_stapling on; -ssl_stapling_verify on; -client_max_body_size 5120M; -client_body_timeout 300s; -client_body_buffer_size 512k; -fastcgi_buffers 64 4K; -gzip on; -gzip_vary on; -gzip_comp_level 4; -gzip_min_length 256; -gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; -gzip_types application/atom+xml text/javascript application/wasm application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; -add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; -add_header Permissions-Policy "interest-cohort=()"; -add_header Referrer-Policy "no-referrer" always; -add_header X-Content-Type-Options "nosniff" always; -add_header X-Download-Options "noopen" always; -add_header X-Frame-Options "SAMEORIGIN" always; -add_header X-Permitted-Cross-Domain-Policies "none" always; -add_header X-Robots-Tag "noindex, nofollow" always; -add_header X-XSS-Protection "1; mode=block" always; -fastcgi_hide_header X-Powered-By; -fastcgi_read_timeout 3600; -fastcgi_send_timeout 
3600; -fastcgi_connect_timeout 3600; -root /var/www/nextcloud; -index index.php index.html /index.php\$request_uri; -expires 1m; -location = / { -if ( \$http_user_agent ~ ^DavClnt ) { -return 302 /remote.php/webdav/\$is_args\$args; -} -} -location = /robots.txt { -allow all; -log_not_found off; -access_log off; -} -location ^~ /apps/rainloop/app/data { -deny all; -} -location ^~ /.well-known { -location = /.well-known/carddav { return 301 /remote.php/dav/; } -location = /.well-known/caldav { return 301 /remote.php/dav/; } -location ^~ /.well-known { return 301 /index.php/\$uri; } -try_files \$uri \$uri/ =404; -} -location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:\$|/) { return 404; } -location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } -location ~ \.php(?:\$|/) { -rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri; -fastcgi_split_path_info ^(.+?\.php)(/.*)\$; -set \$path_info \$fastcgi_path_info; -try_files \$fastcgi_script_name =404; -include fastcgi_params; -fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name; -fastcgi_param PATH_INFO \$path_info; -fastcgi_param HTTPS on; -fastcgi_param modHeadersAvailable true; -fastcgi_param front_controller_active true; -fastcgi_pass php-handler; -fastcgi_intercept_errors on; -fastcgi_request_buffering off; -} -location ~ \.(?:css|js|mjs|svg|gif|ico|wasm|tflite|map)\$ { -try_files \$uri /index.php\$request_uri; -expires 6M; -access_log off; + listen 443 ssl default_server; + listen [::]:443 ssl default_server; + http2 on; + #listen 443 quic reuseport; + #listen [::]:443 quic reuseport; + #http3 on; + #http3_hq on; + #quic_retry on; + server_name $NEXTCLOUD_FQDN; + ssl_certificate /etc/ssl/certs/nextcloud.crt; + ssl_certificate_key /etc/ssl/private/nextcloud.key; + ssl_trusted_certificate /etc/ssl/certs/nextcloud.crt; + #ssl_certificate 
/etc/letsencrypt/rsa-certs/fullchain.pem; + #ssl_certificate_key /etc/letsencrypt/rsa-certs/privkey.pem; + #ssl_certificate /etc/letsencrypt/ecc-certs/fullchain.pem; + #ssl_certificate_key /etc/letsencrypt/ecc-certs/privkey.pem; + #ssl_trusted_certificate /etc/letsencrypt/ecc-certs/chain.pem; + ssl_dhparam /etc/nginx/dhparam.pem; + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:50m; + ssl_session_tickets off; + ssl_protocols TLSv1.3 TLSv1.2; + ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384'; + ssl_prefer_server_ciphers on; + ssl_stapling on; + ssl_stapling_verify on; + client_max_body_size 10G; + client_body_timeout 3600s; + client_body_buffer_size 512k; + fastcgi_buffers 64 4K; + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; + add_header Permissions-Policy "interest-cohort=()"; + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "noindex, nofollow" always; + add_header X-XSS-Protection "1; mode=block" 
always; + add_header Alt-Svc 'h3=":\$server_port"; ma=86400'; + add_header x-quic 'h3'; + add_header Alt-Svc 'h3-29=":\$server_port"'; + fastcgi_hide_header X-Powered-By; + include mime.types; + types { + text/javascript mjs; + } + root /var/www/nextcloud; + index index.php index.html /index.php\$request_uri; + location = / { + if ( \$http_user_agent ~ ^DavClnt ) { + return 302 /remote.php/webdav/\$is_args\$args; + } + } + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + location ^~ /.well-known { + location = /.well-known/carddav { return 301 /remote.php/dav/; } + location = /.well-known/caldav { return 301 /remote.php/dav/; } + location /.well-known/acme-challenge { try_files \$uri \$uri/ =404; } + location /.well-known/pki-validation { try_files \$uri \$uri/ =404; } + return 301 /index.php\$request_uri; + } + location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; } + location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } + location ~ \.php(?:$|/) { + rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php\$request_uri; + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + set \$path_info \$fastcgi_path_info; + try_files \$fastcgi_script_name =404; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name; + fastcgi_param PATH_INFO \$path_info; + fastcgi_param HTTPS on; + fastcgi_param modHeadersAvailable true; + fastcgi_param front_controller_active true; + fastcgi_pass php-handler; + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + fastcgi_read_timeout 3600; + fastcgi_send_timeout 3600; + fastcgi_connect_timeout 3600; + fastcgi_max_temp_file_size 0; + } + location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ { + try_files \$uri /index.php\$request_uri; + add_header Cache-Control "public, max-age=15768000, \$asset_immutable"; 
+ add_header Permissions-Policy "interest-cohort=()"; + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "noindex, nofollow" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Alt-Svc 'h3=":\$server_port"; ma=86400'; + add_header x-quic 'h3'; + add_header Alt-Svc 'h3-29=":\$server_port"'; + access_log off; + expires 6M; + access_log off; location ~ \.wasm$ { - default_type application/wasm; - } -} -location ~ \.woff2?\$ { -try_files \$uri /index.php\$request_uri; -expires 7d; -access_log off; -} -location / { -try_files \$uri \$uri/ /index.php\$request_uri; -} -location /push/ { -proxy_pass http://localhost:7867/; -proxy_http_version 1.1; -proxy_set_header Upgrade \$http_upgrade; -proxy_set_header Connection "Upgrade"; -proxy_set_header Host \$host; -proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; -} + default_type application/wasm; + } + } + location ~ \.(otf|woff2?)$ { + try_files \$uri /index.php\$request_uri; + expires 7d; + access_log off; + } + location /remote { + return 301 /remote.php\$request_uri; + } + location /login { + limit_req zone=NextcloudRateLimit burst=5 nodelay; + limit_req_status 429; + try_files \$uri \$uri/ /index.php\$request_uri; + } + location / { + try_files \$uri \$uri/ /index.php\$request_uri; + } + location ^~ /push/ { + proxy_pass http://127.0.0.1:7867/; + proxy_http_version 1.1; + proxy_set_header Upgrade \$http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host \$host; + proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; + } } EOF +} -systemctl restart php$NEXTCLOUD_PHP_VERSION-fpm nginx +#### Modify php settings for Nextcloud #### +mod_php() { +cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf.bak +cp 
/etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini.bak +cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini.bak +cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf.bak +cp /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini.bak +cp /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini.bak +cp /etc/ImageMagick-6/policy.xml /etc/ImageMagick-6/policy.xml.bak -#### Adjust redis settings #### +sed -i "s/;env\[HOSTNAME\] = /env[HOSTNAME] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf +sed -i "s/;env\[TMP\] = /env[TMP] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf +sed -i "s/;env\[TMPDIR\] = /env[TMPDIR] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf +sed -i "s/;env\[TEMP\] = /env[TEMP] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf +sed -i "s/;env\[PATH\] = /env[PATH] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf +sed -i "s/pm.max_children =.*/pm.max_children = 200/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf +sed -i "s/pm.start_servers =.*/pm.start_servers = 100/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf +sed -i "s/pm.min_spare_servers =.*/pm.min_spare_servers = 60/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf +sed -i "s/pm.max_spare_servers =.*/pm.max_spare_servers = 140/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf +sed -i "s/;pm.max_requests =.*/pm.max_requests = 1000/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf +sed -i "s/allow_url_fopen =.*/allow_url_fopen = 1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini +sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini +sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini +sed -i 
"s/max_input_time =.*/max_input_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini +sed -i "s/post_max_size =.*/post_max_size = 10G/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini +sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10G/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini +sed -i "s|;date.timezone.*|date.timezone = $LXC_TIMEZONE|" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini +sed -i "s/;cgi.fix_pathinfo.*/cgi.fix_pathinfo=0/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini + +sed -i "s/memory_limit = 128M/memory_limit = 1G/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini +sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini +sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini +sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini +sed -i "s/post_max_size =.*/post_max_size = 10G/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini +sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10G/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini +sed -i "s|;date.timezone.*|date.timezone = $LXC_TIMEZONE|" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini +sed -i "s/;session.cookie_secure.*/session.cookie_secure = True/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini +sed -i "s/;opcache.enable=.*/opcache.enable=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini +sed -i "s/;opcache.validate_timestamps=.*/opcache.validate_timestamps=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini +sed -i "s/;opcache.enable_cli=.*/opcache.enable_cli=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini +sed -i "s/;opcache.memory_consumption=.*/opcache.memory_consumption=256/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini +sed -i "s/;opcache.interned_strings_buffer=.*/opcache.interned_strings_buffer=64/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini +sed -i "s/;opcache.max_accelerated_files=.*/opcache.max_accelerated_files=100000/" 
/etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini +sed -i "s/;opcache.revalidate_freq=.*/opcache.revalidate_freq=0/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini +sed -i "s/;opcache.save_comments=.*/opcache.save_comments=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini +sed -i "s/;opcache.huge_code_pages=.*/opcache.huge_code_pages=0/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini + +sed -i "s|;emergency_restart_threshold.*|emergency_restart_threshold = 10|g" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf +sed -i "s|;emergency_restart_interval.*|emergency_restart_interval = 1m|g" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf +sed -i "s|;process_control_timeout.*|process_control_timeout = 10|g" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf + +sed -i '$aapc.enable_cli=1' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini + +sed -i 's/opcache.jit=off/opcache.jit=on/' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini +sed -i '$aopcache.jit=1255' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini +sed -i '$aopcache.jit_buffer_size=256M' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini + +sed -i "s/rights=\"none\" pattern=\"PS\"/rights=\"read|write\" pattern=\"PS\"/" /etc/ImageMagick-6/policy.xml +sed -i "s/rights=\"none\" pattern=\"EPS\"/rights=\"read|write\" pattern=\"EPS\"/" /etc/ImageMagick-6/policy.xml +sed -i "s/rights=\"none\" pattern=\"PDF\"/rights=\"read|write\" pattern=\"PDF\"/" /etc/ImageMagick-6/policy.xml +sed -i "s/rights=\"none\" pattern=\"XPS\"/rights=\"read|write\" pattern=\"XPS\"/" /etc/ImageMagick-6/policy.xml + +sed -i '$apgsql.allow_persistent = On' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini +sed -i '$apgsql.auto_reset_persistent = Off' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini +sed -i '$apgsql.max_persistent = -1' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini +sed -i '$apgsql.max_links = -1' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini +sed -i '$apgsql.ignore_notice = 
0' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini +sed -i '$apgsql.log_notice = 0' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini +} + +#### Modify Postgresql for Nextcloud #### +mod_postgresql() { +su - postgres < /etc/postgresql/$POSTGRES_VERSION/main/conf.d/nextcloud.conf <> /etc/sysctl.conf -systemctl restart redis +sed -i '$avm.overcommit_memory = 1' /etc/sysctl.conf +} -#### HIER MÜSSTE EIN REBOOT REIN #### - - -#### Install nextcloud #### +#### Install some more packages +inst_packages() { +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends tree ldap-utils php-ldap cifs-utils locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat imagemagick libmagickcore-6.q16-6-extra +timedatectl set-timezone $LXC_TIMEZONE +mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www /etc/letsencrypt +chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www +} +#### Install and modify Nextcloud #### +inst_nextcloud() { cd /usr/local/src - wget https://download.nextcloud.com/server/releases/latest.tar.bz2 wget https://download.nextcloud.com/server/releases/latest.tar.bz2.md5 -md5sum -c latest.tar.bz2.md5 < latest.tar.bz2 - -tar -xjf latest.tar.bz2 -C /var/www && chown -R www-data:www-data /var/www/ && rm -f latest.tar.bz2 +md5sum -c --ignore-missing latest.tar.bz2.md5 < latest.tar.bz2 +tar -xjf latest.tar.bz2 -C /var/www && chown -R www-data:www-data /var/www/ && rm -f latest.tar.bz2* cat > /root/permissions.sh << EOF #!/bin/bash find /var/www/ -type f -print0 | xargs -0 chmod 0640 find /var/www/ -type d -print0 | xargs -0 chmod 0750 -chown -R www-data:www-data /var/www +if [ -d "/var/www/nextcloud/apps/notify_push" ]; then +chmod ug+x /var/www/nextcloud/apps/notify_push/bin/x86_64/notify_push +fi +chmod -R 770 /etc/letsencrypt +chown -R www-data:www-data /var/www chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA chmod 0644 /var/www/nextcloud/.htaccess 
chmod 0644 /var/www/nextcloud/.user.ini @@ -310,39 +388,14 @@ EOF chmod +x /root/permissions.sh /root/permissions.sh - -#### install fail2ban #### - -cat </etc/fail2ban/filter.d/nextcloud.conf -[Definition] -_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*) -failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Login failed: - ^\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Trusted domain error. -datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?" -EOF - -cat > /etc/fail2ban/jail.d/nextcloud.local << EOF -[nextcloud] -backend = auto -enabled = true -port = 80,443 -protocol = tcp -filter = nextcloud -maxretry = 5 -bantime = 3600 -findtime = 36000 -logpath = /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/nextcloud.log -EOF - -systemctl restart fail2ban +} #### Create configuration script for nextcloud, which will be executet as user www-data +mod_nextcloudconfig() { -cat > /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/config_nextcloud.sh << DFOE +systemctl stop nginx -#!/bin/bash - -php /var/www/nextcloud/occ maintenance:install --database pgsql \ +sudo -u www-data /usr/bin/php /var/www/nextcloud/occ maintenance:install --database pgsql \ --database-host $NEXTCLOUD_DB_IP \ --database-port $NEXTCLOUD_DB_PORT \ --database-name $NEXTCLOUD_DB_NAME \ 
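Review bot: `chmod -R 770 /etc/letsencrypt` in the generated /root/permissions.sh makes the whole certificate tree, including any private keys that later land under it, group-writable, and nothing in the hunk changes the directory's group (inst_packages creates it with `mkdir -p` as root), so the line is either a no-op or, should the group ever be set to www-data, hands the web user write access to the keys. Only the ACME webroot needs to be reachable by nginx, and http.conf already points that at /var/www/letsencrypt, so restrict the permission change to that path: `mkdir -p /var/www/letsencrypt && chown -R www-data:www-data /var/www/letsencrypt`. Separately, in nginx an `add_header` inside a `location` replaces the server-level set, and the static-asset location (`css|js|mjs|...`) re-lists the headers but omits Strict-Transport-Security and X-Download-Options, so those responses go out without HSTS; add `add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;` there or move the common headers into an `include`d snippet. The Alt-Svc and x-quic headers advertise HTTP/3 while the quic listeners are commented out, and `access_log off;` appears twice in that same location. inst_nextcloud and its permissions.sh heredoc continue into the next hunk.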
@@ -352,110 +405,176 @@ php /var/www/nextcloud/occ maintenance:install --database pgsql \ --admin-pass $NEXTCLOUD_ADMIN_PWD \ --data-dir /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA -php /var/www/nextcloud/occ config:system:set trusted_domains 0 --value=$NEXTCLOUD_FQDN -php /var/www/nextcloud/occ config:system:set overwrite.cli.url --value=https://$NEXTCLOUD_FQDN - -cp /var/www/nextcloud/config/config.php /var/www/nextcloud/config/config.php.bak -sed -i 's/^[ ]*//' /var/www/nextcloud/config/config.php +sudo -u www-data cp /var/www/nextcloud/config/config.php /var/www/nextcloud/config/config.php.bak sed -i '/);/d' /var/www/nextcloud/config/config.php +sed -i 's/^[ ]*//' /var/www/nextcloud/config/config.php +sed -i "s/output_buffering=.*/output_buffering=0/" /var/www/nextcloud/.user.ini + cat >> /var/www/nextcloud/config/config.php << EOF -'activity_expire_days' => 14, -'auth.bruteforce.protection.enabled' => true, -'blacklisted_files' => -array ( -0 => '.htaccess', -1 => 'Thumbs.db', -2 => 'thumbs.db', -), -'cron_log' => true, -'default_phone_region' => 'DE', -'enable_previews' => true, -'enabledPreviewProviders' => -array ( -0 => 'OC\Preview\PNG', -1 => 'OC\Preview\JPEG', -2 => 'OC\Preview\GIF', -3 => 'OC\Preview\BMP', -4 => 'OC\Preview\XBitmap', -5 => 'OC\Preview\Movie', -6 => 'OC\Preview\PDF', -7 => 'OC\Preview\MP3', -8 => 'OC\Preview\TXT', -9 => 'OC\Preview\MarkDown', -), -'filesystem_check_changes' => 0, -'filelocking.enabled' => 'true', -'htaccess.RewriteBase' => '/', -'integrity.check.disabled' => false, -'knowledgebaseenabled' => false, -'logfile' => '/var/$NEXTCLOUD_DATA/nextcloud.log', -'loglevel' => 2, -'logtimezone' => '$LXC_TIMEZONE', -'log_rotate_size' => 104857600, -'maintenance' => false, -'memcache.local' => '\OC\Memcache\APCu', -'memcache.locking' => '\OC\Memcache\Redis', -'overwriteprotocol' => 'https', -'preview_max_x' => 1024, -'preview_max_y' => 768, -'preview_max_scale_factor' => 1, -'redis' => -array ( -'host' => 
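Review bot: The new `sudo -u www-data /usr/bin/php /var/www/nextcloud/occ maintenance:install ...` introduces a dependency on sudo that, as far as this diff shows, no package list in the file installs; `runuser -u www-data -- /usr/bin/php /var/www/nextcloud/occ maintenance:install --database pgsql \` does the same with util-linux, which a Debian LXC template already ships. The option values on the continuation lines (`$NEXTCLOUD_DB_IP`, `$NEXTCLOUD_ADMIN_PWD`, ...) are unquoted, so if random_password can emit whitespace or glob characters the value is split before occ sees it; quoting each expansion is a one-character change per line. Dropping the fail2ban filter and jail is only safe if the CrowdSec acquisition that replaces it further down reads the same nextcloud.log that config.php writes. mod_nextcloudconfig begins in this hunk and continues into the next.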
'/var/run/redis/redis-server.sock', -'port' => 0, -'timeout' => 0.0, -), -'quota_include_external_storage' => false, -'share_folder' => '/Freigaben', -'skeletondirectory' => '', -'theme' => '', -'trashbin_retention_obligation' => 'auto, 7', -'updater.release.channel' => 'stable', -'trusted_proxies' => -array ( -'$NEXTCLOUD_REVPROX', -'127.0.0.1', -'::1', -), + 'activity_expire_days' => 14, + 'allow_local_remote_servers' => true, + 'auth.bruteforce.protection.enabled' => true, + 'forbidden_filenames' => + array ( + 0 => '.htaccess', + 1 => 'Thumbs.db', + 2 => 'thumbs.db', + ), + 'cron_log' => true, + 'default_phone_region' => 'DE', + 'enable_previews' => true, + 'enabledPreviewProviders' => + array ( + 0 => 'OC\\Preview\\PNG', + 1 => 'OC\\Preview\\JPEG', + 2 => 'OC\\Preview\\GIF', + 3 => 'OC\\Preview\\BMP', + 4 => 'OC\\Preview\\XBitmap', + 5 => 'OC\\Preview\\Movie', + 6 => 'OC\\Preview\\PDF', + 7 => 'OC\\Preview\\MP3', + 8 => 'OC\\Preview\\TXT', + 9 => 'OC\\Preview\\MarkDown', + 10 => 'OC\\Preview\\HEIC', + 11 => 'OC\\Preview\\Movie', + 12 => 'OC\\Preview\\MKV', + 13 => 'OC\\Preview\\MP4', + 14 => 'OC\\Preview\\AVI', + ), + 'filesystem_check_changes' => 0, + 'filelocking.enabled' => 'true', + 'htaccess.RewriteBase' => '/', + 'integrity.check.disabled' => false, + 'knowledgebaseenabled' => false, + 'logfile' => '/$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/nextcloud.log', + 'loglevel' => 2, + 'logtimezone' => '$LXC_TIMEZONE', + 'log_rotate_size' => 104857600, + 'memcache.local' => '\OC\Memcache\APCu', + 'memcache.locking' => '\OC\Memcache\Redis', + 'overwriteprotocol' => 'https', + 'preview_max_x' => 1024, + 'preview_max_y' => 768, + 'preview_max_scale_factor' => 1, + 'profile.enabled' => false, + 'redis' => + array ( + 'host' => '/run/redis/redis-server.sock', + 'port' => 0, + 'password' => '$NEXTCLOUD_REDIS_PWD', + 'timeout' => 0.0, + ), + 'quota_include_external_storage' => false, + 'share_folder' => '/Freigaben', + 'skeletondirectory' => '', + 'theme' => '', + 
'trashbin_retention_obligation' => 'auto, 7', + 'updater.release.channel' => 'stable', + 'maintenance_window_start' => 1, + 'maintenance' => false, + 'mail_smtpmode' => 'sendmail', + 'mail_sendmailmode' => 'smtp', + 'mail_from_address' => '$NEXTCLOUD_ADMIN_USR', + 'mail_domain' => '$NEXTCLOUD_FQDN', + 'overwrite.cli.url' => 'https://$NEXTCLOUD_FQDN', + 'overwritehost' => '$NEXTCLOUD_FQDN', + 'trusted_domains' => + array ( + 0 => '$HOST_IP', + 1 => '$NEXTCLOUD_FQDN', + ), + ); EOF -sed -i "s/output_buffering=.*/output_buffering=0/" /var/www/nextcloud/.user.ini -php /var/www/nextcloud/occ app:disable survey_client -php /var/www/nextcloud/occ app:disable firstrunwizard -php /var/www/nextcloud/occ app:enable admin_audit -php /var/www/nextcloud/occ app:enable notify_push -php /var/www/nextcloud/occ app:enable files_pdfviewer -php /var/www/nextcloud/occ background:cron -DFOE - /root/permissions.sh -su -s /bin/bash www-data < /dev/null 2>&1" > /etc/cron.d/nextcloud + +systemctl restart php$NEXTCLOUD_PHP_VERSION-fpm +systemctl start nginx cat > /etc/systemd/system/notify_push.service << EOF [Unit] Description = Push daemon for Nextcloud clients +After=nginx.service php$NEXTCLOUD_PHP_VERSION-fpm.service system-postgresql.slice redis-server.service + [Service] Environment=PORT=7867 Environment=NEXTCLOUD_URL=https://$NEXTCLOUD_FQDN Environment=ALLOW_SELF_SIGNED=true ExecStart=/var/www/nextcloud/apps/notify_push/bin/x86_64/notify_push /var/www/nextcloud/config/config.php User=www-data + [Install] WantedBy = multi-user.target EOF systemctl daemon-reload -systemctl enable --now notify_push +systemctl enable notify_push +} -echo "*/5 * * * * www-data /usr/bin/php -f /var/www/nextcloud/cron.php > /dev/null 2>&1" > /etc/cron.d/nextcloud +#### Modifying Crowdsec #### +mod_crowdsec() { +systemctl restart crowdsec +cscli collections install crowdsecurity/nginx +cscli collections install crowdsecurity/nextcloud +cscli collections install crowdsecurity/sshd + +cat >> 
/etc/crowdsec/acquis.yaml << EOF +filenames: + - /var/log/nextcloud/nextcloud.log +labels: + type: Nextcloud +--- +EOF +systemctl reload crowdsec +} +#### Install the system !#### +echo "=> Installing Nginx ..." +inst_nginx +echo "=> Modifying Nginx config for Nextcloud ..." +mod_nginx + +echo "=> Installing PHP $NEXTCLOUD_PHP_VERSION ..." +inst_php +echo "=> Modifying PHP config for Nextcloud ..." +mod_php + +echo "=> Installing Postgresql $POSTGRES_VERSION ..." +inst_postgresql +echo "=> Modifying Postgresql config for Nextcloud ..." +mod_postgresql + +echo "=> Installing Redis-server ..." +inst_redis +echo "=> Modifying Redis-server for Nextcloud ..." +mod_redis + +echo "=> Installing some more packages ..." +inst_packages + +echo "=> Installing Nextcloud ..." +inst_nextcloud +echo "=> Modifying Nextcloud ..." +mod_nextcloudconfig + +echo "=> Installing Crowdsec ..." +inst_crowdsec +echo "=> Modifying Crowdsec ..." +mod_crowdsec echo -e "\n######################################################################\n\n Please note this user and password for the nextcloud login:\n '$NEXTCLOUD_ADMIN_USR' / '$NEXTCLOUD_ADMIN_PWD'\n Enjoy your Nextcloud intallation.\n\n######################################################################" - shutdown -r now diff --git a/src/omada/constants-service.conf b/src/omada/constants-service.conf index 83aedc6..5194b1f 100644 --- a/src/omada/constants-service.conf +++ b/src/omada/constants-service.conf @@ -8,7 +8,7 @@ # This file contains the project constants on service level # Debian Version, which will be installed -LXC_TEMPLATE_VERSION="debian-11-standard" +LXC_TEMPLATE_VERSION="debian-12-standard" # Create sharefs mountpoint LXC_MP=0 @@ -27,7 +27,7 @@ LXC_NESTING="1" LXC_KEYCTL="0" # Sets the minimum amount of RAM the service needs for operation -LXC_MEM_MIN=2048 +LXC_MEM_MIN=4096 # service dependent meta tags -SERVICE_TAGS="mongodb-server,java" \ No newline at end of file +SERVICE_TAGS="mongodb-server,java" 
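Review bot: The CrowdSec acquisition appended in mod_crowdsec tails `/var/log/nextcloud/nextcloud.log`, but config.php written earlier in this hunk sets `'logfile' => '/$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/nextcloud.log'`, so the crowdsecurity/nextcloud collection never sees a failed login and, with the fail2ban jail removed in the previous hunk, no log-based lockout is left for Nextcloud. Point the acquisition at the configured path, `  - /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/nextcloud.log` (the heredoc delimiter is unquoted, so the variables expand), and since the block is appended with `>>`, put the `---` separator before the new document rather than after it unless the existing acquis.yaml is known to end with one. The config rewrite also drops `trusted_proxies` (the old block listed `$NEXTCLOUD_REVPROX`) while keeping `overwriteprotocol` and adding `overwritehost`; if a reverse proxy is still part of the zamba.conf setup, Nextcloud's bruteforce protection would then attribute every login to the proxy's address. `HOST_IP=$(hostname -i)` is baked into trusted_domains; on Debian that can resolve to 127.0.1.1 or to several space-separated addresses depending on /etc/hosts, so it is worth checking on a fresh template.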
diff --git a/src/omada/install-service.sh b/src/omada/install-service.sh
index 7e88549..5692314 100755
--- a/src/omada/install-service.sh
+++ b/src/omada/install-service.sh
@@ -10,14 +10,14 @@ set -euo pipefail source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf -wget -qO - https://packages.adoptium.net/artifactory/api/gpg/key/public | gpg --dearmor > /usr/share/keyrings/adoptium-keyring.gpg +# wget -qO - https://packages.adoptium.net/artifactory/api/gpg/key/public | gpg --dearmor > /usr/share/keyrings/adoptium-keyring.gpg wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg -wget -O - https://pgp.mongodb.com/server-4.4.asc | gpg --dearmor > /usr/share/keyrings/mongodb-server-4.4.gpg +wget -O - https://pgp.mongodb.com/server-7.0.asc | gpg --dearmor > /usr/share/keyrings/mongodb-server-7.0.gpg echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/omada $(lsb_release -cs 2>/dev/null) main" > /etc/apt/sources.list.d/bashclub-omada.list -echo "deb [signed-by=/usr/share/keyrings/adoptium-keyring.gpg] https://packages.adoptium.net/artifactory/deb $(lsb_release -cs 2>/dev/null) main" > /etc/apt/sources.list.d/adoptium.list -echo "deb [signed-by=/usr/share/keyrings/mongodb-server-4.4.gpg] http://repo.mongodb.org/apt/debian buster/mongodb-org/4.4 main" > /etc/apt/sources.list.d/mongodb-org-7.0.list +# echo "deb [signed-by=/usr/share/keyrings/adoptium-keyring.gpg] https://packages.adoptium.net/artifactory/deb $(lsb_release -cs 2>/dev/null) main" > /etc/apt/sources.list.d/adoptium.list +echo "deb [signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg] http://repo.mongodb.org/apt/debian bookworm/mongodb-org/7.0 main" > /etc/apt/sources.list.d/mongodb-org-7.0.list apt update -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq temurin-8-jre jsvc mongodb-org -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq omadac \ No newline at end of file +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install 
--no-install-recommends -y -qq default-jre-headless jsvc mongodb-org +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq omadac diff --git a/src/zmb-ad-join/install-service.sh b/src/zmb-ad-join/install-service.sh index 60173bf..9fdfa1f 100644 --- a/src/zmb-ad-join/install-service.sh +++ b/src/zmb-ad-join/install-service.sh @@ -205,7 +205,7 @@ EOF chmod +x /usr/local/bin/smb-backup cat << EOF > /etc/cron.d/smb-backup -23 * * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1 +0 23 * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1 EOF cat << EOF > /etc/logrotate.d/smb-backup diff --git a/src/zmb-ad-restore/constants-service.conf b/src/zmb-ad-restore/constants-service.conf new file mode 100644 index 0000000..1042bbc --- /dev/null +++ b/src/zmb-ad-restore/constants-service.conf 
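Review bot: The commented-out Adoptium key and source lines should be deleted rather than kept as dead code; the history preserves them, and a reader now has to guess whether `default-jre-headless` is a deliberate replacement for `temurin-8-jre` (a comment such as `# Java from Debian's default JRE; the Adoptium repository is no longer needed` would settle that if it is). The MongoDB source line pins `bookworm` literally while the bashclub line derives the codename from `lsb_release -cs`; MongoDB only publishes for specific releases, so that may be intentional, but it deserves a comment tying it to `LXC_TEMPLATE_VERSION` so the next template bump updates both. The keyring downloads are covered by the `set -euo pipefail` in the context, but a failed `wget` still leaves a truncated keyring behind through the `>` redirection, so a retry would reference a half-written `signed-by` key; writing to a temporary file first, or removing the target on failure, avoids that.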
@@ -0,0 +1,45 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +# This file contains the project constants on service level + +# Debian Version, which will be installed +LXC_TEMPLATE_VERSION="debian-12-standard" + +# Create sharefs mountpoint +LXC_MP=0 +# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank) +LXC_SHAREFS_MOUNTPOINT="backup" +# Defines the recordsize of mp0 +LXC_MP_RECORDSIZE="16K" + +# Create unprivileged container +LXC_UNPRIVILEGED="0" + +# enable nesting feature +LXC_NESTING="1" + +# enable keyctl feature +LXC_KEYCTL="0" + +# add optional features to samba ad dc + +# CURRENTLY SUPPORTED: +# wsdd = add windows service discovery +# splitdns = add nginx to redirect to website www.domain.tld in splitdns setup +# bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ + +# Example: +# OPTIONAL_FEATURES=(wsdd) +# OPTIONAL_FEATURES=(wsdd splitdns) +OPTIONAL_FEATURES=(wsdd) + +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=1024 + +# service dependent meta tags +SERVICE_TAGS="nginx,samba,dns,ntp,dc,ldap,secondary" \ No newline at end of file diff --git a/src/zmb-ad-restore/install-service.sh b/src/zmb-ad-restore/install-service.sh new file mode 100644 index 0000000..b3c14c8 --- /dev/null +++ b/src/zmb-ad-restore/install-service.sh 
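Review bot: The comment above `LXC_SHAREFS_MOUNTPOINT="backup"` still says `(default: tank)`, which does not describe this service, and it hides the real dependency: the restore script looks for the online backup under `/backup/online`, so the comment should read something like `# Mountpoint of the backup share; the restore expects the samba online backup below /<mountpoint>/online`. The container is created privileged (`LXC_UNPRIVILEGED="0"`); if that is inherited from the AD DC variant for Samba's needs, a one-line comment saying so helps the reader judge the exposure, as would a note that the `OPTIONAL_FEATURES` block applies to the restored DC exactly as it does for zmb-ad. The file also lacks a trailing newline.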
@@ -0,0 +1,195 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +source /root/functions.sh +source /root/zamba.conf +source /root/constants-service.conf + +ZMB_DNS_BACKEND="SAMBA_INTERNAL" + +for f in ${OPTIONAL_FEATURES[@]}; do + if [[ "$f" == "wsdd" ]]; then + ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES" + ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES" + elif [[ "$f" == "splitdns" ]]; then + ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES" + ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES" + elif [[ "$f" == "bind9dlz" ]]; then + ZMB_DNS_BACKEND="BIND9_DLZ" + ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES" + ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES" + else + echo "Unsupported optional feature $f" + fi +done + +# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list + +# update packages +apt update +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade +# install required packages +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils + +mkdir -p /etc/chrony/conf.d +mkdir -p /etc/systemd/system/chrony.service.d + +cat << EOF > /etc/default/chrony +# This is a configuration file for /etc/init.d/chrony and +# /lib/systemd/system/chrony.service; it allows you to pass various options to +# the chrony daemon without editing the init script or service file. + +# Options to pass to chrony. 
+DAEMON_OPTS="-x -F 1" +EOF + +cat << EOF > /etc/systemd/system/chrony.service.d/override.conf +[Unit] +ConditionCapability= +EOF + +cat << EOF > /etc/chrony/conf.d/samba.conf +bindcmdaddress $(sipcalc ${LXC_IP} | grep -m1 "Host address" | rev | cut -d' ' -f1 | rev) +server de.pool.ntp.org iburst +server europe.pool.ntp.org iburst +allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | rev)/$(sipcalc ${LXC_IP} | grep -m1 "Network mask (bits)" | rev | cut -d' ' -f1 | rev) +ntpsigndsocket /var/lib/samba/ntp_signd +EOF + +if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then + cat << EOF > /etc/nginx/sites-available/default +server { + listen 80 default_server; + server_name _; + return 301 http://www.$LXC_DOMAIN\$request_uri; +} +EOF +fi + +if [[ "$ADDITIONAL_PACKAGES" == *"bind9"* ]]; then + # configure bind dns service + cat << EOF > /etc/default/bind9 +# +# run resolvconf? +RESOLVCONF=no + +# startup options for the server +OPTIONS="-4 -u bind" +EOF + + cat << EOF > /etc/bind/named.conf.local +// +// Do any local configuration here +// + +// Consider adding the 1918 zones here, if they are not used in your +// organization +//include "/etc/bind/zones.rfc1918"; +dlz "$LXC_DOMAIN" { + database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so"; +}; +EOF + + cat << EOF > /etc/bind/named.conf.options +options { + directory "/var/cache/bind"; + + forwarders { + $LXC_DNS; + }; + + allow-query { any;}; + dnssec-validation no; + + auth-nxdomain no; # conform to RFC1035 + listen-on-v6 { any; }; + listen-on { any; }; + + tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab"; + minimal-responses yes; +}; +EOF + + mkdir -p /var/lib/samba/bind-dns/dns +fi + +# stop + disable samba services and remove default config +systemctl disable --now smbd nmbd winbind systemd-resolved > /dev/null 2>&1 +rm -f /etc/samba/smb.conf +rm -f /etc/krb5.conf + +rm -r /var/lib/samba/* + +backupfile=$(find /backup/online -name samba-backup* | tail -1) 
+samba-tool domain backup restore --backup-file=${backupfile} --newservername=${LXC_HOSTNAME} --targetdir=/var/lib/samba/ + +ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf + +# disable password expiry for administrator +samba-tool user setexpiry Administrator --noexpiry + +systemctl unmask samba-ad-dc +systemctl enable samba-ad-dc +systemctl restart samba-ad-dc $ADDITIONAL_SERVICES + +# configure ad backup +cat << EOF > /usr/local/bin/smb-backup +#!/bin/bash +PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + +rc=0 +keep=\$1 + +mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{online,offline} + +prune () { + backup_type=\$1 + if [ \$(find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | wc -l) -gt \$keep ]; then + find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | head --lines=-\$keep | xargs -d '\n' rm + fi +} + +echo "\$(date) Starting samba-ad-dc online backup" +if echo -e '${ZMB_ADMIN_PASS}' | samba-tool domain backup online --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/online --server=${LXC_HOSTNAME}.${LXC_DOMAIN} -UAdministrator ; then + echo "\$(date) Finished samba-ad-dc online backup. Cleaning up old online backups..." + prune online +else + echo "\$(date) samba-ad-dc online backup failed" + rc=\$((\$rc + 1)) +fi + +echo "\$(date) Starting samba-ad-dc offline backup" +if samba-tool domain backup offline --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/offline ; then + echo "\$(date) Finished samba-ad-dc offline backup. Cleaning up old offline backups..." + prune offline +else + echo "S(date) samba-ad-dc offline backup failed" + rc=\$((\$rc + 1)) +fi + +exit \$rc +EOF +chmod +x /usr/local/bin/smb-backup + +cat << EOF > /etc/cron.d/smb-backup +23 * * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1 +EOF + +cat << EOF > /etc/logrotate.d/smb-backup +/var/log/smb-backup.log { + weekly + rotate 12 + compress + delaycompress + missingok + notifempty + create 644 root root +} +EOF + +exit 0 \ No newline at end of file 
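Review bot: The restore input is only looked up at `backupfile=$(find /backup/online -name samba-backup* | tail -1)`, after `rm -r /var/lib/samba/*` has already emptied the directory, and nothing checks that anything was found; with no file present (or with the unquoted `samba-backup*` expanded by the shell against the current directory) `samba-tool domain backup restore` runs with an empty `--backup-file` on a container that has just lost its default Samba state, and since this file sets no `set -e` the script simply carries on to enable the service. The lookup should also use the configured `/${LXC_SHAREFS_MOUNTPOINT}/online`, as the generated smb-backup script further down already does, instead of the hard-coded path; the reordered and guarded section is in the fence (`sort | tail -n 1` makes the pick deterministic instead of depending on `find` order). Separately, the generated `/usr/local/bin/smb-backup` contains `${ZMB_ADMIN_PASS}` in clear text and is only `chmod +x`, which under the default umask leaves it world-readable — create it with `install -m 700 /dev/null /usr/local/bin/smb-backup` before the heredoc (or `chmod 700` after), and note that `echo -e` will alter a password containing backslashes. The same heredoc has a typo, `echo "S(date) samba-ad-dc offline backup failed"` should be `echo "\$(date) samba-ad-dc offline backup failed"`, and the cron entry `23 * * * * root /usr/local/bin/smb-backup 7 …` keeps the hourly schedule that this commit changes to `0 23 * * *` in zmb-ad and zmb-ad-join. `samba-tool user setexpiry Administrator --noexpiry` also changes the restored domain's policy for the built-in administrator as a side effect of the restore; if that is intended it deserves a comment, otherwise it should be dropped here.
```shell
# … unchanged: feature loop, package install, chrony/nginx/bind configuration …

# Locate the backup before touching the existing Samba state, and abort if there is none;
# this script has no `set -e`, so an empty --backup-file would otherwise go unnoticed.
backupfile=$(find "/${LXC_SHAREFS_MOUNTPOINT}/online" -name 'samba-backup*' -type f | sort | tail -n 1)
if [[ -z "${backupfile}" ]]; then
  echo "No samba backup found in /${LXC_SHAREFS_MOUNTPOINT}/online. Canceling..." >&2
  exit 1
fi

# stop + disable samba services and remove default config
systemctl disable --now smbd nmbd winbind systemd-resolved > /dev/null 2>&1
rm -f /etc/samba/smb.conf
rm -f /etc/krb5.conf
rm -r /var/lib/samba/*

samba-tool domain backup restore --backup-file="${backupfile}" --newservername="${LXC_HOSTNAME}" --targetdir=/var/lib/samba/ \
  || { echo "samba-tool domain backup restore failed" >&2; exit 1; }

# … unchanged: krb5.conf symlink, service enable/restart, smb-backup generation, cron, logrotate …
```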
diff --git a/src/zmb-ad/install-service.sh b/src/zmb-ad/install-service.sh index 583d41b..fbc3340 100644 --- a/src/zmb-ad/install-service.sh +++ b/src/zmb-ad/install-service.sh @@ -176,7 +176,7 @@ EOF chmod +x /usr/local/bin/smb-backup cat << EOF > /etc/cron.d/smb-backup -23 * * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1 +0 23 * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1 EOF cat << EOF > /etc/logrotate.d/smb-backup diff --git a/src/zmb-cups/install-service.sh b/src/zmb-cups/install-service.sh index 726b191..636a723 100644 --- a/src/zmb-cups/install-service.sh +++ b/src/zmb-cups/install-service.sh 
@@ -96,13 +96,13 @@ systemctl restart winbind nmbd mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{spool,printerdrivers} cp -rv /var/lib/samba/printers/* /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers -chown -R root:"domain admins" /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers +chown -R root:"${ZMB_DOMAIN_ADMINS@L}" /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers chmod -R 1777 /${LXC_SHAREFS_MOUNTPOINT}/spool chmod -R 2775 /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers setfacl -Rb /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers -setfacl -Rm u:${ZMB_ADMIN_USER}:rwx,g:"domain admins":rwx,g:"NT Authority/authenticated users":r-x,o::--- /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers -setfacl -Rdm u:${ZMB_ADMIN_USER}:rwx,g:"domain admins":rwx,g:"NT Authority/authenticated users":r-x,o::--- /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers -echo -e "${ZMB_ADMIN_PASS}" | net rpc rights grant "${ZMB_DOMAIN}\\domain admins" SePrintOperatorPrivilege -U "${ZMB_DOMAIN}\\${ZMB_ADMIN_USER}" +setfacl -Rm u:${ZMB_ADMIN_USER}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,g:"NT Authority/authenticated users":r-x,o::r-x /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers +setfacl -Rdm u:${ZMB_ADMIN_USER}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,g:"NT Authority/authenticated users":r-x,o::r-x /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers +echo -e "${ZMB_ADMIN_PASS}" | net rpc rights grant "${ZMB_DOMAIN}\\${ZMB_DOMAIN_ADMINS@L}" SePrintOperatorPrivilege -U "${ZMB_DOMAIN}\\${ZMB_ADMIN_USER}" systemctl disable --now cups-browsed.service cupsctl --remote-admin diff --git a/src/zmb-member/install-service.sh b/src/zmb-member/install-service.sh index ae909ad..0cc07d6 100644 --- a/src/zmb-member/install-service.sh +++ b/src/zmb-member/install-service.sh 
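Review bot: `${ZMB_DOMAIN_ADMINS@L}` expands to an empty string when the user's `zamba.conf` predates the new variable (it is a copy of the example, not the example itself), and nothing in the hunk guards against that: `chown -R root:"" …` then silently falls back to root's login group, and `g:"":rwx` in the two `setfacl` lines grants rwx to the owning group rather than to the domain admins, so the directory ends up owned and writable by the wrong group without any error. Add `: "${ZMB_DOMAIN_ADMINS:?ZMB_DOMAIN_ADMINS must be set in zamba.conf}"` before the first use; the same applies to the zmb-member hunk below. The hunk also changes `o::---` to `o::r-x` in both ACL lines, which widens access for every user outside the listed groups and is unrelated to the variable rename; if it is deliberate, a comment stating why should accompany it. Lowercasing the name with `@L` assumes winbind resolves the group case-insensitively — presumably true, but worth confirming for the localized AD group names the variable is meant to cover.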
@@ -99,9 +99,9 @@ wbinfo -g mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE # originally 'domain users' was set, added variable for domain admins group, samba wiki recommends separate group e.g. 'unix admins' -chown "${ZMB_ADMIN_USER@L}" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE +chown "${ZMB_ADMIN_USER@L}":"${ZMB_DOMAIN_ADMINS@L}" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE -setfacl -Rm u:${ZMB_ADMIN_USER@L}:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE -setfacl -Rdm u:${ZMB_ADMIN_USER@L}:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE +setfacl -Rm u:${ZMB_ADMIN_USER@L}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE +setfacl -Rdm u:${ZMB_ADMIN_USER@L}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE systemctl restart smbd nmbd winbind wsdd