From 8cf9c45f79717513870560417743c25c6b2d537c Mon Sep 17 00:00:00 2001
From: Thorsten Spille
Date: Thu, 28 Nov 2024 21:27:56 +0100
Subject: [PATCH 001/105] set domain admins group in zmb.conf, add zmb-ad-restore container

---
 conf/zamba.conf.example | 10 +-
 install.sh | 17 ++
 src/zmb-ad-restore/constants-service.conf | 45 +++++
 src/zmb-ad-restore/install-service.sh | 195 ++++++++++++++++++++++
 src/zmb-cups/install-service.sh | 8 +-
 5 files changed, 268 insertions(+), 7 deletions(-)
 create mode 100644 src/zmb-ad-restore/constants-service.conf
 create mode 100644 src/zmb-ad-restore/install-service.sh

diff --git a/conf/zamba.conf.example b/conf/zamba.conf.example
index 714c47d..fa1d436 100644
--- a/conf/zamba.conf.example
+++ b/conf/zamba.conf.example
@@ -99,17 +99,21 @@ LXC_TAGS="linux,debian,${service}"
 ############### Zamba-Server-Section ###############
-# Defines the REALM for the Active Directory (AD DC, AD member)
+# Defines the REALM for the Active Directory (needs to be UPPER CASE, valid on zmb-ad, zmb-ad-join, zmb-member, zmb-cups)
 ZMB_REALM="ZMB.ROCKS"
-# Defines the domain name in your Active Directory or Workgroup (AD DC, AD member, standalone)
+# Defines the domain name in your Active Directory or Workgroup (needs to be UPPER CASE, valid on zmb-ad, zmb-ad-join, zmb-member, zmb-cups, zmb-standalone)
 ZMB_DOMAIN="ZMB"
-# Defines the name of your domain administrator account (AD DC, AD member, standalone)
+# Defines the name of your domain administrator account (Some environments are case sensitive, valid on zmb-ad, zmb-ad-join, zmb-member, zmb-cups, zmb-standalone)
 ZMB_ADMIN_USER="administrator"
+
 # The admin password for zamba installation. Please use 'single quatation marks' to avoid unexpected behaviour
 # `zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail
 ZMB_ADMIN_PASS='Start!123'
+# Name of the "domain admins" group (depends on your Active Directory language, valid on zmb-cups)
+ZMB_DOMAIN_ADMINS="domain admins"
+
 # Defines the name of your Zamba share
 ZMB_SHARE="share"
diff --git a/install.sh b/install.sh
index 2bab1d5..53f763b 100755
--- a/install.sh
+++ b/install.sh
@@ -102,6 +102,15 @@ source "$config"
 source "$PWD/src/$service/constants-service.conf"
+if [[ $service == "zmb-ad-restore" ]]; then
+ if find ./ | grep samba-backup*.tar.bz2 ; then
+ sambabackup=$(find $PWD/ | grep samba-backup*.tar.bz2 | tail -1)
+ else
+ echo "No samba backup found in $PWD. Please place a samba online backup into $PWD. Canceling..."
+ exit 1
+ fi
+fi
+
 if [ $LXC_MEM -lt $LXC_MEM_MIN ]; then
 LXC_MEM=$LXC_MEM_MIN
 fi
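Review bot: The backup lookup in the new `zmb-ad-restore` branch hands an unquoted glob, `samba-backup*.tar.bz2`, to grep; the shell expands it against the current directory, which is exactly the directory that is supposed to hold the backup, so grep receives file names instead of a pattern (with two archives present it would search the second archive for the name of the first). `find $PWD/ | grep ... | tail -1` also walks the whole tree and picks the lexically last match rather than the most recent one, with `$PWD` unquoted. Resolve the archive once with a real pattern and fail when nothing matches, e.g. `sambabackup=$(find "$PWD" -maxdepth 1 -name 'samba-backup*.tar.bz2' -printf '%T@ %p\n' | sort -n | tail -1 | cut -d' ' -f2-)` followed by `[[ -n "$sambabackup" ]] || { echo "No samba backup found in $PWD. Please place a samba online backup into $PWD. Canceling..." >&2; exit 1; }`. Since that archive contains the whole domain database including password hashes, a comment saying so, and a check that it is not world-readable, would be appropriate here as well.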
@@ -184,6 +193,11 @@ pct push $LXC_NBR "$PWD/src/lxc-base.sh" /root/lxc-base.sh
 pct push $LXC_NBR "$PWD/src/$service/install-service.sh" /root/install-service.sh
 pct push $LXC_NBR "$PWD/src/$service/constants-service.conf" /root/constants-service.conf
+if [[ $service == "zmb-ad-restore" ]]; then
+ pct exec $LXC_NBR -- mkdir -p /backup/online
+ pct push $LXC_NBR "$PWD/samba-backup-*.tar.bz2" /backup/online/
+fi
+
 if [ $debug -gt 0 ]; then dbg=-vx; else dbg=""; fi
 echo "Installing basic container setup..."
@@ -195,6 +209,9 @@ pct shutdown $LXC_NBR
 if [[ $service == "zmb-ad" ]]; then
 ## set nameserver, ${LXC_IP%/*} extracts the ip address from cidr format
 pct set $LXC_NBR -nameserver ${LXC_IP%/*}
+elif [[ $service == "zmb-ad-restore" ]]; then
+ ## set nameserver, ${LXC_IP%/*} extracts the ip address from cidr format
+ pct set $LXC_NBR -nameserver ${LXC_IP%/*}
 elif [[ $service == "zmb-ad-join" ]]; then
 pct set $LXC_NBR -nameserver "${LXC_IP%/*} $LXC_DNS"
 fi
diff --git a/src/zmb-ad-restore/constants-service.conf b/src/zmb-ad-restore/constants-service.conf
new file mode 100644
index 0000000..1042bbc
--- /dev/null
+++ b/src/zmb-ad-restore/constants-service.conf
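Review bot: `pct push $LXC_NBR "$PWD/samba-backup-*.tar.bz2" /backup/online/` quotes the glob, so `pct push` receives a literal path containing `*` and the copy fails; the archive already located earlier in install.sh (`$sambabackup`, set in a hunk outside this one) is never used. Push that value instead: `pct push $LXC_NBR "$sambabackup" /backup/online/`. Because the archive holds the full domain database with password hashes, it is also worth restricting it on the container side, e.g. adding `--perms 0600` to the push if this pct version supports it, and saying in a comment why the file is copied into the rootfs rather than mounted.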
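Review bot: The new `elif [[ $service == "zmb-ad-restore" ]]` branch repeats the `zmb-ad` branch line for line, comment included. Fold it into the first condition instead, `if [[ $service == "zmb-ad" || $service == "zmb-ad-restore" ]]; then`, so the nameserver handling for DC-type services lives in one place and a future change cannot drift between the two copies.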
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel
+# (C) 2021 Script design and prototype by Markus Helmke
+# (C) 2021 Script rework and documentation by Thorsten Spille
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="backup"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# add optional features to samba ad dc
+
+# CURRENTLY SUPPORTED:
+# wsdd = add windows service discovery
+# splitdns = add nginx to redirect to website www.domain.tld in splitdns setup
+# bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ
+
+# Example:
+# OPTIONAL_FEATURES=(wsdd)
+# OPTIONAL_FEATURES=(wsdd splitdns)
+OPTIONAL_FEATURES=(wsdd)
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="nginx,samba,dns,ntp,dc,ldap,secondary"
\ No newline at end of file
diff --git a/src/zmb-ad-restore/install-service.sh b/src/zmb-ad-restore/install-service.sh
new file mode 100644
index 0000000..b3c14c8
--- /dev/null
+++ b/src/zmb-ad-restore/install-service.sh
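Review bot: `LXC_UNPRIVILEGED="0"` makes the restored domain controller a privileged container with no comment on why; container root then maps to host root, which widens the blast radius of a compromised samba-ad-dc, so the reason (presumably the same requirement the existing zmb-ad service has) should be recorded next to the value, e.g. `# privileged container is required here for the same reason as zmb-ad — TODO state it`. `LXC_MP=0` together with `LXC_SHAREFS_MOUNTPOINT="backup"` means no host dataset is mounted, so the hourly archives that install-service.sh writes under `/backup` land on the container rootfs and are lost with it; if that is intended, say so beside `LXC_MP=0`, otherwise it should be `1`. The comment `(default: tank)` no longer matches the value on the next line.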
@@ -0,0 +1,195 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel
+# (C) 2021 Script design and prototype by Markus Helmke
+# (C) 2021 Script rework and documentation by Thorsten Spille
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+ZMB_DNS_BACKEND="SAMBA_INTERNAL"
+
+for f in ${OPTIONAL_FEATURES[@]}; do
+ if [[ "$f" == "wsdd" ]]; then
+ ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES"
+ ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
+ elif [[ "$f" == "splitdns" ]]; then
+ ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
+ ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
+ elif [[ "$f" == "bind9dlz" ]]; then
+ ZMB_DNS_BACKEND="BIND9_DLZ"
+ ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES"
+ ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES"
+ else
+ echo "Unsupported optional feature $f"
+ fi
+done
+
+# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
+
+# update packages
+apt update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
+# install required packages
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
+
+mkdir -p /etc/chrony/conf.d
+mkdir -p /etc/systemd/system/chrony.service.d
+
+cat << EOF > /etc/default/chrony
+# This is a configuration file for /etc/init.d/chrony and
+# /lib/systemd/system/chrony.service; it allows you to pass various options to
+# the chrony daemon without editing the init script or service file.
+
+# Options to pass to chrony.
+DAEMON_OPTS="-x -F 1"
+EOF
+
+cat << EOF > /etc/systemd/system/chrony.service.d/override.conf
+[Unit]
+ConditionCapability=
+EOF
+
+cat << EOF > /etc/chrony/conf.d/samba.conf
+bindcmdaddress $(sipcalc ${LXC_IP} | grep -m1 "Host address" | rev | cut -d' ' -f1 | rev)
+server de.pool.ntp.org iburst
+server europe.pool.ntp.org iburst
+allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | rev)/$(sipcalc ${LXC_IP} | grep -m1 "Network mask (bits)" | rev | cut -d' ' -f1 | rev)
+ntpsigndsocket /var/lib/samba/ntp_signd
+EOF
+
+if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
+ cat << EOF > /etc/nginx/sites-available/default
+server {
+ listen 80 default_server;
+ server_name _;
+ return 301 http://www.$LXC_DOMAIN\$request_uri;
+}
+EOF
+fi
+
+if [[ "$ADDITIONAL_PACKAGES" == *"bind9"* ]]; then
+ # configure bind dns service
+ cat << EOF > /etc/default/bind9
+#
+# run resolvconf?
+RESOLVCONF=no
+
+# startup options for the server
+OPTIONS="-4 -u bind"
+EOF
+
+ cat << EOF > /etc/bind/named.conf.local
+//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+dlz "$LXC_DOMAIN" {
+ database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
+};
+EOF
+
+ cat << EOF > /etc/bind/named.conf.options
+options {
+ directory "/var/cache/bind";
+
+ forwarders {
+ $LXC_DNS;
+ };
+
+ allow-query { any;};
+ dnssec-validation no;
+
+ auth-nxdomain no; # conform to RFC1035
+ listen-on-v6 { any; };
+ listen-on { any; };
+
+ tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
+ minimal-responses yes;
+};
+EOF
+
+ mkdir -p /var/lib/samba/bind-dns/dns
+fi
+
+# stop + disable samba services and remove default config
+systemctl disable --now smbd nmbd winbind systemd-resolved > /dev/null 2>&1
+rm -f /etc/samba/smb.conf
+rm -f /etc/krb5.conf
+
+rm -r /var/lib/samba/*
+
+backupfile=$(find /backup/online -name samba-backup* | tail -1)
+samba-tool domain backup restore --backup-file=${backupfile} --newservername=${LXC_HOSTNAME} --targetdir=/var/lib/samba/
+
+ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
+
+# disable password expiry for administrator
+samba-tool user setexpiry Administrator --noexpiry
+
+systemctl unmask samba-ad-dc
+systemctl enable samba-ad-dc
+systemctl restart samba-ad-dc $ADDITIONAL_SERVICES
+
+# configure ad backup
+cat << EOF > /usr/local/bin/smb-backup
+#!/bin/bash
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+rc=0
+keep=\$1
+
+mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{online,offline}
+
+prune () {
+ backup_type=\$1
+ if [ \$(find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | wc -l) -gt \$keep ]; then
+ find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | head --lines=-\$keep | xargs -d '\n' rm
+ fi
+}
+
+echo "\$(date) Starting samba-ad-dc online backup"
+if echo -e '${ZMB_ADMIN_PASS}' | samba-tool domain backup online --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/online --server=${LXC_HOSTNAME}.${LXC_DOMAIN} -UAdministrator ; then
+ echo "\$(date) Finished samba-ad-dc online backup. Cleaning up old online backups..."
+ prune online
+else
+ echo "\$(date) samba-ad-dc online backup failed"
+ rc=\$((\$rc + 1))
+fi
+
+echo "\$(date) Starting samba-ad-dc offline backup"
+if samba-tool domain backup offline --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/offline ; then
+ echo "\$(date) Finished samba-ad-dc offline backup. Cleaning up old offline backups..."
+ prune offline
+else
+ echo "S(date) samba-ad-dc offline backup failed"
+ rc=\$((\$rc + 1))
+fi
+
+exit \$rc
+EOF
+chmod +x /usr/local/bin/smb-backup
+
+cat << EOF > /etc/cron.d/smb-backup
+23 * * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
+EOF
+
+cat << EOF > /etc/logrotate.d/smb-backup
+/var/log/smb-backup.log {
+ weekly
+ rotate 12
+ compress
+ delaycompress
+ missingok
+ notifempty
+ create 644 root root
+}
+EOF
+
+exit 0
\ No newline at end of file
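Review bot: The generated `/usr/local/bin/smb-backup` embeds the domain administrator password in clear text (`echo -e '${ZMB_ADMIN_PASS}' | samba-tool domain backup online ... -UAdministrator`) and is only `chmod +x`-ed, so under the default umask it is world-readable and any local account on the DC can recover the most privileged credential in the domain; the archives it writes carry the whole directory, password hashes included, and get default permissions as well. At minimum add `chmod 700 /usr/local/bin/smb-backup` after the heredoc and `umask 077` at the top of the generated script, before the `mkdir -p`; a dedicated backup account whose password lives in a root-only file handed to samba-tool's authentication-file option, if this samba version has it, would avoid baking the admin password into the script at all. Separately, `backupfile=$(find /backup/online -name samba-backup* | tail -1)` is never checked, the glob is unquoted, and the script has no `set -e`, so with no archive or a failed restore it still proceeds to `samba-tool user setexpiry` and enables samba-ad-dc on an empty tree; guard it with `[[ -n "$backupfile" ]] || { echo "no samba-backup archive in /backup/online" >&2; exit 1; }` and `|| exit 1` on the restore. `samba-tool user setexpiry Administrator --noexpiry` hardcodes `Administrator` instead of `ZMB_ADMIN_USER` and permanently exempts that account from password expiry, which deserves at least a comment stating the operational reason. The offline-failure message also reads `S(date)` where `\$(date)` is meant.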
diff --git a/src/zmb-cups/install-service.sh b/src/zmb-cups/install-service.sh
index 726b191..cafb44b 100644
--- a/src/zmb-cups/install-service.sh
+++ b/src/zmb-cups/install-service.sh
@@ -96,13 +96,13 @@ systemctl restart winbind nmbd
 mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{spool,printerdrivers}
 cp -rv /var/lib/samba/printers/* /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
-chown -R root:"domain admins" /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
+chown -R root:"${ZMB_DOMAIN_ADMINS}" /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
 chmod -R 1777 /${LXC_SHAREFS_MOUNTPOINT}/spool
 chmod -R 2775 /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
 setfacl -Rb /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
-setfacl -Rm u:${ZMB_ADMIN_USER}:rwx,g:"domain admins":rwx,g:"NT Authority/authenticated users":r-x,o::--- /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
-setfacl -Rdm u:${ZMB_ADMIN_USER}:rwx,g:"domain admins":rwx,g:"NT Authority/authenticated users":r-x,o::--- /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
-echo -e "${ZMB_ADMIN_PASS}" | net rpc rights grant "${ZMB_DOMAIN}\\domain admins" SePrintOperatorPrivilege -U "${ZMB_DOMAIN}\\${ZMB_ADMIN_USER}"
+setfacl -Rm u:${ZMB_ADMIN_USER}:rwx,g:"${ZMB_DOMAIN_ADMINS}":rwx,g:"NT Authority/authenticated users":r-x,o::--- /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
+setfacl -Rdm u:${ZMB_ADMIN_USER}:rwx,g:"${ZMB_DOMAIN_ADMINS}":rwx,g:"NT Authority/authenticated users":r-x,o::--- /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
+echo -e "${ZMB_ADMIN_PASS}" | net rpc rights grant "${ZMB_DOMAIN}\\${ZMB_DOMAIN_ADMINS}" SePrintOperatorPrivilege -U "${ZMB_DOMAIN}\\${ZMB_ADMIN_USER}"
 systemctl disable --now cups-browsed.service
 cupsctl --remote-admin

From d50b7a93c25705a4f868bd4c32412b7fbbb48330 Mon Sep 17 00:00:00 2001
From: Thorsten Spille
Date: Mon, 6 Jan 2025 21:32:36 +0100
Subject: [PATCH 002/105] Update constants-service.conf

Change Omada to Debian bookworm
---
 src/omada/constants-service.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
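Review bot: The rewritten grant line still pipes the admin password through `echo -e`, which interprets backslash escapes, so a password containing `\n`, `\t` or `\\` is altered before `net rpc rights grant` reads it, and nothing checks the exit status, so a failed grant goes unnoticed unless the script runs under `set -e` (not visible from this hunk). Use `printf '%s\n' "${ZMB_ADMIN_PASS}" | net rpc rights grant "${ZMB_DOMAIN}\\${ZMB_DOMAIN_ADMINS}" SePrintOperatorPrivilege -U "${ZMB_DOMAIN}\\${ZMB_ADMIN_USER}" || exit 1` instead. Now that the group name comes from `ZMB_DOMAIN_ADMINS`, an empty or mistyped value makes `chown -R root:""` and the two `setfacl` calls fail and leaves the driver directory with whatever ownership the `cp` produced, so a `[[ -n "${ZMB_DOMAIN_ADMINS}" ]] || { echo "ZMB_DOMAIN_ADMINS is not set" >&2; exit 1; }` before this block gives a clearer failure.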
diff --git a/src/omada/constants-service.conf b/src/omada/constants-service.conf
index 83aedc6..4f9f90b 100644
--- a/src/omada/constants-service.conf
+++ b/src/omada/constants-service.conf
@@ -8,7 +8,7 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-11-standard"
+LXC_TEMPLATE_VERSION="debian-12-standard"
 # Create sharefs mountpoint
 LXC_MP=0
@@ -30,4 +30,4 @@ LXC_KEYCTL="0"
 LXC_MEM_MIN=2048
 # service dependent meta tags
-SERVICE_TAGS="mongodb-server,java"
\ No newline at end of file
+SERVICE_TAGS="mongodb-server,java"

From 3fe94152ccbcbcfd48f366d5cd85a2c3e7c281de Mon Sep 17 00:00:00 2001
From: DerFossiBaer <56678897+DerFossiBaer@users.noreply.github.com>
Date: Mon, 6 Jan 2025 23:05:43 +0100
Subject: [PATCH 003/105] Update install-service.sh

With Omada 5.15 mongodb 7.0 and default jre are possible.
---
 src/omada/install-service.sh | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/omada/install-service.sh b/src/omada/install-service.sh
index 7e88549..5692314 100644
--- a/src/omada/install-service.sh
+++ b/src/omada/install-service.sh
@@ -10,14 +10,14 @@ set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
-wget -qO - https://packages.adoptium.net/artifactory/api/gpg/key/public | gpg --dearmor > /usr/share/keyrings/adoptium-keyring.gpg
+# wget -qO - https://packages.adoptium.net/artifactory/api/gpg/key/public | gpg --dearmor > /usr/share/keyrings/adoptium-keyring.gpg
 wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
-wget -O - https://pgp.mongodb.com/server-4.4.asc | gpg --dearmor > /usr/share/keyrings/mongodb-server-4.4.gpg
+wget -O - https://pgp.mongodb.com/server-7.0.asc | gpg --dearmor > /usr/share/keyrings/mongodb-server-7.0.gpg
 echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/omada $(lsb_release -cs 2>/dev/null) main" > /etc/apt/sources.list.d/bashclub-omada.list
-echo "deb [signed-by=/usr/share/keyrings/adoptium-keyring.gpg] https://packages.adoptium.net/artifactory/deb $(lsb_release -cs 2>/dev/null) main" > /etc/apt/sources.list.d/adoptium.list
-echo "deb [signed-by=/usr/share/keyrings/mongodb-server-4.4.gpg] http://repo.mongodb.org/apt/debian buster/mongodb-org/4.4 main" > /etc/apt/sources.list.d/mongodb-org-7.0.list
+# echo "deb [signed-by=/usr/share/keyrings/adoptium-keyring.gpg] https://packages.adoptium.net/artifactory/deb $(lsb_release -cs 2>/dev/null) main" > /etc/apt/sources.list.d/adoptium.list
+echo "deb [signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg] http://repo.mongodb.org/apt/debian bookworm/mongodb-org/7.0 main" > /etc/apt/sources.list.d/mongodb-org-7.0.list
 apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq temurin-8-jre jsvc mongodb-org
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq omadac
\ No newline at end of file
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq default-jre-headless jsvc mongodb-org
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq omadac

From 23c4166e182e32fea288e5f7bf89c455e4ff3425 Mon Sep 17 00:00:00 2001
From: DerFossiBaer <56678897+DerFossiBaer@users.noreply.github.com>
Date: Tue, 7 Jan 2025 16:05:46 +0100
Subject: [PATCH 004/105] Update constants-service.conf

Due to oom-killers set MEM to 4096MB
---
 src/omada/constants-service.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/omada/constants-service.conf b/src/omada/constants-service.conf
index 4f9f90b..5194b1f 100644
--- a/src/omada/constants-service.conf
+++ b/src/omada/constants-service.conf
@@ -27,7 +27,7 @@ LXC_NESTING="1"
 LXC_KEYCTL="0"
 # Sets the minimum amount of RAM the service needs for operation
-LXC_MEM_MIN=2048
+LXC_MEM_MIN=4096
 # service dependent meta tags
 SERVICE_TAGS="mongodb-server,java"

From a10e16633a07b9b5d104f5a15fdbdfa1447ed911 Mon Sep 17 00:00:00 2001
From: DerFossiBaer <56678897+DerFossiBaer@users.noreply.github.com>
Date: Wed, 29 Jan 2025 17:58:14 +0100
Subject: [PATCH 005/105] Update constants-service.conf

change php to 8.3 added postgresql version
---
 src/nextcloud/constants-service.conf | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/nextcloud/constants-service.conf b/src/nextcloud/constants-service.conf
index 684f4c1..e4665e2 100644
--- a/src/nextcloud/constants-service.conf
+++ b/src/nextcloud/constants-service.conf
@@ -30,7 +30,10 @@ LXC_KEYCTL="0"
 NEXTCLOUD_VERSION="latest"
 # Defines the php version to install
-NEXTCLOUD_PHP_VERSION="8.2"
+NEXTCLOUD_PHP_VERSION="8.3"
+
+# Defines the postgresql version to install
+POSTGRES_VERSION=16
 # Defines the IP from the SQL server
 NEXTCLOUD_DB_IP="127.0.0.1"
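Review bot: The new MongoDB source line points at `http://repo.mongodb.org/apt/debian bookworm/mongodb-org/7.0`; the `signed-by` keyring protects package integrity, but the repository is also reachable over HTTPS (as the `pgp.mongodb.com` key fetch on the line above already is), so the entry should read `https://repo.mongodb.org/apt/debian bookworm/mongodb-org/7.0 main` to keep the package list and installed-version footprint off the wire in clear. The two commented-out adoptium lines are dead code; with the switch to `default-jre-headless` they should be deleted rather than kept, or a comment should say why they are being preserved. The downloaded signing keys are still not compared against a known fingerprint, which `set -euo pipefail` cannot catch, but that predates this change.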
@@ -51,4 +54,4 @@ NEXTCLOUD_DB_PWD="$(random_password)"
 LXC_MEM_MIN=4096
 # service dependent meta tags
-SERVICE_TAGS="php-fpm,nginx,postgresql"
\ No newline at end of file
+SERVICE_TAGS="php-fpm,nginx,postgresql"

From 6876e6f459ed3dd1a21b02982d96762e048bafe4 Mon Sep 17 00:00:00 2001
From: DerFossiBaer <56678897+DerFossiBaer@users.noreply.github.com>
Date: Wed, 29 Jan 2025 18:02:48 +0100
Subject: [PATCH 006/105] Update install-service.sh

nearly completely new installation is now generated in functions, witch are added at the end of the script.
---
 src/nextcloud/install-service.sh | 811 ++++++++++++++++++-------------
 1 file changed, 464 insertions(+), 347 deletions(-)

diff --git a/src/nextcloud/install-service.sh b/src/nextcloud/install-service.sh
index 516819a..3d58678 100644
--- a/src/nextcloud/install-service.sh
+++ b/src/nextcloud/install-service.sh
@@ -5,130 +5,67 @@ # (C) 2021 Script design and prototype by Markus Helmke # (C) 2021 Script rework and documentation by Thorsten Spille +set -euo pipefail + source /root/functions.sh - -NEXTCLOUD_ADMIN_PWD=$(random_password) - source /root/zamba.conf source /root/constants-service.conf +NEXTCLOUD_ADMIN_PWD=$(random_password) +NEXTCLOUD_REDIS_PWD=$(random_password) HOSTNAME=$(hostname -f) -wget -q -O - https://packages.sury.org/php/apt.gpg | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/sury-php.gpg >/dev/null -echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list - -wget -q -O - https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/nginx.gpg >/dev/null -echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list - -wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/postgresql.gpg >/dev/null -echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list - -apt update - -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends tree locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat fail2ban ldap-utils cifs-utils redis-server imagemagick libmagickcore-6.q16-6-extra \ -postgresql-15 nginx php$NEXTCLOUD_PHP_VERSION-{fpm,gd,mysql,pgsql,curl,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,redis,dev,smbclient,cli,common,opcache,readline} - -timedatectl set-timezone $LXC_TIMEZONE -mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www -chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www - -#### Create database for nextcloud #### - -su - postgres <> /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini -sed -i "s/rights=\"none\" pattern=\"PS\"/rights=\"read|write\" pattern=\"PS\"/" 
/etc/ImageMagick-6/policy.xml -sed -i "s/rights=\"none\" pattern=\"EPS\"/rights=\"read|write\" pattern=\"EPS\"/" /etc/ImageMagick-6/policy.xml -sed -i "s/rights=\"none\" pattern=\"PDF\"/rights=\"read|write\" pattern=\"PDF\"/" /etc/ImageMagick-6/policy.xml -sed -i "s/rights=\"none\" pattern=\"XPS\"/rights=\"read|write\" pattern=\"XPS\"/" /etc/ImageMagick-6/policy.xml - -#### Adjust nginx settings #### - -mkdir -p /etc/nginx/ssl +#### Modify Nginx for Nextcloud #### +mod_nginx() { openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/nextcloud.key -out /etc/ssl/certs/nextcloud.crt -subj "/CN=$NEXTCLOUD_FQDN" -addext "subjectAltName=DNS:$NEXTCLOUD_FQDN" generate_dhparam mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak - cat > /etc/nginx/nginx.conf < /etc/nginx/conf.d/http.conf << EOF upstream php-handler { -server unix:/run/php/php$NEXTCLOUD_PHP_VERSION-fpm.sock; + server unix:/run/php/php$NEXTCLOUD_PHP_VERSION-fpm.sock; } map \$arg_v \$asset_immutable { - "" ""; - default "immutable"; + "" ""; + default "immutable"; } server { -listen 80 default_server; -listen [::]:80 default_server; -server_name $NEXTCLOUD_FQDN; -root /var/www; -location / { -return 301 https://\$host\$request_uri; -} + listen 80 default_server; + listen [::]:80 default_server; + server_name $NEXTCLOUD_FQDN; + root /var/www; + location ^~ /.well-known/acme-challenge { + default_type text/plain; + root /var/www/letsencrypt; + } + location / { + return 301 https://\$host\$request_uri; + } } EOF cat > /etc/nginx/conf.d/nextcloud.conf << EOF +limit_req_zone \$binary_remote_addr zone=NextcloudRateLimit:10m rate=2r/s; server { -listen 443 ssl http2; -listen [::]:443 ssl http2; -server_name $NEXTCLOUD_FQDN; -ssl_certificate /etc/ssl/certs/nextcloud.crt; -ssl_certificate_key /etc/ssl/private/nextcloud.key; -ssl_trusted_certificate /etc/ssl/certs/nextcloud.crt; -#ssl_certificate /etc/letsencrypt/rsa-certs/fullchain.pem; -#ssl_certificate_key /etc/letsencrypt/rsa-certs/privkey.pem; 
-#ssl_certificate /etc/letsencrypt/ecc-certs/fullchain.pem; -#ssl_certificate_key /etc/letsencrypt/ecc-certs/privkey.pem; -#ssl_trusted_certificate /etc/letsencrypt/ecc-certs/chain.pem; -ssl_dhparam /etc/nginx/dhparam.pem; -ssl_session_timeout 1d; -ssl_session_cache shared:SSL:50m; -ssl_session_tickets off; -ssl_protocols TLSv1.3 TLSv1.2; -ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384'; -ssl_ecdh_curve X448:secp521r1:secp384r1; -ssl_prefer_server_ciphers on; -ssl_stapling on; -ssl_stapling_verify on; -client_max_body_size 5120M; -client_body_timeout 300s; -client_body_buffer_size 512k; -fastcgi_buffers 64 4K; -gzip on; -gzip_vary on; -gzip_comp_level 4; -gzip_min_length 256; -gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; -gzip_types application/atom+xml text/javascript application/wasm application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; -add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; -add_header Permissions-Policy "interest-cohort=()"; -add_header Referrer-Policy "no-referrer" always; -add_header X-Content-Type-Options "nosniff" always; -add_header X-Download-Options "noopen" always; -add_header X-Frame-Options "SAMEORIGIN" always; -add_header X-Permitted-Cross-Domain-Policies "none" always; -add_header X-Robots-Tag "noindex, nofollow" always; -add_header X-XSS-Protection "1; mode=block" always; -fastcgi_hide_header X-Powered-By; -fastcgi_read_timeout 3600; -fastcgi_send_timeout 
3600; -fastcgi_connect_timeout 3600; -root /var/www/nextcloud; -index index.php index.html /index.php\$request_uri; -expires 1m; -location = / { -if ( \$http_user_agent ~ ^DavClnt ) { -return 302 /remote.php/webdav/\$is_args\$args; -} -} -location = /robots.txt { -allow all; -log_not_found off; -access_log off; -} -location ^~ /apps/rainloop/app/data { -deny all; -} -location ^~ /.well-known { -location = /.well-known/carddav { return 301 /remote.php/dav/; } -location = /.well-known/caldav { return 301 /remote.php/dav/; } -location ^~ /.well-known { return 301 /index.php/\$uri; } -try_files \$uri \$uri/ =404; -} -location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:\$|/) { return 404; } -location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } -location ~ \.php(?:\$|/) { -rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri; -fastcgi_split_path_info ^(.+?\.php)(/.*)\$; -set \$path_info \$fastcgi_path_info; -try_files \$fastcgi_script_name =404; -include fastcgi_params; -fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name; -fastcgi_param PATH_INFO \$path_info; -fastcgi_param HTTPS on; -fastcgi_param modHeadersAvailable true; -fastcgi_param front_controller_active true; -fastcgi_pass php-handler; -fastcgi_intercept_errors on; -fastcgi_request_buffering off; -} -location ~ \.(?:css|js|mjs|svg|gif|ico|wasm|tflite|map)\$ { -try_files \$uri /index.php\$request_uri; -expires 6M; -access_log off; + listen 443 ssl default_server; + listen [::]:443 ssl default_server; + http2 on; + #listen 443 quic reuseport; + #listen [::]:443 quic reuseport; + #http3 on; + #http3_hq on; + #quic_retry on; + server_name $NEXTCLOUD_FQDN; + ssl_certificate /etc/ssl/certs/nextcloud.crt; + ssl_certificate_key /etc/ssl/private/nextcloud.key; + ssl_trusted_certificate /etc/ssl/certs/nextcloud.crt; + #ssl_certificate 
/etc/letsencrypt/rsa-certs/fullchain.pem; + #ssl_certificate_key /etc/letsencrypt/rsa-certs/privkey.pem; + #ssl_certificate /etc/letsencrypt/ecc-certs/fullchain.pem; + #ssl_certificate_key /etc/letsencrypt/ecc-certs/privkey.pem; + #ssl_trusted_certificate /etc/letsencrypt/ecc-certs/chain.pem; + ssl_dhparam /etc/nginx/dhparam.pem; + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:50m; + ssl_session_tickets off; + ssl_protocols TLSv1.3 TLSv1.2; + ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384'; + ssl_prefer_server_ciphers on; + ssl_stapling on; + ssl_stapling_verify on; + client_max_body_size 10G; + client_body_timeout 3600s; + client_body_buffer_size 512k; + fastcgi_buffers 64 4K; + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; + add_header Permissions-Policy "interest-cohort=()"; + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "noindex, nofollow" always; + add_header X-XSS-Protection "1; mode=block" 
always; + add_header Alt-Svc 'h3=":\$server_port"; ma=86400'; + add_header x-quic 'h3'; + add_header Alt-Svc 'h3-29=":\$server_port"'; + fastcgi_hide_header X-Powered-By; + include mime.types; + types { + text/javascript mjs; + } + root /var/www/nextcloud; + index index.php index.html /index.php\$request_uri; + location = / { + if ( \$http_user_agent ~ ^DavClnt ) { + return 302 /remote.php/webdav/\$is_args\$args; + } + } + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + location ^~ /.well-known { + location = /.well-known/carddav { return 301 /remote.php/dav/; } + location = /.well-known/caldav { return 301 /remote.php/dav/; } + location /.well-known/acme-challenge { try_files \$uri \$uri/ =404; } + location /.well-known/pki-validation { try_files \$uri \$uri/ =404; } + return 301 /index.php\$request_uri; + } + location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; } + location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } + location ~ \.php(?:$|/) { + rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php\$request_uri; + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + set \$path_info \$fastcgi_path_info; + try_files \$fastcgi_script_name =404; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name; + fastcgi_param PATH_INFO \$path_info; + fastcgi_param HTTPS on; + fastcgi_param modHeadersAvailable true; + fastcgi_param front_controller_active true; + fastcgi_pass php-handler; + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + fastcgi_read_timeout 3600; + fastcgi_send_timeout 3600; + fastcgi_connect_timeout 3600; + fastcgi_max_temp_file_size 0; + } + location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ { + try_files \$uri /index.php\$request_uri; + add_header Cache-Control "public, max-age=15768000, \$asset_immutable"; 
+ add_header Permissions-Policy "interest-cohort=()"; + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "noindex, nofollow" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Alt-Svc 'h3=":\$server_port"; ma=86400'; + add_header x-quic 'h3'; + add_header Alt-Svc 'h3-29=":\$server_port"'; + access_log off; + expires 6M; + access_log off; location ~ \.wasm$ { - default_type application/wasm; - } -} -location ~ \.woff2?\$ { -try_files \$uri /index.php\$request_uri; -expires 7d; -access_log off; -} -location / { -try_files \$uri \$uri/ /index.php\$request_uri; -} -location /push/ { -proxy_pass http://localhost:7867/; -proxy_http_version 1.1; -proxy_set_header Upgrade \$http_upgrade; -proxy_set_header Connection "Upgrade"; -proxy_set_header Host \$host; -proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; -} + default_type application/wasm; + } + } + location ~ \.(otf|woff2?)$ { + try_files \$uri /index.php\$request_uri; + expires 7d; + access_log off; + } + location /remote { + return 301 /remote.php\$request_uri; + } + location /login { + limit_req zone=NextcloudRateLimit burst=5 nodelay; + limit_req_status 429; + try_files \$uri \$uri/ /index.php\$request_uri; + } + location / { + try_files \$uri \$uri/ /index.php\$request_uri; + } + location ^~ /push/ { + proxy_pass http://127.0.0.1:7867/; + proxy_http_version 1.1; + proxy_set_header Upgrade \$http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host \$host; + proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; + } } EOF +} -systemctl restart php$NEXTCLOUD_PHP_VERSION-fpm nginx +#### Modify php settings for Nextcloud #### +mod_php() { +cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf.bak +cp 
/etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini.bak +cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini.bak +cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf.bak +cp /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini.bak +cp /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini.bak +cp /etc/ImageMagick-6/policy.xml /etc/ImageMagick-6/policy.xml.bak -#### Adjust redis settings #### +sed -i "s/;env\[HOSTNAME\] = /env[HOSTNAME] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf +sed -i "s/;env\[TMP\] = /env[TMP] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf +sed -i "s/;env\[TMPDIR\] = /env[TMPDIR] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf +sed -i "s/;env\[TEMP\] = /env[TEMP] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf +sed -i "s/;env\[PATH\] = /env[PATH] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf +sed -i "s/pm.max_children =.*/pm.max_children = 200/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf +sed -i "s/pm.start_servers =.*/pm.start_servers = 100/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf +sed -i "s/pm.min_spare_servers =.*/pm.min_spare_servers = 60/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf +sed -i "s/pm.max_spare_servers =.*/pm.max_spare_servers = 140/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf +sed -i "s/;pm.max_requests =.*/pm.max_requests = 1000/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf +sed -i "s/allow_url_fopen =.*/allow_url_fopen = 1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini +sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini +sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini +sed -i 
"s/max_input_time =.*/max_input_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini +sed -i "s/post_max_size =.*/post_max_size = 10G/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini +sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10G/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini +sed -i "s|;date.timezone.*|date.timezone = $LXC_TIMEZONE|" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini +sed -i "s/;cgi.fix_pathinfo.*/cgi.fix_pathinfo=0/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini + +sed -i "s/memory_limit = 128M/memory_limit = 1G/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini +sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini +sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini +sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini +sed -i "s/post_max_size =.*/post_max_size = 10G/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini +sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10G/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini +sed -i "s|;date.timezone.*|date.timezone = $LXC_TIMEZONE|" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini +sed -i "s/;session.cookie_secure.*/session.cookie_secure = True/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini +sed -i "s/;opcache.enable=.*/opcache.enable=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini +sed -i "s/;opcache.validate_timestamps=.*/opcache.validate_timestamps=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini +sed -i "s/;opcache.enable_cli=.*/opcache.enable_cli=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini +sed -i "s/;opcache.memory_consumption=.*/opcache.memory_consumption=256/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini +sed -i "s/;opcache.interned_strings_buffer=.*/opcache.interned_strings_buffer=64/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini +sed -i "s/;opcache.max_accelerated_files=.*/opcache.max_accelerated_files=100000/" 
/etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini +sed -i "s/;opcache.revalidate_freq=.*/opcache.revalidate_freq=0/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini +sed -i "s/;opcache.save_comments=.*/opcache.save_comments=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini +sed -i "s/;opcache.huge_code_pages=.*/opcache.huge_code_pages=0/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini + +sed -i "s|;emergency_restart_threshold.*|emergency_restart_threshold = 10|g" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf +sed -i "s|;emergency_restart_interval.*|emergency_restart_interval = 1m|g" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf +sed -i "s|;process_control_timeout.*|process_control_timeout = 10|g" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf + +sed -i '$aapc.enable_cli=1' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini + +sed -i 's/opcache.jit=off/opcache.jit=on/' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini +sed -i '$aopcache.jit=1255' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini +sed -i '$aopcache.jit_buffer_size=256M' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini + +sed -i "s/rights=\"none\" pattern=\"PS\"/rights=\"read|write\" pattern=\"PS\"/" /etc/ImageMagick-6/policy.xml +sed -i "s/rights=\"none\" pattern=\"EPS\"/rights=\"read|write\" pattern=\"EPS\"/" /etc/ImageMagick-6/policy.xml +sed -i "s/rights=\"none\" pattern=\"PDF\"/rights=\"read|write\" pattern=\"PDF\"/" /etc/ImageMagick-6/policy.xml +sed -i "s/rights=\"none\" pattern=\"XPS\"/rights=\"read|write\" pattern=\"XPS\"/" /etc/ImageMagick-6/policy.xml + +sed -i '$apgsql.allow_persistent = On' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini +sed -i '$apgsql.auto_reset_persistent = Off' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini +sed -i '$apgsql.max_persistent = -1' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini +sed -i '$apgsql.max_links = -1' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini +sed -i '$apgsql.ignore_notice = 
0' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini +sed -i '$apgsql.log_notice = 0' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini +} + +#### Modify Postgresql for Nextcloud #### +mod_postgresql() { +su - postgres < /etc/postgresql/$POSTGRES_VERSION/main/conf.d/nextcloud.conf <> /etc/sysctl.conf -systemctl restart redis +sed -i '$avm.overcommit_memory = 1' /etc/sysctl.conf +} -#### HIER MÜSSTE EIN REBOOT REIN #### - - -#### Install nextcloud #### +#### Install some more packages +inst_packages() { +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends tree ldap-utils cifs-utils locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat imagemagick libmagickcore-6.q16-6-extra +timedatectl set-timezone $LXC_TIMEZONE +mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www /etc/letsencrypt +chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www +} +#### Install and modify Nextcloud #### +inst_nextcloud() { cd /usr/local/src - wget https://download.nextcloud.com/server/releases/latest.tar.bz2 wget https://download.nextcloud.com/server/releases/latest.tar.bz2.md5 -md5sum -c latest.tar.bz2.md5 < latest.tar.bz2 - -tar -xjf latest.tar.bz2 -C /var/www && chown -R www-data:www-data /var/www/ && rm -f latest.tar.bz2 +md5sum -c --ignore-missing latest.tar.bz2.md5 < latest.tar.bz2 +tar -xjf latest.tar.bz2 -C /var/www && chown -R www-data:www-data /var/www/ && rm -f latest.tar.bz2* cat > /root/permissions.sh << EOF #!/bin/bash find /var/www/ -type f -print0 | xargs -0 chmod 0640 find /var/www/ -type d -print0 | xargs -0 chmod 0750 -chown -R www-data:www-data /var/www +if [ -d "/var/www/nextcloud/apps/notify_push" ]; then +chmod ug+x /var/www/nextcloud/apps/notify_push/bin/x86_64/notify_push +fi +chmod -R 770 /etc/letsencrypt +chown -R www-data:www-data /var/www chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA chmod 0644 /var/www/nextcloud/.htaccess chmod 
0644 /var/www/nextcloud/.user.ini @@ -310,39 +387,14 @@ EOF chmod +x /root/permissions.sh /root/permissions.sh - -#### install fail2ban #### - -cat </etc/fail2ban/filter.d/nextcloud.conf -[Definition] -_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*) -failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Login failed: - ^\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Trusted domain error. -datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?" -EOF - -cat > /etc/fail2ban/jail.d/nextcloud.local << EOF -[nextcloud] -backend = auto -enabled = true -port = 80,443 -protocol = tcp -filter = nextcloud -maxretry = 5 -bantime = 3600 -findtime = 36000 -logpath = /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/nextcloud.log -EOF - -systemctl restart fail2ban +} #### Create configuration script for nextcloud, which will be executet as user www-data +mod_nextcloudconfig() { -cat > /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/config_nextcloud.sh << DFOE +systemctl stop nginx -#!/bin/bash - -php /var/www/nextcloud/occ maintenance:install --database pgsql \ +sudo -u www-data /usr/bin/php /var/www/nextcloud/occ maintenance:install --database pgsql \ --database-host $NEXTCLOUD_DB_IP \ --database-port $NEXTCLOUD_DB_PORT \ --database-name $NEXTCLOUD_DB_NAME \ 
@@ -352,110 +404,175 @@ php /var/www/nextcloud/occ maintenance:install --database pgsql \ --admin-pass $NEXTCLOUD_ADMIN_PWD \ --data-dir /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA -php /var/www/nextcloud/occ config:system:set trusted_domains 0 --value=$NEXTCLOUD_FQDN -php /var/www/nextcloud/occ config:system:set overwrite.cli.url --value=https://$NEXTCLOUD_FQDN - -cp /var/www/nextcloud/config/config.php /var/www/nextcloud/config/config.php.bak -sed -i 's/^[ ]*//' /var/www/nextcloud/config/config.php +sudo -u www-data cp /var/www/nextcloud/config/config.php /var/www/nextcloud/config/config.php.bak sed -i '/);/d' /var/www/nextcloud/config/config.php +sed -i 's/^[ ]*//' /var/www/nextcloud/config/config.php +sed -i "s/output_buffering=.*/output_buffering=0/" /var/www/nextcloud/.user.ini + cat >> /var/www/nextcloud/config/config.php << EOF -'activity_expire_days' => 14, -'auth.bruteforce.protection.enabled' => true, -'blacklisted_files' => -array ( -0 => '.htaccess', -1 => 'Thumbs.db', -2 => 'thumbs.db', -), -'cron_log' => true, -'default_phone_region' => 'DE', -'enable_previews' => true, -'enabledPreviewProviders' => -array ( -0 => 'OC\Preview\PNG', -1 => 'OC\Preview\JPEG', -2 => 'OC\Preview\GIF', -3 => 'OC\Preview\BMP', -4 => 'OC\Preview\XBitmap', -5 => 'OC\Preview\Movie', -6 => 'OC\Preview\PDF', -7 => 'OC\Preview\MP3', -8 => 'OC\Preview\TXT', -9 => 'OC\Preview\MarkDown', -), -'filesystem_check_changes' => 0, -'filelocking.enabled' => 'true', -'htaccess.RewriteBase' => '/', -'integrity.check.disabled' => false, -'knowledgebaseenabled' => false, -'logfile' => '/var/$NEXTCLOUD_DATA/nextcloud.log', -'loglevel' => 2, -'logtimezone' => '$LXC_TIMEZONE', -'log_rotate_size' => 104857600, -'maintenance' => false, -'memcache.local' => '\OC\Memcache\APCu', -'memcache.locking' => '\OC\Memcache\Redis', -'overwriteprotocol' => 'https', -'preview_max_x' => 1024, -'preview_max_y' => 768, -'preview_max_scale_factor' => 1, -'redis' => -array ( -'host' => 
'/var/run/redis/redis-server.sock', -'port' => 0, -'timeout' => 0.0, -), -'quota_include_external_storage' => false, -'share_folder' => '/Freigaben', -'skeletondirectory' => '', -'theme' => '', -'trashbin_retention_obligation' => 'auto, 7', -'updater.release.channel' => 'stable', -'trusted_proxies' => -array ( -'$NEXTCLOUD_REVPROX', -'127.0.0.1', -'::1', -), + 'activity_expire_days' => 14, + 'allow_local_remote_servers' => true, + 'auth.bruteforce.protection.enabled' => true, + 'forbidden_filenames' => + array ( + 0 => '.htaccess', + 1 => 'Thumbs.db', + 2 => 'thumbs.db', + ), + 'cron_log' => true, + 'default_phone_region' => 'DE', + 'enable_previews' => true, + 'enabledPreviewProviders' => + array ( + 0 => 'OC\\Preview\\PNG', + 1 => 'OC\\Preview\\JPEG', + 2 => 'OC\\Preview\\GIF', + 3 => 'OC\\Preview\\BMP', + 4 => 'OC\\Preview\\XBitmap', + 5 => 'OC\\Preview\\Movie', + 6 => 'OC\\Preview\\PDF', + 7 => 'OC\\Preview\\MP3', + 8 => 'OC\\Preview\\TXT', + 9 => 'OC\\Preview\\MarkDown', + 10 => 'OC\\Preview\\HEIC', + 11 => 'OC\\Preview\\Movie', + 12 => 'OC\\Preview\\MKV', + 13 => 'OC\\Preview\\MP4', + 14 => 'OC\\Preview\\AVI', + ), + 'filesystem_check_changes' => 0, + 'filelocking.enabled' => 'true', + 'htaccess.RewriteBase' => '/', + 'integrity.check.disabled' => false, + 'knowledgebaseenabled' => false, + 'logfile' => '/$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/nextcloud.log', + 'loglevel' => 2, + 'logtimezone' => '$LXC_TIMEZONE', + 'log_rotate_size' => 104857600, + 'memcache.local' => '\OC\Memcache\APCu', + 'memcache.locking' => '\OC\Memcache\Redis', + 'overwriteprotocol' => 'https', + 'preview_max_x' => 1024, + 'preview_max_y' => 768, + 'preview_max_scale_factor' => 1, + 'profile.enabled' => false, + 'redis' => + array ( + 'host' => '/run/redis/redis-server.sock', + 'port' => 0, + 'password' => '$NEXTCLOUD_REDIS_PWD', + 'timeout' => 0.0, + ), + 'quota_include_external_storage' => false, + 'share_folder' => '/Freigaben', + 'skeletondirectory' => '', + 'theme' => '', + 
'trashbin_retention_obligation' => 'auto, 7', + 'updater.release.channel' => 'stable', + 'maintenance_window_start' => 1, + 'maintenance' => false, + 'mail_smtpmode' => 'sendmail', + 'mail_sendmailmode' => 'smtp', + 'mail_from_address' => '$NEXTCLOUD_ADMIN_USR', + 'mail_domain' => '$NEXTCLOUD_FQDN', + 'overwrite.cli.url' => 'https://$NEXTCLOUD_FQDN', + 'overwritehost' => '$NEXTCLOUD_FQDN', + 'trusted_domains' => + array ( + 0 => '$LXC_IP', + 1 => '$NEXTCLOUD_FQDN', + ), + ); EOF -sed -i "s/output_buffering=.*/output_buffering=0/" /var/www/nextcloud/.user.ini -php /var/www/nextcloud/occ app:disable survey_client -php /var/www/nextcloud/occ app:disable firstrunwizard -php /var/www/nextcloud/occ app:enable admin_audit -php /var/www/nextcloud/occ app:enable notify_push -php /var/www/nextcloud/occ app:enable files_pdfviewer -php /var/www/nextcloud/occ background:cron -DFOE - /root/permissions.sh -su -s /bin/bash www-data < /dev/null 2>&1" > /etc/cron.d/nextcloud + +systemctl restart php$NEXTCLOUD_PHP_VERSION-fpm +systemctl start nginx cat > /etc/systemd/system/notify_push.service << EOF [Unit] Description = Push daemon for Nextcloud clients +After=nginx.service php$NEXTCLOUD_PHP_VERSION-fpm.service system-postgresql.slice redis-server.service + [Service] Environment=PORT=7867 Environment=NEXTCLOUD_URL=https://$NEXTCLOUD_FQDN Environment=ALLOW_SELF_SIGNED=true ExecStart=/var/www/nextcloud/apps/notify_push/bin/x86_64/notify_push /var/www/nextcloud/config/config.php User=www-data + [Install] WantedBy = multi-user.target EOF systemctl daemon-reload -systemctl enable --now notify_push +systemctl enable notify_push +} -echo "*/5 * * * * www-data /usr/bin/php -f /var/www/nextcloud/cron.php > /dev/null 2>&1" > /etc/cron.d/nextcloud +#### Modifying Crowdsec #### +mod_crowdsec() { +cscli collections install crowdsecurity/nginx +cscli collections install crowdsecurity/nextcloud +cscli collections install crowdsecurity/sshd + +cat >> /etc/crowdsec/acquis.yaml << EOF +filenames: + - 
/var/log/nextcloud/nextcloud.log +labels: + type: Nextcloud +--- +EOF +systemctl reload crowdsec +} +#### Install the system !#### +echo "=> Installing Nginx ..." +inst_nginx +echo "=> Modifying Nginx config for Nextcloud ..." +mod_nginx + +echo "=> Installing PHP $NEXTCLOUD_PHP_VERSION ..." +inst_php +echo "=> Modifying PHP config for Nextcloud ..." +mod_php + +echo "=> Installing Postgresql $POSTGRES_VERSION ..." +inst_postgresql +echo "=> Modifying Postgresql config for Nextcloud ..." +mod_postgresql + +echo "=> Installing Redis-server ..." +inst_redis +echo "=> Modifying Redis-server for Nextcloud ..." +mod_redis + +echo "=> Installing some more packages ..." +inst_packages + +echo "=> Installing Nextcloud ..." +inst_nextcloud +echo "=> Modifying Nextcloud ..." +mod_nextcloudconfig + +echo "=> Installing Crowdsec ..." +inst_crowdsec +echo "=> Modifying Crowdsec ..." +mod_crowdsec echo -e "\n######################################################################\n\n Please note this user and password for the nextcloud login:\n '$NEXTCLOUD_ADMIN_USR' / '$NEXTCLOUD_ADMIN_PWD'\n Enjoy your Nextcloud intallation.\n\n######################################################################" - shutdown -r now From 12a9c39873156180bccb23387a7ca610727f9474 Mon Sep 17 00:00:00 2001 From: DerFossiBaer <56678897+DerFossiBaer@users.noreply.github.com> Date: Wed, 29 Jan 2025 18:07:04 +0100 Subject: [PATCH 007/105] Update functions.sh Added some functions for installations --- src/functions.sh | 27 ++++++++++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/src/functions.sh b/src/functions.sh index 9ece872..dd0c346 100644 --- a/src/functions.sh +++ b/src/functions.sh 
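Review bot: The CrowdSec acquisition appended in `mod_crowdsec` points at `/var/log/nextcloud/nextcloud.log`, but the config.php written earlier in this hunk sets `'logfile' => '/$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/nextcloud.log'`, so the nextcloud collection never sees a failed login and the brute-force banning the removed fail2ban jail provided is silently lost. Use the same expansion in the acquis heredoc, `  - /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/nextcloud.log`, or point `logfile` at `/var/log/nextcloud/` and create that directory owned by www-data. `'allow_local_remote_servers' => true` lets Nextcloud issue server-side requests to loopback and private addresses; add a shell comment above the `cat >>`, e.g. `# allow_local_remote_servers: presumably needed so Nextcloud can reach notify_push on 127.0.0.1:7867; widens the SSRF surface, keep only while needed`. The `su -s /bin/bash www-data < … > /etc/cron.d/nextcloud` line appears garbled in this rendering and could not be reviewed.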
@@ -9,7 +9,7 @@ random_password() { } generate_dhparam() { - openssl dhparam -out /etc/nginx/dhparam.pem 2048 + openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 2048 cat << EOF > /etc/cron.monthly/generate-dhparams #!/bin/bash openssl dhparam -out /etc/nginx/dhparam.gen 4096 > /dev/null 2>&1 
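Review bot: `openssl dhparam -dsaparam` in `generate_dhparam` produces DSA-style parameters whose modulus is not a safe prime; the OpenSSL manual warns that such parameters need a fresh DH key for every use to avoid small-subgroup attacks. That is acceptable for nginx linked against OpenSSL 1.1.0 or later, which always uses single-use DH keys, but the monthly job below keeps generating safe primes without `-dsaparam`, so the first-boot file and the regenerated one differ in kind and a later reader cannot tell the trade-off was deliberate. Add a comment on the changed line: `# -dsaparam: fast non-safe-prime params for first boot; fine because OpenSSL >= 1.1.0 uses a fresh DH key per handshake; cron.monthly replaces them with safe primes`. The cron heredoc continues outside the hunk.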
@@ -27,5 +27,26 @@ apt_repo() { wget -q -O - ${apt_key_url} | gpg --dearmor -o ${apt_key_path} echo "deb [signed-by=${apt_key_path}] ${apt_repo_url}" > /etc/apt/sources.list.d/${apt_name}.list - -} \ No newline at end of file +} +#### Set repo and install Nginx #### +inst_nginx() { + apt_repo "nginx" "https://nginx.org/keys/nginx_signing.key" "http://nginx.org/packages/mainline/debian $(lsb_release -cs) nginx" + apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx +} +#### Set repo and install PHP #### +inst_php() { + curl -sSLo /usr/share/keyrings/sury_php.gpg https://packages.sury.org/php/apt.gpg + echo "deb [signed-by=/usr/share/keyrings/sury_php.gpg] https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/sury_php.list + apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends php-common php$NEXTCLOUD_PHP_VERSION-{fpm,gd,curl,pgsql,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,mysql,redis,smbclient,sqlite3,cli,common,opcache,readline} +} +#### Set repo and install Postgresql #### +inst_postgresql() { + apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" + apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends postgresql-$POSTGRES_VERSION +} +#### Set repo and install Crowdsec #### +inst_crowdsec() { + apt_repo "crowdsec" "https://packagecloud.io/crowdsec/crowdsec/gpgkey" " https://packagecloud.io/crowdsec/crowdsec/any any main" + apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends crowdsec + DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends crowdsec-firewall-bouncer-nftables +} 
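Review bot: `inst_php` fetches the repository key with a bare `curl -sSLo …` and no status check, so a failed download still leaves a sources entry pointing at an empty or missing keyring, and it differs from the three sibling functions that go through `apt_repo`. At minimum guard it: `curl -sSLo /usr/share/keyrings/sury_php.gpg https://packages.sury.org/php/apt.gpg || return 1`. The crowdsec repo string `" https://packagecloud.io/crowdsec/crowdsec/any any main"` carries a stray leading space that ends up inside the `deb` line; drop it. None of the keys fetched here are compared against a known fingerprint, which the existing `apt_repo` helper does not do either; a header comment stating that trust rests solely on TLS to the vendor host would make that explicit.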
From 472cb5b777886b496c6222b647bc003a21b92ba9 Mon Sep 17 00:00:00 2001 From: DerFossiBaer <56678897+DerFossiBaer@users.noreply.github.com> Date: Wed, 29 Jan 2025 18:09:08 +0100 Subject: [PATCH 008/105] Update install-service.sh --- src/nextcloud/install-service.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/src/nextcloud/install-service.sh b/src/nextcloud/install-service.sh index 3d58678..885cc66 100644 --- a/src/nextcloud/install-service.sh +++ b/src/nextcloud/install-service.sh @@ -527,6 +527,7 @@ systemctl enable notify_push #### Modifying Crowdsec #### mod_crowdsec() { +systemctl restart crowdsec cscli collections install crowdsecurity/nginx cscli collections install crowdsecurity/nextcloud cscli collections install crowdsecurity/sshd From f481a7a7f4de28aa2ea8d43bbd7a1b9f734a417f Mon Sep 17 00:00:00 2001 From: DerFossiBaer <56678897+DerFossiBaer@users.noreply.github.com> Date: Wed, 29 Jan 2025 18:11:54 +0100 Subject: [PATCH 009/105] Update install-service.sh --- src/nextcloud/install-service.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/nextcloud/install-service.sh b/src/nextcloud/install-service.sh index 885cc66..821765e 100644 --- a/src/nextcloud/install-service.sh +++ b/src/nextcloud/install-service.sh @@ -32,7 +32,7 @@ events { use epoll; } http { - log_format criegerde escape=json + log_format bashclub escape=json '{' '"time_local":"\$time_local",' '"remote_addr":"\$remote_addr",' From 26cef69e6b8a09318966ff6c7075ccb98017fa33 Mon Sep 17 00:00:00 2001 From: DerFossiBaer <56678897+DerFossiBaer@users.noreply.github.com> Date: Thu, 30 Jan 2025 12:57:51 +0100 Subject: [PATCH 010/105] Update install-service.sh --- src/nextcloud/install-service.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/nextcloud/install-service.sh b/src/nextcloud/install-service.sh index 821765e..6f241d4 100644 --- a/src/nextcloud/install-service.sh +++ b/src/nextcloud/install-service.sh 
@@ -14,6 +14,7 @@ source /root/constants-service.conf NEXTCLOUD_ADMIN_PWD=$(random_password) NEXTCLOUD_REDIS_PWD=$(random_password) HOSTNAME=$(hostname -f) +HOST_IP=$(hostname -i) #### Modify Nginx for Nextcloud #### mod_nginx() { @@ -480,7 +481,7 @@ cat >> /var/www/nextcloud/config/config.php << EOF 'overwritehost' => '$NEXTCLOUD_FQDN', 'trusted_domains' => array ( - 0 => '$LXC_IP', + 0 => '$HOST_IP', 1 => '$NEXTCLOUD_FQDN', ), From 3bbd1d98b553265999d9b7dcc77b28aa3616339e Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Mon, 28 Apr 2025 12:41:26 +0200 Subject: [PATCH 011/105] update mailcow.conf, fix backup storage --- src/mailcow/install-service.sh | 43 +++++++++++++++++++++++++--------- 1 file changed, 32 insertions(+), 11 deletions(-) diff --git a/src/mailcow/install-service.sh b/src/mailcow/install-service.sh index e058097..2ede5fe 100644 --- a/src/mailcow/install-service.sh +++ b/src/mailcow/install-service.sh @@ -139,7 +139,6 @@ POPS_PORT=995 SIEVE_PORT=4190 DOVEADM_PORT=127.0.0.1:19991 SQL_PORT=127.0.0.1:13306 -SOLR_PORT=127.0.0.1:18983 REDIS_PORT=127.0.0.1:7654 # Your timezone @@ -225,15 +224,6 @@ SKIP_CLAMD=n SKIP_SOGO=n -# Skip Solr on low-memory systems or if you do not want to store a readable index of your mails in solr-vol-1. - -SKIP_SOLR=n - -# Solr heap size in MB, there is no recommendation, please see Solr docs. -# Solr is a prone to run OOM and should be monitored. Unmonitored Solr setups are not recommended. - -SOLR_HEAP=1024 - # Allow admins to log into SOGo as email user (without any password) ALLOW_ADMIN_EMAIL_LOGIN=n 
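Review bot: `HOST_IP=$(hostname -i)` is fragile for the `trusted_domains` entry the second hunk switches to it: `hostname -i` resolves the host name through the resolver, which on Debian-style systems whose `/etc/hosts` maps the name to `127.0.1.1` returns that loopback address, and it may return several space-separated addresses, yielding an entry that never matches a real Host header. `HOST_IP=$(hostname -I | awk '{print $1}')` (interface addresses, first one) or the previous `$LXC_IP` from the container config is more reliable; the hostname man page itself advises against `-i`. The code using these variables starts and ends outside the hunks.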
@@ -344,6 +334,37 @@ WEBAUTHN_ONLY_TRUSTED_VENDORS=n # Otherwise it will work normally. SPAMHAUS_DQS_KEY= +# Obtain certificates for autodiscover.* and autoconfig.* domains. +# This can be useful to switch off in case you are in a scenario where a reverse proxy already handles those. +# There are mixed scenarios where ports 80,443 are occupied and you do not want to share certs +# between services. So acme-mailcow obtains for maildomains and all web-things get handled +# in the reverse proxy. +AUTODISCOVER_SAN=y +# Skip Unbound (DNS Resolver) Healthchecks (NOT Recommended!) - y/n +SKIP_UNBOUND_HEALTHCHECK=n +# Prevent netfilter from setting an iptables/nftables rule to isolate the mailcow docker network - y/n +# CAUTION: Disabling this may expose container ports to other neighbors on the same subnet, even if the ports are bound to localhost +DISABLE_NETFILTER_ISOLATION_RULE=n + +# ------------------------------ +# REDIS configuration +# ------------------------------ + +REDISPASS=$(LC_ALL=C /dev/null | head -c 28) +# Dovecot Indexing (FTS) Process maximum heap size in MB, there is no recommendation, please see Dovecot docs. +# Flatcurve is used as FTS Engine. It is supposed to be pretty efficient in CPU and RAM consumption. +# Please always monitor your Resource consumption! +FTS_HEAP=128 +# Controls how many processes the Dovecot indexing process can spawn at max. +# Too many indexing processes can use a lot of CPU and Disk I/O +# Please visit: https://doc.dovecot.org/configuration_manual/service_configuration/#indexer-worker for more informations +FTS_PROCS=1 +# Skip FTS (Fulltext Search) for Dovecot on low-memory, low-threaded systems or if you simply want to disable it. +# Dovecot inside mailcow use Flatcurve as FTS Backend. +SKIP_FTS=y +# Redirect HTTP connections to HTTPS - y/n +HTTP_REDIRECT=y + EOF cat << EOF > data/conf/nginx/redirect.conf 
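Review bot: `REDISPASS=$(LC_ALL=C /dev/null | head -c 28)` as it appears here is not a working generator (`/dev/null` is run as a command and `head` reads nothing), so mailcow's redis would be configured with an empty password; a `<…>` redirection fragment may have been lost in the rendering of this page, so please check the committed line. Either way the repo already provides `random_password` from functions.sh and uses it for `SECRET` in this same file, so `REDISPASS=$(random_password)` is the consistent form and removes the question. The heredoc this lands in starts outside the hunk.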
@@ -372,7 +393,7 @@ cat << EOF > /etc/cron.daily/mailcowbackup set -e OUT="\$(mktemp)" -export MAILCOW_BACKUP_LOCATION="/$LXC_SHAREFS_MOUNTPOINT/backup" +export MAILCOW_BACKUP_LOCATION="/$LXC_SHAREFS_MOUNTPOINT" SCRIPT="/opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh" PARAMETERS="backup all" OPTIONS="--delete-days 7" From 73a70918d4d1e7943da6a1257629d0715cbdfc44 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Mon, 28 Apr 2025 12:41:58 +0200 Subject: [PATCH 012/105] fix smb backup jobs for dcs --- src/zmb-ad-join/install-service.sh | 2 +- src/zmb-ad/install-service.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/zmb-ad-join/install-service.sh b/src/zmb-ad-join/install-service.sh index 60173bf..9fdfa1f 100644 --- a/src/zmb-ad-join/install-service.sh +++ b/src/zmb-ad-join/install-service.sh @@ -205,7 +205,7 @@ EOF chmod +x /usr/local/bin/smb-backup cat << EOF > /etc/cron.d/smb-backup -23 * * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1 +0 23 * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1 EOF cat << EOF > /etc/logrotate.d/smb-backup diff --git a/src/zmb-ad/install-service.sh b/src/zmb-ad/install-service.sh index 583d41b..fbc3340 100644 --- a/src/zmb-ad/install-service.sh +++ b/src/zmb-ad/install-service.sh @@ -176,7 +176,7 @@ EOF chmod +x /usr/local/bin/smb-backup cat << EOF > /etc/cron.d/smb-backup -23 * * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1 +0 23 * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1 EOF cat << EOF > /etc/logrotate.d/smb-backup From d64a81b185e5fcbccb606e199d97e0be2911856f Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Mon, 28 Apr 2025 12:42:37 +0200 Subject: [PATCH 013/105] Fix permissions on zmb-cups --- src/zmb-cups/install-service.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/zmb-cups/install-service.sh b/src/zmb-cups/install-service.sh index cafb44b..636a723 100644 
--- a/src/zmb-cups/install-service.sh +++ b/src/zmb-cups/install-service.sh @@ -96,13 +96,13 @@ systemctl restart winbind nmbd mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{spool,printerdrivers} cp -rv /var/lib/samba/printers/* /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers -chown -R root:"${ZMB_DOMAIN_ADMINS}" /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers +chown -R root:"${ZMB_DOMAIN_ADMINS@L}" /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers chmod -R 1777 /${LXC_SHAREFS_MOUNTPOINT}/spool chmod -R 2775 /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers setfacl -Rb /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers -setfacl -Rm u:${ZMB_ADMIN_USER}:rwx,g:"${ZMB_DOMAIN_ADMINS}":rwx,g:"NT Authority/authenticated users":r-x,o::--- /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers -setfacl -Rdm u:${ZMB_ADMIN_USER}:rwx,g:"${ZMB_DOMAIN_ADMINS}":rwx,g:"NT Authority/authenticated users":r-x,o::--- /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers -echo -e "${ZMB_ADMIN_PASS}" | net rpc rights grant "${ZMB_DOMAIN}\\${ZMB_DOMAIN_ADMINS}" SePrintOperatorPrivilege -U "${ZMB_DOMAIN}\\${ZMB_ADMIN_USER}" +setfacl -Rm u:${ZMB_ADMIN_USER}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,g:"NT Authority/authenticated users":r-x,o::r-x /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers +setfacl -Rdm u:${ZMB_ADMIN_USER}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,g:"NT Authority/authenticated users":r-x,o::r-x /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers +echo -e "${ZMB_ADMIN_PASS}" | net rpc rights grant "${ZMB_DOMAIN}\\${ZMB_DOMAIN_ADMINS@L}" SePrintOperatorPrivilege -U "${ZMB_DOMAIN}\\${ZMB_ADMIN_USER}" systemctl disable --now cups-browsed.service cupsctl --remote-admin From ab363d579318f5538e88e059f0a69361818a7f64 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Mon, 28 Apr 2025 12:43:14 +0200 Subject: [PATCH 014/105] mailcow: fis backup path --- src/mailcow/constants-service.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/mailcow/constants-service.conf b/src/mailcow/constants-service.conf index 2a4ef89..2097c74 100644 
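Review bot: The rewritten ACL entries change `o::---` to `o::r-x` on `/${LXC_SHAREFS_MOUNTPOINT}/printerdrivers`, which makes the printer driver tree readable by every local account rather than only by `NT Authority/authenticated users`, who already receive `r-x`; if that widening is intended, say why in a comment, otherwise keep `o::---`. `echo -e "${ZMB_ADMIN_PASS}" | net rpc rights grant …` interprets backslash sequences inside the admin password, so a password containing `\n` or `\t` is silently altered before it reaches `net`; `printf '%s\n' "${ZMB_ADMIN_PASS}" | net rpc rights grant …` passes it verbatim. `${ZMB_DOMAIN_ADMINS@L}` requires bash 4.4 or later, which the Debian 12 template provides.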
--- a/src/mailcow/constants-service.conf +++ b/src/mailcow/constants-service.conf @@ -13,7 +13,7 @@ LXC_TEMPLATE_VERSION="debian-12-standard" # Create sharefs mountpoint LXC_MP=1 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank) -LXC_SHAREFS_MOUNTPOINT="var/lib/docker" +LXC_SHAREFS_MOUNTPOINT="backup" # Defines the recordsize of mp0 LXC_MP_RECORDSIZE="16K" From 8f182ac9f81d237a20e20e3a9b08f4bb15783478 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Mon, 28 Apr 2025 12:43:42 +0200 Subject: [PATCH 015/105] add permissions for domain admins group --- src/zmb-member/install-service.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/zmb-member/install-service.sh b/src/zmb-member/install-service.sh index ae909ad..0cc07d6 100644 --- a/src/zmb-member/install-service.sh +++ b/src/zmb-member/install-service.sh @@ -99,9 +99,9 @@ wbinfo -g mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE # originally 'domain users' was set, added variable for domain admins group, samba wiki recommends separate group e.g. 'unix admins' -chown "${ZMB_ADMIN_USER@L}" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE +chown "${ZMB_ADMIN_USER@L}":"${ZMB_DOMAIN_ADMINS@L}" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE -setfacl -Rm u:${ZMB_ADMIN_USER@L}:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE -setfacl -Rdm u:${ZMB_ADMIN_USER@L}:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE +setfacl -Rm u:${ZMB_ADMIN_USER@L}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE +setfacl -Rdm u:${ZMB_ADMIN_USER@L}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE systemctl restart smbd nmbd winbind wsdd From 203e4bdc28619122b9487a0841abb56d9d24a68c Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Mon, 28 Apr 2025 12:44:27 +0200 Subject: [PATCH 016/105] fix description for variable --- conf/zamba.conf.example | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/conf/zamba.conf.example b/conf/zamba.conf.example index fa1d436..7a3736a 100644 --- a/conf/zamba.conf.example +++ b/conf/zamba.conf.example @@ -111,7 +111,7 @@ ZMB_ADMIN_USER="administrator" # `zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail ZMB_ADMIN_PASS='Start!123' -# Name of the "domain admins" group (depends on your Active Directory language, valid on zmb-cups) +# Name of the "domain admins" group (depends on your Active Directory language, valid on zmb-cups, lower case) ZMB_DOMAIN_ADMINS="domain admins" # Defines the name of your Zamba share From f0de34102bf9143bbffdcc8ed923f181df5f3ce1 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Mon, 28 Apr 2025 13:09:55 +0200 Subject: [PATCH 017/105] replace backup cronjob --- src/mailcow/install-service.sh | 33 ++++++--------------------------- 1 file changed, 6 insertions(+), 27 deletions(-) diff --git a/src/mailcow/install-service.sh b/src/mailcow/install-service.sh index 2ede5fe..197ad25 100644 --- a/src/mailcow/install-service.sh +++ b/src/mailcow/install-service.sh @@ -17,7 +17,7 @@ chmod a+r /etc/apt/keyrings/docker.gpg # Add the repository to Apt sources: echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null apt-get update -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq rsync docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get purge -y -qq postfix SECRET=$(random_password) 
@@ -385,32 +385,11 @@ server { EOF cat << EOF > /etc/cron.daily/mailcowbackup -#!/bin/sh - -# Backup mailcow data -# https://docs.mailcow.email/backup_restore/b_n_r-backup/ - -set -e - -OUT="\$(mktemp)" -export MAILCOW_BACKUP_LOCATION="/$LXC_SHAREFS_MOUNTPOINT" -SCRIPT="/opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh" -PARAMETERS="backup all" -OPTIONS="--delete-days 7" -mkdir -p \$MAILCOW_BACKUP_LOCATION - -# run command -set +e -"\${SCRIPT}" \${PARAMETERS} \${OPTIONS} 2>&1 > "\$OUT" -RESULT=\$? - -if [ \$RESULT -ne 0 ] - then - echo "\${SCRIPT} \${PARAMETERS} \${OPTIONS} encounters an error:" - echo "RESULT=\$RESULT" - echo "STDOUT / STDERR:" - cat "\$OUT" -fi +#!/bin/bash +PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +25 1 * * * rsync -aH --delete /opt/mailcow-dockerized /${LXC_SHAREFS_MOUNTPOINT}/mailcow-dockerized +40 2 * * * rsync -aH --delete /var/lib/docker/volumes /${LXC_SHAREFS_MOUNTPOINT}/var_lib_docker_volumes +5 4 * * * cd /opt/mailcow-dockerized/; BACKUP_LOCATION=/${LXC_SHAREFS_MOUNTPOINT}/db_crypt_redis /opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup mysql crypt redis --delete-days 3 EOF chmod +x /etc/cron.daily/mailcowbackup From df45fc5e399e3af46f64598ce5acabeefdbaa9a4 Mon Sep 17 00:00:00 2001 From: Chriz Date: Wed, 21 May 2025 19:10:30 +0200 Subject: [PATCH 018/105] Update install-service.sh missing php-ldap --- src/nextcloud/install-service.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/nextcloud/install-service.sh b/src/nextcloud/install-service.sh index 6f241d4..8e50e50 100644 --- a/src/nextcloud/install-service.sh +++ b/src/nextcloud/install-service.sh 
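Review bot: The new `/etc/cron.daily/mailcowbackup` is no longer a runnable script: run-parts executes it as a program, and bash will fail on `25 1 * * * rsync ...` because these are crontab lines, not shell commands, so none of the three backup jobs will ever run. Crontab-format lines belong in `/etc/cron.d/`, where each line also needs a user field and the shebang and `chmod +x` are not wanted. The third job chains `cd ...; BACKUP_LOCATION=...` with `;`, so the backup helper runs from the wrong directory if the `cd` fails; `&&` is safer. The `cat << EOF` redirection line is context shared with the old version, so the heredoc target has to change as part of the same edit.
```shell
cat << EOF > /etc/cron.d/mailcowbackup
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
25 1 * * * root rsync -aH --delete /opt/mailcow-dockerized /${LXC_SHAREFS_MOUNTPOINT}/mailcow-dockerized
40 2 * * * root rsync -aH --delete /var/lib/docker/volumes /${LXC_SHAREFS_MOUNTPOINT}/var_lib_docker_volumes
5 4 * * * root cd /opt/mailcow-dockerized/ && BACKUP_LOCATION=/${LXC_SHAREFS_MOUNTPOINT}/db_crypt_redis /opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup mysql crypt redis --delete-days 3
EOF
chmod 644 /etc/cron.d/mailcowbackup
```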
@@ -356,7 +356,7 @@ sed -i '$avm.overcommit_memory = 1' /etc/sysctl.conf #### Install some more packages inst_packages() { -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends tree ldap-utils cifs-utils locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat imagemagick libmagickcore-6.q16-6-extra +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends tree ldap-utils php-ldap cifs-utils locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat imagemagick libmagickcore-6.q16-6-extra timedatectl set-timezone $LXC_TIMEZONE mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www /etc/letsencrypt chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www From 8d22b06bd59c7349b74986dc82c8c11f27e29baa Mon Sep 17 00:00:00 2001 From: Chriz Date: Thu, 22 May 2025 15:56:06 +0200 Subject: [PATCH 019/105] Update nextcloud-update updated tested version with php 8.2 --- scripts/nextcloud-update | 52 +++++++++++++++++++++++++++++++--------- 1 file changed, 41 insertions(+), 11 deletions(-) diff --git a/scripts/nextcloud-update b/scripts/nextcloud-update index 33e4a1b..fa17c9a 100644 --- a/scripts/nextcloud-update +++ b/scripts/nextcloud-update 
@@ -1,17 +1,47 @@ #!/bin/bash -# -# Update nextcloud -# place in /etc/cron.daily and make executable with chmod +x /etc/cron.daily/nextcloud-update + +# Update Nextcloud +# Place in /etc/cron.daily and make executable with: chmod +x /etc/cron.daily/nextcloud-update + user=www-data -phpversion=php8.0 +phpversion=php8.2 path=/var/www/nextcloud +logfile="/var/log/nextcloud-update.log" -alias ncc="sudo -u $user $phpversion $path/occ" -alias updater="sudo -u $user $phpversion $path/updater/updater.phar" +ncc() { + sudo -u "$user" "$phpversion" "$path/occ" "$@" +} -updater --no-backup --no-interaction +updater() { + sudo -u "$user" "$phpversion" "$path/updater/updater.phar" "$@" +} -subcommands=("db:add-missing-primary-keys" "db:add-missing-indices" "db:add-missing-columns" "db:convert-filecache-bigint" "files:scan-app-data" "--quiet --all app:update" "upgrade") -for cmd in ${subcommands[@]}; do - ncc -n $cmd -done +{ + echo "===== $(date): Nextcloud Update Start =====" + + updater --no-backup --no-interaction + + subcommands=( + "db:add-missing-primary-keys" + "db:add-missing-indices" + "db:add-missing-columns" + "db:convert-filecache-bigint" + "files:scan-app-data" + "upgrade" + ) + + for cmd in "${subcommands[@]}"; do + echo "Running: occ $cmd" + ncc -n $cmd + done + + # App Updates + echo "Updating apps..." + apps=$(ncc app:list | grep -Po 'Enabled:\s*\K.*' | tr -d ' ' | tr ',' '\n') + for app in $apps; do + echo "Updating app: $app" + ncc app:update "$app" + done + + echo "===== $(date): Nextcloud Update Finished =====" +} >> "$logfile" 2>&1 From 077735aa03aa235a8117eb5132421ec7f863eda4 Mon Sep 17 00:00:00 2001 From: Chriz Date: Wed, 4 Jun 2025 10:47:50 +0200 Subject: [PATCH 020/105] Create check_zambaconf_trmm.sh TRMM check if you forgot to delete your zamba.conf with Passwords! --- check_zambaconf_trmm.sh | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 check_zambaconf_trmm.sh 
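Review bot: The new app-update loop parses `ncc app:list` with `grep -Po 'Enabled:\s*\K.*'`, which only captures text on the same line as `Enabled:`; in the default human-readable output that line is a heading with the apps listed on the following lines, so `$apps` is most likely empty and no app is updated (the removed version used the `--all` form for exactly this). Replacing the loop with `ncc -n app:update --all` avoids the output parsing entirely. Since every entry in `subcommands` is now a single word, `ncc -n $cmd` can be quoted as `ncc -n "$cmd"`. There is no status check between `updater` and `upgrade`, so a failed updater run still proceeds to `upgrade` and the log only shows the interleaved output.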
diff --git a/check_zambaconf_trmm.sh b/check_zambaconf_trmm.sh new file mode 100644 index 0000000..7bd3f8a --- /dev/null +++ b/check_zambaconf_trmm.sh @@ -0,0 +1,13 @@ +#!/bin/bash + +export LC_ALL=C + +ZAMBA_CONF="/root/zamba-lxc-toolbox/conf/zamba.conf" + +if [[ -f "$ZAMBA_CONF" ]]; then + echo "❌ Problem: zamba.conf ist vorhanden: $ZAMBA_CONF" + exit 2 +else + echo "✅ OK: zamba.conf ist nicht vorhanden" + exit 0 +fi From c9fd96a681d0f6127142059455a06ac4f05cf799 Mon Sep 17 00:00:00 2001 From: Chriz Date: Wed, 4 Jun 2025 11:01:30 +0200 Subject: [PATCH 021/105] Update check_zambaconf_trmm.sh delete after three days --- check_zambaconf_trmm.sh | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/check_zambaconf_trmm.sh b/check_zambaconf_trmm.sh index 7bd3f8a..7db19ef 100644 --- a/check_zambaconf_trmm.sh +++ b/check_zambaconf_trmm.sh @@ -1,12 +1,18 @@ #!/bin/bash export LC_ALL=C - ZAMBA_CONF="/root/zamba-lxc-toolbox/conf/zamba.conf" if [[ -f "$ZAMBA_CONF" ]]; then - echo "❌ Problem: zamba.conf ist vorhanden: $ZAMBA_CONF" - exit 2 + # Prüfen, ob die Datei älter als 3 Tage ist + if find "$ZAMBA_CONF" -mtime +3 >/dev/null 2>&1; then + echo "⚠️ zamba.conf ist älter als 3 Tage – Datei wird gelöscht: $ZAMBA_CONF" + rm -f "$ZAMBA_CONF" + exit 0 + else + echo "❌ Problem: zamba.conf ist vorhanden und jünger als 3 Tage: $ZAMBA_CONF" + exit 2 + fi else echo "✅ OK: zamba.conf ist nicht vorhanden" exit 0 From c8c898f04706df32bb0f3e1089118f10f0aecc71 Mon Sep 17 00:00:00 2001 From: Chriz Date: Thu, 5 Jun 2025 22:05:15 +0200 Subject: [PATCH 022/105] Update check_zambaconf_trmm.sh also recognizes forgotten zamba.confs in lxcs root --- check_zambaconf_trmm.sh | 34 +++++++++++++++++++++------------- 1 file changed, 21 insertions(+), 13 deletions(-) diff --git a/check_zambaconf_trmm.sh b/check_zambaconf_trmm.sh index 7db19ef..83a5c6b 100644 --- a/check_zambaconf_trmm.sh +++ b/check_zambaconf_trmm.sh 
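Review bot: In the three-day check, `if find "$ZAMBA_CONF" -mtime +3 >/dev/null 2>&1; then` is true whenever the path exists, because find's exit status reports errors rather than whether a predicate matched; the file holding the admin passwords is therefore deleted on the first run and the "jünger als 3 Tage" branch is unreachable. Test the output instead, `if [[ -n "$(find "$ZAMBA_CONF" -mtime +3)" ]]; then`, which is what the later rewrite in this series does. The renamed copy created as check_zambaconfonpve_trmm.sh in the "Update and rename" patch reuses the original content and so reintroduces this bug. Since the script deletes credentials as a side effect of a monitoring check, it should at least print the deletion before `rm -f` so the action shows up in the check history.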
@@ -1,19 +1,27 @@ #!/bin/bash export LC_ALL=C -ZAMBA_CONF="/root/zamba-lxc-toolbox/conf/zamba.conf" +EXIT_CODE=0 -if [[ -f "$ZAMBA_CONF" ]]; then - # Prüfen, ob die Datei älter als 3 Tage ist - if find "$ZAMBA_CONF" -mtime +3 >/dev/null 2>&1; then - echo "⚠️ zamba.conf ist älter als 3 Tage – Datei wird gelöscht: $ZAMBA_CONF" - rm -f "$ZAMBA_CONF" - exit 0 +# Alle .conf-Dateien im Verzeichnis /root/zamba-lxc-toolbox/conf/ +CONF_DIR="/root/zamba-lxc-toolbox/conf" +CONF_FILES=("$CONF_DIR"/*.conf) + +# Zusätzlich die einzelne Datei /root/zamba.conf +CONF_FILES+=("/root/zamba.conf") + +for CONF in "${CONF_FILES[@]}"; do + if [[ -f "$CONF" ]]; then + if [[ $(find "$CONF" -mtime +3) ]]; then + echo "⚠️ Datei ist älter als 3 Tage – wird gelöscht: $CONF" + rm -f "$CONF" + else + echo "❌ Problem: Datei ist vorhanden und jünger als 3 Tage: $CONF" + EXIT_CODE=2 + fi else - echo "❌ Problem: zamba.conf ist vorhanden und jünger als 3 Tage: $ZAMBA_CONF" - exit 2 + echo "✅ OK: Datei nicht vorhanden: $CONF" fi -else - echo "✅ OK: zamba.conf ist nicht vorhanden" - exit 0 -fi +done + +exit $EXIT_CODE From 49d96dd3eb0f5d31665a3be74010e960254970e3 Mon Sep 17 00:00:00 2001 From: Chriz Date: Thu, 5 Jun 2025 22:32:26 +0200 Subject: [PATCH 023/105] Update and rename check_zambaconf_trmm.sh to check_zambaconfonpve_trmm.sh --- check_zambaconf_trmm.sh | 27 --------------------------- check_zambaconfonpve_trmm.sh | 19 +++++++++++++++++++ 2 files changed, 19 insertions(+), 27 deletions(-) delete mode 100644 check_zambaconf_trmm.sh create mode 100644 check_zambaconfonpve_trmm.sh diff --git a/check_zambaconf_trmm.sh b/check_zambaconf_trmm.sh deleted file mode 100644 index 83a5c6b..0000000 --- a/check_zambaconf_trmm.sh +++ /dev/null 
@@ -1,27 +0,0 @@ -#!/bin/bash - -export LC_ALL=C -EXIT_CODE=0 - -# Alle .conf-Dateien im Verzeichnis /root/zamba-lxc-toolbox/conf/ -CONF_DIR="/root/zamba-lxc-toolbox/conf" -CONF_FILES=("$CONF_DIR"/*.conf) - -# Zusätzlich die einzelne Datei /root/zamba.conf -CONF_FILES+=("/root/zamba.conf") - -for CONF in "${CONF_FILES[@]}"; do - if [[ -f "$CONF" ]]; then - if [[ $(find "$CONF" -mtime +3) ]]; then - echo "⚠️ Datei ist älter als 3 Tage – wird gelöscht: $CONF" - rm -f "$CONF" - else - echo "❌ Problem: Datei ist vorhanden und jünger als 3 Tage: $CONF" - EXIT_CODE=2 - fi - else - echo "✅ OK: Datei nicht vorhanden: $CONF" - fi -done - -exit $EXIT_CODE diff --git a/check_zambaconfonpve_trmm.sh b/check_zambaconfonpve_trmm.sh new file mode 100644 index 0000000..7db19ef --- /dev/null +++ b/check_zambaconfonpve_trmm.sh @@ -0,0 +1,19 @@ +#!/bin/bash + +export LC_ALL=C +ZAMBA_CONF="/root/zamba-lxc-toolbox/conf/zamba.conf" + +if [[ -f "$ZAMBA_CONF" ]]; then + # Prüfen, ob die Datei älter als 3 Tage ist + if find "$ZAMBA_CONF" -mtime +3 >/dev/null 2>&1; then + echo "⚠️ zamba.conf ist älter als 3 Tage – Datei wird gelöscht: $ZAMBA_CONF" + rm -f "$ZAMBA_CONF" + exit 0 + else + echo "❌ Problem: zamba.conf ist vorhanden und jünger als 3 Tage: $ZAMBA_CONF" + exit 2 + fi +else + echo "✅ OK: zamba.conf ist nicht vorhanden" + exit 0 +fi From 0141dc86acfa32de16f7abaf034d91a7066af6a5 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Thu, 26 Jun 2025 09:55:58 +0200 Subject: [PATCH 024/105] Update nextcloud-update --- scripts/nextcloud-update | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/nextcloud-update b/scripts/nextcloud-update index fa17c9a..501cc60 100644 --- a/scripts/nextcloud-update +++ b/scripts/nextcloud-update @@ -4,7 +4,7 @@ # Place in /etc/cron.daily and make executable with: chmod +x /etc/cron.daily/nextcloud-update user=www-data -phpversion=php8.2 +phpversion=php8.3 path=/var/www/nextcloud logfile="/var/log/nextcloud-update.log" 
From 2de97ff2d6c9c89091e56393dbec47db26eb857f Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Wed, 23 Jul 2025 11:51:39 +0200 Subject: [PATCH 025/105] Create install-service.sh add icinga2 --- src/icinga2/install-service.sh | 349 +++++++++++++++++++++++++++++++++ 1 file changed, 349 insertions(+) create mode 100644 src/icinga2/install-service.sh diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh new file mode 100644 index 0000000..da3b358 --- /dev/null +++ b/src/icinga2/install-service.sh 
@@ -0,0 +1,349 @@ +#!/bin/bash +# +# Zamba LXC Toolbox - Service Installer +# Service: icinga-stack +# +# Description: Installs and configures a full Icinga2 monitoring stack. +# This script is designed to be easily adaptable for future OS releases. +# + +# --- OS & Version Configuration --- +# This section contains variables that may need to be updated for a new OS release. + +# Automatically detect the OS codename (e.g., "bookworm", "trixie") +# This should work without changes on future Debian versions. +OS_CODENAME=$(source /etc/os-release && echo "$VERSION_CODENAME") + +# Define the PHP version for the current OS release. +# For Debian 12 (Bookworm), this is 8.2. +# For a future Debian 13 (Trixie), you would likely change this to "8.3". +PHP_VERSION="8.2" + + +# --- Service Functions --- + +_install() { + zamba_header "Phase 1: Installation der Pakete" + + zamba_log "System wird aktualisiert und Basispakete werden installiert." + export DEBIAN_FRONTEND=noninteractive + zamba_run_cmd apt-get update + zamba_run_cmd apt-get install -y wget gpg apt-transport-https curl sudo lsb-release + + zamba_log "Repositories für Icinga, InfluxDB und Grafana werden hinzugefügt." + # Icinga Repo + if [ ! -f /etc/apt/sources.list.d/icinga.list ]; then + zamba_run_cmd curl -fsSL https://packages.icinga.com/icinga.key | gpg --dearmor -o /usr/share/keyrings/icinga-archive-keyring.gpg + echo "deb [signed-by=/usr/share/keyrings/icinga-archive-keyring.gpg] https://packages.icinga.com/debian icinga-${OS_CODENAME} main" > /etc/apt/sources.list.d/icinga.list + zamba_log "Icinga Repository für ${OS_CODENAME} hinzugefügt." + else + zamba_log "Icinga Repository existiert bereits." + fi + + # InfluxDB Repo + if [ ! 
-f /etc/apt/sources.list.d/influxdata.list ]; then + zamba_run_cmd curl -fsSL https://repos.influxdata.com/influxdata-archive_compat.key | gpg --dearmor -o /usr/share/keyrings/influxdata-archive_compat-keyring.gpg + echo "deb [signed-by=/usr/share/keyrings/influxdata-archive_compat-keyring.gpg] https://repos.influxdata.com/debian ${OS_CODENAME} stable" > /etc/apt/sources.list.d/influxdata.list + zamba_log "InfluxDB Repository für ${OS_CODENAME} hinzugefügt." + else + zamba_log "InfluxDB Repository existiert bereits." + fi + + # Grafana Repo + if [ ! -f /etc/apt/sources.list.d/grafana.list ]; then + zamba_run_cmd wget -q -O - https://apt.grafana.com/gpg.key | gpg --dearmor -o /usr/share/keyrings/grafana-archive-keyring.gpg + echo "deb [signed-by=/usr/share/keyrings/grafana-archive-keyring.gpg] https://apt.grafana.com stable main" > /etc/apt/sources.list.d/grafana.list + zamba_log "Grafana Repository hinzugefügt." + else + zamba_log "Grafana Repository existiert bereits." + fi + + zamba_log "Paketlisten werden erneut aktualisiert." + zamba_run_cmd apt-get update + + zamba_log "Hauptkomponenten werden installiert (PHP Version: ${PHP_VERSION})." + zamba_run_cmd apt-get install -y \ + icinga2 icinga2-ido-pgsql \ + nginx php${PHP_VERSION}-fpm php${PHP_VERSION}-pgsql php${PHP_VERSION}-intl php${PHP_VERSION}-imagick php${PHP_VERSION}-xml php${PHP_VERSION}-gd php${PHP_VERSION}-ldap \ + postgresql \ + influxdb2 \ + grafana \ + icingaweb2 icingacli + + zamba_log "Icinga Director Modul wird installiert." + if [ ! 
-d /usr/share/icingaweb2/modules/director ]; then + ICINGA_DIRECTOR_VERSION=$(curl -s "https://api.github.com/repos/Icinga/icingaweb2-module-director/releases/latest" | grep -Po '"tag_name": "v\K[0-9.]+') + zamba_run_cmd wget -O /tmp/director.tar.gz "https://github.com/Icinga/icingaweb2-module-director/archive/refs/tags/v${ICINGA_DIRECTOR_VERSION}.tar.gz" + zamba_run_cmd tar -C /usr/share/icingaweb2/modules -xzf /tmp/director.tar.gz + zamba_run_cmd mv /usr/share/icingaweb2/modules/icingaweb2-module-director-* /usr/share/icingaweb2/modules/director + zamba_run_cmd rm /tmp/director.tar.gz + zamba_log "Icinga Director v${ICINGA_DIRECTOR_VERSION} installiert." + else + zamba_log "Icinga Director ist bereits installiert." + fi + + zamba_log "Systemd Services werden aktiviert." + zamba_run_cmd systemctl enable --now icinga2 postgresql nginx php${PHP_VERSION}-fpm influxdb2 grafana-server +} + +_configure() { + zamba_header "Phase 2: Konfiguration der Komponenten" + + # 1. Passwörter und Credentials generieren und speichern + zamba_log "Passwörter und API-Keys werden generiert und in ${CRED_FILE} gespeichert." 
+ ICINGAWEB_DB_PASS=$(zamba_generate_password 24) + DIRECTOR_DB_PASS=$(zamba_generate_password 24) + ICINGA_IDO_DB_PASS=$(zamba_generate_password 24) + ICINGA_API_USER_PASS=$(zamba_generate_password 24) + ICINGAWEB_ADMIN_PASS=$(zamba_generate_password 16) + GRAFANA_ADMIN_PASS=$(zamba_generate_password 16) + INFLUX_ADMIN_TOKEN=$(zamba_generate_password 40) + INFLUX_ICINGA_TOKEN=$(zamba_generate_password 40) + + mkdir -p "$(dirname "$CRED_FILE")" + chmod 700 "$(dirname "$CRED_FILE")" + { + echo "# --- Icinga Monitoring Stack Credentials ---" + echo "# Automatisch generiert am $(date)" + echo "# OS: Debian ${OS_CODENAME}" + echo "" + echo "## Icinga Web 2" + echo "URL: https://${ZAMBA_HOSTNAME}/icingaweb2" + echo "Benutzer: icingaadmin" + echo "Passwort: ${ICINGAWEB_ADMIN_PASS}" + echo "" + echo "## Grafana" + echo "URL: https://${ZAMBA_HOSTNAME}/grafana" + echo "Benutzer: admin" + echo "Passwort: ${GRAFANA_ADMIN_PASS}" + echo "" + echo "## InfluxDB 2 (für API-Nutzung)" + echo "URL: http://localhost:8086" + echo "Admin Token: ${INFLUX_ADMIN_TOKEN}" + echo "Icinga Token: ${INFLUX_ICINGA_TOKEN}" + echo "Organisation: icinga" + echo "Bucket: icinga" + echo "" + echo "## Icinga2 Director API" + echo "Benutzer: director" + echo "Passwort: ${ICINGA_API_USER_PASS}" + } > "$CRED_FILE" + chmod 600 "$CRED_FILE" + + # 2. PostgreSQL konfigurieren + zamba_log "PostgreSQL wird konfiguriert." + sudo -u postgres psql -c "CREATE ROLE icingaweb2 WITH LOGIN PASSWORD '${ICINGAWEB_DB_PASS}';" &>/dev/null || zamba_log "Postgres-Rolle 'icingaweb2' existiert bereits." + sudo -u postgres psql -c "CREATE ROLE director WITH LOGIN PASSWORD '${DIRECTOR_DB_PASS}';" &>/dev/null || zamba_log "Postgres-Rolle 'director' existiert bereits." + sudo -u postgres psql -c "CREATE ROLE icinga_ido WITH LOGIN PASSWORD '${ICINGA_IDO_DB_PASS}';" &>/dev/null || zamba_log "Postgres-Rolle 'icinga_ido' existiert bereits." 
+ sudo -u postgres createdb -O icingaweb2 icingaweb2 &>/dev/null || zamba_log "Postgres-DB 'icingaweb2' existiert bereits." + sudo -u postgres createdb -O director director &>/dev/null || zamba_log "Postgres-DB 'director' existiert bereits." + sudo -u postgres createdb -O icinga_ido icinga_ido &>/dev/null || zamba_log "Postgres-DB 'icinga_ido' existiert bereits." + sudo -u postgres psql -d icinga_ido -c "GRANT ALL ON SCHEMA public TO icinga_ido;" + + # 3. Icinga2 konfigurieren + zamba_log "Icinga2 (ido-pgsql, api, influxdb2-writer) wird konfiguriert." + zamba_run_cmd icinga2 feature enable ido-pgsql api influxdb2-writer >/dev/null + + zamba_run_cmd bash -c "cat > /etc/icinga2/features-available/ido-pgsql.conf" < /etc/icinga2/conf.d/api-users.conf" < /etc/icinga2/features-available/influxdb2-writer.conf" < /etc/icingaweb2/resources.ini" < /etc/grafana/provisioning/datasources/influxdb.yaml" < /etc/nginx/sites-available/icinga-stack" </dev/null + PGPASSWORD="${ICINGAWEB_DB_PASS}" psql -h localhost -U icingaweb2 -d icingaweb2 -f /usr/share/icingaweb2/etc/schema/pgsql.schema.sql &>/dev/null + + # 2. Icinga Web 2 Setup + zamba_log "Icinga Web 2 Setup wird ausgeführt." + ICINGAWEB_SETUP_TOKEN=$(icingacli setup token create) + icingacli setup config webserver nginx --document-root /usr/share/icingaweb2/public + icingacli setup --unattended --module icingaweb2 --setup-token "$ICINGAWEB_SETUP_TOKEN" \ + --db-type pgsql --db-host localhost --db-port 5432 --db-name icingaweb2 \ + --db-user icingaweb2 --db-pass "$ICINGAWEB_DB_PASS" + icingacli setup --unattended --module monitoring --setup-token "$ICINGAWEB_SETUP_TOKEN" \ + --backend-type ido --resource icinga_ido + icingacli user add icingaadmin --password "$ICINGAWEB_ADMIN_PASS" --role "Administrators" + + # 3. Director Setup + zamba_log "Icinga Director Setup wird ausgeführt." 
+ icingacli director kickstart --endpoint localhost --user director --password "${ICINGA_API_USER_PASS}" + icingacli director config set 'endpoint' 'localhost' --user 'director' --password "${ICINGA_API_USER_PASS}" + icingacli director migration run + icingacli director automation run + + # 4. Services neu starten, um alle Konfigurationen zu laden + zamba_log "Alle Services werden neu gestartet." + zamba_run_cmd systemctl restart postgresql + zamba_run_cmd systemctl restart icinga2 + zamba_run_cmd systemctl restart php${PHP_VERSION}-fpm + zamba_run_cmd systemctl restart nginx + zamba_run_cmd systemctl restart grafana-server + + zamba_log "Warte auf Icinga2 API..." + sleep 15 + zamba_log "Director Konfiguration wird angewendet." + zamba_run_cmd icingacli director config deploy +} + +_info() { + zamba_header "Installation des Icinga Monitoring Stacks abgeschlossen" + echo "" + echo "Die Konfiguration wurde erfolgreich abgeschlossen." + echo "Alle notwendigen Passwörter, Logins und API-Keys wurden generiert." + echo "" + echo "Sie finden alle Zugangsdaten in der folgenden Datei:" + echo -e " \e[1;33m${CRED_FILE}\e[0m" + echo "" + echo "Wichtige URLs:" + echo -e " Icinga Web 2: \e[1;34mhttps://${ZAMBA_HOSTNAME}/icingaweb2\e[0m" + echo -e " Grafana: \e[1;34mhttps://${ZAMBA_HOSTNAME}/grafana\e[0m" + echo "" + echo "Hinweis zu TLS: Der Server verwendet aktuell ein selbst-signiertes 'snakeoil'-Zertifikat." + echo "Ersetzen Sie die Symlinks in /etc/nginx/ssl/ mit Ihren echten Zertifikaten und starten Sie Nginx neu:" + echo " systemctl restart nginx" + echo "" +} + From e4fce2835f6c1c553a47b4d63814510c73f7be76 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Wed, 23 Jul 2025 11:52:54 +0200 Subject: [PATCH 026/105] Create constants-service.conf --- src/icinga2/constants-service.conf | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 src/icinga2/constants-service.conf 
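Review bot: In `_configure`, each `sudo -u postgres psql -c "CREATE ROLE ... PASSWORD '${...}';" &>/dev/null || zamba_log "... existiert bereits."` treats every psql failure as "role exists", and on a rerun the freshly generated password is written to `${CRED_FILE}` while the existing role keeps its old one, so the recorded credentials no longer match the database. Follow each guarded create with an unconditional `sudo -u postgres psql -c "ALTER ROLE icingaweb2 WITH PASSWORD '${ICINGAWEB_DB_PASS}';"` (likewise for director and icinga_ido), and prefer feeding the SQL on stdin so the passwords do not appear in the process list. `ICINGA_DIRECTOR_VERSION` comes from an unauthenticated GitHub API call with no empty-value guard and the tarball is extracted without any checksum or signature check; `[[ -n "$ICINGA_DIRECTOR_VERSION" ]] || return 1` plus a pinned version in constants-service.conf would make this deterministic. The heredoc bodies for ido-pgsql.conf, api-users.conf, resources.ini, the Grafana datasource and the nginx site are garbled in this rendering, so the generated configuration could not be reviewed.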
diff --git a/src/icinga2/constants-service.conf b/src/icinga2/constants-service.conf new file mode 100644 index 0000000..017134b --- /dev/null +++ b/src/icinga2/constants-service.conf @@ -0,0 +1,18 @@ +#!/bin/bash +# +# Zamba LXC Toolbox - Service Constants +# Service: icinga-stack +# + +# --- Service Metadata --- +ZAMBA_SERVICE_NAME="Icinga2 Monitoring Stack" +ZAMBA_SERVICE_DESC="Installiert Icinga2, Icingaweb2, Director, Nginx, PostgreSQL, InfluxDB2 und Grafana." + +# --- Service Configuration --- +# Path to store the generated credentials for the admin +CRED_FILE="/root/.zamba_credentials/icinga_stack.txt" + +# Define the PHP version for the current OS release. +# For Debian 12 (Bookworm), this is 8.2. +# For a future Debian 13 (Trixie), you would likely change this to "8.3". +PHP_VERSION="8.2" From 2b78abbd0e4c9a53323aeb00c7c8db7399f10b22 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Wed, 23 Jul 2025 11:53:36 +0200 Subject: [PATCH 027/105] Update install-service.sh --- src/icinga2/install-service.sh | 6 ------ 1 file changed, 6 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index da3b358..7cff18a 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -14,12 +14,6 @@ # This should work without changes on future Debian versions. OS_CODENAME=$(source /etc/os-release && echo "$VERSION_CODENAME") -# Define the PHP version for the current OS release. -# For Debian 12 (Bookworm), this is 8.2. -# For a future Debian 13 (Trixie), you would likely change this to "8.3". -PHP_VERSION="8.2" - - # --- Service Functions --- _install() { From 86d79f0ac2405f03878246acedbe0ea09edb5fa7 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Wed, 23 Jul 2025 12:03:21 +0200 Subject: [PATCH 028/105] Update constants-service.conf --- src/icinga2/constants-service.conf | 30 ++++++++++++++++++++++++++---- 1 file changed, 26 insertions(+), 4 deletions(-) 
diff --git a/src/icinga2/constants-service.conf b/src/icinga2/constants-service.conf index 017134b..3bfe5d8 100644 --- a/src/icinga2/constants-service.conf +++ b/src/icinga2/constants-service.conf @@ -1,8 +1,30 @@ #!/bin/bash -# -# Zamba LXC Toolbox - Service Constants -# Service: icinga-stack -# + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +# This file contains the project constants on service level + +# Debian Version, which will be installed +LXC_TEMPLATE_VERSION="debian-12-standard" + +# Create sharefs mountpoint +LXC_MP=0 +# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank) +LXC_SHAREFS_MOUNTPOINT="tank" +# Defines the recordsize of mp0 +LXC_MP_RECORDSIZE="16K" + +# Create unprivileged container +LXC_UNPRIVILEGED="1" + +# enable nesting feature +LXC_NESTING="1" + +# enable keyctl feature +LXC_KEYCTL="0" # --- Service Metadata --- ZAMBA_SERVICE_NAME="Icinga2 Monitoring Stack" From af6ef532d9d788bed1c50fe1568957004cdf9441 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Wed, 23 Jul 2025 12:04:01 +0200 Subject: [PATCH 029/105] Update constants-service.conf --- src/icinga2/constants-service.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/icinga2/constants-service.conf b/src/icinga2/constants-service.conf index 3bfe5d8..ed875bf 100644 --- a/src/icinga2/constants-service.conf +++ b/src/icinga2/constants-service.conf @@ -26,6 +26,9 @@ LXC_NESTING="1" # enable keyctl feature LXC_KEYCTL="0" +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=1024 + # --- Service Metadata --- ZAMBA_SERVICE_NAME="Icinga2 Monitoring Stack" ZAMBA_SERVICE_DESC="Installiert Icinga2, Icingaweb2, Director, Nginx, PostgreSQL, InfluxDB2 und Grafana." From 94becd6d54ce3a8c0f651fafdeede15a77b778cf Mon Sep 17 00:00:00 2001 
From: Thorsten Spille Date: Wed, 23 Jul 2025 12:04:42 +0200 Subject: [PATCH 030/105] Update constants-service.conf --- src/icinga2/constants-service.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/icinga2/constants-service.conf b/src/icinga2/constants-service.conf index ed875bf..d1a47a4 100644 --- a/src/icinga2/constants-service.conf +++ b/src/icinga2/constants-service.conf @@ -41,3 +41,6 @@ CRED_FILE="/root/.zamba_credentials/icinga_stack.txt" # For Debian 12 (Bookworm), this is 8.2. # For a future Debian 13 (Trixie), you would likely change this to "8.3". PHP_VERSION="8.2" + +# service dependent meta tags +SERVICE_TAGS="nginx,postgresql,influxdb2,grafana" From 301c1bc446f7295420138350f4a1b2cf53171016 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Wed, 23 Jul 2025 12:33:27 +0200 Subject: [PATCH 031/105] Update constants-service.conf --- src/icinga2/constants-service.conf | 90 ++++++++++++++++++------------ 1 file changed, 53 insertions(+), 37 deletions(-) diff --git a/src/icinga2/constants-service.conf b/src/icinga2/constants-service.conf index d1a47a4..6c87f99 100644 --- a/src/icinga2/constants-service.conf +++ b/src/icinga2/constants-service.conf 
@@ -1,46 +1,62 @@ #!/bin/bash - -# Authors: -# (C) 2021 Idea an concept by Christian Zengel -# (C) 2021 Script design and prototype by Markus Helmke -# (C) 2021 Script rework and documentation by Thorsten Spille - -# This file contains the project constants on service level - -# Debian Version, which will be installed -LXC_TEMPLATE_VERSION="debian-12-standard" - -# Create sharefs mountpoint -LXC_MP=0 -# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank) -LXC_SHAREFS_MOUNTPOINT="tank" -# Defines the recordsize of mp0 -LXC_MP_RECORDSIZE="16K" - -# Create unprivileged container -LXC_UNPRIVILEGED="1" - -# enable nesting feature -LXC_NESTING="1" - -# enable keyctl feature -LXC_KEYCTL="0" - -# Sets the minimum amount of RAM the service needs for operation -LXC_MEM_MIN=1024 +# +# Zamba LXC Toolbox - Service Constants +# Service: icinga-stack +# +# Description: Enthält alle anwendungsspezifischen Konstanten und +# Variablen, die für OS-Upgrades relevant sind. +# # --- Service Metadata --- ZAMBA_SERVICE_NAME="Icinga2 Monitoring Stack" ZAMBA_SERVICE_DESC="Installiert Icinga2, Icingaweb2, Director, Nginx, PostgreSQL, InfluxDB2 und Grafana." +# Tags zur besseren Filterung und Verwaltung des Containers +SERVICE_TAGS="monitoring,icinga,grafana,influxdb,nginx,postgresql" -# --- Service Configuration --- -# Path to store the generated credentials for the admin + +# --- LXC Container Configuration --- +# Diese Parameter steuern die Erstellung des LXC Containers durch das Zamba Framework. + +# Debian Version, die als Basis für den Container dient +LXC_TEMPLATE_VERSION="debian-12-standard" + +# Erstellt einen unprivilegierten Container für erhöhte Sicherheit +LXC_UNPRIVILEGED="1" + +# Erlaubt das Ausführen von z.B. 
Docker innerhalb dieses Containers +LXC_NESTING="1" + +# Wird für bestimmte Sicherheits-Features benötigt, hier nicht erforderlich +LXC_KEYCTL="0" + +# Erstellt einen Mountpoint (mp0) für geteilte Dateisysteme +LXC_MP=1 +# Name des ZFS-Dateisystems, das als Mountpoint dient +LXC_SHAREFS_MOUNTPOINT="tank" +# Optimierte Recordsize für Datenbanken und kleine Dateien +LXC_MP_RECORDSIZE="16K" + +# Minimal benötigter Arbeitsspeicher in MB. +# 2048 MB wird für den Betrieb des gesamten Stacks (Icinga, DBs, Grafana) empfohlen. +LXC_MEM_MIN=2048 + + +# --- Service-spezifische Konfiguration --- + +# Pfad zur Speicherung der generierten Zugangsdaten CRED_FILE="/root/.zamba_credentials/icinga_stack.txt" -# Define the PHP version for the current OS release. -# For Debian 12 (Bookworm), this is 8.2. -# For a future Debian 13 (Trixie), you would likely change this to "8.3". -PHP_VERSION="8.2" -# service dependent meta tags -SERVICE_TAGS="nginx,postgresql,influxdb2,grafana" +# --- OS-Versions-spezifische Variablen --- +# Diese Variablen müssen bei einem Upgrade des Basis-Betriebssystems +# (z.B. von Debian 12 auf 13) angepasst werden. + +# Der Codename des Betriebssystems (wird für die Repository-Pfade benötigt) +# Dieser Wert wird normalerweise vom Framework (z.B. aus /etc/os-release) bereitgestellt. +# Falls nicht, wird hier ein Fallback gesetzt. +OS_CODENAME="${OS_CODENAME:-bookworm}" + +# Die Standard-PHP-Version für die jeweilige Debian-Version. +# Debian 12 (Bookworm) -> "8.2" +# Debian 13 (Trixie) -> voraussichtlich "8.3" +PHP_VERSION="8.2" From 2aa944e9d06493bbc1c6580d2896725979bf86f8 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Wed, 23 Jul 2025 12:43:19 +0200 Subject: [PATCH 032/105] Update install-service.sh --- src/icinga2/install-service.sh | 229 +++++++++++++++++++-------------- 1 file changed, 134 insertions(+), 95 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index 7cff18a..b7a7950 100644 
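Review bot: `OS_CODENAME="${OS_CODENAME:-bookworm}"` assumes the framework exports the codename, but the following install-service.sh patch removes the only detection on this page (`OS_CODENAME=$(source /etc/os-release && echo "$VERSION_CODENAME")`), so the Icinga and InfluxDB repository paths will presumably always be built for bookworm even after `LXC_TEMPLATE_VERSION` is bumped. If this file is sourced on the host rather than inside the container, detecting from /etc/os-release here would also pick up the host's release, so the detection belongs in `_install`; restore `OS_CODENAME=$(. /etc/os-release && echo "$VERSION_CODENAME")` there and keep the fallback for the case where /etc/os-release is missing. The PHP_VERSION comment already documents the same per-release coupling, so a note that both values must be changed together would help the next upgrade.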
--- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh 
@@ -3,60 +3,66 @@ # Zamba LXC Toolbox - Service Installer # Service: icinga-stack # -# Description: Installs and configures a full Icinga2 monitoring stack. -# This script is designed to be easily adaptable for future OS releases. +# Description: Führt die Installation und Konfiguration des Icinga2 Stacks durch. +# Dieses Skript ist eigenständig und verwendet nur Standard-OS-Befehle. # -# --- OS & Version Configuration --- -# This section contains variables that may need to be updated for a new OS release. +# --- Internal Helper Functions --- +# Diese Funktion ist skript-spezifisch und nicht Teil eines Frameworks. +_generate_local_password() { + # Erzeugt eine sichere, zufällige Zeichenkette. + # $1: Länge der Zeichenkette + openssl rand -base64 "$1" +} -# Automatically detect the OS codename (e.g., "bookworm", "trixie") -# This should work without changes on future Debian versions. -OS_CODENAME=$(source /etc/os-release && echo "$VERSION_CODENAME") -# --- Service Functions --- +# --- Service Functions (_install, _configure, _setup, _info) --- _install() { - zamba_header "Phase 1: Installation der Pakete" + echo "" + echo "=================================================" + echo " Phase 1: Installation der Pakete" + echo "=================================================" + echo "" - zamba_log "System wird aktualisiert und Basispakete werden installiert." + echo "[INFO] System wird aktualisiert und Basispakete werden installiert." export DEBIAN_FRONTEND=noninteractive - zamba_run_cmd apt-get update - zamba_run_cmd apt-get install -y wget gpg apt-transport-https curl sudo lsb-release + apt-get update + apt-get install -y wget gpg apt-transport-https curl sudo lsb-release - zamba_log "Repositories für Icinga, InfluxDB und Grafana werden hinzugefügt." + echo "[INFO] Repositories für Icinga, InfluxDB und Grafana werden hinzugefügt." # Icinga Repo if [ ! 
-f /etc/apt/sources.list.d/icinga.list ]; then - zamba_run_cmd curl -fsSL https://packages.icinga.com/icinga.key | gpg --dearmor -o /usr/share/keyrings/icinga-archive-keyring.gpg + curl -fsSL https://packages.icinga.com/icinga.key | gpg --dearmor -o /usr/share/keyrings/icinga-archive-keyring.gpg echo "deb [signed-by=/usr/share/keyrings/icinga-archive-keyring.gpg] https://packages.icinga.com/debian icinga-${OS_CODENAME} main" > /etc/apt/sources.list.d/icinga.list - zamba_log "Icinga Repository für ${OS_CODENAME} hinzugefügt." + echo "[INFO] Icinga Repository für ${OS_CODENAME} hinzugefügt." else - zamba_log "Icinga Repository existiert bereits." + echo "[INFO] Icinga Repository existiert bereits." fi # InfluxDB Repo if [ ! -f /etc/apt/sources.list.d/influxdata.list ]; then - zamba_run_cmd curl -fsSL https://repos.influxdata.com/influxdata-archive_compat.key | gpg --dearmor -o /usr/share/keyrings/influxdata-archive_compat-keyring.gpg + curl -fsSL https://repos.influxdata.com/influxdata-archive_compat.key | gpg --dearmor -o /usr/share/keyrings/influxdata-archive_compat-keyring.gpg echo "deb [signed-by=/usr/share/keyrings/influxdata-archive_compat-keyring.gpg] https://repos.influxdata.com/debian ${OS_CODENAME} stable" > /etc/apt/sources.list.d/influxdata.list - zamba_log "InfluxDB Repository für ${OS_CODENAME} hinzugefügt." + echo "[INFO] InfluxDB Repository für ${OS_CODENAME} hinzugefügt." else - zamba_log "InfluxDB Repository existiert bereits." + echo "[INFO] InfluxDB Repository existiert bereits." fi # Grafana Repo if [ ! 
-f /etc/apt/sources.list.d/grafana.list ]; then - zamba_run_cmd wget -q -O - https://apt.grafana.com/gpg.key | gpg --dearmor -o /usr/share/keyrings/grafana-archive-keyring.gpg + wget -q -O - https://apt.grafana.com/gpg.key | gpg --dearmor -o /usr/share/keyrings/grafana-archive-keyring.gpg echo "deb [signed-by=/usr/share/keyrings/grafana-archive-keyring.gpg] https://apt.grafana.com stable main" > /etc/apt/sources.list.d/grafana.list - zamba_log "Grafana Repository hinzugefügt." + echo "[INFO] Grafana Repository hinzugefügt." else - zamba_log "Grafana Repository existiert bereits." + echo "[INFO] Grafana Repository existiert bereits." fi - zamba_log "Paketlisten werden erneut aktualisiert." - zamba_run_cmd apt-get update + echo "[INFO] Paketlisten werden erneut aktualisiert." + apt-get update - zamba_log "Hauptkomponenten werden installiert (PHP Version: ${PHP_VERSION})." - zamba_run_cmd apt-get install -y \ + echo "[INFO] Hauptkomponenten werden installiert (PHP Version: ${PHP_VERSION})." + apt-get install -y \ icinga2 icinga2-ido-pgsql \ nginx php${PHP_VERSION}-fpm php${PHP_VERSION}-pgsql php${PHP_VERSION}-intl php${PHP_VERSION}-imagick php${PHP_VERSION}-xml php${PHP_VERSION}-gd php${PHP_VERSION}-ldap \ postgresql \ 
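Review bot: The comment on `_generate_local_password` says `$1` is the length of the string, but `openssl rand -base64 "$1"` encodes `$1` random bytes, so a request for 24 yields 32 characters drawn from a set that includes `+`, `/` and `=`; the lengths documented at the call sites are therefore wrong. `tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"` gives exactly `$1` characters that are safe to pass through every context they are interpolated into. Replacing `zamba_run_cmd curl ... | gpg --dearmor -o ...` with bare pipelines removes whatever error handling the wrapper provided, and no `set -e` is visible in this hunk (the file header is outside it), so a failed key download leaves an empty keyring and the script continues to `apt-get install`; adding `set -euo pipefail` at the top of the script or `|| return 1` on the key lines closes that gap.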
@@ -64,35 +70,39 @@ _install() { grafana \ icingaweb2 icingacli - zamba_log "Icinga Director Modul wird installiert." + echo "[INFO] Icinga Director Modul wird installiert." if [ ! -d /usr/share/icingaweb2/modules/director ]; then ICINGA_DIRECTOR_VERSION=$(curl -s "https://api.github.com/repos/Icinga/icingaweb2-module-director/releases/latest" | grep -Po '"tag_name": "v\K[0-9.]+') - zamba_run_cmd wget -O /tmp/director.tar.gz "https://github.com/Icinga/icingaweb2-module-director/archive/refs/tags/v${ICINGA_DIRECTOR_VERSION}.tar.gz" - zamba_run_cmd tar -C /usr/share/icingaweb2/modules -xzf /tmp/director.tar.gz - zamba_run_cmd mv /usr/share/icingaweb2/modules/icingaweb2-module-director-* /usr/share/icingaweb2/modules/director - zamba_run_cmd rm /tmp/director.tar.gz - zamba_log "Icinga Director v${ICINGA_DIRECTOR_VERSION} installiert." + wget -O /tmp/director.tar.gz "https://github.com/Icinga/icingaweb2-module-director/archive/refs/tags/v${ICINGA_DIRECTOR_VERSION}.tar.gz" + tar -C /usr/share/icingaweb2/modules -xzf /tmp/director.tar.gz + mv /usr/share/icingaweb2/modules/icingaweb2-module-director-* /usr/share/icingaweb2/modules/director + rm /tmp/director.tar.gz + echo "[INFO] Icinga Director v${ICINGA_DIRECTOR_VERSION} installiert." else - zamba_log "Icinga Director ist bereits installiert." + echo "[INFO] Icinga Director ist bereits installiert." fi - zamba_log "Systemd Services werden aktiviert." - zamba_run_cmd systemctl enable --now icinga2 postgresql nginx php${PHP_VERSION}-fpm influxdb2 grafana-server + echo "[INFO] Systemd Services werden aktiviert." + systemctl enable --now icinga2 postgresql nginx php${PHP_VERSION}-fpm influxdb2 grafana-server } _configure() { - zamba_header "Phase 2: Konfiguration der Komponenten" + echo "" + echo "=================================================" + echo " Phase 2: Konfiguration der Komponenten" + echo "=================================================" + echo "" # 1. 
Passwörter und Credentials generieren und speichern - zamba_log "Passwörter und API-Keys werden generiert und in ${CRED_FILE} gespeichert." - ICINGAWEB_DB_PASS=$(zamba_generate_password 24) - DIRECTOR_DB_PASS=$(zamba_generate_password 24) - ICINGA_IDO_DB_PASS=$(zamba_generate_password 24) - ICINGA_API_USER_PASS=$(zamba_generate_password 24) - ICINGAWEB_ADMIN_PASS=$(zamba_generate_password 16) - GRAFANA_ADMIN_PASS=$(zamba_generate_password 16) - INFLUX_ADMIN_TOKEN=$(zamba_generate_password 40) - INFLUX_ICINGA_TOKEN=$(zamba_generate_password 40) + echo "[INFO] Passwörter und API-Keys werden generiert und in ${CRED_FILE} gespeichert." + ICINGAWEB_DB_PASS=$(_generate_local_password 24) + DIRECTOR_DB_PASS=$(_generate_local_password 24) + ICINGA_IDO_DB_PASS=$(_generate_local_password 24) + ICINGA_API_USER_PASS=$(_generate_local_password 24) + ICINGAWEB_ADMIN_PASS=$(_generate_local_password 16) + GRAFANA_ADMIN_PASS=$(_generate_local_password 16) + INFLUX_ADMIN_TOKEN=$(_generate_local_password 40) + INFLUX_ICINGA_TOKEN=$(_generate_local_password 40) mkdir -p "$(dirname "$CRED_FILE")" chmod 700 "$(dirname "$CRED_FILE")" @@ -102,12 +112,12 @@ _configure() { echo "# OS: Debian ${OS_CODENAME}" echo "" echo "## Icinga Web 2" - echo "URL: https://${ZAMBA_HOSTNAME}/icingaweb2" + echo "URL: https://${ZAMBA_HOSTNAME:-$(hostname -f)}/icingaweb2" echo "Benutzer: icingaadmin" echo "Passwort: ${ICINGAWEB_ADMIN_PASS}" echo "" echo "## Grafana" - echo "URL: https://${ZAMBA_HOSTNAME}/grafana" + echo "URL: https://${ZAMBA_HOSTNAME:-$(hostname -f)}/grafana" echo "Benutzer: admin" echo "Passwort: ${GRAFANA_ADMIN_PASS}" echo "" 
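Review bot: The `wget -O /tmp/director.tar.gz ".../tags/v${ICINGA_DIRECTOR_VERSION}.tar.gz"` line in _install runs without checking that `ICINGA_DIRECTOR_VERSION` is non-empty, and the tarball is extracted into /usr/share/icingaweb2/modules as root with no checksum or signature check; if the unauthenticated `curl -s` call to api.github.com fails or is rate-limited, the URL degrades to `.../tags/v.tar.gz` and the following `tar`/`mv` operate on whatever came back. With the `zamba_run_cmd` wrapper removed, these commands also carry no error handling of their own, so a failed download is only fatal if the caller happens to run with `set -e`. A guard such as `[ -n "$ICINGA_DIRECTOR_VERSION" ] || { echo "[ERROR] Director-Version konnte nicht ermittelt werden." >&2; return 1; }` before the download, plus a pinned version or expected checksum for the archive, would close this. _install's body begins outside the hunk.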
@@ -125,20 +135,20 @@ _configure() { chmod 600 "$CRED_FILE" # 2. PostgreSQL konfigurieren - zamba_log "PostgreSQL wird konfiguriert." - sudo -u postgres psql -c "CREATE ROLE icingaweb2 WITH LOGIN PASSWORD '${ICINGAWEB_DB_PASS}';" &>/dev/null || zamba_log "Postgres-Rolle 'icingaweb2' existiert bereits." - sudo -u postgres psql -c "CREATE ROLE director WITH LOGIN PASSWORD '${DIRECTOR_DB_PASS}';" &>/dev/null || zamba_log "Postgres-Rolle 'director' existiert bereits." - sudo -u postgres psql -c "CREATE ROLE icinga_ido WITH LOGIN PASSWORD '${ICINGA_IDO_DB_PASS}';" &>/dev/null || zamba_log "Postgres-Rolle 'icinga_ido' existiert bereits." - sudo -u postgres createdb -O icingaweb2 icingaweb2 &>/dev/null || zamba_log "Postgres-DB 'icingaweb2' existiert bereits." - sudo -u postgres createdb -O director director &>/dev/null || zamba_log "Postgres-DB 'director' existiert bereits." - sudo -u postgres createdb -O icinga_ido icinga_ido &>/dev/null || zamba_log "Postgres-DB 'icinga_ido' existiert bereits." + echo "[INFO] PostgreSQL wird konfiguriert." + sudo -u postgres psql -c "CREATE ROLE icingaweb2 WITH LOGIN PASSWORD '${ICINGAWEB_DB_PASS}';" &>/dev/null || echo "[INFO] Postgres-Rolle 'icingaweb2' existiert bereits." + sudo -u postgres psql -c "CREATE ROLE director WITH LOGIN PASSWORD '${DIRECTOR_DB_PASS}';" &>/dev/null || echo "[INFO] Postgres-Rolle 'director' existiert bereits." + sudo -u postgres psql -c "CREATE ROLE icinga_ido WITH LOGIN PASSWORD '${ICINGA_IDO_DB_PASS}';" &>/dev/null || echo "[INFO] Postgres-Rolle 'icinga_ido' existiert bereits." + sudo -u postgres createdb -O icingaweb2 icingaweb2 &>/dev/null || echo "[INFO] Postgres-DB 'icingaweb2' existiert bereits." + sudo -u postgres createdb -O director director &>/dev/null || echo "[INFO] Postgres-DB 'director' existiert bereits." + sudo -u postgres createdb -O icinga_ido icinga_ido &>/dev/null || echo "[INFO] Postgres-DB 'icinga_ido' existiert bereits." 
sudo -u postgres psql -d icinga_ido -c "GRANT ALL ON SCHEMA public TO icinga_ido;" # 3. Icinga2 konfigurieren - zamba_log "Icinga2 (ido-pgsql, api, influxdb2-writer) wird konfiguriert." - zamba_run_cmd icinga2 feature enable ido-pgsql api influxdb2-writer >/dev/null + echo "[INFO] Icinga2 (ido-pgsql, api, influxdb2-writer) wird konfiguriert." + icinga2 feature enable ido-pgsql api influxdb2-writer >/dev/null - zamba_run_cmd bash -c "cat > /etc/icinga2/features-available/ido-pgsql.conf" < /etc/icinga2/features-available/ido-pgsql.conf" < /etc/icinga2/conf.d/api-users.conf" < /etc/icinga2/conf.d/api-users.conf" < /etc/icinga2/features-available/influxdb2-writer.conf" < /etc/icinga2/features-available/influxdb2-writer.conf" < /etc/icingaweb2/resources.ini" < /etc/icingaweb2/resources.ini" < /etc/grafana/provisioning/datasources/influxdb.yaml" < /etc/grafana/provisioning/datasources/influxdb.yaml" < /etc/nginx/sites-available/icinga-stack" < /etc/nginx/sites-available/icinga-stack" </dev/null PGPASSWORD="${ICINGAWEB_DB_PASS}" psql -h localhost -U icingaweb2 -d icingaweb2 -f /usr/share/icingaweb2/etc/schema/pgsql.schema.sql &>/dev/null # 2. Icinga Web 2 Setup - zamba_log "Icinga Web 2 Setup wird ausgeführt." + echo "[INFO] Icinga Web 2 Setup wird ausgeführt." ICINGAWEB_SETUP_TOKEN=$(icingacli setup token create) icingacli setup config webserver nginx --document-root /usr/share/icingaweb2/public icingacli setup --unattended --module icingaweb2 --setup-token "$ICINGAWEB_SETUP_TOKEN" \ 
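Review bot: The six `sudo -u postgres psql ... &>/dev/null || echo "[INFO] ... existiert bereits."` lines in _configure treat every failure as "already exists", so a stopped PostgreSQL, a syntax error or a permission problem is logged as INFO and the run continues with roles and databases that were never created. Test existence explicitly and let genuine failures surface, e.g. `sudo -u postgres psql -tAc "SELECT 1 FROM pg_roles WHERE rolname='icingaweb2'" | grep -q 1 || sudo -u postgres psql -c "CREATE ROLE icingaweb2 WITH LOGIN PASSWORD '${ICINGAWEB_DB_PASS}';"`. The generated passwords are also passed inside the `-c` argument, where any local user can read them from the process list while the call runs; feeding the statement to psql on stdin keeps them out of argv. The heredoc bodies of the `bash -c "cat > ..."` lines in this hunk appear to have been stripped from the rendered patch, so their content could not be reviewed here.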
@@ -302,38 +316,41 @@ _setup() { icingacli user add icingaadmin --password "$ICINGAWEB_ADMIN_PASS" --role "Administrators" # 3. Director Setup - zamba_log "Icinga Director Setup wird ausgeführt." + echo "[INFO] Icinga Director Setup wird ausgeführt." icingacli director kickstart --endpoint localhost --user director --password "${ICINGA_API_USER_PASS}" icingacli director config set 'endpoint' 'localhost' --user 'director' --password "${ICINGA_API_USER_PASS}" icingacli director migration run icingacli director automation run # 4. Services neu starten, um alle Konfigurationen zu laden - zamba_log "Alle Services werden neu gestartet." - zamba_run_cmd systemctl restart postgresql - zamba_run_cmd systemctl restart icinga2 - zamba_run_cmd systemctl restart php${PHP_VERSION}-fpm - zamba_run_cmd systemctl restart nginx - zamba_run_cmd systemctl restart grafana-server + echo "[INFO] Alle Services werden neu gestartet." + systemctl restart postgresql + systemctl restart icinga2 + systemctl restart php${PHP_VERSION}-fpm + systemctl restart nginx + systemctl restart grafana-server - zamba_log "Warte auf Icinga2 API..." + echo "[INFO] Warte auf Icinga2 API..." sleep 15 - zamba_log "Director Konfiguration wird angewendet." - zamba_run_cmd icingacli director config deploy + echo "[INFO] Director Konfiguration wird angewendet." + icingacli director config deploy } _info() { - zamba_header "Installation des Icinga Monitoring Stacks abgeschlossen" + echo "" + echo "=================================================" + echo " Installation des Icinga Monitoring Stacks abgeschlossen" + echo "=================================================" echo "" echo "Die Konfiguration wurde erfolgreich abgeschlossen." echo "Alle notwendigen Passwörter, Logins und API-Keys wurden generiert." 
echo "" echo "Sie finden alle Zugangsdaten in der folgenden Datei:" - echo -e " \e[1;33m${CRED_FILE}\e[0m" + echo " ${CRED_FILE}" echo "" echo "Wichtige URLs:" - echo -e " Icinga Web 2: \e[1;34mhttps://${ZAMBA_HOSTNAME}/icingaweb2\e[0m" - echo -e " Grafana: \e[1;34mhttps://${ZAMBA_HOSTNAME}/grafana\e[0m" + echo " Icinga Web 2: https://${ZAMBA_HOSTNAME:-$(hostname -f)}/icingaweb2" + echo " Grafana: https://${ZAMBA_HOSTNAME:-$(hostname -f)}/grafana" echo "" echo "Hinweis zu TLS: Der Server verwendet aktuell ein selbst-signiertes 'snakeoil'-Zertifikat." echo "Ersetzen Sie die Symlinks in /etc/nginx/ssl/ mit Ihren echten Zertifikaten und starten Sie Nginx neu:" @@ -341,3 +358,25 @@ _info() { echo "" } +# --- Main Execution Logic --- +# This part is executed by the Zamba LXC Toolbox framework, +# which calls the _install, _configure, _setup, and _info functions in order. +# For standalone testing, you could uncomment the lines below. + +# if [ "$EUID" -ne 0 ]; then +# echo "[ERROR] Dieses Skript muss als Root ausgeführt werden." +# exit 1 +# fi +# +# # Load constants if running standalone +# ZAMBA_HOSTNAME=$(hostname -f) +# source ./constants-service.conf +# +# set -e # Exit on first error +# _install +# _configure +# _setup +# _info +# set +e +# +# exit 0 From 0e6639ca3fade92f75735d4a7bccd0718fe1b4fc Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Wed, 23 Jul 2025 12:56:54 +0200 Subject: [PATCH 033/105] Update install-service.sh --- src/icinga2/install-service.sh | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index b7a7950..346d291 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh 
@@ -368,15 +368,17 @@ _info() {
 # exit 1
 # fi
 #
+source zamba.conf
+source constants-service.conf
 # # Load constants if running standalone
-# ZAMBA_HOSTNAME=$(hostname -f)
-# source ./constants-service.conf
+ZAMBA_HOSTNAME=$(hostname -f)
+source ./constants-service.conf
 #
 # set -e # Exit on first error
-# _install
-# _configure
-# _setup
-# _info
-# set +e
+_install
+_configure
+_setup
+_info
+set +e
 #
-# exit 0
+exit 0
From 035de4e2961e9bde06999bf24ee17f80465ce064 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Wed, 23 Jul 2025 13:15:39 +0200 Subject: [PATCH 034/105] Update install-service.sh
---
 src/icinga2/install-service.sh | 125 +++++++++++++++++++-------------- 1 file changed, 71 insertions(+), 54 deletions(-)
diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh
index 346d291..41afb4e 100644
--- a/src/icinga2/install-service.sh
+++ b/src/icinga2/install-service.sh
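Review bot: Uncommenting `_install`, `_configure`, `_setup`, `_info` and `exit 0` at file level makes them run — and the shell exit — the moment this file is sourced, which contradicts the comment left above the block saying the Zamba Toolbox loads the file as a library and calls the phases itself. `source zamba.conf` and the duplicated `source constants-service.conf` / `source ./constants-service.conf` resolve against the caller's current directory rather than the script's location, so whatever file of that name sits in the cwd is executed as root. If standalone execution is wanted, gate it with `if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then ... fi` and build the config path from `$(dirname "${BASH_SOURCE[0]}")`. The `set +e` with no preceding `set -e` is a leftover from the commented template and does nothing.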
@@ -70,20 +70,29 @@ _install() { grafana \ icingaweb2 icingacli - echo "[INFO] Icinga Director Modul wird installiert." - if [ ! -d /usr/share/icingaweb2/modules/director ]; then - ICINGA_DIRECTOR_VERSION=$(curl -s "https://api.github.com/repos/Icinga/icingaweb2-module-director/releases/latest" | grep -Po '"tag_name": "v\K[0-9.]+') - wget -O /tmp/director.tar.gz "https://github.com/Icinga/icingaweb2-module-director/archive/refs/tags/v${ICINGA_DIRECTOR_VERSION}.tar.gz" - tar -C /usr/share/icingaweb2/modules -xzf /tmp/director.tar.gz - mv /usr/share/icingaweb2/modules/icingaweb2-module-director-* /usr/share/icingaweb2/modules/director - rm /tmp/director.tar.gz - echo "[INFO] Icinga Director v${ICINGA_DIRECTOR_VERSION} installiert." - else - echo "[INFO] Icinga Director ist bereits installiert." - fi + echo "[INFO] Icinga Web 2 Module (Abhängigkeiten für Director) werden installiert." + # Funktion zum Herunterladen und Entpacken von Modulen + install_icinga_module() { + local module_name="$1" + local repo_name="$2" + if [ ! -d "/usr/share/icingaweb2/modules/${module_name}" ]; then + echo "[INFO] Installiere Modul: ${module_name}" + local version=$(curl -s "https://api.github.com/repos/Icinga/${repo_name}/releases/latest" | grep -Po '"tag_name": "v\K[0-9.]+') + wget -O "/tmp/${module_name}.tar.gz" "https://github.com/Icinga/${repo_name}/archive/refs/tags/v${version}.tar.gz" + tar -C /usr/share/icingaweb2/modules -xzf "/tmp/${module_name}.tar.gz" + mv "/usr/share/icingaweb2/modules/${repo_name}-"* "/usr/share/icingaweb2/modules/${module_name}" + rm "/tmp/${module_name}.tar.gz" + else + echo "[INFO] Modul ${module_name} ist bereits installiert." + fi + } + + install_icinga_module "ipl" "icingaweb2-module-ipl" + install_icinga_module "reactbundle" "icingaweb2-module-reactbundle" + install_icinga_module "director" "icingaweb2-module-director" echo "[INFO] Systemd Services werden aktiviert." 
- systemctl enable --now icinga2 postgresql nginx php${PHP_VERSION}-fpm influxdb2 grafana-server + systemctl enable --now icinga2 postgresql nginx php${PHP_VERSION}-fpm influxdb grafana-server } _configure() { 
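Review bot: In the new `install_icinga_module` helper, `local version=$(curl ... | grep -Po ...)` hides the pipeline's exit status behind `local`, so a failed or rate-limited GitHub API call leaves `version` empty and the next line fetches `.../tags/v.tar.gz` and extracts whatever comes back into /usr/share/icingaweb2/modules as root, still with no checksum or signature check on the archives. Split the assignment and guard it: `local version; version=$(curl -fsS "https://api.github.com/repos/Icinga/${repo_name}/releases/latest" | grep -Po '"tag_name": "v\K[0-9.]+') || true` followed by `[ -n "$version" ] || { echo "[ERROR] Version für ${module_name} nicht ermittelbar." >&2; return 1; }`. Defining the helper inside `_install` redefines it on every call and leaves it in the global namespace afterwards; a top-level `_install_icinga_module` next to `_generate_local_password` would match the file's existing layout. The service rename from `influxdb2` to `influxdb` in the `systemctl enable` line looks consistent with the unit shipped by the influxdb2 package, but is worth confirming on the target Debian release.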
@@ -144,10 +153,8 @@ _configure() { sudo -u postgres createdb -O icinga_ido icinga_ido &>/dev/null || echo "[INFO] Postgres-DB 'icinga_ido' existiert bereits." sudo -u postgres psql -d icinga_ido -c "GRANT ALL ON SCHEMA public TO icinga_ido;" - # 3. Icinga2 konfigurieren - echo "[INFO] Icinga2 (ido-pgsql, api, influxdb2-writer) wird konfiguriert." - icinga2 feature enable ido-pgsql api influxdb2-writer >/dev/null - + # 3. Icinga2 Konfigurationsdateien schreiben + echo "[INFO] Icinga2 Konfigurationsdateien werden geschrieben." bash -c "cat > /etc/icinga2/features-available/ido-pgsql.conf" < /etc/icingaweb2/resources.ini" < /etc/icinga2/features-available/api.conf" < /etc/nginx/sites-available/icinga-stack" </dev/null PGPASSWORD="${ICINGAWEB_DB_PASS}" psql -h localhost -U icingaweb2 -d icingaweb2 -f /usr/share/icingaweb2/etc/schema/pgsql.schema.sql &>/dev/null - # 2. Icinga Web 2 Setup + # 2. Icinga2 Features aktivieren (NACHDEM die DB bereit ist) + echo "[INFO] Icinga2 Features werden aktiviert." + icinga2 feature enable ido-pgsql api influxdb2-writer >/dev/null + + # 3. Icinga Web 2 Module in korrekter Reihenfolge aktivieren + echo "[INFO] Icinga Web 2 Module werden aktiviert." + icingacli module enable ipl + icingacli module enable reactbundle + icingacli module enable director + + # 4. Alle Dienste neu starten + echo "[INFO] Alle Services werden neu gestartet, um Konfigurationen zu laden." + systemctl restart postgresql + systemctl restart icinga2 + systemctl restart php${PHP_VERSION}-fpm + systemctl restart nginx + systemctl restart grafana-server + + # 5. Icinga Web 2 Setup ausführen (NACHDEM die Dienste laufen) echo "[INFO] Icinga Web 2 Setup wird ausgeführt." ICINGAWEB_SETUP_TOKEN=$(icingacli setup token create) icingacli setup config webserver nginx --document-root /usr/share/icingaweb2/public 
@@ -315,23 +354,14 @@ _setup() { --backend-type ido --resource icinga_ido icingacli user add icingaadmin --password "$ICINGAWEB_ADMIN_PASS" --role "Administrators" - # 3. Director Setup + # 6. Director Setup ausführen (als letzter Schritt) + echo "[INFO] Warte auf Icinga2 API..." + sleep 15 # Gibt Icinga2 Zeit, vollständig zu starten echo "[INFO] Icinga Director Setup wird ausgeführt." + icingacli director migration run # Importiert das Director DB Schema icingacli director kickstart --endpoint localhost --user director --password "${ICINGA_API_USER_PASS}" icingacli director config set 'endpoint' 'localhost' --user 'director' --password "${ICINGA_API_USER_PASS}" - icingacli director migration run icingacli director automation run - - # 4. Services neu starten, um alle Konfigurationen zu laden - echo "[INFO] Alle Services werden neu gestartet." - systemctl restart postgresql - systemctl restart icinga2 - systemctl restart php${PHP_VERSION}-fpm - systemctl restart nginx - systemctl restart grafana-server - - echo "[INFO] Warte auf Icinga2 API..." - sleep 15 echo "[INFO] Director Konfiguration wird angewendet." icingacli director config deploy } @@ -352,9 +382,9 @@ _info() { echo " Icinga Web 2: https://${ZAMBA_HOSTNAME:-$(hostname -f)}/icingaweb2" echo " Grafana: https://${ZAMBA_HOSTNAME:-$(hostname -f)}/grafana" echo "" - echo "Hinweis zu TLS: Der Server verwendet aktuell ein selbst-signiertes 'snakeoil'-Zertifikat." - echo "Ersetzen Sie die Symlinks in /etc/nginx/ssl/ mit Ihren echten Zertifikaten und starten Sie Nginx neu:" - echo " systemctl restart nginx" + echo "Hinweis zu TLS: Der Server verwendet aktuell die Icinga2-eigenen, selbst-signierten Zertifikate." + echo "Wenn Sie externe Zertifikate (z.B. von Let's Encrypt) verwenden möchten," + echo "passen Sie die Pfade in /etc/nginx/sites-available/icinga-stack und /etc/icinga2/features-available/api.conf an und starten Sie die Dienste neu." echo "" } 
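Review bot: The new `sleep 15` before `icingacli director kickstart` is a fixed delay standing in for a readiness check on the Icinga 2 API: on a slow container it is too short and the kickstart fails, on a fast one it just wastes time. Poll the API listener with a bounded retry instead, e.g. `for ((i = 0; i < 30; i++)); do ss -ltn | grep -q ':5665 ' && break; sleep 2; done`, and fail explicitly if the port never opens. Moving `icingacli director migration run` ahead of the kickstart is sensible, but its exit status is not checked either, so a failed schema migration is followed by a kickstart against an empty database. _setup's body begins outside the hunk.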
@@ -368,17 +398,4 @@ _info() { # exit 1 # fi # -source zamba.conf -source constants-service.conf -# # Load constants if running standalone -ZAMBA_HOSTNAME=$(hostname -f) -source ./constants-service.conf -# -# set -e # Exit on first error -_install -_configure -_setup -_info -set +e -# -exit 0 +# # Load constants if runn From b9c47b835ad87328f6c6667cd62cda1237b4207f Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Wed, 23 Jul 2025 13:38:16 +0200 Subject: [PATCH 035/105] Update install-service.sh --- src/icinga2/install-service.sh | 42 ++++++++++++++++++++++++++-------- 1 file changed, 33 insertions(+), 9 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index 41afb4e..5fc001c 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh 
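Review bot: The replacement line `# # Load constants if runn` is a truncated comment left behind by the revert, so the file now ends mid-sentence. Either restore the full `# # Load constants if running standalone` or drop the fragment. Since this hunk puts the file back into library mode, a one-line header note that the phases are invoked by the framework would help the next reader not to uncomment the block again.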
@@ -389,13 +389,37 @@ _info() { } # --- Main Execution Logic --- -# This part is executed by the Zamba LXC Toolbox framework, -# which calls the _install, _configure, _setup, and _info functions in order. -# For standalone testing, you could uncomment the lines below. +# Dieser Block wird nur ausgeführt, wenn das Skript direkt aufgerufen wird, +# nicht wenn es von der Zamba Toolbox als Bibliothek geladen wird. +# Ideal für Standalone-Tests. +if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then + + if [ "$EUID" -ne 0 ]; then + echo "[ERROR] Dieses Skript muss als Root ausgeführt werden." + exit 1 + fi -# if [ "$EUID" -ne 0 ]; then -# echo "[ERROR] Dieses Skript muss als Root ausgeführt werden." -# exit 1 -# fi -# -# # Load constants if runn + # Lade Konstanten, wenn das Skript standalone läuft + if [ -f ./constants-service.conf ]; then + source ./constants-service.conf + else + echo "[ERROR] Die Datei 'constants-service.conf' wird für den Standalone-Betrieb benötigt." + exit 1 + fi + + # Setze einen Fallback-Hostnamen, falls ZAMBA_HOSTNAME nicht gesetzt ist + ZAMBA_HOSTNAME=${ZAMBA_HOSTNAME:-$(hostname -f)} + + # Aktiviere den Bash Strict Mode für eine sichere Ausführung + set -euo pipefail + + # Führe die Installationsphasen nacheinander aus + _install + _configure + _setup + _info + + set +euo pipefail + + exit 0 +fi From 6f1e4a94c9925560f32887a5b11fd2e07fcc61c2 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Wed, 23 Jul 2025 14:12:56 +0200 Subject: [PATCH 036/105] Update install-service.sh --- src/icinga2/install-service.sh | 55 ++++++++++++++++++++-------------- 1 file changed, 33 insertions(+), 22 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index 5fc001c..b63ae5d 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh 
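Review bot: `source ./constants-service.conf` in the new standalone block resolves against the caller's working directory, not the script's location, so running the file from elsewhere either fails the `-f` test or, worse, sources a different `constants-service.conf` that happens to be in the cwd and executes it as root. Resolve it from the script path: `script_dir=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)` and `source "${script_dir}/constants-service.conf"`. `set -euo pipefail` is only enabled on this path, so the phases run under stricter error semantics standalone than when the framework calls them; a plain command that fails aborts here but is ignored there, which is worth documenting or unifying. The `set +euo pipefail` before `exit 0` has no effect and can go.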
@@ -92,6 +92,7 @@ _install() { install_icinga_module "director" "icingaweb2-module-director" echo "[INFO] Systemd Services werden aktiviert." + # KORREKTUR: Der Service für InfluxDB v2 heißt 'influxdb', nicht 'influxdb2' systemctl enable --now icinga2 postgresql nginx php${PHP_VERSION}-fpm influxdb grafana-server } @@ -102,8 +103,8 @@ _configure() { echo "=================================================" echo "" - # 1. Passwörter und Credentials generieren und speichern - echo "[INFO] Passwörter und API-Keys werden generiert und in ${CRED_FILE} gespeichert." + # 1. Passwörter generieren + echo "[INFO] Passwörter und API-Keys werden generiert." ICINGAWEB_DB_PASS=$(_generate_local_password 24) DIRECTOR_DB_PASS=$(_generate_local_password 24) ICINGA_IDO_DB_PASS=$(_generate_local_password 24) 
@@ -111,8 +112,33 @@ _configure() { ICINGAWEB_ADMIN_PASS=$(_generate_local_password 16) GRAFANA_ADMIN_PASS=$(_generate_local_password 16) INFLUX_ADMIN_TOKEN=$(_generate_local_password 40) - INFLUX_ICINGA_TOKEN=$(_generate_local_password 40) + # 2. PostgreSQL konfigurieren + echo "[INFO] PostgreSQL wird konfiguriert." + sudo -u postgres psql -c "CREATE ROLE icingaweb2 WITH LOGIN PASSWORD '${ICINGAWEB_DB_PASS}';" &>/dev/null || echo "[INFO] Postgres-Rolle 'icingaweb2' existiert bereits." + sudo -u postgres psql -c "CREATE ROLE director WITH LOGIN PASSWORD '${DIRECTOR_DB_PASS}';" &>/dev/null || echo "[INFO] Postgres-Rolle 'director' existiert bereits." + sudo -u postgres psql -c "CREATE ROLE icinga_ido WITH LOGIN PASSWORD '${ICINGA_IDO_DB_PASS}';" &>/dev/null || echo "[INFO] Postgres-Rolle 'icinga_ido' existiert bereits." + sudo -u postgres createdb -O icingaweb2 icingaweb2 &>/dev/null || echo "[INFO] Postgres-DB 'icingaweb2' existiert bereits." + sudo -u postgres createdb -O director director &>/dev/null || echo "[INFO] Postgres-DB 'director' existiert bereits." + sudo -u postgres createdb -O icinga_ido icinga_ido &>/dev/null || echo "[INFO] Postgres-DB 'icinga_ido' existiert bereits." + sudo -u postgres psql -d icinga_ido -c "GRANT ALL ON SCHEMA public TO icinga_ido;" + + # 3. InfluxDB 2 konfigurieren und Icinga-Token generieren + echo "[INFO] InfluxDB 2 wird konfiguriert." + influx setup --skip-verify --username admin --password "$GRAFANA_ADMIN_PASS" --org icinga --bucket icinga --token "$INFLUX_ADMIN_TOKEN" -f + + echo "[INFO] Erstelle dedizierten InfluxDB Token für Icinga und Grafana." + # KORREKTUR: Der Parameter war '--all-access-org', korrekt ist '--all-access'. + # Die Logik wurde angepasst, um das von InfluxDB generierte Token zu verwenden. + INFLUX_ICINGA_TOKEN=$(influx auth create --org icinga --all-access --json | grep -oP '"token": "\K[^"]+') + if [ -z "$INFLUX_ICINGA_TOKEN" ]; then + echo "[ERROR] Konnte InfluxDB Token für Icinga nicht erstellen." 
>&2 + exit 1 + fi + echo "[INFO] InfluxDB Token erfolgreich erstellt." + + # 4. Credentials-Datei schreiben (jetzt sind alle Werte bekannt) + echo "[INFO] Zugangsdaten werden in ${CRED_FILE} gespeichert." mkdir -p "$(dirname "$CRED_FILE")" chmod 700 "$(dirname "$CRED_FILE")" { @@ -143,17 +169,7 @@ _configure() { } > "$CRED_FILE" chmod 600 "$CRED_FILE" - # 2. PostgreSQL konfigurieren - echo "[INFO] PostgreSQL wird konfiguriert." - sudo -u postgres psql -c "CREATE ROLE icingaweb2 WITH LOGIN PASSWORD '${ICINGAWEB_DB_PASS}';" &>/dev/null || echo "[INFO] Postgres-Rolle 'icingaweb2' existiert bereits." - sudo -u postgres psql -c "CREATE ROLE director WITH LOGIN PASSWORD '${DIRECTOR_DB_PASS}';" &>/dev/null || echo "[INFO] Postgres-Rolle 'director' existiert bereits." - sudo -u postgres psql -c "CREATE ROLE icinga_ido WITH LOGIN PASSWORD '${ICINGA_IDO_DB_PASS}';" &>/dev/null || echo "[INFO] Postgres-Rolle 'icinga_ido' existiert bereits." - sudo -u postgres createdb -O icingaweb2 icingaweb2 &>/dev/null || echo "[INFO] Postgres-DB 'icingaweb2' existiert bereits." - sudo -u postgres createdb -O director director &>/dev/null || echo "[INFO] Postgres-DB 'director' existiert bereits." - sudo -u postgres createdb -O icinga_ido icinga_ido &>/dev/null || echo "[INFO] Postgres-DB 'icinga_ido' existiert bereits." - sudo -u postgres psql -d icinga_ido -c "GRANT ALL ON SCHEMA public TO icinga_ido;" - - # 3. Icinga2 Konfigurationsdateien schreiben + # 5. Icinga2 Konfigurationsdateien schreiben echo "[INFO] Icinga2 Konfigurationsdateien werden geschrieben." bash -c "cat > /etc/icinga2/features-available/ido-pgsql.conf" < /etc/icingaweb2/resources.ini" < Date: Wed, 23 Jul 2025 14:28:34 +0200 Subject: [PATCH 037/105] Update install-service.sh --- src/icinga2/install-service.sh | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index b63ae5d..a56d154 100644 --- a/src/icinga2/install-service.sh 
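Review bot: `influx setup ... --username admin --password "$GRAFANA_ADMIN_PASS"` reuses the Grafana admin password as the InfluxDB admin password, so one leaked credential opens both services; generate a separate `INFLUX_ADMIN_PASS=$(_generate_local_password 16)` next to the other secrets and record it in the credentials file. The token created with `influx auth create --org icinga --all-access` is then handed to both the Icinga writer and Grafana, giving each full read/write on every bucket in the org; per-consumer scoped tokens (`--write-bucket` for Icinga, `--read-bucket` for Grafana) would limit what a compromised component can do. The `sudo -u postgres psql -c "CREATE ROLE ... PASSWORD '...'"` lines moved into this hunk keep the `&>/dev/null || echo "[INFO] ... existiert bereits."` pattern, which reports any failure — wrong socket, syntax error, permissions — as "already exists"; that applies to all six lines. Every secret here is passed as a command-line argument to `influx` or `psql` and is readable from the process list while the command runs.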
+++ b/src/icinga2/install-service.sh @@ -128,8 +128,6 @@ _configure() { influx setup --skip-verify --username admin --password "$GRAFANA_ADMIN_PASS" --org icinga --bucket icinga --token "$INFLUX_ADMIN_TOKEN" -f echo "[INFO] Erstelle dedizierten InfluxDB Token für Icinga und Grafana." - # KORREKTUR: Der Parameter war '--all-access-org', korrekt ist '--all-access'. - # Die Logik wurde angepasst, um das von InfluxDB generierte Token zu verwenden. INFLUX_ICINGA_TOKEN=$(influx auth create --org icinga --all-access --json | grep -oP '"token": "\K[^"]+') if [ -z "$INFLUX_ICINGA_TOKEN" ]; then echo "[ERROR] Konnte InfluxDB Token für Icinga nicht erstellen." >&2 @@ -258,6 +256,11 @@ EOF ln -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem fi + # KORREKTUR: Sicherstellen, dass der 'icinga'-Benutzer existiert, bevor er modifiziert wird. + if ! id -u icinga >/dev/null 2>&1; then + echo "[WARN] Systembenutzer 'icinga' nicht gefunden. Wird erstellt." + useradd --system --shell /usr/sbin/nologin --home-dir /var/lib/icinga2 icinga + fi # Icinga-Benutzer zur ssl-cert Gruppe hinzufügen, um den Schlüssel lesen zu können usermod -a -G ssl-cert icinga From 5b225b8fc54c141cabfa3edd29c0af466d7c4f20 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Wed, 23 Jul 2025 14:39:28 +0200 Subject: [PATCH 038/105] Update install-service.sh --- src/icinga2/install-service.sh | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index a56d154..613d404 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh 
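Review bot: Creating a system user `icinga` when `id -u icinga` fails likely papers over a different problem: on Debian the icinga2 package runs the daemon as `nagios`, so the following `usermod -a -G ssl-cert icinga` grants ssl-cert membership to an account the daemon never uses and the key stays unreadable for the real service account. Confirm with `icinga2 variable get RunAsUser` and use that value, e.g. `icinga_user=$(icinga2 variable get RunAsUser)` then `usermod -a -G ssl-cert "$icinga_user"`. If the service account really is missing, the run should fail loudly rather than log `[WARN]` and invent one, since an icinga2 package that did not create its user is a broken install.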
@@ -92,7 +92,7 @@ _install() { install_icinga_module "director" "icingaweb2-module-director" echo "[INFO] Systemd Services werden aktiviert." - # KORREKTUR: Der Service für InfluxDB v2 heißt 'influxdb', nicht 'influxdb2' + # Der Service für InfluxDB v2 heißt 'influxdb', nicht 'influxdb2' systemctl enable --now icinga2 postgresql nginx php${PHP_VERSION}-fpm influxdb grafana-server } @@ -228,7 +228,12 @@ EOF # 7. Grafana konfigurieren echo "[INFO] Grafana wird konfiguriert." + # KORREKTUR: Grafana-Dienst stoppen, um DB-Sperre zu vermeiden + echo "[INFO] Stoppe Grafana-Dienst für Passwort-Reset..." + systemctl stop grafana-server grafana-cli admin reset-admin-password "$GRAFANA_ADMIN_PASS" + echo "[INFO] Starte Grafana-Dienst neu." + systemctl start grafana-server mkdir -p /etc/grafana/provisioning/datasources bash -c "cat > /etc/grafana/provisioning/datasources/influxdb.yaml" </dev/null 2>&1; then echo "[WARN] Systembenutzer 'icinga' nicht gefunden. Wird erstellt." useradd --system --shell /usr/sbin/nologin --home-dir /var/lib/icinga2 icinga From 118bf3663c63f8be09c259d16a66bd5b4f89265a Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Wed, 23 Jul 2025 14:49:19 +0200 Subject: [PATCH 039/105] Update install-service.sh --- src/icinga2/install-service.sh | 54 +++++++++++++++++++++++++++------- 1 file changed, 43 insertions(+), 11 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index 613d404..b12ba72 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -65,7 +65,7 @@ _install() { apt-get install -y \ icinga2 icinga2-ido-pgsql \ nginx php${PHP_VERSION}-fpm php${PHP_VERSION}-pgsql php${PHP_VERSION}-intl php${PHP_VERSION}-imagick php${PHP_VERSION}-xml php${PHP_VERSION}-gd php${PHP_VERSION}-ldap \ - postgresql \ + postgresql postgresql-client \ influxdb2 \ grafana \ icingaweb2 icingacli 
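Review bot: `grafana-cli admin reset-admin-password "$GRAFANA_ADMIN_PASS"` puts the new admin password on the command line, where it is readable from the process list by any local user for the duration of the call; if the installed grafana-cli supports it, `grafana-cli admin reset-admin-password --password-from-stdin <<<"$GRAFANA_ADMIN_PASS"` keeps it out of argv. The surrounding `systemctl stop grafana-server` / `systemctl start grafana-server` pair also leaves Grafana stopped if the reset fails under `set -e`; check the reset's status and start the service on both paths. _configure's body continues on both sides of this hunk.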
@@ -228,7 +228,7 @@ EOF # 7. Grafana konfigurieren echo "[INFO] Grafana wird konfiguriert." - # KORREKTUR: Grafana-Dienst stoppen, um DB-Sperre zu vermeiden + # Grafana-Dienst stoppen, um DB-Sperre zu vermeiden echo "[INFO] Stoppe Grafana-Dienst für Passwort-Reset..." systemctl stop grafana-server grafana-cli admin reset-admin-password "$GRAFANA_ADMIN_PASS" 
@@ -338,23 +338,55 @@ _setup() { echo "=================================================" echo "" - # 1. Datenbank-Schemas importieren (BEVOR Icinga2 gestartet wird) + # 1. Warten, bis PostgreSQL bereit ist + echo "[INFO] Warte auf PostgreSQL-Dienst..." + while ! pg_isready -q -h localhost -U postgres; do + echo "[INFO] PostgreSQL ist noch nicht bereit, warte 2 Sekunden..." + sleep 2 + done + echo "[INFO] PostgreSQL ist bereit." + + # 2. Datenbank-Schemas importieren (als postgres-Benutzer für Robustheit) echo "[INFO] Datenbank-Schemas werden importiert." - sudo -u postgres psql -d icinga_ido -c "SELECT current_user;" # Warmup - PGPASSWORD="${ICINGA_IDO_DB_PASS}" psql -h localhost -U icinga_ido -d icinga_ido -f /usr/share/icinga2-ido-pgsql/schema/pgsql.sql &>/dev/null - PGPASSWORD="${ICINGAWEB_DB_PASS}" psql -h localhost -U icingaweb2 -d icingaweb2 -f /usr/share/icingaweb2/etc/schema/pgsql.schema.sql &>/dev/null - # 2. Icinga2 Features aktivieren (NACHDEM die DB bereit ist) + local IDO_SCHEMA="/usr/share/icinga2-ido-pgsql/schema/pgsql.sql" + local IWEB_SCHEMA="/usr/share/icingaweb2/etc/schema/pgsql.schema.sql" + + if [ ! -f "$IDO_SCHEMA" ]; then + echo "[ERROR] IDO-Schema-Datei nicht gefunden: $IDO_SCHEMA" >&2 + exit 1 + fi + if [ ! -f "$IWEB_SCHEMA" ]; then + echo "[ERROR] IcingaWeb-Schema-Datei nicht gefunden: $IWEB_SCHEMA" >&2 + exit 1 + fi + + # Prüfen, ob die Tabellen bereits existieren, um Idempotenz zu gewährleisten + if sudo -u postgres psql -d icinga_ido -tAc "SELECT 1 FROM information_schema.tables WHERE table_name = 'icinga_dbversion'" | grep -q 1; then + echo "[INFO] Icinga IDO-Schema scheint bereits importiert zu sein." + else + echo "[INFO] Importiere Icinga IDO-Schema..." 
+ sudo -u postgres psql -d icinga_ido -f "$IDO_SCHEMA" &>/dev/null + fi + + if sudo -u postgres psql -d icingaweb2 -tAc "SELECT 1 FROM information_schema.tables WHERE table_name = 'icingaweb_user'" | grep -q 1; then + echo "[INFO] IcingaWeb2-Schema scheint bereits importiert zu sein." + else + echo "[INFO] Importiere IcingaWeb2-Schema..." + sudo -u postgres psql -d icingaweb2 -f "$IWEB_SCHEMA" &>/dev/null + fi + + # 3. Icinga2 Features aktivieren (NACHDEM die DB bereit ist) echo "[INFO] Icinga2 Features werden aktiviert." icinga2 feature enable ido-pgsql api influxdb2-writer >/dev/null - # 3. Icinga Web 2 Module in korrekter Reihenfolge aktivieren + # 4. Icinga Web 2 Module in korrekter Reihenfolge aktivieren echo "[INFO] Icinga Web 2 Module werden aktiviert." icingacli module enable ipl icingacli module enable reactbundle icingacli module enable director - # 4. Alle Dienste neu starten + # 5. Alle Dienste neu starten echo "[INFO] Alle Services werden neu gestartet, um Konfigurationen zu laden." systemctl restart postgresql systemctl restart icinga2 @@ -362,7 +394,7 @@ _setup() { systemctl restart nginx systemctl restart grafana-server - # 5. Icinga Web 2 Setup ausführen (NACHDEM die Dienste laufen) + # 6. Icinga Web 2 Setup ausführen (NACHDEM die Dienste laufen) echo "[INFO] Icinga Web 2 Setup wird ausgeführt." ICINGAWEB_SETUP_TOKEN=$(icingacli setup token create) icingacli setup config webserver nginx --document-root /usr/share/icingaweb2/public @@ -373,7 +405,7 @@ _setup() { --backend-type ido --resource icinga_ido icingacli user add icingaadmin --password "$ICINGAWEB_ADMIN_PASS" --role "Administrators" - # 6. Director Setup ausführen (als letzter Schritt) + # 7. Director Setup ausführen (als letzter Schritt) echo "[INFO] Warte auf Icinga2 API..." sleep 15 # Gibt Icinga2 Zeit, vollständig zu starten echo "[INFO] Icinga Director Setup wird ausgeführt." From 5464e8cc6e26c9983d3e1add75b5a586b54481f9 Mon Sep 17 00:00:00 2001 
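Review bot: The `while ! pg_isready -q -h localhost -U postgres; do ... sleep 2; done` loop has no upper bound, so if PostgreSQL never becomes reachable the installer hangs forever instead of failing with a diagnosable error. Bound it: `for ((i = 0; i < 30; i++)); do pg_isready -q -h localhost -U postgres && break; sleep 2; done` followed by `pg_isready -q -h localhost -U postgres || { echo "[ERROR] PostgreSQL nicht erreichbar." >&2; exit 1; }`. The schema imports still run with `&>/dev/null`, so a failed import is silent and, because of the new existence check, is retried on the next run but never reported; drop the redirect or test the command's status. The `local IDO_SCHEMA=...` declarations are correct inside `_setup`, whose header lies outside the hunk.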
From: Thorsten Spille Date: Wed, 23 Jul 2025 15:16:16 +0200 Subject: [PATCH 040/105] Update install-service.sh --- src/icinga2/install-service.sh | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index b12ba72..85ed75f 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -350,14 +350,15 @@ _setup() { echo "[INFO] Datenbank-Schemas werden importiert." local IDO_SCHEMA="/usr/share/icinga2-ido-pgsql/schema/pgsql.sql" - local IWEB_SCHEMA="/usr/share/icingaweb2/etc/schema/pgsql.schema.sql" + # KORREKTUR: Korrekter Pfad zur komprimierten Schema-Datei + local IWEB_SCHEMA_GZ="/usr/share/doc/icingaweb2/schema/pgsql.schema.sql.gz" if [ ! -f "$IDO_SCHEMA" ]; then echo "[ERROR] IDO-Schema-Datei nicht gefunden: $IDO_SCHEMA" >&2 exit 1 fi - if [ ! -f "$IWEB_SCHEMA" ]; then - echo "[ERROR] IcingaWeb-Schema-Datei nicht gefunden: $IWEB_SCHEMA" >&2 + if [ ! -f "$IWEB_SCHEMA_GZ" ]; then + echo "[ERROR] IcingaWeb-Schema-Datei nicht gefunden: $IWEB_SCHEMA_GZ" >&2 exit 1 fi @@ -373,7 +374,8 @@ _setup() { echo "[INFO] IcingaWeb2-Schema scheint bereits importiert zu sein." else echo "[INFO] Importiere IcingaWeb2-Schema..." - sudo -u postgres psql -d icingaweb2 -f "$IWEB_SCHEMA" &>/dev/null + # Entpacke die Datei und leite sie per Pipe an psql weiter + gunzip -c "$IWEB_SCHEMA_GZ" | sudo -u postgres psql -d icingaweb2 &>/dev/null fi # 3. Icinga2 Features aktivieren (NACHDEM die DB bereit ist) From f0bdf0ede858ef637ffc36aaf59f13585d30cf5e Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Wed, 23 Jul 2025 15:59:51 +0200 Subject: [PATCH 041/105] Update install-service.sh --- src/icinga2/install-service.sh | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index 85ed75f..7767bd6 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh 
@@ -350,15 +350,15 @@ _setup() { echo "[INFO] Datenbank-Schemas werden importiert." local IDO_SCHEMA="/usr/share/icinga2-ido-pgsql/schema/pgsql.sql" - # KORREKTUR: Korrekter Pfad zur komprimierten Schema-Datei - local IWEB_SCHEMA_GZ="/usr/share/doc/icingaweb2/schema/pgsql.schema.sql.gz" + # KORREKTUR: Korrekter Pfad zur Schema-Datei für Icinga Web 2 + local IWEB_SCHEMA="/usr/share/icingaweb2/schema/pgsql.schema.sql" if [ ! -f "$IDO_SCHEMA" ]; then echo "[ERROR] IDO-Schema-Datei nicht gefunden: $IDO_SCHEMA" >&2 exit 1 fi - if [ ! -f "$IWEB_SCHEMA_GZ" ]; then - echo "[ERROR] IcingaWeb-Schema-Datei nicht gefunden: $IWEB_SCHEMA_GZ" >&2 + if [ ! -f "$IWEB_SCHEMA" ]; then + echo "[ERROR] IcingaWeb-Schema-Datei nicht gefunden: $IWEB_SCHEMA" >&2 exit 1 fi @@ -374,8 +374,7 @@ _setup() { echo "[INFO] IcingaWeb2-Schema scheint bereits importiert zu sein." else echo "[INFO] Importiere IcingaWeb2-Schema..." - # Entpacke die Datei und leite sie per Pipe an psql weiter - gunzip -c "$IWEB_SCHEMA_GZ" | sudo -u postgres psql -d icingaweb2 &>/dev/null + sudo -u postgres psql -d icingaweb2 -f "$IWEB_SCHEMA" &>/dev/null fi # 3. Icinga2 Features aktivieren (NACHDEM die DB bereit ist) From eb0a084fe122d62d9506f2eee484dfa89f2f11f6 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Wed, 23 Jul 2025 16:59:59 +0200 Subject: [PATCH 042/105] Update constants-service.conf --- src/icinga2/constants-service.conf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/icinga2/constants-service.conf b/src/icinga2/constants-service.conf index 6c87f99..0bb5011 100644 --- a/src/icinga2/constants-service.conf +++ b/src/icinga2/constants-service.conf 
@@ -8,10 +8,10 @@ # # --- Service Metadata --- -ZAMBA_SERVICE_NAME="Icinga2 Monitoring Stack" -ZAMBA_SERVICE_DESC="Installiert Icinga2, Icingaweb2, Director, Nginx, PostgreSQL, InfluxDB2 und Grafana." +ZAMBA_SERVICE_NAME="Icinga2 Monitoring Stack (MariaDB Edition)" +ZAMBA_SERVICE_DESC="Installiert Icinga2, Icingaweb2, Director, Nginx, MariaDB, InfluxDB2 und Grafana." # Tags zur besseren Filterung und Verwaltung des Containers -SERVICE_TAGS="monitoring,icinga,grafana,influxdb,nginx,postgresql" +SERVICE_TAGS="monitoring,icinga,grafana,influxdb,nginx,mariadb" # --- LXC Container Configuration --- From ae3bccb8ed4f1684b863e9488fa4a00cc665bc80 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Wed, 23 Jul 2025 17:00:18 +0200 Subject: [PATCH 043/105] Update install-service.sh --- src/icinga2/install-service.sh | 221 +++++++++------------------------ 1 file changed, 57 insertions(+), 164 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index 7767bd6..b162a8a 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -3,15 +3,12 @@ # Zamba LXC Toolbox - Service Installer # Service: icinga-stack # -# Description: Führt die Installation und Konfiguration des Icinga2 Stacks durch. +# Description: Führt die Installation und Konfiguration des Icinga2 Stacks mit MariaDB durch. # Dieses Skript ist eigenständig und verwendet nur Standard-OS-Befehle. # # --- Internal Helper Functions --- -# Diese Funktion ist skript-spezifisch und nicht Teil eines Frameworks. _generate_local_password() { - # Erzeugt eine sichere, zufällige Zeichenkette. - # $1: Länge der Zeichenkette openssl rand -base64 "$1" } @@ -21,7 +18,7 @@ _generate_local_password() { _install() { echo "" echo "=================================================" - echo " Phase 1: Installation der Pakete" + echo " Phase 1: Installation der Pakete (MariaDB Edition)" echo "=================================================" echo "" 
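Review bot: Dropping both comments in `_generate_local_password` leaves `openssl rand -base64 "$1"` undocumented, and the removed text was itself misleading: `$1` is a byte count, not the length of the result, so `_generate_local_password 16` yields a 24-character string and `40` yields 56, both ending in `==` padding and possibly containing `+` and `/`. Those values are later spliced into single-quoted SQL and PHP literals in other hunks on this page; base64 never contains a quote, which is the only reason that works, and a replacement comment should record that dependency. Suggest `# $1 = number of random bytes; output is base64 (~4/3 longer, charset A-Za-z0-9+/=), so it is safe inside single-quoted SQL/PHP literals` above the `openssl` line.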
@@ -35,27 +32,18 @@ _install() { if [ ! -f /etc/apt/sources.list.d/icinga.list ]; then curl -fsSL https://packages.icinga.com/icinga.key | gpg --dearmor -o /usr/share/keyrings/icinga-archive-keyring.gpg echo "deb [signed-by=/usr/share/keyrings/icinga-archive-keyring.gpg] https://packages.icinga.com/debian icinga-${OS_CODENAME} main" > /etc/apt/sources.list.d/icinga.list - echo "[INFO] Icinga Repository für ${OS_CODENAME} hinzugefügt." - else - echo "[INFO] Icinga Repository existiert bereits." fi # InfluxDB Repo if [ ! -f /etc/apt/sources.list.d/influxdata.list ]; then curl -fsSL https://repos.influxdata.com/influxdata-archive_compat.key | gpg --dearmor -o /usr/share/keyrings/influxdata-archive_compat-keyring.gpg echo "deb [signed-by=/usr/share/keyrings/influxdata-archive_compat-keyring.gpg] https://repos.influxdata.com/debian ${OS_CODENAME} stable" > /etc/apt/sources.list.d/influxdata.list - echo "[INFO] InfluxDB Repository für ${OS_CODENAME} hinzugefügt." - else - echo "[INFO] InfluxDB Repository existiert bereits." fi # Grafana Repo if [ ! -f /etc/apt/sources.list.d/grafana.list ]; then wget -q -O - https://apt.grafana.com/gpg.key | gpg --dearmor -o /usr/share/keyrings/grafana-archive-keyring.gpg echo "deb [signed-by=/usr/share/keyrings/grafana-archive-keyring.gpg] https://apt.grafana.com stable main" > /etc/apt/sources.list.d/grafana.list - echo "[INFO] Grafana Repository hinzugefügt." - else - echo "[INFO] Grafana Repository existiert bereits." fi echo "[INFO] Paketlisten werden erneut aktualisiert." 
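Review bot: In each of the three repository blocks the `echo "deb …" > /etc/apt/sources.list.d/….list` line runs regardless of whether the preceding `curl … | gpg --dearmor -o …` (or `wget -q -O - … | gpg …`) succeeded. `set -euo pipefail` is only switched on in the standalone block visible in a later hunk of this patch, so if these functions are sourced rather than run directly a failed key download leaves a list entry whose keyring is missing or empty, and the `[ ! -f ….list ]` guard then skips the retry on every later run. Chaining them, e.g. `curl -fsSL … | gpg --dearmor -o … && echo "deb …" > ….list`, makes the list file depend on the key; an explicit `|| { echo "[ERROR] …" >&2; exit 1; }` would report it. The removed else-branches were purely informational and are fine to drop.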
@@ -63,15 +51,14 @@ _install() { echo "[INFO] Hauptkomponenten werden installiert (PHP Version: ${PHP_VERSION})." apt-get install -y \ - icinga2 icinga2-ido-pgsql \ - nginx php${PHP_VERSION}-fpm php${PHP_VERSION}-pgsql php${PHP_VERSION}-intl php${PHP_VERSION}-imagick php${PHP_VERSION}-xml php${PHP_VERSION}-gd php${PHP_VERSION}-ldap \ - postgresql postgresql-client \ + icinga2 icinga2-ido-mysql \ + nginx php${PHP_VERSION}-fpm php${PHP_VERSION}-mysql php${PHP_VERSION}-intl php${PHP_VERSION}-imagick php${PHP_VERSION}-xml php${PHP_VERSION}-gd php${PHP_VERSION}-ldap \ + mariadb-server mariadb-client \ influxdb2 \ grafana \ icingaweb2 icingacli echo "[INFO] Icinga Web 2 Module (Abhängigkeiten für Director) werden installiert." - # Funktion zum Herunterladen und Entpacken von Modulen install_icinga_module() { local module_name="$1" local repo_name="$2" @@ -82,8 +69,6 @@ _install() { tar -C /usr/share/icingaweb2/modules -xzf "/tmp/${module_name}.tar.gz" mv "/usr/share/icingaweb2/modules/${repo_name}-"* "/usr/share/icingaweb2/modules/${module_name}" rm "/tmp/${module_name}.tar.gz" - else - echo "[INFO] Modul ${module_name} ist bereits installiert." fi } @@ -92,14 +77,13 @@ _install() { install_icinga_module "director" "icingaweb2-module-director" echo "[INFO] Systemd Services werden aktiviert." - # Der Service für InfluxDB v2 heißt 'influxdb', nicht 'influxdb2' - systemctl enable --now icinga2 postgresql nginx php${PHP_VERSION}-fpm influxdb grafana-server + systemctl enable --now icinga2 mariadb nginx php${PHP_VERSION}-fpm influxdb grafana-server } _configure() { echo "" echo "=================================================" - echo " Phase 2: Konfiguration der Komponenten" + echo " Phase 2: Konfiguration der Komponenten (MariaDB Edition)" echo "=================================================" echo "" 
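Review bot: `install_icinga_module` extracts from and deletes the fixed path `/tmp/${module_name}.tar.gz` (the `tar -C … -xzf` and `rm` lines in the second hunk); a predictable name in the shared `/tmp` is the classic pre-existing-file/symlink problem for an installer that runs as root, and the download that writes it sits between the two hunks, so I cannot see how it is created. Prefer `local tmp; tmp=$(mktemp) || return 1` at the top of the function and use `"$tmp"` for download, extraction and removal, with `rm -f -- "$tmp"` also on the failure path. The rest of the function body lies between the hunks.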
@@ -113,64 +97,42 @@ _configure() { GRAFANA_ADMIN_PASS=$(_generate_local_password 16) INFLUX_ADMIN_TOKEN=$(_generate_local_password 40) - # 2. PostgreSQL konfigurieren - echo "[INFO] PostgreSQL wird konfiguriert." - sudo -u postgres psql -c "CREATE ROLE icingaweb2 WITH LOGIN PASSWORD '${ICINGAWEB_DB_PASS}';" &>/dev/null || echo "[INFO] Postgres-Rolle 'icingaweb2' existiert bereits." - sudo -u postgres psql -c "CREATE ROLE director WITH LOGIN PASSWORD '${DIRECTOR_DB_PASS}';" &>/dev/null || echo "[INFO] Postgres-Rolle 'director' existiert bereits." - sudo -u postgres psql -c "CREATE ROLE icinga_ido WITH LOGIN PASSWORD '${ICINGA_IDO_DB_PASS}';" &>/dev/null || echo "[INFO] Postgres-Rolle 'icinga_ido' existiert bereits." - sudo -u postgres createdb -O icingaweb2 icingaweb2 &>/dev/null || echo "[INFO] Postgres-DB 'icingaweb2' existiert bereits." - sudo -u postgres createdb -O director director &>/dev/null || echo "[INFO] Postgres-DB 'director' existiert bereits." - sudo -u postgres createdb -O icinga_ido icinga_ido &>/dev/null || echo "[INFO] Postgres-DB 'icinga_ido' existiert bereits." - sudo -u postgres psql -d icinga_ido -c "GRANT ALL ON SCHEMA public TO icinga_ido;" + # 2. MariaDB konfigurieren + echo "[INFO] MariaDB wird konfiguriert." + mysql -e "CREATE DATABASE IF NOT EXISTS icingaweb2 CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;" + mysql -e "CREATE DATABASE IF NOT EXISTS director CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;" + mysql -e "CREATE DATABASE IF NOT EXISTS icinga_ido CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;" + + mysql -e "CREATE USER IF NOT EXISTS 'icingaweb2'@'localhost' IDENTIFIED BY '${ICINGAWEB_DB_PASS}';" + mysql -e "CREATE USER IF NOT EXISTS 'director'@'localhost' IDENTIFIED BY '${DIRECTOR_DB_PASS}';" + mysql -e "CREATE USER IF NOT EXISTS 'icinga_ido'@'localhost' IDENTIFIED BY '${ICINGA_IDO_DB_PASS}';" - # 3. 
InfluxDB 2 konfigurieren und Icinga-Token generieren + mysql -e "GRANT ALL PRIVILEGES ON icingaweb2.* TO 'icingaweb2'@'localhost';" + mysql -e "GRANT ALL PRIVILEGES ON director.* TO 'director'@'localhost';" + mysql -e "GRANT ALL PRIVILEGES ON icinga_ido.* TO 'icinga_ido'@'localhost';" + mysql -e "FLUSH PRIVILEGES;" + + # 3. InfluxDB 2 konfigurieren echo "[INFO] InfluxDB 2 wird konfiguriert." influx setup --skip-verify --username admin --password "$GRAFANA_ADMIN_PASS" --org icinga --bucket icinga --token "$INFLUX_ADMIN_TOKEN" -f - - echo "[INFO] Erstelle dedizierten InfluxDB Token für Icinga und Grafana." INFLUX_ICINGA_TOKEN=$(influx auth create --org icinga --all-access --json | grep -oP '"token": "\K[^"]+') - if [ -z "$INFLUX_ICINGA_TOKEN" ]; then - echo "[ERROR] Konnte InfluxDB Token für Icinga nicht erstellen." >&2 - exit 1 - fi - echo "[INFO] InfluxDB Token erfolgreich erstellt." + if [ -z "$INFLUX_ICINGA_TOKEN" ]; then echo "[ERROR] Konnte InfluxDB Token nicht erstellen." >&2; exit 1; fi - # 4. Credentials-Datei schreiben (jetzt sind alle Werte bekannt) + # 4. Credentials-Datei schreiben echo "[INFO] Zugangsdaten werden in ${CRED_FILE} gespeichert." 
- mkdir -p "$(dirname "$CRED_FILE")" - chmod 700 "$(dirname "$CRED_FILE")" + mkdir -p "$(dirname "$CRED_FILE")" && chmod 700 "$(dirname "$CRED_FILE")" { echo "# --- Icinga Monitoring Stack Credentials ---" - echo "# Automatisch generiert am $(date)" - echo "# OS: Debian ${OS_CODENAME}" - echo "" - echo "## Icinga Web 2" - echo "URL: https://${ZAMBA_HOSTNAME:-$(hostname -f)}/icingaweb2" - echo "Benutzer: icingaadmin" - echo "Passwort: ${ICINGAWEB_ADMIN_PASS}" - echo "" - echo "## Grafana" - echo "URL: https://${ZAMBA_HOSTNAME:-$(hostname -f)}/grafana" - echo "Benutzer: admin" - echo "Passwort: ${GRAFANA_ADMIN_PASS}" - echo "" - echo "## InfluxDB 2 (für API-Nutzung)" - echo "URL: http://localhost:8086" - echo "Admin Token: ${INFLUX_ADMIN_TOKEN}" - echo "Icinga Token: ${INFLUX_ICINGA_TOKEN}" - echo "Organisation: icinga" - echo "Bucket: icinga" - echo "" - echo "## Icinga2 Director API" - echo "Benutzer: director" - echo "Passwort: ${ICINGA_API_USER_PASS}" - } > "$CRED_FILE" - chmod 600 "$CRED_FILE" + echo "URL: https://${ZAMBA_HOSTNAME:-$(hostname -f)}/icingaweb2; Benutzer: icingaadmin; Passwort: ${ICINGAWEB_ADMIN_PASS}" + echo "URL: https://${ZAMBA_HOSTNAME:-$(hostname -f)}/grafana; Benutzer: admin; Passwort: ${GRAFANA_ADMIN_PASS}" + echo "InfluxDB Admin Token: ${INFLUX_ADMIN_TOKEN}" + echo "Icinga Director API: Benutzer: director; Passwort: ${ICINGA_API_USER_PASS}" + } > "$CRED_FILE" && chmod 600 "$CRED_FILE" # 5. Icinga2 Konfigurationsdateien schreiben echo "[INFO] Icinga2 Konfigurationsdateien werden geschrieben." - bash -c "cat > /etc/icinga2/features-available/ido-pgsql.conf" < /etc/icinga2/features-available/ido-mysql.conf" < /etc/icingaweb2/resources.ini" </dev/null 2>&1; then - echo "[WARN] Systembenutzer 'icinga' nicht gefunden. Wird erstellt." 
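Review bot: The `CREATE USER … IDENTIFIED BY '${…}'` and `GRANT` statements near the top of this hunk pass every database password as a `mysql -e` argument, so they are visible in the process list and in any `set -x` trace, and `CREATE USER IF NOT EXISTS` keeps the old password on a re-run while the freshly generated value is what gets written to `${CRED_FILE}` in this hunk and to `resources.ini` later in the patch, leaving the web stack unable to log in. Feed the statements to `mysql` on stdin and follow each `CREATE USER IF NOT EXISTS` with an `ALTER USER … IDENTIFIED BY` so the stored password always matches the files (sketch below). Separately, `{ … } > "$CRED_FILE" && chmod 600 "$CRED_FILE"` creates the secrets file under the default umask before tightening it; `install -m 600 /dev/null "$CRED_FILE"` before the redirection (or `umask 077` in a subshell) closes that window. The hunk starts after the other passwords are generated in `_configure`, which begins above it.
```shell
# … unchanged: CREATE DATABASE statements …
mysql <<SQL
CREATE USER IF NOT EXISTS 'icingaweb2'@'localhost' IDENTIFIED BY '${ICINGAWEB_DB_PASS}';
ALTER USER 'icingaweb2'@'localhost' IDENTIFIED BY '${ICINGAWEB_DB_PASS}';
CREATE USER IF NOT EXISTS 'director'@'localhost' IDENTIFIED BY '${DIRECTOR_DB_PASS}';
ALTER USER 'director'@'localhost' IDENTIFIED BY '${DIRECTOR_DB_PASS}';
CREATE USER IF NOT EXISTS 'icinga_ido'@'localhost' IDENTIFIED BY '${ICINGA_IDO_DB_PASS}';
ALTER USER 'icinga_ido'@'localhost' IDENTIFIED BY '${ICINGA_IDO_DB_PASS}';
GRANT ALL PRIVILEGES ON icingaweb2.* TO 'icingaweb2'@'localhost';
GRANT ALL PRIVILEGES ON director.* TO 'director'@'localhost';
GRANT ALL PRIVILEGES ON icinga_ido.* TO 'icinga_ido'@'localhost';
FLUSH PRIVILEGES;
SQL
# … unchanged: InfluxDB setup, credentials file, ido-mysql.conf …
```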
useradd --system --shell /usr/sbin/nologin --home-dir /var/lib/icinga2 icinga fi - # Icinga-Benutzer zur ssl-cert Gruppe hinzufügen, um den Schlüssel lesen zu können usermod -a -G ssl-cert icinga - # api.conf anpassen, um die Nginx/Snakeoil-Zertifikate zu verwenden bash -c "cat > /etc/icinga2/features-available/api.conf" < /etc/nginx/sites-available/icinga-stack" <&2 - exit 1 - fi - if [ ! -f "$IWEB_SCHEMA" ]; then - echo "[ERROR] IcingaWeb-Schema-Datei nicht gefunden: $IWEB_SCHEMA" >&2 - exit 1 - fi + if [ ! -f "$IDO_SCHEMA" ]; then echo "[ERROR] IDO-Schema nicht gefunden: $IDO_SCHEMA" >&2; exit 1; fi + if [ ! -f "$IWEB_SCHEMA" ]; then echo "[ERROR] IcingaWeb-Schema nicht gefunden: $IWEB_SCHEMA" >&2; exit 1; fi - # Prüfen, ob die Tabellen bereits existieren, um Idempotenz zu gewährleisten - if sudo -u postgres psql -d icinga_ido -tAc "SELECT 1 FROM information_schema.tables WHERE table_name = 'icinga_dbversion'" | grep -q 1; then + if mysql -e "use icinga_ido; show tables;" | grep -q "icinga_dbversion"; then echo "[INFO] Icinga IDO-Schema scheint bereits importiert zu sein." else echo "[INFO] Importiere Icinga IDO-Schema..." - sudo -u postgres psql -d icinga_ido -f "$IDO_SCHEMA" &>/dev/null + mysql icinga_ido < "$IDO_SCHEMA" fi - if sudo -u postgres psql -d icingaweb2 -tAc "SELECT 1 FROM information_schema.tables WHERE table_name = 'icingaweb_user'" | grep -q 1; then + if mysql -e "use icingaweb2; show tables;" | grep -q "icingaweb_user"; then echo "[INFO] IcingaWeb2-Schema scheint bereits importiert zu sein." else echo "[INFO] Importiere IcingaWeb2-Schema..." - sudo -u postgres psql -d icingaweb2 -f "$IWEB_SCHEMA" &>/dev/null + mysql icingaweb2 < "$IWEB_SCHEMA" fi - # 3. Icinga2 Features aktivieren (NACHDEM die DB bereit ist) echo "[INFO] Icinga2 Features werden aktiviert." - icinga2 feature enable ido-pgsql api influxdb2-writer >/dev/null + icinga2 feature enable ido-mysql api influxdb2-writer >/dev/null - # 4. 
Icinga Web 2 Module in korrekter Reihenfolge aktivieren echo "[INFO] Icinga Web 2 Module werden aktiviert." icingacli module enable ipl icingacli module enable reactbundle icingacli module enable director - # 5. Alle Dienste neu starten - echo "[INFO] Alle Services werden neu gestartet, um Konfigurationen zu laden." - systemctl restart postgresql + echo "[INFO] Alle Services werden neu gestartet." + systemctl restart mariadb systemctl restart icinga2 systemctl restart php${PHP_VERSION}-fpm systemctl restart nginx systemctl restart grafana-server - # 6. Icinga Web 2 Setup ausführen (NACHDEM die Dienste laufen) echo "[INFO] Icinga Web 2 Setup wird ausgeführt." ICINGAWEB_SETUP_TOKEN=$(icingacli setup token create) icingacli setup config webserver nginx --document-root /usr/share/icingaweb2/public icingacli setup --unattended --module icingaweb2 --setup-token "$ICINGAWEB_SETUP_TOKEN" \ - --db-type pgsql --db-host localhost --db-port 5432 --db-name icingaweb2 \ + --db-type mysql --db-host localhost --db-name icingaweb2 \ --db-user icingaweb2 --db-pass "$ICINGAWEB_DB_PASS" icingacli setup --unattended --module monitoring --setup-token "$ICINGAWEB_SETUP_TOKEN" \ --backend-type ido --resource icinga_ido icingacli user add icingaadmin --password "$ICINGAWEB_ADMIN_PASS" --role "Administrators" - # 7. Director Setup ausführen (als letzter Schritt) echo "[INFO] Warte auf Icinga2 API..." - sleep 15 # Gibt Icinga2 Zeit, vollständig zu starten + sleep 15 echo "[INFO] Icinga Director Setup wird ausgeführt." - icingacli director migration run # Importiert das Director DB Schema + icingacli director migration run icingacli director kickstart --endpoint localhost --user director --password "${ICINGA_API_USER_PASS}" icingacli director config set 'endpoint' 'localhost' --user 'director' --password "${ICINGA_API_USER_PASS}" icingacli director automation run 
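Review bot: The idempotence checks `mysql -e "use icinga_ido; show tables;" | grep -q "icinga_dbversion"` and `… | grep -q "icingaweb_user"` are substring matches, so any table whose name merely contains that string (one that starts with `icingaweb_user` is enough) marks the schema as imported and the import is skipped; `grep -qx` pins the whole table name. The same two lines are rewritten as `if ! …` in patch 047 (`@@ -268,16 +268,12`) and carry the check over unchanged. Dropping `&>/dev/null` from the `mysql … < "$SCHEMA"` imports is an improvement, since errors now propagate. This `_setup` hunk begins mid-function and its header is lost in this rendering.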
@@ -434,44 +345,26 @@ _info() { echo " Icinga Web 2: https://${ZAMBA_HOSTNAME:-$(hostname -f)}/icingaweb2" echo " Grafana: https://${ZAMBA_HOSTNAME:-$(hostname -f)}/grafana" echo "" - echo "Hinweis zu TLS: Der Server verwendet aktuell die Icinga2-eigenen, selbst-signierten Zertifikate." - echo "Wenn Sie externe Zertifikate (z.B. von Let's Encrypt) verwenden möchten," - echo "passen Sie die Pfade in /etc/nginx/sites-available/icinga-stack und /etc/icinga2/features-available/api.conf an und starten Sie die Dienste neu." - echo "" } # --- Main Execution Logic --- -# Dieser Block wird nur ausgeführt, wenn das Skript direkt aufgerufen wird, -# nicht wenn es von der Zamba Toolbox als Bibliothek geladen wird. -# Ideal für Standalone-Tests. if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then - if [ "$EUID" -ne 0 ]; then echo "[ERROR] Dieses Skript muss als Root ausgeführt werden." exit 1 fi - - # Lade Konstanten, wenn das Skript standalone läuft if [ -f ./constants-service.conf ]; then source ./constants-service.conf else echo "[ERROR] Die Datei 'constants-service.conf' wird für den Standalone-Betrieb benötigt." exit 1 fi - - # Setze einen Fallback-Hostnamen, falls ZAMBA_HOSTNAME nicht gesetzt ist ZAMBA_HOSTNAME=${ZAMBA_HOSTNAME:-$(hostname -f)} - - # Aktiviere den Bash Strict Mode für eine sichere Ausführung set -euo pipefail - - # Führe die Installationsphasen nacheinander aus _install _configure _setup _info - set +euo pipefail - exit 0 fi From f8e3fe0af2fed72bd8dfb1d92c8fbcb9325e920b Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Wed, 23 Jul 2025 17:10:09 +0200 Subject: [PATCH 044/105] Update install-service.sh --- src/icinga2/install-service.sh | 26 ++++++++------------------ 1 file changed, 8 insertions(+), 18 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index b162a8a..14d0961 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh 
@@ -74,6 +74,7 @@ _install() { install_icinga_module "ipl" "icingaweb2-module-ipl" install_icinga_module "reactbundle" "icingaweb2-module-reactbundle" + install_icinga_module "incubator" "icingaweb2-module-incubator" install_icinga_module "director" "icingaweb2-module-director" echo "[INFO] Systemd Services werden aktiviert." @@ -202,29 +203,14 @@ datasources: EOF chown grafana:grafana /etc/grafana/provisioning/datasources/influxdb.yaml - # 8. Nginx und Icinga2 API TLS Konfiguration - echo "[INFO] Nginx und Icinga2 API für TLS werden konfiguriert." + # 8. Nginx TLS Konfiguration + echo "[INFO] Nginx für TLS wird konfiguriert." mkdir -p /etc/nginx/ssl if [ ! -L /etc/nginx/ssl/fullchain.pem ]; then ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/fullchain.pem ln -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem fi - if ! id -u icinga >/dev/null 2>&1; then - useradd --system --shell /usr/sbin/nologin --home-dir /var/lib/icinga2 icinga - fi - usermod -a -G ssl-cert icinga - - bash -c "cat > /etc/icinga2/features-available/api.conf" < /etc/nginx/sites-available/icinga-stack" </dev/null - echo "[INFO] Icinga Web 2 Module werden aktiviert." + echo "[INFO] Icinga Web 2 Module werden in korrekter Reihenfolge aktiviert." icingacli module enable ipl icingacli module enable reactbundle + icingacli module enable incubator icingacli module enable director echo "[INFO] Alle Services werden neu gestartet." From 8d89d61de31484232dca9d45b751ddff24d650cb Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Wed, 23 Jul 2025 17:18:32 +0200 Subject: [PATCH 045/105] Update install-service.sh --- src/icinga2/install-service.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index 14d0961..f3d89d6 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh 
@@ -146,12 +146,13 @@ object ApiUser "director" { permissions = [ "object/modify/*", "object/query/*", "status/query", "actions/*", "events/*" ] } EOF + # KORREKTUR: 'token' wurde zu 'auth_token' geändert. bash -c "cat > /etc/icinga2/features-available/influxdb2-writer.conf" < Date: Wed, 23 Jul 2025 17:34:23 +0200 Subject: [PATCH 046/105] fix icingacli error --- src/icinga2/install-service.sh | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index f3d89d6..048dd2e 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -146,7 +146,6 @@ object ApiUser "director" { permissions = [ "object/modify/*", "object/query/*", "status/query", "actions/*", "events/*" ] } EOF - # KORREKTUR: 'token' wurde zu 'auth_token' geändert. bash -c "cat > /etc/icinga2/features-available/influxdb2-writer.conf" < Date: Wed, 23 Jul 2025 17:49:48 +0200 Subject: [PATCH 047/105] Fix icingacli error --- src/icinga2/install-service.sh | 60 ++++++++++++++++++++++------------ 1 file changed, 40 insertions(+), 20 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index 048dd2e..714a1ef 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh 
@@ -268,16 +268,12 @@ _setup() { if [ ! -f "$IDO_SCHEMA" ]; then echo "[ERROR] IDO-Schema nicht gefunden: $IDO_SCHEMA" >&2; exit 1; fi if [ ! -f "$IWEB_SCHEMA" ]; then echo "[ERROR] IcingaWeb-Schema nicht gefunden: $IWEB_SCHEMA" >&2; exit 1; fi - if mysql -e "use icinga_ido; show tables;" | grep -q "icinga_dbversion"; then - echo "[INFO] Icinga IDO-Schema scheint bereits importiert zu sein." - else + if ! mysql -e "use icinga_ido; show tables;" | grep -q "icinga_dbversion"; then echo "[INFO] Importiere Icinga IDO-Schema..." mysql icinga_ido < "$IDO_SCHEMA" fi - if mysql -e "use icingaweb2; show tables;" | grep -q "icingaweb_user"; then - echo "[INFO] IcingaWeb2-Schema scheint bereits importiert zu sein." - else + if ! mysql -e "use icingaweb2; show tables;" | grep -q "icingaweb_user"; then echo "[INFO] Importiere IcingaWeb2-Schema..." mysql icingaweb2 < "$IWEB_SCHEMA" fi @@ -291,6 +287,44 @@ _setup() { icingacli module enable incubator icingacli module enable director + # KORREKTUR: Die fehlerhaften 'icingacli setup' Befehle werden durch + # das manuelle Erstellen der Konfigurationsdateien ersetzt. + echo "[INFO] Erstelle Icinga Web 2 Kernkonfiguration." + bash -c "cat > /etc/icingaweb2/config.ini" < /etc/icingaweb2/authentication.ini" < /etc/icingaweb2/roles.ini" < /etc/icingaweb2/modules/monitoring/config.ini" < Date: Wed, 23 Jul 2025 19:06:06 +0200 Subject: [PATCH 048/105] fix icinga user add error --- src/icinga2/install-service.sh | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index 714a1ef..fcde1f6 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh 
@@ -287,8 +287,6 @@ _setup() { icingacli module enable incubator icingacli module enable director - # KORREKTUR: Die fehlerhaften 'icingacli setup' Befehle werden durch - # das manuelle Erstellen der Konfigurationsdateien ersetzt. echo "[INFO] Erstelle Icinga Web 2 Kernkonfiguration." bash -c "cat > /etc/icingaweb2/config.ini" < Date: Wed, 23 Jul 2025 19:21:18 +0200 Subject: [PATCH 049/105] fix user creation --- src/icinga2/install-service.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index fcde1f6..ae07d9c 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -327,10 +327,11 @@ EOF systemctl restart nginx systemctl restart grafana-server - # KORREKTUR: Der 'user add' Befehl wird NACH dem Neustart der Dienste ausgeführt. - echo "[INFO] Füge Icinga Web 2 Admin-Benutzer hinzu." - icingacli user add icingaadmin --password "$ICINGAWEB_ADMIN_PASS" - + # KORREKTUR: Füge den Admin-Benutzer direkt in die Datenbank ein. + echo "[INFO] Füge Icinga Web 2 Admin-Benutzer direkt in die Datenbank ein." + local PASSWORD_HASH=$(icingacli security account password-hash --password "${ICINGAWEB_ADMIN_PASS}") + mysql icingaweb2 -e "INSERT INTO icingaweb_user (name, active, password_hash) VALUES ('icingaadmin', 1, '${PASSWORD_HASH}') ON DUPLICATE KEY UPDATE password_hash='${PASSWORD_HASH}';" + echo "[INFO] Warte auf Icinga2 API..." sleep 15 echo "[INFO] Icinga Director Setup wird ausgeführt." From 6b1ec7c60a5c50f1ca4afa2519e76d8dbdf51296 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Wed, 23 Jul 2025 20:50:03 +0200 Subject: [PATCH 050/105] next fix --- src/icinga2/install-service.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index ae07d9c..79ad3c3 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh 
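Review bot: `local PASSWORD_HASH=$(icingacli security account password-hash --password "${ICINGAWEB_ADMIN_PASS}")` masks the command's exit status (the `local` builtin returns 0), so under `set -e` a failing hash command does not abort and the following `INSERT … ON DUPLICATE KEY UPDATE password_hash='${PASSWORD_HASH}'` stores an empty hash for `icingaadmin`. Split the declaration and guard the value: `local PASSWORD_HASH`, `PASSWORD_HASH=$(icingacli security account password-hash --password "${ICINGAWEB_ADMIN_PASS}") || exit 1`, `[ -n "$PASSWORD_HASH" ] || { echo "[ERROR] Passwort-Hash ist leer." >&2; exit 1; }`. The same `local X=$(…)` form is kept when patch 050 swaps the command for `php -r`, so the fix applies there too. The enclosing function continues outside the hunk.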
@@ -327,9 +327,9 @@ EOF systemctl restart nginx systemctl restart grafana-server - # KORREKTUR: Füge den Admin-Benutzer direkt in die Datenbank ein. + # KORREKTUR: Erzeuge den Passwort-Hash mit PHP und füge den Benutzer direkt in die DB ein. echo "[INFO] Füge Icinga Web 2 Admin-Benutzer direkt in die Datenbank ein." - local PASSWORD_HASH=$(icingacli security account password-hash --password "${ICINGAWEB_ADMIN_PASS}") + local PASSWORD_HASH=$(php -r "echo password_hash('${ICINGAWEB_ADMIN_PASS}', PASSWORD_BCRYPT);") mysql icingaweb2 -e "INSERT INTO icingaweb_user (name, active, password_hash) VALUES ('icingaadmin', 1, '${PASSWORD_HASH}') ON DUPLICATE KEY UPDATE password_hash='${PASSWORD_HASH}';" echo "[INFO] Warte auf Icinga2 API..." From 2bf7ae3becff421246c4fbb36ebd9efa989040d6 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Wed, 23 Jul 2025 21:00:52 +0200 Subject: [PATCH 051/105] bugfix --- src/icinga2/install-service.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index 79ad3c3..23ed965 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -327,7 +327,6 @@ EOF systemctl restart nginx systemctl restart grafana-server - # KORREKTUR: Erzeuge den Passwort-Hash mit PHP und füge den Benutzer direkt in die DB ein. echo "[INFO] Füge Icinga Web 2 Admin-Benutzer direkt in die Datenbank ein." local PASSWORD_HASH=$(php -r "echo password_hash('${ICINGAWEB_ADMIN_PASS}', PASSWORD_BCRYPT);") mysql icingaweb2 -e "INSERT INTO icingaweb_user (name, active, password_hash) VALUES ('icingaadmin', 1, '${PASSWORD_HASH}') ON DUPLICATE KEY UPDATE password_hash='${PASSWORD_HASH}';" 
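Review bot: `php -r "echo password_hash('${ICINGAWEB_ADMIN_PASS}', PASSWORD_BCRYPT);"` splices the password into PHP source text, so any `'` or `\` in the value breaks or alters the script, and the cleartext password sits in the `php` process's argument list. The value currently comes from `openssl rand -base64` (no quotes), which is why this works today, but nothing on the line enforces it. Pass it out-of-band instead: `PASSWORD_HASH=$(ICINGAWEB_ADMIN_PASS="$ICINGAWEB_ADMIN_PASS" php -r 'echo password_hash(getenv("ICINGAWEB_ADMIN_PASS"), PASSWORD_BCRYPT);')`. The `local PASSWORD_HASH=$(…)` form also still hides a non-zero exit from `php`, so an empty hash would be inserted without any error.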
@@ -335,8 +334,9 @@ EOF echo "[INFO] Warte auf Icinga2 API..." sleep 15 echo "[INFO] Icinga Director Setup wird ausgeführt." - icingacli director migration run + # KORREKTUR: Reihenfolge der Director-Befehle getauscht icingacli director kickstart --endpoint localhost --user director --password "${ICINGA_API_USER_PASS}" + icingacli director migration run icingacli director config set 'endpoint' 'localhost' --user 'director' --password "${ICINGA_API_USER_PASS}" icingacli director automation run echo "[INFO] Director Konfiguration wird angewendet." From c597f1570bc86ecf04f3e94f69f850701e7a7d31 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Wed, 23 Jul 2025 21:11:19 +0200 Subject: [PATCH 052/105] bugfix --- src/icinga2/install-service.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index 23ed965..ca429ee 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -334,8 +334,8 @@ EOF echo "[INFO] Warte auf Icinga2 API..." sleep 15 echo "[INFO] Icinga Director Setup wird ausgeführt." - # KORREKTUR: Reihenfolge der Director-Befehle getauscht - icingacli director kickstart --endpoint localhost --user director --password "${ICINGA_API_USER_PASS}" + # KORREKTUR: 'run' wurde zum kickstart-Befehl hinzugefügt. + icingacli director kickstart run --endpoint localhost --user director --password "${ICINGA_API_USER_PASS}" icingacli director migration run icingacli director config set 'endpoint' 'localhost' --user 'director' --password "${ICINGA_API_USER_PASS}" icingacli director automation run From a3937b23a374811970975682f2f0c0744a93214b Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Wed, 23 Jul 2025 21:22:24 +0200 Subject: [PATCH 053/105] bug --- src/icinga2/install-service.sh | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index ca429ee..7b94fde 100644 
--- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -264,9 +264,12 @@ _setup() { echo "[INFO] Datenbank-Schemas werden importiert." local IDO_SCHEMA="/usr/share/icinga2-ido-mysql/schema/mysql.sql" local IWEB_SCHEMA="/usr/share/icingaweb2/schema/mysql.schema.sql" + # KORREKTUR: Pfad zum Director-Schema hinzugefügt + local DIRECTOR_SCHEMA="/usr/share/icingaweb2/modules/director/schema/mysql.sql" if [ ! -f "$IDO_SCHEMA" ]; then echo "[ERROR] IDO-Schema nicht gefunden: $IDO_SCHEMA" >&2; exit 1; fi if [ ! -f "$IWEB_SCHEMA" ]; then echo "[ERROR] IcingaWeb-Schema nicht gefunden: $IWEB_SCHEMA" >&2; exit 1; fi + if [ ! -f "$DIRECTOR_SCHEMA" ]; then echo "[ERROR] Director-Schema nicht gefunden: $DIRECTOR_SCHEMA" >&2; exit 1; fi if ! mysql -e "use icinga_ido; show tables;" | grep -q "icinga_dbversion"; then echo "[INFO] Importiere Icinga IDO-Schema..." @@ -278,6 +281,12 @@ _setup() { mysql icingaweb2 < "$IWEB_SCHEMA" fi + # KORREKTUR: Director-Schema wird manuell importiert. + if ! mysql -e "use director; show tables;" | grep -q "director_datafield"; then + echo "[INFO] Importiere Icinga Director-Schema..." + mysql director < "$DIRECTOR_SCHEMA" + fi + echo "[INFO] Icinga2 Features werden aktiviert." icinga2 feature enable ido-mysql api influxdb2-writer >/dev/null @@ -334,8 +343,7 @@ EOF echo "[INFO] Warte auf Icinga2 API..." sleep 15 echo "[INFO] Icinga Director Setup wird ausgeführt." - # KORREKTUR: 'run' wurde zum kickstart-Befehl hinzugefügt. - icingacli director kickstart run --endpoint localhost --user director --password "${ICINGA_API_USER_PASS}" + # KORREKTUR: kickstart wird nicht mehr benötigt, da das Schema manuell importiert wurde. icingacli director migration run icingacli director config set 'endpoint' 'localhost' --user 'director' --password "${ICINGA_API_USER_PASS}" icingacli director automation run From 48e17da745cb1adce9e87e628606ce95e013a38f Mon Sep 17 00:00:00 2001 
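Review bot: The new block `if ! mysql -e "use director; show tables;" | grep -q "director_datafield"; then … mysql director < "$DIRECTOR_SCHEMA"` loads the Director schema by hand while the third hunk keeps `icingacli director migration run`, which as far as I know is the supported way to create and upgrade that schema; running both means the same DDL can be applied twice and the migration bookkeeping may not match the imported file. I would drop the manual import (and the `DIRECTOR_SCHEMA` existence check) and let `migration run` own the schema, or, if the manual import stays, use `grep -qx` so a partial table name cannot satisfy the check. The `kickstart run` line removed here is reinstated in the next patch, so the intended order of the Director steps is still unsettled at this point.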
From: Thorsten Spille Date: Wed, 23 Jul 2025 21:32:47 +0200 Subject: [PATCH 054/105] fix --- src/icinga2/install-service.sh | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index 7b94fde..0bc2b4f 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -264,7 +264,6 @@ _setup() { echo "[INFO] Datenbank-Schemas werden importiert." local IDO_SCHEMA="/usr/share/icinga2-ido-mysql/schema/mysql.sql" local IWEB_SCHEMA="/usr/share/icingaweb2/schema/mysql.schema.sql" - # KORREKTUR: Pfad zum Director-Schema hinzugefügt local DIRECTOR_SCHEMA="/usr/share/icingaweb2/modules/director/schema/mysql.sql" if [ ! -f "$IDO_SCHEMA" ]; then echo "[ERROR] IDO-Schema nicht gefunden: $IDO_SCHEMA" >&2; exit 1; fi @@ -281,7 +280,6 @@ _setup() { mysql icingaweb2 < "$IWEB_SCHEMA" fi - # KORREKTUR: Director-Schema wird manuell importiert. if ! mysql -e "use director; show tables;" | grep -q "director_datafield"; then echo "[INFO] Importiere Icinga Director-Schema..." mysql director < "$DIRECTOR_SCHEMA" @@ -343,7 +341,8 @@ EOF echo "[INFO] Warte auf Icinga2 API..." sleep 15 echo "[INFO] Icinga Director Setup wird ausgeführt." - # KORREKTUR: kickstart wird nicht mehr benötigt, da das Schema manuell importiert wurde. + # KORREKTUR: Reihenfolge der Director-Befehle getauscht + icingacli director kickstart run --endpoint localhost --user director --password "${ICINGA_API_USER_PASS}" icingacli director migration run icingacli director config set 'endpoint' 'localhost' --user 'director' --password "${ICINGA_API_USER_PASS}" icingacli director automation run From 9ca71706556bcb344935eca9cb7792c801ad4972 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Wed, 23 Jul 2025 21:47:01 +0200 Subject: [PATCH 055/105] fix --- src/icinga2/install-service.sh | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) 
diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index 0bc2b4f..98b27ee 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -325,6 +325,18 @@ EOF [backend] type = "ido" resource = "icinga_ido" +EOF + + # KORREKTUR: Director API-Verbindung wird direkt in die Konfigurationsdatei geschrieben. + mkdir -p /etc/icingaweb2/modules/director + bash -c "cat > /etc/icingaweb2/modules/director/config.ini" < Date: Wed, 23 Jul 2025 22:00:50 +0200 Subject: [PATCH 056/105] fix --- src/icinga2/install-service.sh | 38 +++++++++++++++++++--------------- 1 file changed, 21 insertions(+), 17 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index 98b27ee..d72c47c 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh 
@@ -288,12 +288,6 @@ _setup() { echo "[INFO] Icinga2 Features werden aktiviert." icinga2 feature enable ido-mysql api influxdb2-writer >/dev/null - echo "[INFO] Icinga Web 2 Module werden in korrekter Reihenfolge aktiviert." - icingacli module enable ipl - icingacli module enable reactbundle - icingacli module enable incubator - icingacli module enable director - echo "[INFO] Erstelle Icinga Web 2 Kernkonfiguration." bash -c "cat > /etc/icingaweb2/config.ini" < /etc/icingaweb2/modules/director/config.ini" </dev/null 2>&1; do + counter=$((counter + 1)) + if [ "$counter" -gt 15 ]; then + echo "[ERROR] Icinga Director wurde nach 30 Sekunden nicht bereit." >&2 + exit 1 + fi + echo "[INFO] Director ist noch nicht bereit, warte 2 Sekunden... (Versuch ${counter}/15)" + sleep 2 + done + echo "[INFO] Icinga Director ist bereit." + echo "[INFO] Icinga Director Setup wird ausgeführt." - # KORREKTUR: kickstart wird nicht mehr benötigt. - icingacli director migration run - icingacli director automation run + icingacli director config set 'endpoint' 'localhost' --user 'director' --password "${ICINGA_API_USER_PASS}" echo "[INFO] Director Konfiguration wird angewendet." icingacli director config deploy } From e39f81be4b31f6e3cf9eea446cd69265ea0eebf8 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Wed, 23 Jul 2025 22:35:44 +0200 Subject: [PATCH 057/105] fix --- src/icinga2/install-service.sh | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index d72c47c..f368c29 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh 
@@ -345,7 +345,6 @@ EOF mysql icingaweb2 -e "INSERT INTO icingaweb_user (name, active, password_hash) VALUES ('icingaadmin', 1, '${PASSWORD_HASH}') ON DUPLICATE KEY UPDATE password_hash='${PASSWORD_HASH}';" echo "[INFO] Warte auf Icinga Web 2 und API..." - # KORREKTUR: Robuste Warteschleife, die prüft, ob der Director bereit ist local counter=0 while ! icingacli director migration run >/dev/null 2>&1; do counter=$((counter + 1)) @@ -359,7 +358,17 @@ EOF echo "[INFO] Icinga Director ist bereit." echo "[INFO] Icinga Director Setup wird ausgeführt." - icingacli director config set 'endpoint' 'localhost' --user 'director' --password "${ICINGA_API_USER_PASS}" + # KORREKTUR: Der Befehl 'icingacli director config set' ist falsch. Die Konfiguration + # wird stattdessen direkt in die Datei geschrieben. + bash -c "cat > /etc/icingaweb2/modules/director/kickstart.ini" < Date: Thu, 24 Jul 2025 20:12:51 +0200 Subject: [PATCH 058/105] fix --- src/icinga2/install-service.sh | 27 +++++++++++++++++++++++---- 1 file changed, 23 insertions(+), 4 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index f368c29..68029c8 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -153,6 +153,25 @@ object Influxdb2Writer "influxdb2-writer" { bucket = "icinga" auth_token = "${INFLUX_ICINGA_TOKEN}" } +EOF + # KORREKTUR: Essenzielle Zonen-Konfiguration für den Master erstellen + echo "[INFO] Erstelle Icinga2 Zonen-Konfiguration." + local FQDN=$(hostname -f) + bash -c "cat > /etc/icinga2/zones.conf" < /etc/icingaweb2/modules/director/kickstart.ini" < Date: Thu, 24 Jul 2025 20:30:44 +0200 Subject: [PATCH 059/105] fix --- src/icinga2/install-service.sh | 28 +++++++--------------------- 1 file changed, 7 insertions(+), 21 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index 68029c8..27da47f 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh 
@@ -52,30 +52,16 @@ _install() { echo "[INFO] Hauptkomponenten werden installiert (PHP Version: ${PHP_VERSION})." apt-get install -y \ icinga2 icinga2-ido-mysql \ - nginx php${PHP_VERSION}-fpm php${PHP_VERSION}-mysql php${PHP_VERSION}-intl php${PHP_VERSION}-imagick php${PHP_VERSION}-xml php${PHP_VERSION}-gd php${PHP_VERSION}-ldap \ + nginx php${PHP_VERSION}-fpm php${PHP_VERSION}-mysql php${PHP_VERSION}-intl php${PHP_VERSION}-xml php${PHP_VERSION}-gd php${PHP_VERSION}-ldap php${PHP_VERSION}-imagick \ mariadb-server mariadb-client \ influxdb2 \ grafana \ - icingaweb2 icingacli - - echo "[INFO] Icinga Web 2 Module (Abhängigkeiten für Director) werden installiert." - install_icinga_module() { - local module_name="$1" - local repo_name="$2" - if [ ! -d "/usr/share/icingaweb2/modules/${module_name}" ]; then - echo "[INFO] Installiere Modul: ${module_name}" - local version=$(curl -s "https://api.github.com/repos/Icinga/${repo_name}/releases/latest" | grep -Po '"tag_name": "v\K[0-9.]+') - wget -O "/tmp/${module_name}.tar.gz" "https://github.com/Icinga/${repo_name}/archive/refs/tags/v${version}.tar.gz" - tar -C /usr/share/icingaweb2/modules -xzf "/tmp/${module_name}.tar.gz" - mv "/usr/share/icingaweb2/modules/${repo_name}-"* "/usr/share/icingaweb2/modules/${module_name}" - rm "/tmp/${module_name}.tar.gz" - fi - } - - install_icinga_module "ipl" "icingaweb2-module-ipl" - install_icinga_module "reactbundle" "icingaweb2-module-reactbundle" - install_icinga_module "incubator" "icingaweb2-module-incubator" - install_icinga_module "director" "icingaweb2-module-director" + imagemagick \ + icingaweb2 icingacli \ + icinga-php-library \ + icingaweb2-module-reactbundle \ + icingaweb2-module-incubator \ + icinga-director echo "[INFO] Systemd Services werden aktiviert." systemctl enable --now icinga2 mariadb nginx php${PHP_VERSION}-fpm influxdb grafana-server From a98469f6be9c32c6b99e9d150e966a85813bfc14 Mon Sep 17 00:00:00 2001 
From: Thorsten Spille Date: Thu, 24 Jul 2025 20:43:02 +0200 Subject: [PATCH 060/105] fix --- src/icinga2/install-service.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index 27da47f..442078a 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -60,7 +60,6 @@ _install() { icingaweb2 icingacli \ icinga-php-library \ icingaweb2-module-reactbundle \ - icingaweb2-module-incubator \ icinga-director echo "[INFO] Systemd Services werden aktiviert." @@ -335,7 +334,7 @@ EOF echo "[INFO] Icinga Web 2 Module werden in korrekter Reihenfolge aktiviert." icingacli module enable ipl icingacli module enable reactbundle - icingacli module enable incubator + # incubator wird als Abhängigkeit von director via apt installiert und muss nicht manuell aktiviert werden icingacli module enable director echo "[INFO] Alle Services werden neu gestartet." From cf190242777fc5188aa352c16129e81135f152cc Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Thu, 24 Jul 2025 20:51:13 +0200 Subject: [PATCH 061/105] fix --- src/icinga2/install-service.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index 442078a..723c390 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -332,7 +332,6 @@ resource = "director_db" EOF echo "[INFO] Icinga Web 2 Module werden in korrekter Reihenfolge aktiviert." - icingacli module enable ipl icingacli module enable reactbundle # incubator wird als Abhängigkeit von director via apt installiert und muss nicht manuell aktiviert werden icingacli module enable director From a5a533d649d8594d40997539d79cd55942482549 Mon Sep 17 00:00:00 2001 
From: Thorsten Spille Date: Thu, 24 Jul 2025 21:17:12 +0200 Subject: [PATCH 062/105] icingadb --- src/icinga2/constants-service.conf | 6 +- src/icinga2/install-service.sh | 135 ++++++++++++++++------------- 2 files changed, 76 insertions(+), 65 deletions(-) diff --git a/src/icinga2/constants-service.conf b/src/icinga2/constants-service.conf index 0bb5011..9b581fa 100644 --- a/src/icinga2/constants-service.conf +++ b/src/icinga2/constants-service.conf @@ -8,10 +8,10 @@ # # --- Service Metadata --- -ZAMBA_SERVICE_NAME="Icinga2 Monitoring Stack (MariaDB Edition)" -ZAMBA_SERVICE_DESC="Installiert Icinga2, Icingaweb2, Director, Nginx, MariaDB, InfluxDB2 und Grafana." +ZAMBA_SERVICE_NAME="Icinga2 Stack mit IcingaDB" +ZAMBA_SERVICE_DESC="Installiert Icinga2, IcingaDB, Icingaweb2, Director, Nginx, MariaDB, Redis, InfluxDB2 und Grafana." # Tags zur besseren Filterung und Verwaltung des Containers -SERVICE_TAGS="monitoring,icinga,grafana,influxdb,nginx,mariadb" +SERVICE_TAGS="monitoring,icinga,icingadb,grafana,influxdb,nginx,mariadb,redis" # --- LXC Container Configuration --- diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index 723c390..358b310 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -3,8 +3,7 @@ # Zamba LXC Toolbox - Service Installer # Service: icinga-stack # -# Description: Führt die Installation und Konfiguration des Icinga2 Stacks mit MariaDB durch. -# Dieses Skript ist eigenständig und verwendet nur Standard-OS-Befehle. +# Description: Führt die Installation und Konfiguration des Icinga2 Stacks mit IcingaDB durch. # # --- Internal Helper Functions --- @@ -18,7 +17,7 @@ _generate_local_password() { _install() { echo "" echo "=================================================" - echo " Phase 1: Installation der Pakete (MariaDB Edition)" + echo " Phase 1: Installation der Pakete (IcingaDB Edition)" echo "=================================================" echo "" 
@@ -51,25 +50,29 @@ _install() { echo "[INFO] Hauptkomponenten werden installiert (PHP Version: ${PHP_VERSION})." apt-get install -y \ - icinga2 icinga2-ido-mysql \ + icinga2 \ nginx php${PHP_VERSION}-fpm php${PHP_VERSION}-mysql php${PHP_VERSION}-intl php${PHP_VERSION}-xml php${PHP_VERSION}-gd php${PHP_VERSION}-ldap php${PHP_VERSION}-imagick \ mariadb-server mariadb-client \ + redis-server \ influxdb2 \ grafana \ imagemagick \ icingaweb2 icingacli \ icinga-php-library \ icingaweb2-module-reactbundle \ - icinga-director + icinga-director \ + icingadb \ + icingadb-redis \ + icingadb-web echo "[INFO] Systemd Services werden aktiviert." - systemctl enable --now icinga2 mariadb nginx php${PHP_VERSION}-fpm influxdb grafana-server + systemctl enable --now icinga2 mariadb redis-server nginx php${PHP_VERSION}-fpm influxdb grafana-server icingadb } _configure() { echo "" echo "=================================================" - echo " Phase 2: Konfiguration der Komponenten (MariaDB Edition)" + echo " Phase 2: Konfiguration der Komponenten (IcingaDB Edition)" echo "=================================================" echo "" @@ -77,7 +80,7 @@ _configure() { echo "[INFO] Passwörter und API-Keys werden generiert." ICINGAWEB_DB_PASS=$(_generate_local_password 24) DIRECTOR_DB_PASS=$(_generate_local_password 24) - ICINGA_IDO_DB_PASS=$(_generate_local_password 24) + ICINGADB_PASS=$(_generate_local_password 24) ICINGA_API_USER_PASS=$(_generate_local_password 24) ICINGAWEB_ADMIN_PASS=$(_generate_local_password 16) GRAFANA_ADMIN_PASS=$(_generate_local_password 16) 
@@ -87,15 +90,15 @@ _configure() { echo "[INFO] MariaDB wird konfiguriert." mysql -e "CREATE DATABASE IF NOT EXISTS icingaweb2 CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;" mysql -e "CREATE DATABASE IF NOT EXISTS director CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;" - mysql -e "CREATE DATABASE IF NOT EXISTS icinga_ido CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;" + mysql -e "CREATE DATABASE IF NOT EXISTS icingadb CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;" mysql -e "CREATE USER IF NOT EXISTS 'icingaweb2'@'localhost' IDENTIFIED BY '${ICINGAWEB_DB_PASS}';" mysql -e "CREATE USER IF NOT EXISTS 'director'@'localhost' IDENTIFIED BY '${DIRECTOR_DB_PASS}';" - mysql -e "CREATE USER IF NOT EXISTS 'icinga_ido'@'localhost' IDENTIFIED BY '${ICINGA_IDO_DB_PASS}';" + mysql -e "CREATE USER IF NOT EXISTS 'icingadb'@'localhost' IDENTIFIED BY '${ICINGADB_PASS}';" mysql -e "GRANT ALL PRIVILEGES ON icingaweb2.* TO 'icingaweb2'@'localhost';" mysql -e "GRANT ALL PRIVILEGES ON director.* TO 'director'@'localhost';" - mysql -e "GRANT ALL PRIVILEGES ON icinga_ido.* TO 'icinga_ido'@'localhost';" + mysql -e "GRANT ALL PRIVILEGES ON icingadb.* TO 'icingadb'@'localhost';" mysql -e "FLUSH PRIVILEGES;" # 3. InfluxDB 2 konfigurieren 
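Review bot: The three `IDENTIFIED BY '${…_PASS}'` statements (the new `icingadb` line and the two context lines above it) pass the freshly generated secrets to `mysql -e` as argv, where they are visible to every process in the container via `ps`/`/proc/*/cmdline` and are echoed in full if the installer ever runs under `set -x`. The values are also spliced into SQL unescaped, so a `'` or `\` in the output of `_generate_local_password` (defined above the hunk; I can't see its alphabet) would break the statement or change its meaning. Feeding the statement on stdin removes the argv exposure with no other change: `mysql <<<"CREATE USER IF NOT EXISTS 'icingadb'@'localhost' IDENTIFIED BY '${ICINGADB_PASS}';"`. `_configure` starts outside the hunk.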
@@ -117,12 +120,12 @@ _configure() { # 5. Icinga2 Konfigurationsdateien schreiben echo "[INFO] Icinga2 Konfigurationsdateien werden geschrieben." - bash -c "cat > /etc/icinga2/features-available/ido-mysql.conf" < /etc/icinga2/features-available/icingadb.conf" < /etc/icinga2/conf.d/api-users.conf" < /etc/icinga2/zones.conf" < /etc/icingadb/config.yml" < /etc/icingaweb2/resources.ini" <&2; exit 1; fi if [ ! -f "$IWEB_SCHEMA" ]; then echo "[ERROR] IcingaWeb-Schema nicht gefunden: $IWEB_SCHEMA" >&2; exit 1; fi if [ ! -f "$DIRECTOR_SCHEMA" ]; then echo "[ERROR] Director-Schema nicht gefunden: $DIRECTOR_SCHEMA" >&2; exit 1; fi - - if ! mysql -e "use icinga_ido; show tables;" | grep -q "icinga_dbversion"; then - echo "[INFO] Importiere Icinga IDO-Schema..." - mysql icinga_ido < "$IDO_SCHEMA" - fi + if [ ! -f "$ICINGADB_SCHEMA" ]; then echo "[ERROR] IcingaDB-Schema nicht gefunden: $ICINGADB_SCHEMA" >&2; exit 1; fi if ! mysql -e "use icingaweb2; show tables;" | grep -q "icingaweb_user"; then echo "[INFO] Importiere IcingaWeb2-Schema..." @@ -289,8 +293,13 @@ _setup() { mysql director < "$DIRECTOR_SCHEMA" fi + if ! mysql -e "use icingadb; show tables;" | grep -q "icingadb_schema_migration"; then + echo "[INFO] Importiere IcingaDB-Schema..." + mysql icingadb < "$ICINGADB_SCHEMA" + fi + echo "[INFO] Icinga2 Features werden aktiviert." - icinga2 feature enable ido-mysql api influxdb2-writer >/dev/null + icinga2 feature enable icingadb api influxdb2-writer >/dev/null echo "[INFO] Erstelle Icinga Web 2 Kernkonfiguration." bash -c "cat > /etc/icingaweb2/config.ini" < /etc/icingaweb2/authentication.ini" < /etc/icingaweb2/roles.ini" < /etc/icingaweb2/modules/monitoring/config.ini" < /etc/icingaweb2/modules/monitoring/backends.ini" < /etc/icingaweb2/modules/director/config.ini" < Date: Thu, 24 Jul 2025 21:33:19 +0200 Subject: [PATCH 063/105] redis fix --- src/icinga2/install-service.sh | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) 
diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index 358b310..1ca9438 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -101,13 +101,24 @@ _configure() { mysql -e "GRANT ALL PRIVILEGES ON icingadb.* TO 'icingadb'@'localhost';" mysql -e "FLUSH PRIVILEGES;" - # 3. InfluxDB 2 konfigurieren + # 3. Redis konfigurieren + echo "[INFO] Erstelle systemd-Override für Redis-Server." + mkdir -p /etc/systemd/system/redis-server.service.d + bash -c "cat > /etc/systemd/system/redis-server.service.d/override.conf" <&2; exit 1; fi - # 4. Credentials-Datei schreiben + # 5. Credentials-Datei schreiben echo "[INFO] Zugangsdaten werden in ${CRED_FILE} gespeichert." mkdir -p "$(dirname "$CRED_FILE")" && chmod 700 "$(dirname "$CRED_FILE")" { @@ -118,7 +129,7 @@ _configure() { echo "Icinga Director API: Benutzer: director; Passwort: ${ICINGA_API_USER_PASS}" } > "$CRED_FILE" && chmod 600 "$CRED_FILE" - # 5. Icinga2 Konfigurationsdateien schreiben + # 6. Icinga2 Konfigurationsdateien schreiben echo "[INFO] Icinga2 Konfigurationsdateien werden geschrieben." bash -c "cat > /etc/icinga2/features-available/icingadb.conf" < /etc/icingadb/config.yml" < /etc/icingaweb2/resources.ini" < /etc/icingaweb2/modules/monitoring/backends.ini" < Date: Thu, 24 Jul 2025 21:53:01 +0200 Subject: [PATCH 064/105] fix redis --- src/icinga2/install-service.sh | 30 ++++++++++++++++++++++-------- 1 file changed, 22 insertions(+), 8 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index 1ca9438..7f65a3e 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -53,7 +53,7 @@ _install() { icinga2 \ nginx php${PHP_VERSION}-fpm php${PHP_VERSION}-mysql php${PHP_VERSION}-intl php${PHP_VERSION}-xml php${PHP_VERSION}-gd php${PHP_VERSION}-ldap php${PHP_VERSION}-imagick \ mariadb-server mariadb-client \ - redis-server \ + redis-server redis-tools \ influxdb2 \ grafana \ imagemagick \ 
@@ -64,9 +64,6 @@ _install() { icingadb \ icingadb-redis \ icingadb-web - - echo "[INFO] Systemd Services werden aktiviert." - systemctl enable --now icinga2 mariadb redis-server nginx php${PHP_VERSION}-fpm influxdb grafana-server icingadb } _configure() { @@ -88,6 +85,10 @@ _configure() { # 2. MariaDB konfigurieren echo "[INFO] MariaDB wird konfiguriert." + # Ensure MariaDB is running for configuration + systemctl start mariadb + while ! mysqladmin ping -h localhost --silent; do sleep 1; done + mysql -e "CREATE DATABASE IF NOT EXISTS icingaweb2 CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;" mysql -e "CREATE DATABASE IF NOT EXISTS director CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;" mysql -e "CREATE DATABASE IF NOT EXISTS icingadb CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;" @@ -107,13 +108,12 @@ _configure() { bash -c "cat > /etc/systemd/system/redis-server.service.d/override.conf" <&2; exit 1; fi @@ -281,10 +281,24 @@ _setup() { echo "[INFO] Icinga2 API wird initialisiert und Zertifikate werden erstellt." icinga2 api setup + echo "[INFO] Aktiviere und starte alle Dienste in der korrekten Reihenfolge." + systemctl enable icinga2 mariadb redis-server nginx php${PHP_VERSION}-fpm influxdb grafana-server icingadb + systemctl daemon-reload # Um Redis-Override zu laden + + systemctl start mariadb + systemctl start redis-server + echo "[INFO] Warte auf MariaDB-Dienst..." while ! mysqladmin ping -h localhost --silent; do sleep 2; done echo "[INFO] MariaDB ist bereit." + echo "[INFO] Warte auf Redis-Dienst..." + while ! redis-cli ping | grep -q PONG; do sleep 2; done + echo "[INFO] Redis ist bereit." + + # Starte restliche Dienste + systemctl start icinga2 nginx php${PHP_VERSION}-fpm influxdb grafana-server icingadb + echo "[INFO] Datenbank-Schemas werden importiert." local IWEB_SCHEMA="/usr/share/icingaweb2/schema/mysql.schema.sql" local DIRECTOR_SCHEMA="/usr/share/icingaweb2/modules/director/schema/mysql.sql" 
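Review bot: The readiness loops added in the `-281` hunk, `while ! mysqladmin ping -h localhost --silent; do sleep 2; done` and `while ! redis-cli ping | grep -q PONG; do sleep 2; done`, have no upper bound, so a service that never comes up (for example if the Redis override fails to load) hangs the container build indefinitely instead of failing it; the `sleep 1` MariaDB loop in the `-88` hunk of this patch has the same shape. The Director wait loop elsewhere in this file already uses a 15-attempt counter with an `[ERROR]` exit, so a bounded wait here would keep the file consistent, e.g. `timeout 60 sh -c 'until mysqladmin ping -h localhost --silent; do sleep 2; done' || { echo "[ERROR] MariaDB wurde nicht bereit." >&2; exit 1; }`. `_setup` continues outside the hunk.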
@@ -355,7 +369,7 @@ EOF icingacli module enable director icingacli module enable icingadb - echo "[INFO] Alle Services werden neu gestartet." + echo "[INFO] Alle Services werden neu gestartet, um die finale Konfiguration zu laden." systemctl restart mariadb systemctl restart redis-server systemctl restart icinga2 From d15a44d93b37311f5e788660219ff77dc1ee5585 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Thu, 24 Jul 2025 21:57:40 +0200 Subject: [PATCH 065/105] perfdatagraphs --- src/icinga2/install-service.sh | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index 7f65a3e..c85fc04 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh 
@@ -26,13 +26,19 @@ _install() { apt-get update apt-get install -y wget gpg apt-transport-https curl sudo lsb-release - echo "[INFO] Repositories für Icinga, InfluxDB und Grafana werden hinzugefügt." + echo "[INFO] Repositories für Icinga, Netways, InfluxDB und Grafana werden hinzugefügt." # Icinga Repo if [ ! -f /etc/apt/sources.list.d/icinga.list ]; then curl -fsSL https://packages.icinga.com/icinga.key | gpg --dearmor -o /usr/share/keyrings/icinga-archive-keyring.gpg echo "deb [signed-by=/usr/share/keyrings/icinga-archive-keyring.gpg] https://packages.icinga.com/debian icinga-${OS_CODENAME} main" > /etc/apt/sources.list.d/icinga.list fi + # Netways Repo for additional modules + if [ ! -f /etc/apt/sources.list.d/netways.list ]; then + curl -fsSL https://packages.netways.de/icinga/netways.key | gpg --dearmor -o /usr/share/keyrings/netways-archive-keyring.gpg + echo "deb [signed-by=/usr/share/keyrings/netways-archive-keyring.gpg] https://packages.netways.de/icinga/debian/ icinga-${OS_CODENAME} main" > /etc/apt/sources.list.d/netways.list + fi + # InfluxDB Repo if [ ! -f /etc/apt/sources.list.d/influxdata.list ]; then curl -fsSL https://repos.influxdata.com/influxdata-archive_compat.key | gpg --dearmor -o /usr/share/keyrings/influxdata-archive_compat-keyring.gpg @@ -63,7 +69,9 @@ _install() { icinga-director \ icingadb \ icingadb-redis \ - icingadb-web + icingadb-web \ + icingaweb2-module-perfdatagraphs \ + icingaweb2-module-perfdatagraphs-influxdbv2 } _configure() { @@ -360,6 +368,20 @@ EOF bash -c "cat > /etc/icingaweb2/modules/director/config.ini" < /etc/icingaweb2/modules/perfdatagraphs/config.ini" < Date: Thu, 24 Jul 2025 22:59:37 +0200 Subject: [PATCH 066/105] fix --- src/icinga2/constants-service.conf | 69 ++--- src/icinga2/install-service.sh | 470 +++++++++++------------------ 2 files changed, 193 insertions(+), 346 deletions(-) diff --git a/src/icinga2/constants-service.conf b/src/icinga2/constants-service.conf index 9b581fa..0da0c0f 100644 
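Review bot: The new Netways block writes `/etc/apt/sources.list.d/netways.list` whether or not the key download succeeded: `curl -fsSL … | gpg --dearmor -o …` reports gpg's status, not curl's (unless the script sets `pipefail`, which I can't see from here), and the `echo` on the next line runs unconditionally. Because the block is guarded by `[ ! -f /etc/apt/sources.list.d/netways.list ]`, a transient fetch failure leaves a sources entry pointing at a missing or unusable keyring that a re-run never repairs, and `apt-get update` then reports an error for that repository. Chaining the two steps so the list file is only written once the keyring exists, `… | gpg --dearmor -o /usr/share/keyrings/netways-archive-keyring.gpg && echo "deb [signed-by=/usr/share/keyrings/netways-archive-keyring.gpg] https://packages.netways.de/icinga/debian/ icinga-${OS_CODENAME} main" > /etc/apt/sources.list.d/netways.list`, together with `set -o pipefail` near the top of the script, would make the failure visible; the existing Icinga, InfluxDB and Grafana blocks have the same structure. `_install` starts outside the hunk.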
--- a/src/icinga2/constants-service.conf +++ b/src/icinga2/constants-service.conf 
@@ -1,62 +1,35 @@ #!/bin/bash -# -# Zamba LXC Toolbox - Service Constants -# Service: icinga-stack -# -# Description: Enthält alle anwendungsspezifischen Konstanten und -# Variablen, die für OS-Upgrades relevant sind. -# -# --- Service Metadata --- -ZAMBA_SERVICE_NAME="Icinga2 Stack mit IcingaDB" -ZAMBA_SERVICE_DESC="Installiert Icinga2, IcingaDB, Icingaweb2, Director, Nginx, MariaDB, Redis, InfluxDB2 und Grafana." -# Tags zur besseren Filterung und Verwaltung des Containers -SERVICE_TAGS="monitoring,icinga,icingadb,grafana,influxdb,nginx,mariadb,redis" +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille +# This file contains the project constants on service level -# --- LXC Container Configuration --- -# Diese Parameter steuern die Erstellung des LXC Containers durch das Zamba Framework. - -# Debian Version, die als Basis für den Container dient +# Debian Version, which will be installed LXC_TEMPLATE_VERSION="debian-12-standard" -# Erstellt einen unprivilegierten Container für erhöhte Sicherheit -LXC_UNPRIVILEGED="1" - -# Erlaubt das Ausführen von z.B. Docker innerhalb dieses Containers -LXC_NESTING="1" - -# Wird für bestimmte Sicherheits-Features benötigt, hier nicht erforderlich -LXC_KEYCTL="0" - -# Erstellt einen Mountpoint (mp0) für geteilte Dateisysteme -LXC_MP=1 -# Name des ZFS-Dateisystems, das als Mountpoint dient +# Create sharefs mountpoint +LXC_MP=0 +# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank) LXC_SHAREFS_MOUNTPOINT="tank" -# Optimierte Recordsize für Datenbanken und kleine Dateien +# Defines the recordsize of mp0 LXC_MP_RECORDSIZE="16K" -# Minimal benötigter Arbeitsspeicher in MB. -# 2048 MB wird für den Betrieb des gesamten Stacks (Icinga, DBs, Grafana) empfohlen. 
-LXC_MEM_MIN=2048 +# Create unprivileged container +LXC_UNPRIVILEGED="1" +# enable nesting feature +LXC_NESTING="1" -# --- Service-spezifische Konfiguration --- +# enable keyctl feature +LXC_KEYCTL="0" -# Pfad zur Speicherung der generierten Zugangsdaten -CRED_FILE="/root/.zamba_credentials/icinga_stack.txt" +# Sets the minimum amount of RAM the service needs for operation +LXC_MEM_MIN=1024 +# service dependent meta tags +SERVICE_TAGS="php-fpm,nginx,mariadb" -# --- OS-Versions-spezifische Variablen --- -# Diese Variablen müssen bei einem Upgrade des Basis-Betriebssystems -# (z.B. von Debian 12 auf 13) angepasst werden. - -# Der Codename des Betriebssystems (wird für die Repository-Pfade benötigt) -# Dieser Wert wird normalerweise vom Framework (z.B. aus /etc/os-release) bereitgestellt. -# Falls nicht, wird hier ein Fallback gesetzt. -OS_CODENAME="${OS_CODENAME:-bookworm}" - -# Die Standard-PHP-Version für die jeweilige Debian-Version. -# Debian 12 (Bookworm) -> "8.2" -# Debian 13 (Trixie) -> voraussichtlich "8.3" -PHP_VERSION="8.2" +CRED_FILE="/root/.zamba_credentials/icinga_stack.txt" \ No newline at end of file diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index c85fc04..8f0ee86 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -1,10 +1,8 @@ -#!/bin/bash -# -# Zamba LXC Toolbox - Service Installer -# Service: icinga-stack -# -# Description: Führt die Installation und Konfiguration des Icinga2 Stacks mit IcingaDB durch. -# + +source /root/functions.sh +source /root/zamba.conf +source /root/constants-service.conf +source /etc/os-release # --- Internal Helper Functions --- _generate_local_password() { 
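Review bot: `PHP_VERSION="8.2"` is dropped from the constants file, but the `apt-get install` line this same patch writes into `install-service.sh` still expands `php${PHP_VERSION}-fpm`, `php${PHP_VERSION}-mysql` and so on; unless `/root/zamba.conf` or `/root/functions.sh` (both sourced, neither visible here) define it, those resolve to the versionless `php-fpm`/`php-mysql` metapackages and any remaining `systemctl … php${PHP_VERSION}-fpm` call targets a `php-fpm` unit name that, as far as I know, no Debian package provides. Either keep the constant or derive it from `/etc/os-release` now that the installer sources it, e.g. `case "$VERSION_CODENAME" in bookworm) PHP_VERSION="8.2" ;; esac`. `LXC_MEM_MIN` also falls from 2048 to 1024 while the stack has just gained Redis and IcingaDB; the removed comment said 2048 MB was recommended for the full stack, so the lower value may want a justification in the commit message. The file now also ends without a trailing newline (`\ No newline at end of file`).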
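Review bot: Dropping `#!/bin/bash` leaves the installer with no interpreter line, and the `source …` lines that replace the header are themselves bash-only (POSIX `sh`/dash knows `.` but not `source`), so the file now depends on the caller always invoking it as `bash install-service.sh` — I can't see how the toolbox runs it, but keeping the shebang costs nothing. None of the four `source` calls checks that its target exists; without `set -e` (not visible in this hunk) a missing `/root/zamba.conf` only prints a warning and the script carries on with empty settings, so `source /root/zamba.conf || exit 1` (or `set -euo pipefail` above the four lines) would fail fast instead.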
@@ -12,148 +10,80 @@ _generate_local_password() { } -# --- Service Functions (_install, _configure, _setup, _info) --- +curl -fsSL https://packages.icinga.com/icinga.key | gpg --dearmor -o /usr/share/keyrings/icinga-archive-keyring.gpg +echo "deb [signed-by=/usr/share/keyrings/icinga-archive-keyring.gpg] https://packages.icinga.com/debian icinga-$(lsb_release -cs) main" > /etc/apt/sources.list.d/icinga.list -_install() { - echo "" - echo "=================================================" - echo " Phase 1: Installation der Pakete (IcingaDB Edition)" - echo "=================================================" - echo "" - - echo "[INFO] System wird aktualisiert und Basispakete werden installiert." - export DEBIAN_FRONTEND=noninteractive - apt-get update - apt-get install -y wget gpg apt-transport-https curl sudo lsb-release +curl -fsSL https://packages.netways.de/icinga/netways.key | gpg --dearmor -o /usr/share/keyrings/netways-archive-keyring.gpg +echo "deb [signed-by=/usr/share/keyrings/netways-archive-keyring.gpg] https://packages.netways.de/icinga/debian/ icinga-$(lsb_release -cs) main" > /etc/apt/sources.list.d/netways.list - echo "[INFO] Repositories für Icinga, Netways, InfluxDB und Grafana werden hinzugefügt." - # Icinga Repo - if [ ! -f /etc/apt/sources.list.d/icinga.list ]; then - curl -fsSL https://packages.icinga.com/icinga.key | gpg --dearmor -o /usr/share/keyrings/icinga-archive-keyring.gpg - echo "deb [signed-by=/usr/share/keyrings/icinga-archive-keyring.gpg] https://packages.icinga.com/debian icinga-${OS_CODENAME} main" > /etc/apt/sources.list.d/icinga.list - fi +curl -fsSL https://repos.influxdata.com/influxdata-archive_compat.key | gpg --dearmor -o /usr/share/keyrings/influxdata-archive_compat-keyring.gpg +echo "deb [signed-by=/usr/share/keyrings/influxdata-archive_compat-keyring.gpg] https://repos.influxdata.com/debian $(lsb_release -cs) stable" > /etc/apt/sources.list.d/influxdata.list - # Netways Repo for additional modules - if [ ! 
-f /etc/apt/sources.list.d/netways.list ]; then - curl -fsSL https://packages.netways.de/icinga/netways.key | gpg --dearmor -o /usr/share/keyrings/netways-archive-keyring.gpg - echo "deb [signed-by=/usr/share/keyrings/netways-archive-keyring.gpg] https://packages.netways.de/icinga/debian/ icinga-${OS_CODENAME} main" > /etc/apt/sources.list.d/netways.list - fi +wget -q -O - https://apt.grafana.com/gpg.key | gpg --dearmor -o /usr/share/keyrings/grafana-archive-keyring.gpg +echo "deb [signed-by=/usr/share/keyrings/grafana-archive-keyring.gpg] https://apt.grafana.com stable main" > /etc/apt/sources.list.d/grafana.list - # InfluxDB Repo - if [ ! -f /etc/apt/sources.list.d/influxdata.list ]; then - curl -fsSL https://repos.influxdata.com/influxdata-archive_compat.key | gpg --dearmor -o /usr/share/keyrings/influxdata-archive_compat-keyring.gpg - echo "deb [signed-by=/usr/share/keyrings/influxdata-archive_compat-keyring.gpg] https://repos.influxdata.com/debian ${OS_CODENAME} stable" > /etc/apt/sources.list.d/influxdata.list - fi +apt update - # Grafana Repo - if [ ! -f /etc/apt/sources.list.d/grafana.list ]; then - wget -q -O - https://apt.grafana.com/gpg.key | gpg --dearmor -o /usr/share/keyrings/grafana-archive-keyring.gpg - echo "deb [signed-by=/usr/share/keyrings/grafana-archive-keyring.gpg] https://apt.grafana.com stable main" > /etc/apt/sources.list.d/grafana.list - fi - - echo "[INFO] Paketlisten werden erneut aktualisiert." 
- apt-get update +apt-get install -y icinga2 nginx php${PHP_VERSION}-fpm php${PHP_VERSION}-mysql php${PHP_VERSION}-intl php${PHP_VERSION}-xml php${PHP_VERSION}-gd php${PHP_VERSION}-ldap php${PHP_VERSION}-imagick \ + mariadb-server mariadb-client influxdb2 grafana imagemagick icingaweb2 icingacli icinga-php-library icingaweb2-module-reactbundle \ + icinga-director icingadb icingadb-redis icingadb-web icingaweb2-module-perfdatagraphs icingaweb2-module-perfdatagraphs-influxdbv2 - echo "[INFO] Hauptkomponenten werden installiert (PHP Version: ${PHP_VERSION})." - apt-get install -y \ - icinga2 \ - nginx php${PHP_VERSION}-fpm php${PHP_VERSION}-mysql php${PHP_VERSION}-intl php${PHP_VERSION}-xml php${PHP_VERSION}-gd php${PHP_VERSION}-ldap php${PHP_VERSION}-imagick \ - mariadb-server mariadb-client \ - redis-server redis-tools \ - influxdb2 \ - grafana \ - imagemagick \ - icingaweb2 icingacli \ - icinga-php-library \ - icingaweb2-module-reactbundle \ - icinga-director \ - icingadb \ - icingadb-redis \ - icingadb-web \ - icingaweb2-module-perfdatagraphs \ - icingaweb2-module-perfdatagraphs-influxdbv2 -} -_configure() { - echo "" - echo "=================================================" - echo " Phase 2: Konfiguration der Komponenten (IcingaDB Edition)" - echo "=================================================" - echo "" +ICINGAWEB_DB_PASS=$(_generate_local_password 24) +DIRECTOR_DB_PASS=$(_generate_local_password 24) +ICINGA_IDO_DB_PASS=$(_generate_local_password 24) +ICINGA_API_USER_PASS=$(_generate_local_password 24) +ICINGAWEB_ADMIN_PASS=$(_generate_local_password 16) +GRAFANA_ADMIN_PASS=$(_generate_local_password 16) +INFLUX_ADMIN_TOKEN=$(_generate_local_password 40) - # 1. Passwörter generieren - echo "[INFO] Passwörter und API-Keys werden generiert." 
- ICINGAWEB_DB_PASS=$(_generate_local_password 24) - DIRECTOR_DB_PASS=$(_generate_local_password 24) - ICINGADB_PASS=$(_generate_local_password 24) - ICINGA_API_USER_PASS=$(_generate_local_password 24) - ICINGAWEB_ADMIN_PASS=$(_generate_local_password 16) - GRAFANA_ADMIN_PASS=$(_generate_local_password 16) - INFLUX_ADMIN_TOKEN=$(_generate_local_password 40) - - # 2. MariaDB konfigurieren - echo "[INFO] MariaDB wird konfiguriert." - # Ensure MariaDB is running for configuration - systemctl start mariadb - while ! mysqladmin ping -h localhost --silent; do sleep 1; done - - mysql -e "CREATE DATABASE IF NOT EXISTS icingaweb2 CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;" - mysql -e "CREATE DATABASE IF NOT EXISTS director CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;" - mysql -e "CREATE DATABASE IF NOT EXISTS icingadb CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;" - - mysql -e "CREATE USER IF NOT EXISTS 'icingaweb2'@'localhost' IDENTIFIED BY '${ICINGAWEB_DB_PASS}';" - mysql -e "CREATE USER IF NOT EXISTS 'director'@'localhost' IDENTIFIED BY '${DIRECTOR_DB_PASS}';" - mysql -e "CREATE USER IF NOT EXISTS 'icingadb'@'localhost' IDENTIFIED BY '${ICINGADB_PASS}';" +systemctl start mariadb +while ! mysqladmin ping -h localhost --silent; do sleep 1; done - mysql -e "GRANT ALL PRIVILEGES ON icingaweb2.* TO 'icingaweb2'@'localhost';" - mysql -e "GRANT ALL PRIVILEGES ON director.* TO 'director'@'localhost';" - mysql -e "GRANT ALL PRIVILEGES ON icingadb.* TO 'icingadb'@'localhost';" - mysql -e "FLUSH PRIVILEGES;" +mysql -e "CREATE DATABASE IF NOT EXISTS icingaweb2 CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;" +mysql -e "CREATE DATABASE IF NOT EXISTS director CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;" +mysql -e "CREATE DATABASE IF NOT EXISTS icinga_ido CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;" - # 3. Redis konfigurieren - echo "[INFO] Erstelle systemd-Override für Redis-Server." 
- mkdir -p /etc/systemd/system/redis-server.service.d - bash -c "cat > /etc/systemd/system/redis-server.service.d/override.conf" <&2; exit 1; fi +mysql -e "CREATE USER IF NOT EXISTS 'icingaweb2'@'localhost' IDENTIFIED BY '${ICINGAWEB_DB_PASS}';" +mysql -e "CREATE USER IF NOT EXISTS 'director'@'localhost' IDENTIFIED BY '${DIRECTOR_DB_PASS}';" +mysql -e "CREATE USER IF NOT EXISTS 'icinga_ido'@'localhost' IDENTIFIED BY '${ICINGA_IDO_DB_PASS}';" - # 5. Credentials-Datei schreiben - echo "[INFO] Zugangsdaten werden in ${CRED_FILE} gespeichert." - mkdir -p "$(dirname "$CRED_FILE")" && chmod 700 "$(dirname "$CRED_FILE")" - { - echo "# --- Icinga Monitoring Stack Credentials ---" - echo "URL: https://${ZAMBA_HOSTNAME:-$(hostname -f)}/icingaweb2; Benutzer: icingaadmin; Passwort: ${ICINGAWEB_ADMIN_PASS}" - echo "URL: https://${ZAMBA_HOSTNAME:-$(hostname -f)}/grafana; Benutzer: admin; Passwort: ${GRAFANA_ADMIN_PASS}" - echo "InfluxDB Admin Token: ${INFLUX_ADMIN_TOKEN}" - echo "Icinga Director API: Benutzer: director; Passwort: ${ICINGA_API_USER_PASS}" - } > "$CRED_FILE" && chmod 600 "$CRED_FILE" +mysql -e "GRANT ALL PRIVILEGES ON icingaweb2.* TO 'icingaweb2'@'localhost';" +mysql -e "GRANT ALL PRIVILEGES ON director.* TO 'director'@'localhost';" +mysql -e "GRANT ALL PRIVILEGES ON icinga_ido.* TO 'icinga_ido'@'localhost';" +mysql -e "FLUSH PRIVILEGES;" - # 6. Icinga2 Konfigurationsdateien schreiben - echo "[INFO] Icinga2 Konfigurationsdateien werden geschrieben." 
- bash -c "cat > /etc/icinga2/features-available/icingadb.conf" <&2; exit 1; fi + + +mkdir -p "$(dirname "$CRED_FILE")" && chmod 700 "$(dirname "$CRED_FILE")" +{ + echo "# --- Icinga Monitoring Stack Credentials ---" + echo "URL: https://${ZAMBA_HOSTNAME:-$(hostname -f)}/icingaweb2; Benutzer: icingaadmin; Passwort: ${ICINGAWEB_ADMIN_PASS}" + echo "URL: https://${ZAMBA_HOSTNAME:-$(hostname -f)}/grafana; Benutzer: admin; Passwort: ${GRAFANA_ADMIN_PASS}" + echo "InfluxDB Admin Token: ${INFLUX_ADMIN_TOKEN}" + echo "Icinga Director API: Benutzer: director; Passwort: ${ICINGA_API_USER_PASS}" +} > "$CRED_FILE" && chmod 600 "$CRED_FILE" + +systemctl enable --now icingadb-redis +bash -c "cat > /etc/icinga2/features-available/icingadb.conf" < /etc/icinga2/conf.d/api-users.conf" < /etc/icinga2/conf.d/api-users.conf" < /etc/icinga2/features-available/influxdb2-writer.conf" < /etc/icinga2/features-available/influxdb2-writer.conf" < /etc/icinga2/zones.conf" < /etc/icingadb/config.yml" < /etc/icingadb/config.yml" < /etc/icingaweb2/resources.ini" < /etc/grafana/provisioning/datasources/influxdb.yaml" < /etc/grafana/provisioning/datasources/influxdb.yaml" < /etc/nginx/sites-available/icinga-stack" < /etc/nginx/sites-available/icinga-stack" <&2; exit 1; fi +if [ ! -f "$DIRECTOR_SCHEMA" ]; then echo "[ERROR] Director-Schema nicht gefunden: $DIRECTOR_SCHEMA" >&2; exit 1; fi +if [ ! -f "$ICINGADB_SCHEMA" ]; then echo "[ERROR] IcingaDB-Schema nicht gefunden: $ICINGADB_SCHEMA" >&2; exit 1; fi - if [ ! -f "$IWEB_SCHEMA" ]; then echo "[ERROR] IcingaWeb-Schema nicht gefunden: $IWEB_SCHEMA" >&2; exit 1; fi - if [ ! -f "$DIRECTOR_SCHEMA" ]; then echo "[ERROR] Director-Schema nicht gefunden: $DIRECTOR_SCHEMA" >&2; exit 1; fi - if [ ! -f "$ICINGADB_SCHEMA" ]; then echo "[ERROR] IcingaDB-Schema nicht gefunden: $ICINGADB_SCHEMA" >&2; exit 1; fi - if ! mysql -e "use icingaweb2; show tables;" | grep -q "icingaweb_user"; then - echo "[INFO] Importiere IcingaWeb2-Schema..." 
- mysql icingaweb2 < "$IWEB_SCHEMA" - fi - - if ! mysql -e "use director; show tables;" | grep -q "director_datafield"; then - echo "[INFO] Importiere Icinga Director-Schema..." - mysql director < "$DIRECTOR_SCHEMA" - fi - - if ! mysql -e "use icingadb; show tables;" | grep -q "icingadb_schema_migration"; then - echo "[INFO] Importiere IcingaDB-Schema..." - mysql icingadb < "$ICINGADB_SCHEMA" - fi - - echo "[INFO] Icinga2 Features werden aktiviert." - icinga2 feature enable icingadb api influxdb2-writer >/dev/null +if ! mysql -e "use icingaweb2; show tables;" | grep -q "icingaweb_user"; then + echo "[INFO] Importiere IcingaWeb2-Schema..." + mysql icingaweb2 < "$IWEB_SCHEMA" +fi - echo "[INFO] Erstelle Icinga Web 2 Kernkonfiguration." - bash -c "cat > /etc/icingaweb2/config.ini" < /etc/icingaweb2/config.ini" < /etc/icingaweb2/authentication.ini" < /etc/icingaweb2/authentication.ini" < /etc/icingaweb2/roles.ini" < /etc/icingaweb2/roles.ini" < /etc/icingaweb2/modules/monitoring/backends.ini" < /etc/icingaweb2/modules/monitoring/backends.ini" < /etc/icingaweb2/modules/director/config.ini" < /etc/icingaweb2/modules/director/config.ini" < /etc/icingaweb2/modules/perfdatagraphs/config.ini" < /etc/icingaweb2/modules/perfdatagraphs/config.ini" </dev/null 2>&1; do - counter=$((counter + 1)) - if [ "$counter" -gt 15 ]; then - echo "[ERROR] Icinga Director wurde nach 30 Sekunden nicht bereit." >&2 - exit 1 - fi - echo "[INFO] Director ist noch nicht bereit, warte 2 Sekunden... (Versuch ${counter}/15)" - sleep 2 - done - echo "[INFO] Icinga Director ist bereit." +echo "[INFO] Füge Icinga Web 2 Admin-Benutzer direkt in die Datenbank ein." +PASSWORD_HASH=$(php -r "echo password_hash('${ICINGAWEB_ADMIN_PASS}', PASSWORD_BCRYPT);") +mysql icingaweb2 -e "INSERT INTO icingaweb_user (name, active, password_hash) VALUES ('icingaadmin', 1, '${PASSWORD_HASH}') ON DUPLICATE KEY UPDATE password_hash='${PASSWORD_HASH}';" - echo "[INFO] Icinga Director Setup wird ausgeführt." 
- bash -c "cat > /etc/icingaweb2/modules/director/kickstart.ini" </dev/null 2>&1; do + counter=$((counter + 1)) + if [ "$counter" -gt 15 ]; then + echo "[ERROR] Icinga Director wurde nach 30 Sekunden nicht bereit." >&2 + exit 1 + fi + echo "[INFO] Director ist noch nicht bereit, warte 2 Sekunden... (Versuch ${counter}/15)" + sleep 2 +done +echo "[INFO] Icinga Director ist bereit." + +echo "[INFO] Icinga Director Setup wird ausgeführt." +bash -c "cat > /etc/icingaweb2/modules/director/kickstart.ini" < Date: Thu, 24 Jul 2025 23:06:07 +0200 Subject: [PATCH 067/105] fix --- src/icinga2/install-service.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index 8f0ee86..cbf6e0a 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -38,7 +38,6 @@ GRAFANA_ADMIN_PASS=$(_generate_local_password 16) INFLUX_ADMIN_TOKEN=$(_generate_local_password 40) systemctl start mariadb -while ! mysqladmin ping -h localhost --silent; do sleep 1; done mysql -e "CREATE DATABASE IF NOT EXISTS icingaweb2 CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;" mysql -e "CREATE DATABASE IF NOT EXISTS director CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;" From 0b5990cec86278ec65952ac8acaaa6834ee685db Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Thu, 24 Jul 2025 23:18:50 +0200 Subject: [PATCH 068/105] fix --- src/icinga2/install-service.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index cbf6e0a..352f90d 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh 
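Review bot: Removing the `while ! mysqladmin ping -h localhost --silent; do sleep 1; done` wait leaves the `mysql -e "CREATE DATABASE …"` statements on the following context lines racing `systemctl start mariadb`, which returns once the unit is started, not once the server accepts connections; unless the script runs under `set -e`, a connection refused there is silent and the later GRANT and password-bearing config steps proceed against databases and users that were never created. If the loop was removed because it could spin forever, bound it instead of deleting it: `for ((i = 0; i < 30; i++)); do mysqladmin ping -h localhost --silent && break; sleep 1; done` followed by an explicit failure when the server never answered. The statements that depend on the server continue past the hunk.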
@@ -13,8 +13,8 @@ _generate_local_password() { curl -fsSL https://packages.icinga.com/icinga.key | gpg --dearmor -o /usr/share/keyrings/icinga-archive-keyring.gpg echo "deb [signed-by=/usr/share/keyrings/icinga-archive-keyring.gpg] https://packages.icinga.com/debian icinga-$(lsb_release -cs) main" > /etc/apt/sources.list.d/icinga.list -curl -fsSL https://packages.netways.de/icinga/netways.key | gpg --dearmor -o /usr/share/keyrings/netways-archive-keyring.gpg -echo "deb [signed-by=/usr/share/keyrings/netways-archive-keyring.gpg] https://packages.netways.de/icinga/debian/ icinga-$(lsb_release -cs) main" > /etc/apt/sources.list.d/netways.list +curl -fsSL https://packages.netways.de/netways-repo.asc | gpg --dearmor -o /usr/share/keyrings/netways-archive-keyring.gpg +echo "deb [signed-by=/usr/share/keyrings/netways-archive-keyring.gpg] https://packages.netways.de/extras/debian/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/netways.list curl -fsSL https://repos.influxdata.com/influxdata-archive_compat.key | gpg --dearmor -o /usr/share/keyrings/influxdata-archive_compat-keyring.gpg echo "deb [signed-by=/usr/share/keyrings/influxdata-archive_compat-keyring.gpg] https://repos.influxdata.com/debian $(lsb_release -cs) stable" > /etc/apt/sources.list.d/influxdata.list From 20e9eb05671b11982785c7011f8a23df64171e3f Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Fri, 25 Jul 2025 00:20:45 +0200 Subject: [PATCH 069/105] -ipl --- src/icinga2/install-service.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index 352f90d..7c55b4f 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -283,7 +283,6 @@ backend = "influxdb2" EOF echo "[INFO] Icinga Web 2 Module werden in korrekter Reihenfolge aktiviert." -icingacli module enable ipl icingacli module enable reactbundle icingacli module enable incubator icingacli module enable director 
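Review bot: The new NetWays key on the first `+` line is installed straight from `curl -fsSL … | gpg --dearmor -o …` with no check that the download succeeded or that the key is the one expected; if curl fails, gpg most likely leaves an empty keyring, and the `signed-by` source written on the next line then makes apt reject the repository, so the error only surfaces at `apt update` further down rather than here. Verify the fetched key before trusting it, e.g. `gpg --show-keys --with-fingerprint /usr/share/keyrings/netways-archive-keyring.gpg | grep -q "<EXPECTED_FINGERPRINT>" || exit 1` with the fingerprint taken from the vendor's published documentation, and run the pipeline under `set -o pipefail` so a failed download stops the install. The same pattern applies to the icinga and influxdata keys on the surrounding context lines.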
From 2770be329756e649ee4d10152ef0f997813c7826 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Fri, 25 Jul 2025 09:56:33 +0200 Subject: [PATCH 070/105] fix --- src/icinga2/install-service.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index 7c55b4f..93df199 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -108,7 +108,7 @@ logging: output: stdout EOF icinga2 feature enable icingadb -systemctl restart icinga2 +#systemctl restart icinga2 mkdir -p /etc/icingaweb2 bash -c "cat > /etc/icingaweb2/resources.ini" < Date: Fri, 25 Jul 2025 14:39:00 +0200 Subject: [PATCH 071/105] php version --- src/icinga2/constants-service.conf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/icinga2/constants-service.conf b/src/icinga2/constants-service.conf index 0da0c0f..944f7c9 100644 --- a/src/icinga2/constants-service.conf +++ b/src/icinga2/constants-service.conf @@ -32,4 +32,6 @@ LXC_MEM_MIN=1024 # service dependent meta tags SERVICE_TAGS="php-fpm,nginx,mariadb" -CRED_FILE="/root/.zamba_credentials/icinga_stack.txt" \ No newline at end of file +CRED_FILE="/root/.zamba_credentials/icinga_stack.txt" + +PHP_VERSION=8.2 \ No newline at end of file From b3f81a47e7e00f3d86f34892126d42b4a723aec0 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Fri, 25 Jul 2025 14:40:47 +0200 Subject: [PATCH 072/105] fix --- src/icinga2/install-service.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index 93df199..cd8d0cb 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -290,7 +290,6 @@ icingacli module enable perfdatagraphs echo "[INFO] Alle Services werden neu gestartet, um die finale Konfiguration zu laden." systemctl restart mariadb -systemctl restart redis-server systemctl restart icinga2 systemctl restart php${PHP_VERSION}-fpm systemctl restart nginx 
From d67281a7d81b977240e80e576d4eba942f2f6af9 Mon Sep 17 00:00:00 2001
From: Thorsten Spille
Date: Fri, 25 Jul 2025 14:55:55 +0200
Subject: [PATCH 073/105] fix
---
 src/icinga2/install-service.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh
index cd8d0cb..20614f1 100644
--- a/src/icinga2/install-service.sh
+++ b/src/icinga2/install-service.sh
@@ -31,7 +31,7 @@ apt-get install -y icinga2 nginx php${PHP_VERSION}-fpm php${PHP_VERSION}-mysql p
 ICINGAWEB_DB_PASS=$(_generate_local_password 24)
 DIRECTOR_DB_PASS=$(_generate_local_password 24)
-ICINGA_IDO_DB_PASS=$(_generate_local_password 24)
+ICINGA_DB_PASS=$(_generate_local_password 24)
 ICINGA_API_USER_PASS=$(_generate_local_password 24)
 ICINGAWEB_ADMIN_PASS=$(_generate_local_password 16)
 GRAFANA_ADMIN_PASS=$(_generate_local_password 16)
From ad800c5c1fd47779d099e98d9cc1eded2d990a1a Mon Sep 17 00:00:00 2001
From: Thorsten Spille
Date: Fri, 25 Jul 2025 15:01:12 +0200
Subject: [PATCH 074/105] f
---
 src/icinga2/install-service.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh
index 20614f1..7bcb663 100644
--- a/src/icinga2/install-service.sh
+++ b/src/icinga2/install-service.sh
@@ -31,7 +31,7 @@ apt-get install -y icinga2 nginx php${PHP_VERSION}-fpm php${PHP_VERSION}-mysql p
 ICINGAWEB_DB_PASS=$(_generate_local_password 24)
 DIRECTOR_DB_PASS=$(_generate_local_password 24)
-ICINGA_DB_PASS=$(_generate_local_password 24)
+ICINGADB_PASS=$(_generate_local_password 24)
 ICINGA_API_USER_PASS=$(_generate_local_password 24)
 ICINGAWEB_ADMIN_PASS=$(_generate_local_password 16)
 GRAFANA_ADMIN_PASS=$(_generate_local_password 16)
From 9f637c0083b8c194b4650f71ea10e64b3acdf3af Mon Sep 17 00:00:00 2001
From: Thorsten Spille
Date: Fri, 25 Jul 2025 15:07:06 +0200
Subject: [PATCH 075/105] f
---
 src/icinga2/install-service.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh
index 7bcb663..d5485af 100644
--- a/src/icinga2/install-service.sh
+++ b/src/icinga2/install-service.sh
@@ -41,15 +41,15 @@ systemctl start mariadb
 mysql -e "CREATE DATABASE IF NOT EXISTS icingaweb2 CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;"
 mysql -e "CREATE DATABASE IF NOT EXISTS director CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;"
-mysql -e "CREATE DATABASE IF NOT EXISTS icinga_ido CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;"
+mysql -e "CREATE DATABASE IF NOT EXISTS icingadb CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;"
 mysql -e "CREATE USER IF NOT EXISTS 'icingaweb2'@'localhost' IDENTIFIED BY '${ICINGAWEB_DB_PASS}';"
 mysql -e "CREATE USER IF NOT EXISTS 'director'@'localhost' IDENTIFIED BY '${DIRECTOR_DB_PASS}';"
-mysql -e "CREATE USER IF NOT EXISTS 'icinga_ido'@'localhost' IDENTIFIED BY '${ICINGA_IDO_DB_PASS}';"
+mysql -e "CREATE USER IF NOT EXISTS 'icingadb'@'localhost' IDENTIFIED BY '${ICINGADB_PASS}';"
 mysql -e "GRANT ALL PRIVILEGES ON icingaweb2.* TO 'icingaweb2'@'localhost';"
 mysql -e "GRANT ALL PRIVILEGES ON director.* TO 'director'@'localhost';"
-mysql -e "GRANT ALL PRIVILEGES ON icinga_ido.* TO 'icinga_ido'@'localhost';"
+mysql -e "GRANT ALL PRIVILEGES ON icingadb.* TO 'icingadb'@'localhost';"
 mysql -e "FLUSH PRIVILEGES;"
 systemctl start influxdb
From fef7c7b11f37711d5078723d9ee7ce9eac681829 Mon Sep 17 00:00:00 2001
From: Thorsten Spille
Date: Fri, 25 Jul 2025 15:16:15 +0200
Subject: [PATCH 076/105] fix db conf
---
 src/icinga2/install-service.sh | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh
index d5485af..c571294 100644
--- a/src/icinga2/install-service.sh
+++ b/src/icinga2/install-service.sh
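Review bot: The `CREATE USER … IDENTIFIED BY '${ICINGADB_PASS}'` line now reads a variable that the two preceding commits renamed twice; while the names were out of sync the expansion was empty and the statement created a database user with an empty password, with nothing in the script noticing. Guard the consumer so a stale name is a hard failure rather than a silent empty credential: `: "${ICINGADB_PASS:?ICINGADB_PASS is unset}"` ahead of the CREATE USER statements (the same for the other `*_PASS` variables). Separately, `mysql -e "… IDENTIFIED BY '…'"` passes each password as a command-line argument, where it is visible in `ps` and in `set -x` traces; feeding the SQL on stdin through a heredoc keeps the secrets out of argv.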
@@ -98,14 +98,17 @@ object Zone "director-global" { global = true } EOF bash -c "cat > /etc/icingadb/config.yml" < Date: Fri, 25 Jul 2025 15:30:20 +0200 Subject: [PATCH 077/105] fix grafana db --- src/icinga2/install-service.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index c571294..9bf96ad 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -144,6 +144,7 @@ charset = "utf8mb4" EOF systemctl stop grafana-server +chown -R grafana:grafana /var/lib/grafana/grafana.db grafana-cli admin reset-admin-password "$GRAFANA_ADMIN_PASS" systemctl start grafana-server From d55c74f6f4b0e1a2875217e05f4d594aa66868ad Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Fri, 25 Jul 2025 15:41:00 +0200 Subject: [PATCH 078/105] f --- src/icinga2/install-service.sh | 38 ++++++++++++++++++++-------------- 1 file changed, 23 insertions(+), 15 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index 9bf96ad..986ef33 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh 
@@ -68,7 +68,8 @@ mkdir -p "$(dirname "$CRED_FILE")" && chmod 700 "$(dirname "$CRED_FILE")" } > "$CRED_FILE" && chmod 600 "$CRED_FILE" systemctl enable --now icingadb-redis -bash -c "cat > /etc/icinga2/features-available/icingadb.conf" < /etc/icinga2/features-available/icingadb.conf < /etc/icinga2/conf.d/api-users.conf" < /etc/icinga2/conf.d/api-users.conf < /etc/icinga2/features-available/influxdb2-writer.conf" < /etc/icinga2/features-available/influxdb2-writer.conf < /etc/icinga2/zones.conf" < /etc/icinga2/zones.conf < /etc/icingadb/config.yml" < /etc/icingadb/config.yml < /etc/icingaweb2/resources.ini" < /etc/icingaweb2/resources.ini < /etc/grafana/provisioning/datasources/influxdb.yaml" < /etc/grafana/provisioning/datasources/influxdb.yaml < /etc/nginx/sites-available/icinga-stack" < /etc/nginx/sites-available/icinga-stack < /etc/icingaweb2/config.ini" < /etc/icingaweb2/config.ini < /etc/icingaweb2/authentication.ini" < /etc/icingaweb2/authentication.ini < /etc/icingaweb2/roles.ini" < /etc/icingaweb2/roles.ini < /etc/icingaweb2/modules/monitoring/backends.ini" < /etc/icingaweb2/modules/monitoring/backends.ini < /etc/icingaweb2/modules/director/config.ini" < /etc/icingaweb2/modules/director/config.ini < /etc/icingaweb2/modules/perfdatagraphs/config.ini" < /etc/icingaweb2/modules/perfdatagraphs/config.ini < /etc/icingaweb2/modules/director/kickstart.ini" < /etc/icingaweb2/modules/director/kickstart.ini < Date: Fri, 25 Jul 2025 15:44:33 +0200 Subject: [PATCH 079/105] f --- src/icinga2/install-service.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index 986ef33..75737f9 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh 
@@ -335,7 +335,7 @@ username = "director" password = "${ICINGA_API_USER_PASS}" EOF icingacli director kickstart run -rm /etc/icingaweb2/modules/director/kickstart.ini +#rm /etc/icingaweb2/modules/director/kickstart.ini echo "[INFO] Director Konfiguration wird angewendet." icingacli director config deploy From 69f934982be8d2426293878102c9d0766ee8eed8 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Fri, 25 Jul 2025 16:01:04 +0200 Subject: [PATCH 080/105] f --- src/icinga2/install-service.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index 75737f9..19de19a 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -151,9 +151,7 @@ charset = "utf8mb4" EOF systemctl stop grafana-server -chown -R grafana:grafana /var/lib/grafana/grafana.db grafana-cli admin reset-admin-password "$GRAFANA_ADMIN_PASS" -systemctl start grafana-server mkdir -p /etc/grafana/provisioning/datasources @@ -293,6 +291,8 @@ bucket = "icinga" backend = "influxdb2" EOF +chown -R grafana:grafana /var/lib/grafana/grafana.db + echo "[INFO] Icinga Web 2 Module werden in korrekter Reihenfolge aktiviert." icingacli module enable reactbundle icingacli module enable incubator From 8bab934bdf3bf4bf23731e95bc866d7a8108649f Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Fri, 25 Jul 2025 16:09:56 +0200 Subject: [PATCH 081/105] f --- src/icinga2/install-service.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index 19de19a..b230bd3 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -302,7 +302,6 @@ icingacli module enable perfdatagraphs echo "[INFO] Alle Services werden neu gestartet, um die finale Konfiguration zu laden." systemctl restart mariadb -systemctl restart icinga2 systemctl restart php${PHP_VERSION}-fpm systemctl restart nginx systemctl restart grafana-server 
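Review bot: Commenting out `rm /etc/icingaweb2/modules/director/kickstart.ini` leaves a file containing `password = "${ICINGA_API_USER_PASS}"` (see the context lines above) on disk indefinitely, which is presumably why the rm existed. If the file has to survive for re-runs of `icingacli director kickstart run`, create it with restricted permissions before the heredoc writes it, e.g. `install -m 600 /dev/null /etc/icingaweb2/modules/director/kickstart.ini`, and say so in a comment; otherwise delete it once the kickstart has succeeded rather than leaving a dead `#rm` line behind. The heredoc that writes the file starts before this hunk.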
@@ -334,6 +333,7 @@ port = "5665" username = "director" password = "${ICINGA_API_USER_PASS}" EOF +systemctl restart icinga2 icingacli director kickstart run #rm /etc/icingaweb2/modules/director/kickstart.ini From d9585b594051ff43e0ae636193824343bfbafe5f Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Fri, 25 Jul 2025 16:11:46 +0200 Subject: [PATCH 082/105] f --- src/icinga2/install-service.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index b230bd3..9dc3238 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -95,7 +95,7 @@ object Influxdb2Writer "influxdb2-writer" { EOF cat > /etc/icinga2/zones.conf < /etc/icingaweb2/modules/director/kickstart.ini < Date: Fri, 25 Jul 2025 16:21:02 +0200 Subject: [PATCH 083/105] f --- src/icinga2/install-service.sh | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index 9dc3238..b4ae733 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -81,7 +81,14 @@ EOF cat > /etc/icinga2/conf.d/api-users.conf < Date: Fri, 25 Jul 2025 16:25:10 +0200 Subject: [PATCH 084/105] f --- src/icinga2/install-service.sh | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index b4ae733..d9e33c5 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -81,14 +81,7 @@ EOF cat > /etc/icinga2/conf.d/api-users.conf < Date: Fri, 25 Jul 2025 16:37:20 +0200 Subject: [PATCH 085/105] f --- src/icinga2/install-service.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index d9e33c5..e96fda9 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh 
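Review bot: `systemctl restart icinga2` is inserted immediately before `icingacli director kickstart run`, but systemctl returns once the unit is (re)started, not once the API on `port = "5665"` from the kickstart.ini above is accepting connections, so on a slow host the kickstart can race the daemon and fail. Put a bounded wait between the two lines, for example `for ((i = 0; i < 30; i++)); do (exec 3<>/dev/tcp/127.0.0.1/5665) 2>/dev/null && break; sleep 1; done`, and exit with an error if the port never opens. The heredoc providing the kickstart.ini context starts before this hunk.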
@@ -116,6 +116,12 @@ logging: output: systemd-journald EOF +mkdir -p /etc/icingaweb2/modules/icingadb +cat << EOF > /etc/icingaweb2/modules/icingadb/config.ini +[icingadb] +resource = icingadb +EOF + icinga2 feature enable icingadb systemctl restart icinga2 From 97b6fdeec9ff9de47574a6be63718331ba539083 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Fri, 25 Jul 2025 17:52:51 +0200 Subject: [PATCH 086/105] f --- src/icinga2/install-service.sh | 29 ++++++++++++++++------------- 1 file changed, 16 insertions(+), 13 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index e96fda9..a0339e9 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -93,7 +93,6 @@ object Influxdb2Writer "influxdb2-writer" { auth_token = "${INFLUX_ICINGA_TOKEN}" } EOF - cat > /etc/icinga2/zones.conf < /etc/icingaweb2/config.ini < /etc/icingaweb2/modules/perfdatagraphs/config.ini < /etc/icingaweb2/modules/perfdatagraphsinfluxdbv2/config.ini < /etc/icingaweb2/modules/perfdatagraphs/config.ini << EOF +[perfdatagraphs] +default_timerange = "PT12H" +default_backend = "InfluxDBv2" +EOF + +icinga2 feature enable icingadb api influxdb2-writer perfdata + chown -R grafana:grafana /var/lib/grafana/grafana.db echo "[INFO] Icinga Web 2 Module werden in korrekter Reihenfolge aktiviert." @@ -305,6 +307,7 @@ icingacli module enable incubator icingacli module enable director icingacli module enable icingadb icingacli module enable perfdatagraphs +icingacli module enable perfdatagraphsinfluxdbv2 echo "[INFO] Alle Services werden neu gestartet, um die finale Konfiguration zu laden." systemctl restart mariadb From 3a6711c850e3a89e770a0d6c4c8ce18b3e7ea4ae Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Fri, 25 Jul 2025 18:02:32 +0200 Subject: [PATCH 087/105] create folder --- src/icinga2/install-service.sh | 1 + 1 file changed, 1 insertion(+) 
diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index a0339e9..c6f3c6a 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -282,6 +282,7 @@ resource = "director_db" EOF mkdir -p /etc/icingaweb2/modules/perfdatagraphs +mkdir -p /etc/icingaweb2/modules/perfdatagraphsinfluxdbv2 cat > /etc/icingaweb2/modules/perfdatagraphsinfluxdbv2/config.ini < Date: Fri, 25 Jul 2025 19:06:19 +0200 Subject: [PATCH 088/105] fix influxdb writer --- src/icinga2/install-service.sh | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index c6f3c6a..e45b991 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -86,11 +86,28 @@ object ApiUser "director" { EOF cat > /etc/icinga2/features-available/influxdb2-writer.conf < /etc/icinga2/zones.conf < Date: Fri, 25 Jul 2025 19:06:49 +0200 Subject: [PATCH 089/105] f --- src/icinga2/install-service.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index e45b991..aa90cb1 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -96,16 +96,16 @@ cat > /etc/icinga2/features-available/influxdb2-writer.conf < Date: Fri, 25 Jul 2025 20:08:27 +0200 Subject: [PATCH 090/105] f --- src/icinga2/install-service.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index aa90cb1..9575d05 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -104,7 +104,7 @@ cat > /etc/icinga2/features-available/influxdb2-writer.conf < Date: Fri, 25 Jul 2025 20:14:07 +0200 Subject: [PATCH 091/105] remove grafana --- src/icinga2/install-service.sh | 56 ++++++++++++++++------------------ 1 file changed, 27 insertions(+), 29 deletions(-) 
diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh
index 9575d05..f8f7f41 100644
--- a/src/icinga2/install-service.sh
+++ b/src/icinga2/install-service.sh
@@ -19,13 +19,13 @@ echo "deb [signed-by=/usr/share/keyrings/netways-archive-keyring.gpg] https://pa
 curl -fsSL https://repos.influxdata.com/influxdata-archive_compat.key | gpg --dearmor -o /usr/share/keyrings/influxdata-archive_compat-keyring.gpg
 echo "deb [signed-by=/usr/share/keyrings/influxdata-archive_compat-keyring.gpg] https://repos.influxdata.com/debian $(lsb_release -cs) stable" > /etc/apt/sources.list.d/influxdata.list
-wget -q -O - https://apt.grafana.com/gpg.key | gpg --dearmor -o /usr/share/keyrings/grafana-archive-keyring.gpg
-echo "deb [signed-by=/usr/share/keyrings/grafana-archive-keyring.gpg] https://apt.grafana.com stable main" > /etc/apt/sources.list.d/grafana.list
+#wget -q -O - https://apt.grafana.com/gpg.key | gpg --dearmor -o /usr/share/keyrings/grafana-archive-keyring.gpg
+#echo "deb [signed-by=/usr/share/keyrings/grafana-archive-keyring.gpg] https://apt.grafana.com stable main" > /etc/apt/sources.list.d/grafana.list
 apt update
 apt-get install -y icinga2 nginx php${PHP_VERSION}-fpm php${PHP_VERSION}-mysql php${PHP_VERSION}-intl php${PHP_VERSION}-xml php${PHP_VERSION}-gd php${PHP_VERSION}-ldap php${PHP_VERSION}-imagick \
- mariadb-server mariadb-client influxdb2 grafana imagemagick icingaweb2 icingacli icinga-php-library icingaweb2-module-reactbundle \
+ mariadb-server mariadb-client influxdb2 imagemagick icingaweb2 icingacli icinga-php-library icingaweb2-module-reactbundle \
 icinga-director icingadb icingadb-redis icingadb-web icingaweb2-module-perfdatagraphs icingaweb2-module-perfdatagraphs-influxdbv2
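Review bot: The two Grafana repository lines are commented out rather than deleted while `grafana` is dropped from the `apt-get install` list; a dormant `#wget … | gpg --dearmor` plus `#echo "deb …" > /etc/apt/sources.list.d/grafana.list` is exactly the kind of line that gets re-enabled later without anyone re-checking the key it trusts. Delete them (git keeps the history), or if Grafana is expected to return, replace them with a single comment such as `# Grafana repo intentionally disabled; re-enable only after verifying the key fingerprint`. Mixing `apt update` with `apt-get install` on adjacent lines is a minor style point; the package list continues past the hunk.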
@@ -34,7 +34,7 @@ DIRECTOR_DB_PASS=$(_generate_local_password 24)
 ICINGADB_PASS=$(_generate_local_password 24)
 ICINGA_API_USER_PASS=$(_generate_local_password 24)
 ICINGAWEB_ADMIN_PASS=$(_generate_local_password 16)
-GRAFANA_ADMIN_PASS=$(_generate_local_password 16)
+INFLUX_ADMIN_PASS=$(_generate_local_password 16)
 INFLUX_ADMIN_TOKEN=$(_generate_local_password 40)
 systemctl start mariadb
@@ -53,7 +53,7 @@ mysql -e "GRANT ALL PRIVILEGES ON icingadb.* TO 'icingadb'@'localhost';"
 mysql -e "FLUSH PRIVILEGES;"
 systemctl start influxdb
-influx setup --skip-verify --username admin --password "$GRAFANA_ADMIN_PASS" --org icinga --bucket icinga --token "$INFLUX_ADMIN_TOKEN" -f
+influx setup --skip-verify --username admin --password "$INFLUX_ADMIN_PASS" --org icinga --bucket icinga --token "$INFLUX_ADMIN_TOKEN" -f
 INFLUX_ICINGA_TOKEN=$(influx auth create --org icinga --all-access --json | grep -oP '"token": "\K[^"]+')
 if [ -z "$INFLUX_ICINGA_TOKEN" ]; then echo "[ERROR] Konnte InfluxDB Token nicht erstellen." >&2; exit 1; fi
@@ -62,7 +62,6 @@ mkdir -p "$(dirname "$CRED_FILE")" && chmod 700 "$(dirname "$CRED_FILE")"
 {
 echo "# --- Icinga Monitoring Stack Credentials ---"
 echo "URL: https://${ZAMBA_HOSTNAME:-$(hostname -f)}/icingaweb2; Benutzer: icingaadmin; Passwort: ${ICINGAWEB_ADMIN_PASS}"
- echo "URL: https://${ZAMBA_HOSTNAME:-$(hostname -f)}/grafana; Benutzer: admin; Passwort: ${GRAFANA_ADMIN_PASS}"
 echo "InfluxDB Admin Token: ${INFLUX_ADMIN_TOKEN}"
 echo "Icinga Director API: Benutzer: director; Passwort: ${ICINGA_API_USER_PASS}"
 } > "$CRED_FILE" && chmod 600 "$CRED_FILE"
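Review bot: `INFLUX_ADMIN_PASS` is generated in the `-34` hunk and used for `influx setup --password` in the `-53` hunk, but the `-62` hunk only removes the Grafana entry from the credentials file and never records the InfluxDB admin password, so the only copy of it is lost when the script exits (the token line is kept, the password is not). Add a line next to the existing one, e.g. `echo "InfluxDB Admin: Benutzer: admin; Passwort: ${INFLUX_ADMIN_PASS}"`, so the credentials file stays the single place an operator has to look. Note also that `influx setup --password "$INFLUX_ADMIN_PASS" … --token "$INFLUX_ADMIN_TOKEN"` places both secrets in argv where `ps` and `set -x` expose them; worth a comment if the CLI offers no alternative.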
@@ -172,22 +171,22 @@ password = "${ICINGADB_PASS}" charset = "utf8mb4" EOF -systemctl stop grafana-server -grafana-cli admin reset-admin-password "$GRAFANA_ADMIN_PASS" +#systemctl stop grafana-server +#grafana-cli admin reset-admin-password "$GRAFANA_ADMIN_PASS" -mkdir -p /etc/grafana/provisioning/datasources +#mkdir -p /etc/grafana/provisioning/datasources -cat > /etc/grafana/provisioning/datasources/influxdb.yaml < /etc/grafana/provisioning/datasources/influxdb.yaml < Date: Fri, 25 Jul 2025 20:18:46 +0200 Subject: [PATCH 092/105] f --- src/icinga2/install-service.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index f8f7f41..69b0165 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -85,6 +85,7 @@ object ApiUser "director" { EOF cat > /etc/icinga2/features-available/influxdb2-writer.conf < Date: Fri, 25 Jul 2025 20:23:05 +0200 Subject: [PATCH 093/105] f --- src/icinga2/install-service.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index 69b0165..3620597 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -139,7 +139,6 @@ resource = icingadb EOF icinga2 feature enable icingadb -systemctl restart icinga2 mkdir -p /etc/icingaweb2 From 8148cb7f078452d11d0d658c36ace69b2d1f69de Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Fri, 25 Jul 2025 20:41:01 +0200 Subject: [PATCH 094/105] f --- src/icinga2/install-service.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index 3620597..0b9be46 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh 
@@ -137,6 +137,10 @@ cat << EOF > /etc/icingaweb2/modules/icingadb/config.ini
 [icingadb]
 resource = icingadb
 EOF
+cat << EOF > /etc/icingaweb2/modules/icingadb/redis.ini
+[redis1]
+host = "localhost"
+EOF
 icinga2 feature enable icingadb
From 9a6e4d6f49a0008776e3ca9c94e85f385ec079fd Mon Sep 17 00:00:00 2001
From: Thorsten Spille
Date: Fri, 25 Jul 2025 22:02:29 +0200
Subject: [PATCH 095/105] f
---
 src/icinga2/install-service.sh | 93 ++++++++++++++++++++++++++++++++++
 1 file changed, 93 insertions(+)
diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh
index 0b9be46..445ae38 100644
--- a/src/icinga2/install-service.sh
+++ b/src/icinga2/install-service.sh
@@ -175,6 +175,99 @@ password = "${ICINGADB_PASS}"
 charset = "utf8mb4"
 EOF
+cat << EOF > /etc/icinga2/conf.d/services.conf
+apply Service "ping4" {
+ import "generic-service"
+
+ check_command = "ping4"
+
+ assign where host.address
+}
+
+apply Service "ping6" {
+ import "generic-service"
+
+ check_command = "ping6"
+
+ assign where host.address6
+}
+
+apply Service "ssh" {
+ import "generic-service"
+
+ check_command = "ssh"
+
+ assign where (host.address || host.address6) && host.vars.os == "Linux"
+}
+
+
+
+apply Service for (http_vhost => config in host.vars.http_vhosts) {
+ import "generic-service"
+
+ check_command = "http"
+
+ vars += config
+}
+
+apply Service for (disk => config in host.vars.disks) {
+ import "generic-service"
+
+ check_command = "disk"
+
+ vars += config
+}
+
+apply Service "icinga" {
+ import "generic-service"
+
+ check_command = "icinga"
+
+ assign where host.name == NodeName
+}
+
+apply Service "load" {
+ import "generic-service"
+
+ check_command = "load"
+
+ assign where host.name == NodeName
+}
+
+apply Service "procs" {
+ import "generic-service"
+
+ check_command = "procs"
+
+ assign where host.name == NodeName
+}
+
+apply Service "users" {
+ import "generic-service"
+
+ check_command = "users"
+
+ assign where host.name == NodeName
+}
+
+apply Service "ssl" {
+ import "generic-service"
+
+ check_command = "ssl"
+
+ assign where host.name == NodeName
+}
+
+apply Service "smtp" {
+ import "generic-service"
+
+ check_command = "smtp"
+
+ assign where host.name == NodeName
+}
+
+EOF
+
 #systemctl stop grafana-server
 #grafana-cli admin reset-admin-password "$GRAFANA_ADMIN_PASS"
From 67490fb7a7111d07151fd481123366c4b0bacf3f Mon Sep 17 00:00:00 2001
From: Thorsten Spille
Date: Fri, 25 Jul 2025 22:15:40 +0200
Subject: [PATCH 096/105] add notifications
---
 src/icinga2/install-service.sh | 28 +++++++++++++++++++++++++---
 1 file changed, 25 insertions(+), 3 deletions(-)
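Review bot: The services.conf heredoc uses an unquoted `EOF` delimiter, so the shell expands `$…` inside the Icinga DSL body; nothing in the current body contains a `$`, but Icinga runtime macros are written as `$host.name$`, and the first rule someone adds with one would be silently mangled at install time. Use `cat << 'EOF' > /etc/icinga2/conf.d/services.conf` so the body is written literally. The write also unconditionally replaces `/etc/icinga2/conf.d/services.conf`, which appears to be the file the icinga2 package itself ships, so a re-run discards any operator edits; guarding it with `[ -e /etc/icinga2/conf.d/services.conf ] ||` or writing a separately named file under conf.d avoids that. The `ssl` and `smtp` rules are applied to the local node with no target vars — if that is intended, a one-line comment saying what they are meant to check would help the next reader.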
diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh
index 445ae38..fbf4081 100644
--- a/src/icinga2/install-service.sh
+++ b/src/icinga2/install-service.sh
@@ -25,7 +25,7 @@ echo "deb [signed-by=/usr/share/keyrings/influxdata-archive_compat-keyring.gpg]
 apt update
 apt-get install -y icinga2 nginx php${PHP_VERSION}-fpm php${PHP_VERSION}-mysql php${PHP_VERSION}-intl php${PHP_VERSION}-xml php${PHP_VERSION}-gd php${PHP_VERSION}-ldap php${PHP_VERSION}-imagick \
- mariadb-server mariadb-client influxdb2 imagemagick icingaweb2 icingacli icinga-php-library icingaweb2-module-reactbundle \
+ mariadb-server mariadb-client influxdb2 imagemagick icingaweb2 icingacli icinga-php-library icingaweb2-module-reactbundle icinga-notifications icinga-notifications-web \
 icinga-director icingadb icingadb-redis icingadb-web icingaweb2-module-perfdatagraphs icingaweb2-module-perfdatagraphs-influxdbv2
@@ -33,6 +33,7 @@ ICINGAWEB_DB_PASS=$(_generate_local_password 24)
 DIRECTOR_DB_PASS=$(_generate_local_password 24)
 ICINGADB_PASS=$(_generate_local_password 24)
 ICINGA_API_USER_PASS=$(_generate_local_password 24)
+NOTIFICATIONS_DB_PASS=$(_generate_local_password 24)
 ICINGAWEB_ADMIN_PASS=$(_generate_local_password 16)
 INFLUX_ADMIN_PASS=$(_generate_local_password 16)
 INFLUX_ADMIN_TOKEN=$(_generate_local_password 40)
@@ -42,14 +43,17 @@ systemctl start mariadb mysql -e "CREATE DATABASE IF NOT EXISTS icingaweb2 CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;" mysql -e "CREATE DATABASE IF NOT EXISTS director CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;" mysql -e "CREATE DATABASE IF NOT EXISTS icingadb CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;" +mysql -e "CREATE DATABASE IF NOT EXISTS notifications CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;" mysql -e "CREATE USER IF NOT EXISTS 'icingaweb2'@'localhost' IDENTIFIED BY '${ICINGAWEB_DB_PASS}';" mysql -e "CREATE USER IF NOT EXISTS 'director'@'localhost' IDENTIFIED BY '${DIRECTOR_DB_PASS}';" mysql -e "CREATE USER IF NOT EXISTS 'icingadb'@'localhost' IDENTIFIED BY '${ICINGADB_PASS}';" +mysql -e "CREATE USER IF NOT EXISTS 'notifications'@'localhost' IDENTIFIED BY '${NOTIFICATIONS_DB_PASS}';" mysql -e "GRANT ALL PRIVILEGES ON icingaweb2.* TO 'icingaweb2'@'localhost';" mysql -e "GRANT ALL PRIVILEGES ON director.* TO 'director'@'localhost';" mysql -e "GRANT ALL PRIVILEGES ON icingadb.* TO 'icingadb'@'localhost';" +mysql -e "GRANT ALL PRIVILEGES ON notifications.* TO 'notifications'@'localhost';" mysql -e "FLUSH PRIVILEGES;" systemctl start influxdb @@ -173,6 +177,15 @@ dbname = "icingadb" username = "icingadb" password = "${ICINGADB_PASS}" charset = "utf8mb4" + +[notifications] +type = "db" +db = "mysql" +host = "localhost" +dbname = "notifications" +username = "notifications" +password = "${NOTIFICATIONS_DB_PASS}" +charset = "utf8mb4" EOF cat << EOF > /etc/icinga2/conf.d/services.conf 
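Review bot: `CREATE USER IF NOT EXISTS … IDENTIFIED BY` leaves the password untouched when the user already exists, while `NOTIFICATIONS_DB_PASS` is regenerated on every run and written into resources.ini below, so a re-run (which the later `show tables` guards suggest is intended) leaves the daemon configured with a password MariaDB does not know. Follow the create with `mysql -e "ALTER USER 'notifications'@'localhost' IDENTIFIED BY '${NOTIFICATIONS_DB_PASS}';"` so the stored and configured password always agree. The password is also interpolated into a single-quoted SQL literal passed as an argument; `_generate_local_password` is not visible here, so confirm it emits only characters safe inside `'…'` (no `'` or `\`), and consider feeding the statements over stdin (`mysql <<SQL … SQL`) so the secret does not show up in `ps` argv on the host while the command runs.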
@@ -329,18 +342,20 @@ sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/' "/etc/php/${PHP_VERSION}/fpm/ sed -i "s|;date.timezone =|date.timezone = $(cat /etc/timezone)|" "/etc/php/${PHP_VERSION}/fpm/php.ini" icinga2 api setup -systemctl enable icinga2 mariadb nginx php${PHP_VERSION}-fpm influxdb icingadb icingadb-redis +systemctl enable icinga2 mariadb nginx php${PHP_VERSION}-fpm influxdb icingadb icingadb-redis icinga-notifications systemctl start mariadb -systemctl start icinga2 icingadb-redis nginx php${PHP_VERSION}-fpm influxdb icingadb +systemctl start icinga2 icingadb-redis nginx php${PHP_VERSION}-fpm influxdb icingadb icinga-notifications IWEB_SCHEMA="/usr/share/icingaweb2/schema/mysql.schema.sql" DIRECTOR_SCHEMA="/usr/share/icingaweb2/modules/director/schema/mysql.sql" ICINGADB_SCHEMA="/usr/share/icingadb/schema/mysql/schema.sql" +NOTIFICATIONS_SCHEMA="/usr/share/icinga-notifications/schema/mysql/schema.sql" if [ ! -f "$IWEB_SCHEMA" ]; then echo "[ERROR] IcingaWeb-Schema nicht gefunden: $IWEB_SCHEMA" >&2; exit 1; fi if [ ! -f "$DIRECTOR_SCHEMA" ]; then echo "[ERROR] Director-Schema nicht gefunden: $DIRECTOR_SCHEMA" >&2; exit 1; fi if [ ! -f "$ICINGADB_SCHEMA" ]; then echo "[ERROR] IcingaDB-Schema nicht gefunden: $ICINGADB_SCHEMA" >&2; exit 1; fi +if [ ! -f "$NOTIFICATIONS_SCHEMA" ]; then echo "[ERROR] IcingaDB-Schema nicht gefunden: $NOTIFICATIONS_SCHEMA" >&2; exit 1; fi if ! mysql -e "use icingaweb2; show tables;" | grep -q "icingaweb_user"; then 
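Review bot: The new schema-file guard for `$NOTIFICATIONS_SCHEMA` reuses the IcingaDB error text, so a missing notifications schema is reported as `IcingaDB-Schema nicht gefunden`, pointing the operator at the wrong package; change it to `echo "[ERROR] Notifications-Schema nicht gefunden: $NOTIFICATIONS_SCHEMA" >&2`. The guard itself is fine, but the same copy-pasted label should be checked wherever this pattern is repeated later in the series.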
@@ -357,6 +372,12 @@ if ! mysql -e "use icingadb; show tables;" | grep -q "icingadb_schema_migration" echo "[INFO] Importiere IcingaDB-Schema..." mysql icingadb < "$ICINGADB_SCHEMA" fi + +if ! mysql -e "use notifications; show tables;" | grep -q "icingadb_schema_migration"; then + echo "[INFO] Importiere IcingaDB-Schema..." + mysql notifications < "$NOTIFICATIONS_SCHEMA" +fi + cat > /etc/icingaweb2/config.ini < Date: Fri, 25 Jul 2025 22:25:00 +0200 Subject: [PATCH 097/105] f --- src/icinga2/install-service.sh | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index fbf4081..c3fe365 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -335,6 +335,19 @@ server { } EOF +cat << EOF > /etc/icinga-notifications/config.yml +database: + type: mysql + + host: localhost + + database: notifications + + user: notifications + + password: ${NOTIFICATIONS_DB_PASS} +EOF + ln -sf /etc/nginx/sites-available/icinga-stack /etc/nginx/sites-enabled/ rm -f /etc/nginx/sites-enabled/default From 19d47088c90cbe9e38d4d6c3f9baff9620678b46 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Fri, 25 Jul 2025 22:27:51 +0200 Subject: [PATCH 098/105] n --- src/icinga2/install-service.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index c3fe365..1382c79 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -348,6 +348,12 @@ database: password: ${NOTIFICATIONS_DB_PASS} EOF +cat << EOF > /etc/icingaweb2/modules/notifications/config.ini +[database] +resource = "notifications" +EOF + + ln -sf /etc/nginx/sites-available/icinga-stack /etc/nginx/sites-enabled/ rm -f /etc/nginx/sites-enabled/default From 524f0d3ada8019d7b8dabae4106cd394cd773a69 Mon Sep 17 00:00:00 2001 
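Review bot: `/etc/icinga-notifications/config.yml` is written with a plain `>` redirect and contains the database password, so if the package does not already ship that file it is created under root's default umask (typically 0644) and is readable by every local account, including the php-fpm and nginx users; set the mode explicitly, e.g. `chmod 0640 /etc/icinga-notifications/config.yml` and `chown root:<daemon group> …` (the service account is not visible here — check `systemctl show -p User icinga-notifications`). The YAML value `password: ${NOTIFICATIONS_DB_PASS}` is also unquoted, so a generated password containing `#`, `:` or surrounding spaces would be misparsed; write it as `password: '${NOTIFICATIONS_DB_PASS}'`. The following hunk writes `/etc/icingaweb2/modules/notifications/config.ini` without a `mkdir -p` for the module directory (the pdfexport hunk later in the series does create its directory), so confirm `icinga-notifications-web` creates it or the redirect fails — fatally, if the script runs with `set -e`.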
From: Thorsten Spille Date: Fri, 25 Jul 2025 22:51:18 +0200 Subject: [PATCH 099/105] f --- src/icinga2/install-service.sh | 24 ------------------------ 1 file changed, 24 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index 1382c79..af2abab 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -19,9 +19,6 @@ echo "deb [signed-by=/usr/share/keyrings/netways-archive-keyring.gpg] https://pa curl -fsSL https://repos.influxdata.com/influxdata-archive_compat.key | gpg --dearmor -o /usr/share/keyrings/influxdata-archive_compat-keyring.gpg echo "deb [signed-by=/usr/share/keyrings/influxdata-archive_compat-keyring.gpg] https://repos.influxdata.com/debian $(lsb_release -cs) stable" > /etc/apt/sources.list.d/influxdata.list -#wget -q -O - https://apt.grafana.com/gpg.key | gpg --dearmor -o /usr/share/keyrings/grafana-archive-keyring.gpg -#echo "deb [signed-by=/usr/share/keyrings/grafana-archive-keyring.gpg] https://apt.grafana.com stable main" > /etc/apt/sources.list.d/grafana.list - apt update apt-get install -y icinga2 nginx php${PHP_VERSION}-fpm php${PHP_VERSION}-mysql php${PHP_VERSION}-intl php${PHP_VERSION}-xml php${PHP_VERSION}-gd php${PHP_VERSION}-ldap php${PHP_VERSION}-imagick \ @@ -281,23 +278,6 @@ apply Service "smtp" { EOF -#systemctl stop grafana-server -#grafana-cli admin reset-admin-password "$GRAFANA_ADMIN_PASS" - -#mkdir -p /etc/grafana/provisioning/datasources - -#cat > /etc/grafana/provisioning/datasources/influxdb.yaml < Date: Fri, 25 Jul 2025 23:09:41 +0200 Subject: [PATCH 100/105] monitoring plugins --- src/icinga2/install-service.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index af2abab..a69aa67 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh 
@@ -23,7 +23,8 @@ apt update apt-get install -y icinga2 nginx php${PHP_VERSION}-fpm php${PHP_VERSION}-mysql php${PHP_VERSION}-intl php${PHP_VERSION}-xml php${PHP_VERSION}-gd php${PHP_VERSION}-ldap php${PHP_VERSION}-imagick \ mariadb-server mariadb-client influxdb2 imagemagick icingaweb2 icingacli icinga-php-library icingaweb2-module-reactbundle icinga-notifications icinga-notifications-web \ - icinga-director icingadb icingadb-redis icingadb-web icingaweb2-module-perfdatagraphs icingaweb2-module-perfdatagraphs-influxdbv2 + icinga-director icingadb icingadb-redis icingadb-web icingaweb2-module-perfdatagraphs icingaweb2-module-perfdatagraphs-influxdbv2 \ + monitoring-plugins monitoring-plugins-basic monitoring-plugins-common monitoring-plugins-standard monitoring-plugins-systemd ICINGAWEB_DB_PASS=$(_generate_local_password 24) From 3c80439391bf24830f8c9b5675c43ee4ceb46ffc Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Sat, 26 Jul 2025 14:15:21 +0200 Subject: [PATCH 101/105] i --- src/icinga2/install-service.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index a69aa67..f49a20d 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -345,7 +345,7 @@ icinga2 api setup systemctl enable icinga2 mariadb nginx php${PHP_VERSION}-fpm influxdb icingadb icingadb-redis icinga-notifications systemctl start mariadb -systemctl start icinga2 icingadb-redis nginx php${PHP_VERSION}-fpm influxdb icingadb icinga-notifications +systemctl start icinga2 icingadb-redis nginx php${PHP_VERSION}-fpm influxdb icingadb IWEB_SCHEMA="/usr/share/icingaweb2/schema/mysql.schema.sql" DIRECTOR_SCHEMA="/usr/share/icingaweb2/modules/director/schema/mysql.sql" 
@@ -448,6 +448,7 @@ systemctl restart mariadb systemctl restart php${PHP_VERSION}-fpm systemctl restart nginx systemctl restart icingadb +systemctl restart icinga-notifications echo "[INFO] Füge Icinga Web 2 Admin-Benutzer direkt in die Datenbank ein." PASSWORD_HASH=$(php -r "echo password_hash('${ICINGAWEB_ADMIN_PASS}', PASSWORD_BCRYPT);") @@ -495,3 +496,4 @@ echo "Wichtige URLs:" echo " Icinga Web 2: https://${ZAMBA_HOSTNAME:-$(hostname -f)}/icingaweb2" echo " IcingaDB Web: https://${ZAMBA_HOSTNAME:-$(hostname -f)}/icingadb-web" echo "" +cat ${CRED_FILE} \ No newline at end of file From a6914a72521f849f7df6cc45df080169b716fb86 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Tue, 29 Jul 2025 18:36:46 +0200 Subject: [PATCH 102/105] Add pdfexport to icinga2 --- src/icinga2/install-service.sh | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index f49a20d..df63cfe 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh 
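Review bot: The final `cat ${CRED_FILE}` dumps every generated secret (DB passwords, API user, admin and InfluxDB tokens, judging by the variables above) to stdout at the end of the install, where it lands in terminal scrollback and in whatever captures the run — a Proxmox task log or CI job, if that is how this script is driven. Print the location instead and let the operator read the root-only file deliberately: `echo "Credentials stored in ${CRED_FILE}"`, and confirm where `CRED_FILE` is created (outside this hunk) that it is written with mode 0600. If the dump is intentional for unattended provisioning, at least quote the expansion, `cat "${CRED_FILE}"`, and gate it behind an explicit flag.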
@@ -21,10 +21,12 @@ echo "deb [signed-by=/usr/share/keyrings/influxdata-archive_compat-keyring.gpg] apt update -apt-get install -y icinga2 nginx php${PHP_VERSION}-fpm php${PHP_VERSION}-mysql php${PHP_VERSION}-intl php${PHP_VERSION}-xml php${PHP_VERSION}-gd php${PHP_VERSION}-ldap php${PHP_VERSION}-imagick \ +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq --no-install-recommends \ + icinga2 nginx php${PHP_VERSION}-fpm php${PHP_VERSION}-mysql php${PHP_VERSION}-intl php${PHP_VERSION}-xml php${PHP_VERSION}-gd php${PHP_VERSION}-ldap php${PHP_VERSION}-imagick \ mariadb-server mariadb-client influxdb2 imagemagick icingaweb2 icingacli icinga-php-library icingaweb2-module-reactbundle icinga-notifications icinga-notifications-web \ - icinga-director icingadb icingadb-redis icingadb-web icingaweb2-module-perfdatagraphs icingaweb2-module-perfdatagraphs-influxdbv2 \ - monitoring-plugins monitoring-plugins-basic monitoring-plugins-common monitoring-plugins-standard monitoring-plugins-systemd + icinga-director icingadb icingadb-redis icingadb-web icingaweb2-module-perfdatagraphs icingaweb2-module-perfdatagraphs-influxdbv2 chromium fonts-liberation fonts-noto \ + monitoring-plugins monitoring-plugins-basic monitoring-plugins-common monitoring-plugins-standard monitoring-plugins-systemd icingaweb2-module-pdfexport + ICINGAWEB_DB_PASS=$(_generate_local_password 24) @@ -334,6 +336,14 @@ cat << EOF > /etc/icingaweb2/modules/notifications/config.ini resource = "notifications" EOF +mkdir -p /etc/icingaweb2/modules/pdfexport +cat << EOF > /etc/icingaweb2/modules/pdfexport/config.ini +[chrome] +binary = "/usr/bin/chromium" +force_temp_storage = "0" +EOF + + ln -sf /etc/nginx/sites-available/icinga-stack /etc/nginx/sites-enabled/ rm -f /etc/nginx/sites-enabled/default From 8eb2e0d323c93391a6797e5036bba939889ed228 Mon Sep 17 00:00:00 2001 
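Review bot: Adding `--no-install-recommends` to the existing install line changes what every previously listed package pulls in, not just the new ones; for `chromium` in particular, Debian's `chromium-sandbox` helper is only a Recommends, and inside an LXC container where unprivileged user namespaces are often unavailable, the headless Chromium that pdfexport launches may then fail to set up its sandbox at render time rather than at install time. Verify a PDF export on a fresh container, and if it fails add `chromium-sandbox` to the package list rather than reaching for a `--no-sandbox` flag in the pdfexport config. In the config hunk, `force_temp_storage = "0"` is a non-obvious setting — a one-line comment in the script stating why it is pinned would help the next maintainer.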
From: Thorsten Spille Date: Tue, 29 Jul 2025 23:46:41 +0200 Subject: [PATCH 103/105] add commandtransports --- src/icinga2/install-service.sh | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index df63cfe..bfb2d08 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh @@ -145,6 +145,16 @@ cat << EOF > /etc/icingaweb2/modules/icingadb/redis.ini [redis1] host = "localhost" EOF +cat << EOF > /etc/icingaweb2/modules/icingadb/commandtransports.ini +[$(hostname -f)] +transport = "api" +host = "$(hostname -f)" +port = "5665" +username = "director" +password = "${ICINGA_API_USER_PASS}" +EOF + + icinga2 feature enable icingadb From 64d9295b5ea86bf36f51e9bc24f7fc945ff4804b Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Tue, 12 Aug 2025 23:50:06 +0200 Subject: [PATCH 104/105] Update install-service.sh add influxdb2-client --- src/icinga2/install-service.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index bfb2d08..7272189 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh 
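Review bot: The new command transport authenticates to the local Icinga 2 API as `director` with `ICINGA_API_USER_PASS`, reusing the Director's API identity for Icinga Web's command actions; that ApiUser is defined outside this hunk, so confirm its `permissions` — if it carries `"*"` or `config/*`, a dedicated ApiUser limited to `actions/*` (plus `objects/query/*` if needed) keeps a compromised web session from reaching configuration-level API access. The password is now present in a third plaintext file, `/etc/icingaweb2/modules/icingadb/commandtransports.ini`, created via a root `>` redirect; `/etc/icingaweb2` is normally group-restricted by the package, but set the file mode explicitly to match the package convention for that tree, e.g. `chmod 0660 … && chown root:icingaweb2 …`.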
@@ -23,7 +23,7 @@ apt update DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq --no-install-recommends \ icinga2 nginx php${PHP_VERSION}-fpm php${PHP_VERSION}-mysql php${PHP_VERSION}-intl php${PHP_VERSION}-xml php${PHP_VERSION}-gd php${PHP_VERSION}-ldap php${PHP_VERSION}-imagick \ - mariadb-server mariadb-client influxdb2 imagemagick icingaweb2 icingacli icinga-php-library icingaweb2-module-reactbundle icinga-notifications icinga-notifications-web \ + mariadb-server mariadb-client influxdb2 influxdb2-client imagemagick icingaweb2 icingacli icinga-php-library icingaweb2-module-reactbundle icinga-notifications icinga-notifications-web \ icinga-director icingadb icingadb-redis icingadb-web icingaweb2-module-perfdatagraphs icingaweb2-module-perfdatagraphs-influxdbv2 chromium fonts-liberation fonts-noto \ monitoring-plugins monitoring-plugins-basic monitoring-plugins-common monitoring-plugins-standard monitoring-plugins-systemd icingaweb2-module-pdfexport @@ -516,4 +516,4 @@ echo "Wichtige URLs:" echo " Icinga Web 2: https://${ZAMBA_HOSTNAME:-$(hostname -f)}/icingaweb2" echo " IcingaDB Web: https://${ZAMBA_HOSTNAME:-$(hostname -f)}/icingadb-web" echo "" -cat ${CRED_FILE} \ No newline at end of file +cat ${CRED_FILE} From f4c3d6f6e1cf978f8d4ac05e9e48d841804bad1b Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Wed, 13 Aug 2025 00:18:56 +0200 Subject: [PATCH 105/105] Add x509 module (incomplete) --- src/icinga2/install-service.sh | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/src/icinga2/install-service.sh b/src/icinga2/install-service.sh index 7272189..45a7228 100644 --- a/src/icinga2/install-service.sh +++ b/src/icinga2/install-service.sh 
@@ -24,7 +24,7 @@ apt update DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq --no-install-recommends \ icinga2 nginx php${PHP_VERSION}-fpm php${PHP_VERSION}-mysql php${PHP_VERSION}-intl php${PHP_VERSION}-xml php${PHP_VERSION}-gd php${PHP_VERSION}-ldap php${PHP_VERSION}-imagick \ mariadb-server mariadb-client influxdb2 influxdb2-client imagemagick icingaweb2 icingacli icinga-php-library icingaweb2-module-reactbundle icinga-notifications icinga-notifications-web \ - icinga-director icingadb icingadb-redis icingadb-web icingaweb2-module-perfdatagraphs icingaweb2-module-perfdatagraphs-influxdbv2 chromium fonts-liberation fonts-noto \ + icinga-director icingadb icingadb-redis icingadb-web icingaweb2-module-perfdatagraphs icingaweb2-module-perfdatagraphs-influxdbv2 chromium fonts-liberation fonts-noto icinga-x509 \ monitoring-plugins monitoring-plugins-basic monitoring-plugins-common monitoring-plugins-standard monitoring-plugins-systemd icingaweb2-module-pdfexport @@ -32,6 +32,7 @@ DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq - ICINGAWEB_DB_PASS=$(_generate_local_password 24) DIRECTOR_DB_PASS=$(_generate_local_password 24) ICINGADB_PASS=$(_generate_local_password 24) +ICINGA_X509_DB_PASS=$(_generate_local_password 24) ICINGA_API_USER_PASS=$(_generate_local_password 24) NOTIFICATIONS_DB_PASS=$(_generate_local_password 24) ICINGAWEB_ADMIN_PASS=$(_generate_local_password 16) 
@@ -44,16 +45,19 @@ mysql -e "CREATE DATABASE IF NOT EXISTS icingaweb2 CHARACTER SET utf8mb4 COLLATE mysql -e "CREATE DATABASE IF NOT EXISTS director CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;" mysql -e "CREATE DATABASE IF NOT EXISTS icingadb CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;" mysql -e "CREATE DATABASE IF NOT EXISTS notifications CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;" +mysql -e "CREATE DATABASE IF NOT EXISTS x509 CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;" mysql -e "CREATE USER IF NOT EXISTS 'icingaweb2'@'localhost' IDENTIFIED BY '${ICINGAWEB_DB_PASS}';" mysql -e "CREATE USER IF NOT EXISTS 'director'@'localhost' IDENTIFIED BY '${DIRECTOR_DB_PASS}';" mysql -e "CREATE USER IF NOT EXISTS 'icingadb'@'localhost' IDENTIFIED BY '${ICINGADB_PASS}';" mysql -e "CREATE USER IF NOT EXISTS 'notifications'@'localhost' IDENTIFIED BY '${NOTIFICATIONS_DB_PASS}';" +mysql -e "CREATE USER IF NOT EXISTS 'x509'@'localhost' IDENTIFIED BY '${ICINGA_X509_DB_PASS}';" mysql -e "GRANT ALL PRIVILEGES ON icingaweb2.* TO 'icingaweb2'@'localhost';" mysql -e "GRANT ALL PRIVILEGES ON director.* TO 'director'@'localhost';" mysql -e "GRANT ALL PRIVILEGES ON icingadb.* TO 'icingadb'@'localhost';" mysql -e "GRANT ALL PRIVILEGES ON notifications.* TO 'notifications'@'localhost';" +mysql -e "GRANT ALL PRIVILEGES ON x509.* TO 'x509'@'localhost';" mysql -e "FLUSH PRIVILEGES;" systemctl start influxdb 
@@ -371,11 +375,13 @@ IWEB_SCHEMA="/usr/share/icingaweb2/schema/mysql.schema.sql" DIRECTOR_SCHEMA="/usr/share/icingaweb2/modules/director/schema/mysql.sql" ICINGADB_SCHEMA="/usr/share/icingadb/schema/mysql/schema.sql" NOTIFICATIONS_SCHEMA="/usr/share/icinga-notifications/schema/mysql/schema.sql" +X509_SCHEMA="/usr/share/icingaweb2/modules/x509/schema/mysql.schema.sql" if [ ! -f "$IWEB_SCHEMA" ]; then echo "[ERROR] IcingaWeb-Schema nicht gefunden: $IWEB_SCHEMA" >&2; exit 1; fi if [ ! -f "$DIRECTOR_SCHEMA" ]; then echo "[ERROR] Director-Schema nicht gefunden: $DIRECTOR_SCHEMA" >&2; exit 1; fi if [ ! -f "$ICINGADB_SCHEMA" ]; then echo "[ERROR] IcingaDB-Schema nicht gefunden: $ICINGADB_SCHEMA" >&2; exit 1; fi if [ ! -f "$NOTIFICATIONS_SCHEMA" ]; then echo "[ERROR] IcingaDB-Schema nicht gefunden: $NOTIFICATIONS_SCHEMA" >&2; exit 1; fi +if [ ! -f "$X509_SCHEMA" ]; then echo "[ERROR] IcingaDB-Schema nicht gefunden: $X509_SCHEMA" >&2; exit 1; fi if ! mysql -e "use icingaweb2; show tables;" | grep -q "icingaweb_user"; then @@ -393,11 +399,17 @@ if ! mysql -e "use icingadb; show tables;" | grep -q "icingadb_schema_migration" mysql icingadb < "$ICINGADB_SCHEMA" fi -if ! mysql -e "use notifications; show tables;" | grep -q "icingadb_schema_migration"; then - echo "[INFO] Importiere IcingaDB-Schema..." +if ! mysql -e "use notifications; show tables;" | grep -q "incident_rule_escalation_state"; then + echo "[INFO] Importiere Notifications-Schema..." mysql notifications < "$NOTIFICATIONS_SCHEMA" fi +if ! mysql -e "use x509; show tables;" | grep -q "x509_schema"; then + echo "[INFO] Importiere x509-Schema..." + mysql x509 < "$X509_SCHEMA" +fi + + cat > /etc/icingaweb2/config.ini <
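Review bot: The new `$X509_SCHEMA` guard again copies the IcingaDB error label, so a missing x509 schema reports `IcingaDB-Schema nicht gefunden`; use `echo "[ERROR] x509-Schema nicht gefunden: $X509_SCHEMA" >&2`. More importantly for the (self-described incomplete) x509 wiring: `ICINGA_X509_DB_PASS` is generated and set on the MariaDB user earlier in this patch, but nothing visible writes it into an Icinga Web resource or the x509 module config, so unless `CRED_FILE` captures it outside this view the password exists only in the installing shell and the module cannot connect. Add an `[x509]` resource entry to `/etc/icingaweb2/resources.ini` mirroring the `[notifications]` block, and state in the commit message that the module config and import job are still pending so nobody deploys this as finished.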