Mirrors/zamba-lxc-toolbox
1
0
Fork 0
mirror of https://github.com/bashclub/zamba-lxc-toolbox synced 2025-10-01 15:56:19 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'dev' into main

Browse Source
This commit is contained in:
Thorsten Spille
2025-09-29 20:37:01 +02:00
committed by GitHub
parent 7d4b85d83e f4c3d6f6e1
commit 2ae38a3340
19 changed files with 1445 additions and 422 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
check_zambaconfonpve_trmm.sh Normal file
View File

@@ -0,0 +1,19 @@
#!/bin/bash
export LC_ALL=C
ZAMBA_CONF="/root/zamba-lxc-toolbox/conf/zamba.conf"
if [[ -f "$ZAMBA_CONF" ]]; then
# Prüfen, ob die Datei älter als 3 Tage ist
if find "$ZAMBA_CONF" -mtime +3 >/dev/null 2>&1; then
echo "⚠️ zamba.conf ist älter als 3 Tage Datei wird gelöscht: $ZAMBA_CONF"
rm -f "$ZAMBA_CONF"
exit 0
else
echo "❌ Problem: zamba.conf ist vorhanden und jünger als 3 Tage: $ZAMBA_CONF"
exit 2
fi
else
echo "✅ OK: zamba.conf ist nicht vorhanden"
exit 0
fi

10
conf/zamba.conf.example
View File

@@ -99,17 +99,21 @@ LXC_TAGS="linux,debian,${service}"
############### Zamba-Server-Section ###############
# Defines the REALM for the Active Directory (AD DC, AD member)
# Defines the REALM for the Active Directory (needs to be UPPER CASE, valid on zmb-ad, zmb-ad-join, zmb-member, zmb-cups)
ZMB_REALM="ZMB.ROCKS"
# Defines the domain name in your Active Directory or Workgroup (AD DC, AD member, standalone)
# Defines the domain name in your Active Directory or Workgroup (needs to be UPPER CASE, valid on zmb-ad, zmb-ad-join, zmb-member, zmb-cups, zmb-standalone)
ZMB_DOMAIN="ZMB"
# Defines the name of your domain administrator account (AD DC, AD member, standalone)
# Defines the name of your domain administrator account (Some environments are case sensitive, valid on zmb-ad, zmb-ad-join, zmb-member, zmb-cups, zmb-standalone)
ZMB_ADMIN_USER="administrator"
# The admin password for zamba installation. Please use 'single quatation marks' to avoid unexpected behaviour
# `zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail
ZMB_ADMIN_PASS='Start!123'
# Name of the "domain admins" group (depends on your Active Directory language, valid on zmb-cups, lower case)
ZMB_DOMAIN_ADMINS="domain admins"
# Defines the name of your Zamba share
ZMB_SHARE="share"

17
install.sh
View File

@@ -102,6 +102,15 @@ source "$config"
source "$PWD/src/$service/constants-service.conf"
if [[ $service == "zmb-ad-restore" ]]; then
if find ./ | grep samba-backup*.tar.bz2 ; then
sambabackup=$(find $PWD/ | grep samba-backup*.tar.bz2 | tail -1)
else
echo "No samba backup found in $PWD. Please place a samba online backup into $PWD. Canceling..."
exit 1
fi
fi
if [ $LXC_MEM -lt $LXC_MEM_MIN ]; then
LXC_MEM=$LXC_MEM_MIN
fi
@@ -184,6 +193,11 @@ pct push $LXC_NBR "$PWD/src/lxc-base.sh" /root/lxc-base.sh
pct push $LXC_NBR "$PWD/src/$service/install-service.sh" /root/install-service.sh
pct push $LXC_NBR "$PWD/src/$service/constants-service.conf" /root/constants-service.conf
if [[ $service == "zmb-ad-restore" ]]; then
pct exec $LXC_NBR -- mkdir -p /backup/online
pct push $LXC_NBR "$PWD/samba-backup-*.tar.bz2" /backup/online/
fi
if [ $debug -gt 0 ]; then dbg=-vx; else dbg=""; fi
echo "Installing basic container setup..."
@@ -195,6 +209,9 @@ pct shutdown $LXC_NBR
if [[ $service == "zmb-ad" ]]; then
## set nameserver, ${LXC_IP%/*} extracts the ip address from cidr format
pct set $LXC_NBR -nameserver ${LXC_IP%/*}
elif [[ $service == "zmb-ad-restore" ]]; then
## set nameserver, ${LXC_IP%/*} extracts the ip address from cidr format
pct set $LXC_NBR -nameserver ${LXC_IP%/*}
elif [[ $service == "zmb-ad-join" ]]; then
pct set $LXC_NBR -nameserver "${LXC_IP%/*} $LXC_DNS"
fi

52
scripts/nextcloud-update
View File

@@ -1,17 +1,47 @@
#!/bin/bash
#
# Update nextcloud
# place in /etc/cron.daily and make executable with chmod +x /etc/cron.daily/nextcloud-update
# Update Nextcloud
# Place in /etc/cron.daily and make executable with: chmod +x /etc/cron.daily/nextcloud-update
user=www-data
phpversion=php8.2
phpversion=php8.3
path=/var/www/nextcloud
logfile="/var/log/nextcloud-update.log"
alias ncc="sudo -u $user $phpversion $path/occ"
alias updater="sudo -u $user $phpversion $path/updater/updater.phar"
ncc() {
sudo -u "$user" "$phpversion" "$path/occ" "$@"
}
updater --no-backup --no-interaction
updater() {
sudo -u "$user" "$phpversion" "$path/updater/updater.phar" "$@"
}
subcommands=("db:add-missing-primary-keys" "db:add-missing-indices" "db:add-missing-columns" "db:convert-filecache-bigint" "files:scan-app-data" "--quiet --all app:update" "upgrade")
for cmd in ${subcommands[@]}; do
ncc -n $cmd
done
{
echo "===== $(date): Nextcloud Update Start ====="
updater --no-backup --no-interaction
subcommands=(
"db:add-missing-primary-keys"
"db:add-missing-indices"
"db:add-missing-columns"
"db:convert-filecache-bigint"
"files:scan-app-data"
"upgrade"
)
for cmd in "${subcommands[@]}"; do
echo "Running: occ $cmd"
ncc -n $cmd
done
# App Updates
echo "Updating apps..."
apps=$(ncc app:list | grep -Po 'Enabled:\s*\K.*' | tr -d ' ' | tr ',' '\n')
for app in $apps; do
echo "Updating app: $app"
ncc app:update "$app"
done
echo "===== $(date): Nextcloud Update Finished ====="
} >> "$logfile" 2>&1

27
src/functions.sh
View File

@@ -9,7 +9,7 @@ random_password() {
}
generate_dhparam() {
openssl dhparam -out /etc/nginx/dhparam.pem 2048
openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 2048
cat << EOF > /etc/cron.monthly/generate-dhparams
#!/bin/bash
openssl dhparam -out /etc/nginx/dhparam.gen 4096 > /dev/null 2>&1
@@ -27,5 +27,26 @@ apt_repo() {
wget -q -O - ${apt_key_url} | gpg --dearmor -o ${apt_key_path}
echo "deb [signed-by=${apt_key_path}] ${apt_repo_url}" > /etc/apt/sources.list.d/${apt_name}.list
}
}
#### Set repo and install Nginx ####
inst_nginx() {
apt_repo "nginx" "https://nginx.org/keys/nginx_signing.key" "http://nginx.org/packages/mainline/debian $(lsb_release -cs) nginx"
apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx
}
#### Set repo and install PHP ####
inst_php() {
curl -sSLo /usr/share/keyrings/sury_php.gpg https://packages.sury.org/php/apt.gpg
echo "deb [signed-by=/usr/share/keyrings/sury_php.gpg] https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/sury_php.list
apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends php-common php$NEXTCLOUD_PHP_VERSION-{fpm,gd,curl,pgsql,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,mysql,redis,smbclient,sqlite3,cli,common,opcache,readline}
}
#### Set repo and install Postgresql ####
inst_postgresql() {
apt_repo "postgresql" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" "http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main"
apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends postgresql-$POSTGRES_VERSION
}
#### Set repo and install Crowdsec ####
inst_crowdsec() {
apt_repo "crowdsec" "https://packagecloud.io/crowdsec/crowdsec/gpgkey" " https://packagecloud.io/crowdsec/crowdsec/any any main"
apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends crowdsec
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends crowdsec-firewall-bouncer-nftables
}

37
src/icinga2/constants-service.conf Normal file
View File

@@ -0,0 +1,37 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="tank"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="1"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="php-fpm,nginx,mariadb"
CRED_FILE="/root/.zamba_credentials/icinga_stack.txt"
PHP_VERSION=8.2

533
src/icinga2/install-service.sh Normal file
View File

@@ -0,0 +1,533 @@
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
source /etc/os-release
# --- Internal Helper Functions ---
_generate_local_password() {
openssl rand -base64 "$1"
}
curl -fsSL https://packages.icinga.com/icinga.key | gpg --dearmor -o /usr/share/keyrings/icinga-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/icinga-archive-keyring.gpg] https://packages.icinga.com/debian icinga-$(lsb_release -cs) main" > /etc/apt/sources.list.d/icinga.list
curl -fsSL https://packages.netways.de/netways-repo.asc | gpg --dearmor -o /usr/share/keyrings/netways-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/netways-archive-keyring.gpg] https://packages.netways.de/extras/debian/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/netways.list
curl -fsSL https://repos.influxdata.com/influxdata-archive_compat.key | gpg --dearmor -o /usr/share/keyrings/influxdata-archive_compat-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/influxdata-archive_compat-keyring.gpg] https://repos.influxdata.com/debian $(lsb_release -cs) stable" > /etc/apt/sources.list.d/influxdata.list
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq --no-install-recommends \
icinga2 nginx php${PHP_VERSION}-fpm php${PHP_VERSION}-mysql php${PHP_VERSION}-intl php${PHP_VERSION}-xml php${PHP_VERSION}-gd php${PHP_VERSION}-ldap php${PHP_VERSION}-imagick \
mariadb-server mariadb-client influxdb2 influxdb2-client imagemagick icingaweb2 icingacli icinga-php-library icingaweb2-module-reactbundle icinga-notifications icinga-notifications-web \
icinga-director icingadb icingadb-redis icingadb-web icingaweb2-module-perfdatagraphs icingaweb2-module-perfdatagraphs-influxdbv2 chromium fonts-liberation fonts-noto icinga-x509 \
monitoring-plugins monitoring-plugins-basic monitoring-plugins-common monitoring-plugins-standard monitoring-plugins-systemd icingaweb2-module-pdfexport
ICINGAWEB_DB_PASS=$(_generate_local_password 24)
DIRECTOR_DB_PASS=$(_generate_local_password 24)
ICINGADB_PASS=$(_generate_local_password 24)
ICINGA_X509_DB_PASS=$(_generate_local_password 24)
ICINGA_API_USER_PASS=$(_generate_local_password 24)
NOTIFICATIONS_DB_PASS=$(_generate_local_password 24)
ICINGAWEB_ADMIN_PASS=$(_generate_local_password 16)
INFLUX_ADMIN_PASS=$(_generate_local_password 16)
INFLUX_ADMIN_TOKEN=$(_generate_local_password 40)
systemctl start mariadb
mysql -e "CREATE DATABASE IF NOT EXISTS icingaweb2 CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;"
mysql -e "CREATE DATABASE IF NOT EXISTS director CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;"
mysql -e "CREATE DATABASE IF NOT EXISTS icingadb CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;"
mysql -e "CREATE DATABASE IF NOT EXISTS notifications CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;"
mysql -e "CREATE DATABASE IF NOT EXISTS x509 CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;"
mysql -e "CREATE USER IF NOT EXISTS 'icingaweb2'@'localhost' IDENTIFIED BY '${ICINGAWEB_DB_PASS}';"
mysql -e "CREATE USER IF NOT EXISTS 'director'@'localhost' IDENTIFIED BY '${DIRECTOR_DB_PASS}';"
mysql -e "CREATE USER IF NOT EXISTS 'icingadb'@'localhost' IDENTIFIED BY '${ICINGADB_PASS}';"
mysql -e "CREATE USER IF NOT EXISTS 'notifications'@'localhost' IDENTIFIED BY '${NOTIFICATIONS_DB_PASS}';"
mysql -e "CREATE USER IF NOT EXISTS 'x509'@'localhost' IDENTIFIED BY '${ICINGA_X509_DB_PASS}';"
mysql -e "GRANT ALL PRIVILEGES ON icingaweb2.* TO 'icingaweb2'@'localhost';"
mysql -e "GRANT ALL PRIVILEGES ON director.* TO 'director'@'localhost';"
mysql -e "GRANT ALL PRIVILEGES ON icingadb.* TO 'icingadb'@'localhost';"
mysql -e "GRANT ALL PRIVILEGES ON notifications.* TO 'notifications'@'localhost';"
mysql -e "GRANT ALL PRIVILEGES ON x509.* TO 'x509'@'localhost';"
mysql -e "FLUSH PRIVILEGES;"
systemctl start influxdb
influx setup --skip-verify --username admin --password "$INFLUX_ADMIN_PASS" --org icinga --bucket icinga --token "$INFLUX_ADMIN_TOKEN" -f
INFLUX_ICINGA_TOKEN=$(influx auth create --org icinga --all-access --json | grep -oP '"token": "\K[^"]+')
if [ -z "$INFLUX_ICINGA_TOKEN" ]; then echo "[ERROR] Konnte InfluxDB Token nicht erstellen." >&2; exit 1; fi
mkdir -p "$(dirname "$CRED_FILE")" && chmod 700 "$(dirname "$CRED_FILE")"
{
echo "# --- Icinga Monitoring Stack Credentials ---"
echo "URL: https://${ZAMBA_HOSTNAME:-$(hostname -f)}/icingaweb2; Benutzer: icingaadmin; Passwort: ${ICINGAWEB_ADMIN_PASS}"
echo "InfluxDB Admin Token: ${INFLUX_ADMIN_TOKEN}"
echo "Icinga Director API: Benutzer: director; Passwort: ${ICINGA_API_USER_PASS}"
} > "$CRED_FILE" && chmod 600 "$CRED_FILE"
systemctl enable --now icingadb-redis
cat > /etc/icinga2/features-available/icingadb.conf <<EOF
library "icingadb"
object IcingaDB "icingadb" {
host = "127.0.0.1"
port = 6380
}
EOF
cat > /etc/icinga2/conf.d/api-users.conf <<EOF
object ApiUser "director" {
password = "${ICINGA_API_USER_PASS}"
permissions = [ "*" ]
}
EOF
cat > /etc/icinga2/features-available/influxdb2-writer.conf <<EOF
object Influxdb2Writer "influxdb2" {
host = "127.0.0.1"
port = 8086
organization = "icinga"
bucket = "icinga"
auth_token = "${INFLUX_ICINGA_TOKEN}"
flush_threshold = 1024
flush_interval = 10s
host_template = {
measurement = "\$host.check_command\$"
tags = {
hostname = "\$host.name\$"
}
}
service_template = {
measurement = "\$service.check_command\$"
tags = {
hostname = "\$host.name\$"
service = "\$service.name\$"
}
}
}
EOF
cat > /etc/icinga2/zones.conf <<EOF
object Endpoint "$(hostname -f)" { host = "127.0.0.1" }
object Zone "master" { endpoints = [ "$(hostname -f)" ] }
object Zone "global-templates" { global = true }
object Zone "director-global" { global = true }
EOF
cat > /etc/icingadb/config.yml <<EOF
database:
type: mysql
host: localhost
database: icingadb
user: icingadb
password: ${ICINGADB_PASS}
redis:
host: 127.0.0.1
port: 6380
logging:
level: info
output: systemd-journald
EOF
mkdir -p /etc/icingaweb2/modules/icingadb
cat << EOF > /etc/icingaweb2/modules/icingadb/config.ini
[icingadb]
resource = icingadb
EOF
cat << EOF > /etc/icingaweb2/modules/icingadb/redis.ini
[redis1]
host = "localhost"
EOF
cat << EOF > /etc/icingaweb2/modules/icingadb/commandtransports.ini
[$(hostname -f)]
transport = "api"
host = "$(hostname -f)"
port = "5665"
username = "director"
password = "${ICINGA_API_USER_PASS}"
EOF
icinga2 feature enable icingadb
mkdir -p /etc/icingaweb2
cat > /etc/icingaweb2/resources.ini <<EOF
[icingaweb_db]
type = "db"
db = "mysql"
host = "localhost"
dbname = "icingaweb2"
username = "icingaweb2"
password = "${ICINGAWEB_DB_PASS}"
charset = "utf8mb4"
[director_db]
type = "db"
db = "mysql"
host = "localhost"
dbname = "director"
username = "director"
password = "${DIRECTOR_DB_PASS}"
charset = "utf8mb4"
[icingadb]
type = "db"
db = "mysql"
host = "localhost"
dbname = "icingadb"
username = "icingadb"
password = "${ICINGADB_PASS}"
charset = "utf8mb4"
[notifications]
type = "db"
db = "mysql"
host = "localhost"
dbname = "notifications"
username = "notifications"
password = "${NOTIFICATIONS_DB_PASS}"
charset = "utf8mb4"
EOF
cat << EOF > /etc/icinga2/conf.d/services.conf
apply Service "ping4" {
import "generic-service"
check_command = "ping4"
assign where host.address
}
apply Service "ping6" {
import "generic-service"
check_command = "ping6"
assign where host.address6
}
apply Service "ssh" {
import "generic-service"
check_command = "ssh"
assign where (host.address || host.address6) && host.vars.os == "Linux"
}
apply Service for (http_vhost => config in host.vars.http_vhosts) {
import "generic-service"
check_command = "http"
vars += config
}
apply Service for (disk => config in host.vars.disks) {
import "generic-service"
check_command = "disk"
vars += config
}
apply Service "icinga" {
import "generic-service"
check_command = "icinga"
assign where host.name == NodeName
}
apply Service "load" {
import "generic-service"
check_command = "load"
assign where host.name == NodeName
}
apply Service "procs" {
import "generic-service"
check_command = "procs"
assign where host.name == NodeName
}
apply Service "users" {
import "generic-service"
check_command = "users"
assign where host.name == NodeName
}
apply Service "ssl" {
import "generic-service"
check_command = "ssl"
assign where host.name == NodeName
}
apply Service "smtp" {
import "generic-service"
check_command = "smtp"
assign where host.name == NodeName
}
EOF
mkdir -p /etc/nginx/ssl
if [ ! -L /etc/nginx/ssl/fullchain.pem ]; then
ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/fullchain.pem
ln -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/privkey.pem
fi
cat > /etc/nginx/sites-available/icinga-stack <<EOF
server {
listen 80;
server_name ${ZAMBA_HOSTNAME:-$(hostname -f)};
return 301 https://\$host\$request_uri;
}
server {
listen 443 ssl http2;
server_name ${ZAMBA_HOSTNAME:-$(hostname -f)};
ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/privkey.pem;
root /usr/share/icingaweb2/public;
index index.php;
location / { try_files \$uri \$uri/ /index.php\$is_args\$args; }
location ~ \.php$ {
include fastcgi_params;
fastcgi_pass unix:/run/php/php${PHP_VERSION}-fpm.sock;
fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
fastcgi_param ICINGAWEB_CONFIGDIR /etc/icingaweb2;
}
#location /grafana {
# proxy_pass http://localhost:3000;
# proxy_set_header Host \$http_host;
#}
location /icingadb-web {
proxy_pass http://localhost:8080/icingadb-web;
proxy_set_header Host \$http_host;
}
}
EOF
cat << EOF > /etc/icinga-notifications/config.yml
database:
type: mysql
host: localhost
database: notifications
user: notifications
password: ${NOTIFICATIONS_DB_PASS}
EOF
cat << EOF > /etc/icingaweb2/modules/notifications/config.ini
[database]
resource = "notifications"
EOF
mkdir -p /etc/icingaweb2/modules/pdfexport
cat << EOF > /etc/icingaweb2/modules/pdfexport/config.ini
[chrome]
binary = "/usr/bin/chromium"
force_temp_storage = "0"
EOF
ln -sf /etc/nginx/sites-available/icinga-stack /etc/nginx/sites-enabled/
rm -f /etc/nginx/sites-enabled/default
sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/' "/etc/php/${PHP_VERSION}/fpm/php.ini"
sed -i "s|;date.timezone =|date.timezone = $(cat /etc/timezone)|" "/etc/php/${PHP_VERSION}/fpm/php.ini"
icinga2 api setup
systemctl enable icinga2 mariadb nginx php${PHP_VERSION}-fpm influxdb icingadb icingadb-redis icinga-notifications
systemctl start mariadb
systemctl start icinga2 icingadb-redis nginx php${PHP_VERSION}-fpm influxdb icingadb
IWEB_SCHEMA="/usr/share/icingaweb2/schema/mysql.schema.sql"
DIRECTOR_SCHEMA="/usr/share/icingaweb2/modules/director/schema/mysql.sql"
ICINGADB_SCHEMA="/usr/share/icingadb/schema/mysql/schema.sql"
NOTIFICATIONS_SCHEMA="/usr/share/icinga-notifications/schema/mysql/schema.sql"
X509_SCHEMA="/usr/share/icingaweb2/modules/x509/schema/mysql.schema.sql"
if [ ! -f "$IWEB_SCHEMA" ]; then echo "[ERROR] IcingaWeb-Schema nicht gefunden: $IWEB_SCHEMA" >&2; exit 1; fi
if [ ! -f "$DIRECTOR_SCHEMA" ]; then echo "[ERROR] Director-Schema nicht gefunden: $DIRECTOR_SCHEMA" >&2; exit 1; fi
if [ ! -f "$ICINGADB_SCHEMA" ]; then echo "[ERROR] IcingaDB-Schema nicht gefunden: $ICINGADB_SCHEMA" >&2; exit 1; fi
if [ ! -f "$NOTIFICATIONS_SCHEMA" ]; then echo "[ERROR] IcingaDB-Schema nicht gefunden: $NOTIFICATIONS_SCHEMA" >&2; exit 1; fi
if [ ! -f "$X509_SCHEMA" ]; then echo "[ERROR] IcingaDB-Schema nicht gefunden: $X509_SCHEMA" >&2; exit 1; fi
if ! mysql -e "use icingaweb2; show tables;" | grep -q "icingaweb_user"; then
echo "[INFO] Importiere IcingaWeb2-Schema..."
mysql icingaweb2 < "$IWEB_SCHEMA"
fi
if ! mysql -e "use director; show tables;" | grep -q "director_datafield"; then
echo "[INFO] Importiere Icinga Director-Schema..."
mysql director < "$DIRECTOR_SCHEMA"
fi
if ! mysql -e "use icingadb; show tables;" | grep -q "icingadb_schema_migration"; then
echo "[INFO] Importiere IcingaDB-Schema..."
mysql icingadb < "$ICINGADB_SCHEMA"
fi
if ! mysql -e "use notifications; show tables;" | grep -q "incident_rule_escalation_state"; then
echo "[INFO] Importiere Notifications-Schema..."
mysql notifications < "$NOTIFICATIONS_SCHEMA"
fi
if ! mysql -e "use x509; show tables;" | grep -q "x509_schema"; then
echo "[INFO] Importiere x509-Schema..."
mysql x509 < "$X509_SCHEMA"
fi
cat > /etc/icingaweb2/config.ini <<EOF
[global]
show_stacktraces = "0"
config_backend = "db"
config_resource = "icingaweb_db"
[logging]
log = "file"
log_file = "/var/log/icingaweb2/icingaweb2.log"
level = "ERROR"
EOF
cat > /etc/icingaweb2/authentication.ini <<EOF
[icinga-web-admin]
backend = "db"
resource = "icingaweb_db"
EOF
cat > /etc/icingaweb2/roles.ini <<EOF
[Administrators]
users = "icingaadmin"
permissions = "*"
groups = "Administrators"
EOF
mkdir -p /etc/icingaweb2/modules/monitoring
cat > /etc/icingaweb2/modules/monitoring/backends.ini <<EOF
[icingadb]
backend = "icingadb"
resource = "icingadb"
EOF
mkdir -p /etc/icingaweb2/modules/director
cat > /etc/icingaweb2/modules/director/config.ini <<EOF
[db]
resource = "director_db"
EOF
mkdir -p /etc/icingaweb2/modules/perfdatagraphs
mkdir -p /etc/icingaweb2/modules/perfdatagraphsinfluxdbv2
cat > /etc/icingaweb2/modules/perfdatagraphsinfluxdbv2/config.ini <<EOF
[influx]
api_url = "http://127.0.0.1:8086"
api_token = "${INFLUX_ICINGA_TOKEN}"
api_org = "icinga"
api_bucket = "icinga"
api_tls_insecure = "1"
EOF
cat > /etc/icingaweb2/modules/perfdatagraphs/config.ini << EOF
[perfdatagraphs]
default_timerange = "PT12H"
default_backend = "InfluxDBv2"
EOF
icinga2 feature enable icingadb api influxdb2-writer perfdata
icingacli x509 import --file /etc/ssl/certs/ca-certificates.crt
echo "[INFO] Icinga Web 2 Module werden in korrekter Reihenfolge aktiviert."
icingacli module enable reactbundle
icingacli module enable incubator
icingacli module enable director
icingacli module enable icingadb
icingacli module enable perfdatagraphs
icingacli module enable perfdatagraphsinfluxdbv2
icingacli module enable notifications
echo "[INFO] Alle Services werden neu gestartet, um die finale Konfiguration zu laden."
systemctl restart mariadb
systemctl restart php${PHP_VERSION}-fpm
systemctl restart nginx
systemctl restart icingadb
systemctl restart icinga-notifications
echo "[INFO] Füge Icinga Web 2 Admin-Benutzer direkt in die Datenbank ein."
PASSWORD_HASH=$(php -r "echo password_hash('${ICINGAWEB_ADMIN_PASS}', PASSWORD_BCRYPT);")
mysql icingaweb2 -e "INSERT INTO icingaweb_user (name, active, password_hash) VALUES ('icingaadmin', 1, '${PASSWORD_HASH}') ON DUPLICATE KEY UPDATE password_hash='${PASSWORD_HASH}';"
echo "[INFO] Warte auf Icinga Web 2 und API..."
counter=0
while ! icingacli director migration run >/dev/null 2>&1; do
counter=$((counter + 1))
if [ "$counter" -gt 15 ]; then
echo "[ERROR] Icinga Director wurde nach 30 Sekunden nicht bereit." >&2
exit 1
fi
echo "[INFO] Director ist noch nicht bereit, warte 2 Sekunden... (Versuch ${counter}/15)"
sleep 2
done
echo "[INFO] Icinga Director ist bereit."
echo "[INFO] Icinga Director Setup wird ausgeführt."
cat > /etc/icingaweb2/modules/director/kickstart.ini <<EOF
[config]
endpoint = "$(hostname -f)"
port = "5665"
username = "director"
password = "${ICINGA_API_USER_PASS}"
EOF
systemctl restart icinga2
icingacli director kickstart run
echo "[INFO] Director Konfiguration wird angewendet."
icingacli director config deploy
echo ""
echo "================================================="
echo " Installation des Icinga Monitoring Stacks abgeschlossen"
echo "================================================="
echo ""
echo "Die Konfiguration wurde erfolgreich abgeschlossen."
echo "Alle notwendigen Passwörter, Logins und API-Keys wurden generiert."
echo ""
echo "Sie finden alle Zugangsdaten in der folgenden Datei:"
echo " ${CRED_FILE}"
echo ""
echo "Wichtige URLs:"
echo " Icinga Web 2: https://${ZAMBA_HOSTNAME:-$(hostname -f)}/icingaweb2"
echo " IcingaDB Web: https://${ZAMBA_HOSTNAME:-$(hostname -f)}/icingadb-web"
echo ""
cat ${CRED_FILE}

2
src/mailcow/constants-service.conf
View File

@@ -13,7 +13,7 @@ LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=1
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="var/lib/docker"
LXC_SHAREFS_MOUNTPOINT="backup"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"

74
src/mailcow/install-service.sh
View File

@@ -17,7 +17,7 @@ chmod a+r /etc/apt/keyrings/docker.gpg
# Add the repository to Apt sources:
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
apt-get update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin jq
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get install -y -qq rsync docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin jq
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get purge -y -qq postfix
SECRET=$(random_password)
@@ -156,7 +156,6 @@ POPS_PORT=995
SIEVE_PORT=4190
DOVEADM_PORT=127.0.0.1:19991
SQL_PORT=127.0.0.1:13306
SOLR_PORT=127.0.0.1:18983
REDIS_PORT=127.0.0.1:7654
# Your timezone
@@ -242,15 +241,6 @@ SKIP_CLAMD=n
SKIP_SOGO=n
# Skip Solr on low-memory systems or if you do not want to store a readable index of your mails in solr-vol-1.
SKIP_SOLR=n
# Solr heap size in MB, there is no recommendation, please see Solr docs.
# Solr is a prone to run OOM and should be monitored. Unmonitored Solr setups are not recommended.
SOLR_HEAP=1024
# Allow admins to log into SOGo as email user (without any password)
ALLOW_ADMIN_EMAIL_LOGIN=n
@@ -361,35 +351,45 @@ WEBAUTHN_ONLY_TRUSTED_VENDORS=n
# Otherwise it will work normally.
SPAMHAUS_DQS_KEY=
# Obtain certificates for autodiscover.* and autoconfig.* domains.
# This can be useful to switch off in case you are in a scenario where a reverse proxy already handles those.
# There are mixed scenarios where ports 80,443 are occupied and you do not want to share certs
# between services. So acme-mailcow obtains for maildomains and all web-things get handled
# in the reverse proxy.
AUTODISCOVER_SAN=y
# Skip Unbound (DNS Resolver) Healthchecks (NOT Recommended!) - y/n
SKIP_UNBOUND_HEALTHCHECK=n
# Prevent netfilter from setting an iptables/nftables rule to isolate the mailcow docker network - y/n
# CAUTION: Disabling this may expose container ports to other neighbors on the same subnet, even if the ports are bound to localhost
DISABLE_NETFILTER_ISOLATION_RULE=n
# ------------------------------
# REDIS configuration
# ------------------------------
REDISPASS=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2> /dev/null | head -c 28)
# Dovecot Indexing (FTS) Process maximum heap size in MB, there is no recommendation, please see Dovecot docs.
# Flatcurve is used as FTS Engine. It is supposed to be pretty efficient in CPU and RAM consumption.
# Please always monitor your Resource consumption!
FTS_HEAP=128
# Controls how many processes the Dovecot indexing process can spawn at max.
# Too many indexing processes can use a lot of CPU and Disk I/O
# Please visit: https://doc.dovecot.org/configuration_manual/service_configuration/#indexer-worker for more informations
FTS_PROCS=1
# Skip FTS (Fulltext Search) for Dovecot on low-memory, low-threaded systems or if you simply want to disable it.
# Dovecot inside mailcow use Flatcurve as FTS Backend.
SKIP_FTS=y
# Redirect HTTP connections to HTTPS - y/n
HTTP_REDIRECT=y
EOF
cat << EOF > /etc/cron.daily/mailcowbackup
#!/bin/sh
# Backup mailcow data
# https://docs.mailcow.email/backup_restore/b_n_r-backup/
set -e
OUT="\$(mktemp)"
export MAILCOW_BACKUP_LOCATION="/$LXC_SHAREFS_MOUNTPOINT/backup"
SCRIPT="/opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh"
PARAMETERS="backup all"
OPTIONS="--delete-days 7"
mkdir -p \$MAILCOW_BACKUP_LOCATION
# run command
set +e
"\${SCRIPT}" \${PARAMETERS} \${OPTIONS} 2>&1 > "\$OUT"
RESULT=\$?
if [ \$RESULT -ne 0 ]
then
echo "\${SCRIPT} \${PARAMETERS} \${OPTIONS} encounters an error:"
echo "RESULT=\$RESULT"
echo "STDOUT / STDERR:"
cat "\$OUT"
fi
#!/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
25 1 * * * rsync -aH --delete /opt/mailcow-dockerized /${LXC_SHAREFS_MOUNTPOINT}/mailcow-dockerized
40 2 * * * rsync -aH --delete /var/lib/docker/volumes /${LXC_SHAREFS_MOUNTPOINT}/var_lib_docker_volumes
5 4 * * * cd /opt/mailcow-dockerized/; BACKUP_LOCATION=/${LXC_SHAREFS_MOUNTPOINT}/db_crypt_redis /opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup mysql crypt redis --delete-days 3
EOF
chmod +x /etc/cron.daily/mailcowbackup

7
src/nextcloud/constants-service.conf
View File

@@ -30,7 +30,10 @@ LXC_KEYCTL="0"
NEXTCLOUD_VERSION="latest"
# Defines the php version to install
NEXTCLOUD_PHP_VERSION="8.2"
NEXTCLOUD_PHP_VERSION="8.3"
# Defines the postgresql version to install
POSTGRES_VERSION=16
# Defines the IP from the SQL server
NEXTCLOUD_DB_IP="127.0.0.1"
@@ -51,4 +54,4 @@ NEXTCLOUD_DB_PWD="$(random_password)"
LXC_MEM_MIN=4096
# service dependent meta tags
SERVICE_TAGS="php-fpm,nginx,postgresql"
SERVICE_TAGS="php-fpm,nginx,postgresql"

813
src/nextcloud/install-service.sh
View File

@@ -5,130 +5,68 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh
NEXTCLOUD_ADMIN_PWD=$(random_password)
source /root/zamba.conf
source /root/constants-service.conf
NEXTCLOUD_ADMIN_PWD=$(random_password)
NEXTCLOUD_REDIS_PWD=$(random_password)
HOSTNAME=$(hostname -f)
HOST_IP=$(hostname -i)
wget -q -O - https://packages.sury.org/php/apt.gpg | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/sury-php.gpg >/dev/null
echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
wget -q -O - https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/nginx.gpg >/dev/null
echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/postgresql.gpg >/dev/null
echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends tree locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat fail2ban ldap-utils cifs-utils redis-server imagemagick libmagickcore-6.q16-6-extra \
postgresql-15 nginx php$NEXTCLOUD_PHP_VERSION-{fpm,gd,mysql,pgsql,curl,xml,zip,intl,mbstring,bz2,ldap,apcu,bcmath,gmp,imagick,igbinary,redis,dev,smbclient,cli,common,opcache,readline}
timedatectl set-timezone $LXC_TIMEZONE
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
#### Create database for nextcloud ####
su - postgres <<EOF
psql -c "CREATE USER $NEXTCLOUD_DB_USR WITH PASSWORD '$NEXTCLOUD_DB_PWD';"
psql -c "CREATE DATABASE $NEXTCLOUD_DB_NAME ENCODING UTF8 TEMPLATE template0 OWNER $NEXTCLOUD_DB_USR;"
echo "Postgres User $NEXTCLOUD_DB_USR and database $NEXTCLOUD_DB_NAME created."
EOF
#### Adjust php settings ####
cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf.bak
cp /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini.bak
cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini.bak
cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf.bak
cp /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini.bak
cp /etc/ImageMagick-6/policy.xml /etc/ImageMagick-6/policy.xml.bak
sed -i "s/;env\[HOSTNAME\] = /env[HOSTNAME] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/;env\[TMP\] = /env[TMP] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/;env\[TMPDIR\] = /env[TMPDIR] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/;env\[TEMP\] = /env[TEMP] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/;env\[PATH\] = /env[PATH] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/pm.max_children =.*/pm.max_children = 120/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/pm.start_servers =.*/pm.start_servers = 12/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/pm.min_spare_servers =.*/pm.min_spare_servers = 6/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/pm.max_spare_servers =.*/pm.max_spare_servers = 18/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/;pm.max_requests =.*/pm.max_requests = 1000/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/allow_url_fopen =.*/allow_url_fopen = 1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
sed -i "s/post_max_size =.*/post_max_size = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
sed -i "s|;date.timezone.*|date.timezone = $LXC_TIMEZONE|" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
sed -i "s/memory_limit = 128M/memory_limit = 1024M/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/post_max_size =.*/post_max_size = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10240M/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s|;date.timezone.*|date.timezone = $LXC_TIMEZONE|" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;session.cookie_secure.*/session.cookie_secure = True/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.enable=.*/opcache.enable=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.enable_cli=.*/opcache.enable_cli=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.memory_consumption=.*/opcache.memory_consumption=128/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.interned_strings_buffer=.*/opcache.interned_strings_buffer=16/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.max_accelerated_files=.*/opcache.max_accelerated_files=10000/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.revalidate_freq=.*/opcache.revalidate_freq=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.save_comments=.*/opcache.save_comments=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
echo -e '\napc.enable_cli=1' >> /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini
sed -i "s/rights=\"none\" pattern=\"PS\"/rights=\"read|write\" pattern=\"PS\"/" /etc/ImageMagick-6/policy.xml
sed -i "s/rights=\"none\" pattern=\"EPS\"/rights=\"read|write\" pattern=\"EPS\"/" /etc/ImageMagick-6/policy.xml
sed -i "s/rights=\"none\" pattern=\"PDF\"/rights=\"read|write\" pattern=\"PDF\"/" /etc/ImageMagick-6/policy.xml
sed -i "s/rights=\"none\" pattern=\"XPS\"/rights=\"read|write\" pattern=\"XPS\"/" /etc/ImageMagick-6/policy.xml
#### Adjust nginx settings ####
mkdir -p /etc/nginx/ssl
#### Modify Nginx for Nextcloud ####
mod_nginx() {
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/nextcloud.key -out /etc/ssl/certs/nextcloud.crt -subj "/CN=$NEXTCLOUD_FQDN" -addext "subjectAltName=DNS:$NEXTCLOUD_FQDN"
generate_dhparam
mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
cat > /etc/nginx/nginx.conf <<EOF
user www-data;
worker_processes auto;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
multi_accept on; use epoll;
worker_connections 2048;
multi_accept on;
use epoll;
}
http {
server_names_hash_bucket_size 64;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log warn;
set_real_ip_from 127.0.0.1;
#optional, Sie können das eigene Subnetz ergänzen, bspw.:
# set_real_ip_from $LXC_IP;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
include /etc/nginx/mime.types;
types {
text/javascript mjs;
}
default_type application/octet-stream;
sendfile on;
send_timeout 3600;
tcp_nopush on;
tcp_nodelay on;
open_file_cache max=500 inactive=10m;
open_file_cache_errors on;
keepalive_timeout 65;
reset_timedout_connection on;
server_tokens off;
resolver 127.0.0.53 valid=30s;
resolver_timeout 5s;
include /etc/nginx/conf.d/*.conf;
log_format bashclub escape=json
'{'
'"time_local":"\$time_local",'
'"remote_addr":"\$remote_addr",'
'"remote_user":"\$remote_user",'
'"request":"\$request",'
'"status": "\$status",'
'"body_bytes_sent":"\$body_bytes_sent",'
'"request_time":"\$request_time",'
'"http_referrer":"\$http_referer",'
'"http_user_agent":"\$http_user_agent"'
'}';
server_names_hash_bucket_size 64;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log warn;
set_real_ip_from 127.0.0.1;
# optional, set reverse proxy ip, if used:
# set_real_ip_from $NEXTCLOUD_REVPROX;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
send_timeout 3600;
tcp_nopush on;
tcp_nodelay on;
open_file_cache max=500 inactive=10m;
open_file_cache_errors on;
keepalive_timeout 65;
reset_timedout_connection on;
server_tokens off;
resolver $NEXTCLOUD_REVPROX valid=30s;
resolver_timeout 5s;
include /etc/nginx/conf.d/*.conf;
}
EOF
@@ -137,171 +75,311 @@ touch /etc/nginx/conf.d/default.conf
cat > /etc/nginx/conf.d/http.conf << EOF
upstream php-handler {
server unix:/run/php/php$NEXTCLOUD_PHP_VERSION-fpm.sock;
server unix:/run/php/php$NEXTCLOUD_PHP_VERSION-fpm.sock;
}
map \$arg_v \$asset_immutable {
"" "";
default "immutable";
"" "";
default "immutable";
}
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name $NEXTCLOUD_FQDN;
root /var/www;
location / {
return 301 https://\$host\$request_uri;
}
listen 80 default_server;
listen [::]:80 default_server;
server_name $NEXTCLOUD_FQDN;
root /var/www;
location ^~ /.well-known/acme-challenge {
default_type text/plain;
root /var/www/letsencrypt;
}
location / {
return 301 https://\$host\$request_uri;
}
}
EOF
cat > /etc/nginx/conf.d/nextcloud.conf << EOF
limit_req_zone \$binary_remote_addr zone=NextcloudRateLimit:10m rate=2r/s;
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name $NEXTCLOUD_FQDN;
ssl_certificate /etc/ssl/certs/nextcloud.crt;
ssl_certificate_key /etc/ssl/private/nextcloud.key;
ssl_trusted_certificate /etc/ssl/certs/nextcloud.crt;
#ssl_certificate /etc/letsencrypt/rsa-certs/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/rsa-certs/privkey.pem;
#ssl_certificate /etc/letsencrypt/ecc-certs/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/ecc-certs/privkey.pem;
#ssl_trusted_certificate /etc/letsencrypt/ecc-certs/chain.pem;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384';
ssl_ecdh_curve X448:secp521r1:secp384r1;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
client_max_body_size 5120M;
client_body_timeout 300s;
client_body_buffer_size 512k;
fastcgi_buffers 64 4K;
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml text/javascript application/wasm application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
add_header Permissions-Policy "interest-cohort=()";
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-XSS-Protection "1; mode=block" always;
fastcgi_hide_header X-Powered-By;
fastcgi_read_timeout 3600;
fastcgi_send_timeout 3600;
fastcgi_connect_timeout 3600;
root /var/www/nextcloud;
index index.php index.html /index.php\$request_uri;
expires 1m;
location = / {
if ( \$http_user_agent ~ ^DavClnt ) {
return 302 /remote.php/webdav/\$is_args\$args;
}
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ^~ /apps/rainloop/app/data {
deny all;
}
location ^~ /.well-known {
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }
location ^~ /.well-known { return 301 /index.php/\$uri; }
try_files \$uri \$uri/ =404;
}
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:\$|/) { return 404; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
location ~ \.php(?:\$|/) {
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
fastcgi_split_path_info ^(.+?\.php)(/.*)\$;
set \$path_info \$fastcgi_path_info;
try_files \$fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
fastcgi_param PATH_INFO \$path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ \.(?:css|js|mjs|svg|gif|ico|wasm|tflite|map)\$ {
try_files \$uri /index.php\$request_uri;
expires 6M;
access_log off;
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
http2 on;
#listen 443 quic reuseport;
#listen [::]:443 quic reuseport;
#http3 on;
#http3_hq on;
#quic_retry on;
server_name $NEXTCLOUD_FQDN;
ssl_certificate /etc/ssl/certs/nextcloud.crt;
ssl_certificate_key /etc/ssl/private/nextcloud.key;
ssl_trusted_certificate /etc/ssl/certs/nextcloud.crt;
#ssl_certificate /etc/letsencrypt/rsa-certs/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/rsa-certs/privkey.pem;
#ssl_certificate /etc/letsencrypt/ecc-certs/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/ecc-certs/privkey.pem;
#ssl_trusted_certificate /etc/letsencrypt/ecc-certs/chain.pem;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
client_max_body_size 10G;
client_body_timeout 3600s;
client_body_buffer_size 512k;
fastcgi_buffers 64 4K;
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
add_header Permissions-Policy "interest-cohort=()";
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Alt-Svc 'h3=":\$server_port"; ma=86400';
add_header x-quic 'h3';
add_header Alt-Svc 'h3-29=":\$server_port"';
fastcgi_hide_header X-Powered-By;
include mime.types;
types {
text/javascript mjs;
}
root /var/www/nextcloud;
index index.php index.html /index.php\$request_uri;
location = / {
if ( \$http_user_agent ~ ^DavClnt ) {
return 302 /remote.php/webdav/\$is_args\$args;
}
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ^~ /.well-known {
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }
location /.well-known/acme-challenge { try_files \$uri \$uri/ =404; }
location /.well-known/pki-validation { try_files \$uri \$uri/ =404; }
return 301 /index.php\$request_uri;
}
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
location ~ \.php(?:$|/) {
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php\$request_uri;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set \$path_info \$fastcgi_path_info;
try_files \$fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
fastcgi_param PATH_INFO \$path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
fastcgi_read_timeout 3600;
fastcgi_send_timeout 3600;
fastcgi_connect_timeout 3600;
fastcgi_max_temp_file_size 0;
}
location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ {
try_files \$uri /index.php\$request_uri;
add_header Cache-Control "public, max-age=15768000, \$asset_immutable";
add_header Permissions-Policy "interest-cohort=()";
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Alt-Svc 'h3=":\$server_port"; ma=86400';
add_header x-quic 'h3';
add_header Alt-Svc 'h3-29=":\$server_port"';
access_log off;
expires 6M;
access_log off;
location ~ \.wasm$ {
default_type application/wasm;
}
}
location ~ \.woff2?\$ {
try_files \$uri /index.php\$request_uri;
expires 7d;
access_log off;
}
location / {
try_files \$uri \$uri/ /index.php\$request_uri;
}
location /push/ {
proxy_pass http://localhost:7867/;
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host \$host;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
}
default_type application/wasm;
}
}
location ~ \.(otf|woff2?)$ {
try_files \$uri /index.php\$request_uri;
expires 7d;
access_log off;
}
location /remote {
return 301 /remote.php\$request_uri;
}
location /login {
limit_req zone=NextcloudRateLimit burst=5 nodelay;
limit_req_status 429;
try_files \$uri \$uri/ /index.php\$request_uri;
}
location / {
try_files \$uri \$uri/ /index.php\$request_uri;
}
location ^~ /push/ {
proxy_pass http://127.0.0.1:7867/;
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host \$host;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
}
}
EOF
}
systemctl restart php$NEXTCLOUD_PHP_VERSION-fpm nginx
#### Modify php settings for Nextcloud ####
mod_php() {
cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf.bak
cp /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini.bak
cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini.bak
cp /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf.bak
cp /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini.bak
cp /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini.bak
cp /etc/ImageMagick-6/policy.xml /etc/ImageMagick-6/policy.xml.bak
#### Adjust redis settings ####
sed -i "s/;env\[HOSTNAME\] = /env[HOSTNAME] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/;env\[TMP\] = /env[TMP] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/;env\[TMPDIR\] = /env[TMPDIR] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/;env\[TEMP\] = /env[TEMP] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/;env\[PATH\] = /env[PATH] = /" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/pm.max_children =.*/pm.max_children = 200/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/pm.start_servers =.*/pm.start_servers = 100/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/pm.min_spare_servers =.*/pm.min_spare_servers = 60/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/pm.max_spare_servers =.*/pm.max_spare_servers = 140/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/;pm.max_requests =.*/pm.max_requests = 1000/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/pool.d/www.conf
sed -i "s/allow_url_fopen =.*/allow_url_fopen = 1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
sed -i "s/post_max_size =.*/post_max_size = 10G/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10G/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
sed -i "s|;date.timezone.*|date.timezone = $LXC_TIMEZONE|" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
sed -i "s/;cgi.fix_pathinfo.*/cgi.fix_pathinfo=0/" /etc/php/$NEXTCLOUD_PHP_VERSION/cli/php.ini
sed -i "s/memory_limit = 128M/memory_limit = 1G/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/post_max_size =.*/post_max_size = 10G/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10G/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s|;date.timezone.*|date.timezone = $LXC_TIMEZONE|" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;session.cookie_secure.*/session.cookie_secure = True/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.enable=.*/opcache.enable=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.validate_timestamps=.*/opcache.validate_timestamps=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.enable_cli=.*/opcache.enable_cli=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.memory_consumption=.*/opcache.memory_consumption=256/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.interned_strings_buffer=.*/opcache.interned_strings_buffer=64/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.max_accelerated_files=.*/opcache.max_accelerated_files=100000/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.revalidate_freq=.*/opcache.revalidate_freq=0/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.save_comments=.*/opcache.save_comments=1/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s/;opcache.huge_code_pages=.*/opcache.huge_code_pages=0/" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php.ini
sed -i "s|;emergency_restart_threshold.*|emergency_restart_threshold = 10|g" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf
sed -i "s|;emergency_restart_interval.*|emergency_restart_interval = 1m|g" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf
sed -i "s|;process_control_timeout.*|process_control_timeout = 10|g" /etc/php/$NEXTCLOUD_PHP_VERSION/fpm/php-fpm.conf
sed -i '$aapc.enable_cli=1' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/apcu.ini
sed -i 's/opcache.jit=off/opcache.jit=on/' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini
sed -i '$aopcache.jit=1255' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini
sed -i '$aopcache.jit_buffer_size=256M' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/opcache.ini
sed -i "s/rights=\"none\" pattern=\"PS\"/rights=\"read|write\" pattern=\"PS\"/" /etc/ImageMagick-6/policy.xml
sed -i "s/rights=\"none\" pattern=\"EPS\"/rights=\"read|write\" pattern=\"EPS\"/" /etc/ImageMagick-6/policy.xml
sed -i "s/rights=\"none\" pattern=\"PDF\"/rights=\"read|write\" pattern=\"PDF\"/" /etc/ImageMagick-6/policy.xml
sed -i "s/rights=\"none\" pattern=\"XPS\"/rights=\"read|write\" pattern=\"XPS\"/" /etc/ImageMagick-6/policy.xml
sed -i '$apgsql.allow_persistent = On' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
sed -i '$apgsql.auto_reset_persistent = Off' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
sed -i '$apgsql.max_persistent = -1' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
sed -i '$apgsql.max_links = -1' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
sed -i '$apgsql.ignore_notice = 0' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
sed -i '$apgsql.log_notice = 0' /etc/php/$NEXTCLOUD_PHP_VERSION/mods-available/pgsql.ini
}
#### Modify Postgresql for Nextcloud ####
mod_postgresql() {
su - postgres <<EOF
psql -c "CREATE USER $NEXTCLOUD_DB_USR WITH PASSWORD '$NEXTCLOUD_DB_PWD';"
psql -c "CREATE DATABASE $NEXTCLOUD_DB_NAME ENCODING UTF8 TEMPLATE template0 OWNER $NEXTCLOUD_DB_USR;"
echo "Postgres User $NEXTCLOUD_DB_USR and database $NEXTCLOUD_DB_NAME created."
EOF
cat > /etc/postgresql/$POSTGRES_VERSION/main/conf.d/nextcloud.conf <<EOF
max_connections = 200
shared_buffers = 1GB
effective_cache_size = 3GB
maintenance_work_mem = 256MB
checkpoint_completion_target = 0.9
wal_buffers = 16MB
default_statistics_target = 100
random_page_cost = 1.1
effective_io_concurrency = 200
work_mem = 2621kB
min_wal_size = 1GB
max_wal_size = 4GB
max_worker_processes = 4
max_parallel_workers_per_gather = 2
max_parallel_workers = 4
max_parallel_maintenance_workers = 2
EOF
}
#### Install and modify Redis-server ####
inst_redis() {
apt update && DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends redis-server
}
mod_redis() {
cp /etc/redis/redis.conf /etc/redis/redis.conf.bak
sed -i "s/port 6379/port 0/" /etc/redis/redis.conf
sed -i s/\#\ unixsocket/\unixsocket/g /etc/redis/redis.conf
sed -i "s/unixsocketperm 700/unixsocketperm 770/" /etc/redis/redis.conf
sed -i "s/# maxclients 10000/maxclients 512/" /etc/redis/redis.conf
sed -i "s/# maxclients 10000/maxclients 10240/" /etc/redis/redis.conf
sed -i "s/# requirepass foobared/requirepass $NEXTCLOUD_REDIS_PWD/" /etc/redis/redis.conf
usermod -aG redis www-data
#### Adjust sysctl.conf settings ####
cp /etc/sysctl.conf /etc/sysctl.conf.bak
echo "vm.overcommit_memory = 1" >> /etc/sysctl.conf
systemctl restart redis
sed -i '$avm.overcommit_memory = 1' /etc/sysctl.conf
}
#### HIER MÜSSTE EIN REBOOT REIN ####
#### Install nextcloud ####
#### Install some more packages
inst_packages() {
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends tree ldap-utils php-ldap cifs-utils locate screen zip ffmpeg ghostscript libfile-fcntllock-perl libfuse2 socat imagemagick libmagickcore-6.q16-6-extra
timedatectl set-timezone $LXC_TIMEZONE
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www /etc/letsencrypt
chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
}
#### Install and modify Nextcloud ####
inst_nextcloud() {
cd /usr/local/src
wget https://download.nextcloud.com/server/releases/latest.tar.bz2
wget https://download.nextcloud.com/server/releases/latest.tar.bz2.md5
md5sum -c latest.tar.bz2.md5 < latest.tar.bz2
tar -xjf latest.tar.bz2 -C /var/www && chown -R www-data:www-data /var/www/ && rm -f latest.tar.bz2
md5sum -c --ignore-missing latest.tar.bz2.md5 < latest.tar.bz2
tar -xjf latest.tar.bz2 -C /var/www && chown -R www-data:www-data /var/www/ && rm -f latest.tar.bz2*
cat > /root/permissions.sh << EOF
#!/bin/bash
find /var/www/ -type f -print0 | xargs -0 chmod 0640
find /var/www/ -type d -print0 | xargs -0 chmod 0750
chown -R www-data:www-data /var/www
if [ -d "/var/www/nextcloud/apps/notify_push" ]; then
chmod ug+x /var/www/nextcloud/apps/notify_push/bin/x86_64/notify_push
fi
chmod -R 770 /etc/letsencrypt
chown -R www-data:www-data /var/www
chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA
chmod 0644 /var/www/nextcloud/.htaccess
chmod 0644 /var/www/nextcloud/.user.ini
@@ -310,39 +388,14 @@ EOF
chmod +x /root/permissions.sh
/root/permissions.sh
#### install fail2ban ####
cat <<EOF >/etc/fail2ban/filter.d/nextcloud.conf
[Definition]
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
EOF
cat > /etc/fail2ban/jail.d/nextcloud.local << EOF
[nextcloud]
backend = auto
enabled = true
port = 80,443
protocol = tcp
filter = nextcloud
maxretry = 5
bantime = 3600
findtime = 36000
logpath = /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/nextcloud.log
EOF
systemctl restart fail2ban
}
#### Create configuration script for nextcloud, which will be executet as user www-data
mod_nextcloudconfig() {
cat > /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/config_nextcloud.sh << DFOE
systemctl stop nginx
#!/bin/bash
php /var/www/nextcloud/occ maintenance:install --database pgsql \
sudo -u www-data /usr/bin/php /var/www/nextcloud/occ maintenance:install --database pgsql \
--database-host $NEXTCLOUD_DB_IP \
--database-port $NEXTCLOUD_DB_PORT \
--database-name $NEXTCLOUD_DB_NAME \
@@ -352,110 +405,176 @@ php /var/www/nextcloud/occ maintenance:install --database pgsql \
--admin-pass $NEXTCLOUD_ADMIN_PWD \
--data-dir /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA
php /var/www/nextcloud/occ config:system:set trusted_domains 0 --value=$NEXTCLOUD_FQDN
php /var/www/nextcloud/occ config:system:set overwrite.cli.url --value=https://$NEXTCLOUD_FQDN
cp /var/www/nextcloud/config/config.php /var/www/nextcloud/config/config.php.bak
sed -i 's/^[ ]*//' /var/www/nextcloud/config/config.php
sudo -u www-data cp /var/www/nextcloud/config/config.php /var/www/nextcloud/config/config.php.bak
sed -i '/);/d' /var/www/nextcloud/config/config.php
sed -i 's/^[ ]*//' /var/www/nextcloud/config/config.php
sed -i "s/output_buffering=.*/output_buffering=0/" /var/www/nextcloud/.user.ini
cat >> /var/www/nextcloud/config/config.php << EOF
'activity_expire_days' => 14,
'auth.bruteforce.protection.enabled' => true,
'blacklisted_files' =>
array (
0 => '.htaccess',
1 => 'Thumbs.db',
2 => 'thumbs.db',
),
'cron_log' => true,
'default_phone_region' => 'DE',
'enable_previews' => true,
'enabledPreviewProviders' =>
array (
0 => 'OC\Preview\PNG',
1 => 'OC\Preview\JPEG',
2 => 'OC\Preview\GIF',
3 => 'OC\Preview\BMP',
4 => 'OC\Preview\XBitmap',
5 => 'OC\Preview\Movie',
6 => 'OC\Preview\PDF',
7 => 'OC\Preview\MP3',
8 => 'OC\Preview\TXT',
9 => 'OC\Preview\MarkDown',
),
'filesystem_check_changes' => 0,
'filelocking.enabled' => 'true',
'htaccess.RewriteBase' => '/',
'integrity.check.disabled' => false,
'knowledgebaseenabled' => false,
'logfile' => '/var/$NEXTCLOUD_DATA/nextcloud.log',
'loglevel' => 2,
'logtimezone' => '$LXC_TIMEZONE',
'log_rotate_size' => 104857600,
'maintenance' => false,
'memcache.local' => '\OC\Memcache\APCu',
'memcache.locking' => '\OC\Memcache\Redis',
'overwriteprotocol' => 'https',
'preview_max_x' => 1024,
'preview_max_y' => 768,
'preview_max_scale_factor' => 1,
'redis' =>
array (
'host' => '/var/run/redis/redis-server.sock',
'port' => 0,
'timeout' => 0.0,
),
'quota_include_external_storage' => false,
'share_folder' => '/Freigaben',
'skeletondirectory' => '',
'theme' => '',
'trashbin_retention_obligation' => 'auto, 7',
'updater.release.channel' => 'stable',
'trusted_proxies' =>
array (
'$NEXTCLOUD_REVPROX',
'127.0.0.1',
'::1',
),
'activity_expire_days' => 14,
'allow_local_remote_servers' => true,
'auth.bruteforce.protection.enabled' => true,
'forbidden_filenames' =>
array (
0 => '.htaccess',
1 => 'Thumbs.db',
2 => 'thumbs.db',
),
'cron_log' => true,
'default_phone_region' => 'DE',
'enable_previews' => true,
'enabledPreviewProviders' =>
array (
0 => 'OC\\Preview\\PNG',
1 => 'OC\\Preview\\JPEG',
2 => 'OC\\Preview\\GIF',
3 => 'OC\\Preview\\BMP',
4 => 'OC\\Preview\\XBitmap',
5 => 'OC\\Preview\\Movie',
6 => 'OC\\Preview\\PDF',
7 => 'OC\\Preview\\MP3',
8 => 'OC\\Preview\\TXT',
9 => 'OC\\Preview\\MarkDown',
10 => 'OC\\Preview\\HEIC',
11 => 'OC\\Preview\\Movie',
12 => 'OC\\Preview\\MKV',
13 => 'OC\\Preview\\MP4',
14 => 'OC\\Preview\\AVI',
),
'filesystem_check_changes' => 0,
'filelocking.enabled' => 'true',
'htaccess.RewriteBase' => '/',
'integrity.check.disabled' => false,
'knowledgebaseenabled' => false,
'logfile' => '/$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/nextcloud.log',
'loglevel' => 2,
'logtimezone' => '$LXC_TIMEZONE',
'log_rotate_size' => 104857600,
'memcache.local' => '\OC\Memcache\APCu',
'memcache.locking' => '\OC\Memcache\Redis',
'overwriteprotocol' => 'https',
'preview_max_x' => 1024,
'preview_max_y' => 768,
'preview_max_scale_factor' => 1,
'profile.enabled' => false,
'redis' =>
array (
'host' => '/run/redis/redis-server.sock',
'port' => 0,
'password' => '$NEXTCLOUD_REDIS_PWD',
'timeout' => 0.0,
),
'quota_include_external_storage' => false,
'share_folder' => '/Freigaben',
'skeletondirectory' => '',
'theme' => '',
'trashbin_retention_obligation' => 'auto, 7',
'updater.release.channel' => 'stable',
'maintenance_window_start' => 1,
'maintenance' => false,
'mail_smtpmode' => 'sendmail',
'mail_sendmailmode' => 'smtp',
'mail_from_address' => '$NEXTCLOUD_ADMIN_USR',
'mail_domain' => '$NEXTCLOUD_FQDN',
'overwrite.cli.url' => 'https://$NEXTCLOUD_FQDN',
'overwritehost' => '$NEXTCLOUD_FQDN',
'trusted_domains' =>
array (
0 => '$HOST_IP',
1 => '$NEXTCLOUD_FQDN',
),
);
EOF
sed -i "s/output_buffering=.*/output_buffering=0/" /var/www/nextcloud/.user.ini
php /var/www/nextcloud/occ app:disable survey_client
php /var/www/nextcloud/occ app:disable firstrunwizard
php /var/www/nextcloud/occ app:enable admin_audit
php /var/www/nextcloud/occ app:enable notify_push
php /var/www/nextcloud/occ app:enable files_pdfviewer
php /var/www/nextcloud/occ background:cron
DFOE
/root/permissions.sh
su -s /bin/bash www-data <<EOF
bash /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA/config_nextcloud.sh
EOF
sudo -u www-data /usr/bin/cp /var/www/nextcloud/config/config.php /var/www/nextcloud/config/config.php.bak
sudo -u www-data /usr/bin/php /var/www/nextcloud/occ app:disable survey_client
sudo -u www-data /usr/bin/php /var/www/nextcloud/occ app:disable firstrunwizard
sudo -u www-data /usr/bin/php /var/www/nextcloud/occ app:enable admin_audit
#sudo -u www-data /usr/bin/php /var/www/nextcloud/occ app:enable notify_push
sudo -u www-data /usr/bin/php /var/www/nextcloud/occ background:cron
sudo -u www-data /usr/bin/php /var/www/nextcloud/occ db:add-missing-indices
sudo -u www-data nohup /usr/bin/php /var/www/nextcloud/occ maintenance:repair --include-expensive &
sed -i 's/^[ ]*//' /var/www/nextcloud/config/config.php
sed -i "s/output_buffering=.*/output_buffering=0/" /var/www/nextcloud/.user.ini
#### Create file for high performance backend
echo "*/5 * * * * www-data /usr/bin/php -f /var/www/nextcloud/cron.php > /dev/null 2>&1" > /etc/cron.d/nextcloud
systemctl restart php$NEXTCLOUD_PHP_VERSION-fpm
systemctl start nginx
cat > /etc/systemd/system/notify_push.service << EOF
[Unit]
Description = Push daemon for Nextcloud clients
After=nginx.service php$NEXTCLOUD_PHP_VERSION-fpm.service system-postgresql.slice redis-server.service
[Service]
Environment=PORT=7867
Environment=NEXTCLOUD_URL=https://$NEXTCLOUD_FQDN
Environment=ALLOW_SELF_SIGNED=true
ExecStart=/var/www/nextcloud/apps/notify_push/bin/x86_64/notify_push /var/www/nextcloud/config/config.php
User=www-data
[Install]
WantedBy = multi-user.target
EOF
systemctl daemon-reload
systemctl enable --now notify_push
systemctl enable notify_push
}
echo "*/5 * * * * www-data /usr/bin/php -f /var/www/nextcloud/cron.php > /dev/null 2>&1" > /etc/cron.d/nextcloud
#### Modifying Crowdsec ####
mod_crowdsec() {
systemctl restart crowdsec
cscli collections install crowdsecurity/nginx
cscli collections install crowdsecurity/nextcloud
cscli collections install crowdsecurity/sshd
cat >> /etc/crowdsec/acquis.yaml << EOF
filenames:
- /var/log/nextcloud/nextcloud.log
labels:
type: Nextcloud
---
EOF
systemctl reload crowdsec
}
#### Install the system !####
echo "=> Installing Nginx ..."
inst_nginx
echo "=> Modifying Nginx config for Nextcloud ..."
mod_nginx
echo "=> Installing PHP $NEXTCLOUD_PHP_VERSION ..."
inst_php
echo "=> Modifying PHP config for Nextcloud ..."
mod_php
echo "=> Installing Postgresql $POSTGRES_VERSION ..."
inst_postgresql
echo "=> Modifying Postgresql config for Nextcloud ..."
mod_postgresql
echo "=> Installing Redis-server ..."
inst_redis
echo "=> Modifying Redis-server for Nextcloud ..."
mod_redis
echo "=> Installing some more packages ..."
inst_packages
echo "=> Installing Nextcloud ..."
inst_nextcloud
echo "=> Modifying Nextcloud ..."
mod_nextcloudconfig
echo "=> Installing Crowdsec ..."
inst_crowdsec
echo "=> Modifying Crowdsec ..."
mod_crowdsec
echo -e "\n######################################################################\n\n Please note this user and password for the nextcloud login:\n '$NEXTCLOUD_ADMIN_USR' / '$NEXTCLOUD_ADMIN_PWD'\n Enjoy your Nextcloud intallation.\n\n######################################################################"
shutdown -r now

6
src/omada/constants-service.conf
View File

@@ -8,7 +8,7 @@
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-11-standard"
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=0
@@ -27,7 +27,7 @@ LXC_NESTING="1"
LXC_KEYCTL="0"
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=2048
LXC_MEM_MIN=4096
# service dependent meta tags
SERVICE_TAGS="mongodb-server,java"
SERVICE_TAGS="mongodb-server,java"

12
src/omada/install-service.sh
View File

@@ -10,14 +10,14 @@ set -euo pipefail
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
wget -qO - https://packages.adoptium.net/artifactory/api/gpg/key/public | gpg --dearmor > /usr/share/keyrings/adoptium-keyring.gpg
# wget -qO - https://packages.adoptium.net/artifactory/api/gpg/key/public | gpg --dearmor > /usr/share/keyrings/adoptium-keyring.gpg
wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
wget -O - https://pgp.mongodb.com/server-4.4.asc | gpg --dearmor > /usr/share/keyrings/mongodb-server-4.4.gpg
wget -O - https://pgp.mongodb.com/server-7.0.asc | gpg --dearmor > /usr/share/keyrings/mongodb-server-7.0.gpg
echo "deb [signed-by=/usr/share/keyrings/bashclub-keyring.gpg] https://apt.bashclub.org/omada $(lsb_release -cs 2>/dev/null) main" > /etc/apt/sources.list.d/bashclub-omada.list
echo "deb [signed-by=/usr/share/keyrings/adoptium-keyring.gpg] https://packages.adoptium.net/artifactory/deb $(lsb_release -cs 2>/dev/null) main" > /etc/apt/sources.list.d/adoptium.list
echo "deb [signed-by=/usr/share/keyrings/mongodb-server-4.4.gpg] http://repo.mongodb.org/apt/debian buster/mongodb-org/4.4 main" > /etc/apt/sources.list.d/mongodb-org-7.0.list
# echo "deb [signed-by=/usr/share/keyrings/adoptium-keyring.gpg] https://packages.adoptium.net/artifactory/deb $(lsb_release -cs 2>/dev/null) main" > /etc/apt/sources.list.d/adoptium.list
echo "deb [signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg] http://repo.mongodb.org/apt/debian bookworm/mongodb-org/7.0 main" > /etc/apt/sources.list.d/mongodb-org-7.0.list
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq temurin-8-jre jsvc mongodb-org
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq omadac
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq default-jre-headless jsvc mongodb-org
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --no-install-recommends -y -qq omadac

2
src/zmb-ad-join/install-service.sh
View File

@@ -205,7 +205,7 @@ EOF
chmod +x /usr/local/bin/smb-backup
cat << EOF > /etc/cron.d/smb-backup
23 * * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
0 23 * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
EOF
cat << EOF > /etc/logrotate.d/smb-backup

45
src/zmb-ad-restore/constants-service.conf Normal file
View File

@@ -0,0 +1,45 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
# This file contains the project constants on service level
# Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-12-standard"
# Create sharefs mountpoint
LXC_MP=0
# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
LXC_SHAREFS_MOUNTPOINT="backup"
# Defines the recordsize of mp0
LXC_MP_RECORDSIZE="16K"
# Create unprivileged container
LXC_UNPRIVILEGED="0"
# enable nesting feature
LXC_NESTING="1"
# enable keyctl feature
LXC_KEYCTL="0"
# add optional features to samba ad dc
# CURRENTLY SUPPORTED:
# wsdd = add windows service discovery
# splitdns = add nginx to redirect to website www.domain.tld in splitdns setup
# bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ
# Example:
# OPTIONAL_FEATURES=(wsdd)
# OPTIONAL_FEATURES=(wsdd splitdns)
OPTIONAL_FEATURES=(wsdd)
# Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024
# service dependent meta tags
SERVICE_TAGS="nginx,samba,dns,ntp,dc,ldap,secondary"

195
src/zmb-ad-restore/install-service.sh Normal file
View File

@@ -0,0 +1,195 @@
#!/bin/bash
# Authors:
# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf
ZMB_DNS_BACKEND="SAMBA_INTERNAL"
for f in ${OPTIONAL_FEATURES[@]}; do
if [[ "$f" == "wsdd" ]]; then
ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES"
ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
elif [[ "$f" == "splitdns" ]]; then
ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
elif [[ "$f" == "bind9dlz" ]]; then
ZMB_DNS_BACKEND="BIND9_DLZ"
ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES"
ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES"
else
echo "Unsupported optional feature $f"
fi
done
# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
# update packages
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
# install required packages
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
mkdir -p /etc/chrony/conf.d
mkdir -p /etc/systemd/system/chrony.service.d
cat << EOF > /etc/default/chrony
# This is a configuration file for /etc/init.d/chrony and
# /lib/systemd/system/chrony.service; it allows you to pass various options to
# the chrony daemon without editing the init script or service file.
# Options to pass to chrony.
DAEMON_OPTS="-x -F 1"
EOF
cat << EOF > /etc/systemd/system/chrony.service.d/override.conf
[Unit]
ConditionCapability=
EOF
cat << EOF > /etc/chrony/conf.d/samba.conf
bindcmdaddress $(sipcalc ${LXC_IP} | grep -m1 "Host address" | rev | cut -d' ' -f1 | rev)
server de.pool.ntp.org iburst
server europe.pool.ntp.org iburst
allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | rev)/$(sipcalc ${LXC_IP} | grep -m1 "Network mask (bits)" | rev | cut -d' ' -f1 | rev)
ntpsigndsocket /var/lib/samba/ntp_signd
EOF
if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
cat << EOF > /etc/nginx/sites-available/default
server {
listen 80 default_server;
server_name _;
return 301 http://www.$LXC_DOMAIN\$request_uri;
}
EOF
fi
if [[ "$ADDITIONAL_PACKAGES" == *"bind9"* ]]; then
# configure bind dns service
cat << EOF > /etc/default/bind9
#
# run resolvconf?
RESOLVCONF=no
# startup options for the server
OPTIONS="-4 -u bind"
EOF
cat << EOF > /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
dlz "$LXC_DOMAIN" {
database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
};
EOF
cat << EOF > /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
forwarders {
$LXC_DNS;
};
allow-query { any;};
dnssec-validation no;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
listen-on { any; };
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
minimal-responses yes;
};
EOF
mkdir -p /var/lib/samba/bind-dns/dns
fi
# stop + disable samba services and remove default config
systemctl disable --now smbd nmbd winbind systemd-resolved > /dev/null 2>&1
rm -f /etc/samba/smb.conf
rm -f /etc/krb5.conf
rm -r /var/lib/samba/*
backupfile=$(find /backup/online -name samba-backup* | tail -1)
samba-tool domain backup restore --backup-file=${backupfile} --newservername=${LXC_HOSTNAME} --targetdir=/var/lib/samba/
ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
# disable password expiry for administrator
samba-tool user setexpiry Administrator --noexpiry
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl restart samba-ad-dc $ADDITIONAL_SERVICES
# configure ad backup
cat << EOF > /usr/local/bin/smb-backup
#!/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
rc=0
keep=\$1
mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{online,offline}
prune () {
backup_type=\$1
if [ \$(find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | wc -l) -gt \$keep ]; then
find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | head --lines=-\$keep | xargs -d '\n' rm
fi
}
echo "\$(date) Starting samba-ad-dc online backup"
if echo -e '${ZMB_ADMIN_PASS}' | samba-tool domain backup online --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/online --server=${LXC_HOSTNAME}.${LXC_DOMAIN} -UAdministrator ; then
echo "\$(date) Finished samba-ad-dc online backup. Cleaning up old online backups..."
prune online
else
echo "\$(date) samba-ad-dc online backup failed"
rc=\$((\$rc + 1))
fi
echo "\$(date) Starting samba-ad-dc offline backup"
if samba-tool domain backup offline --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/offline ; then
echo "\$(date) Finished samba-ad-dc offline backup. Cleaning up old offline backups..."
prune offline
else
echo "S(date) samba-ad-dc offline backup failed"
rc=\$((\$rc + 1))
fi
exit \$rc
EOF
chmod +x /usr/local/bin/smb-backup
cat << EOF > /etc/cron.d/smb-backup
23 * * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
EOF
cat << EOF > /etc/logrotate.d/smb-backup
/var/log/smb-backup.log {
weekly
rotate 12
compress
delaycompress
missingok
notifempty
create 644 root root
}
EOF
exit 0

2
src/zmb-ad/install-service.sh
View File

@@ -176,7 +176,7 @@ EOF
chmod +x /usr/local/bin/smb-backup
cat << EOF > /etc/cron.d/smb-backup
23 * * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
0 23 * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
EOF
cat << EOF > /etc/logrotate.d/smb-backup

8
src/zmb-cups/install-service.sh
View File

@@ -96,13 +96,13 @@ systemctl restart winbind nmbd
mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{spool,printerdrivers}
cp -rv /var/lib/samba/printers/* /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
chown -R root:"domain admins" /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
chown -R root:"${ZMB_DOMAIN_ADMINS@L}" /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
chmod -R 1777 /${LXC_SHAREFS_MOUNTPOINT}/spool
chmod -R 2775 /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
setfacl -Rb /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
setfacl -Rm u:${ZMB_ADMIN_USER}:rwx,g:"domain admins":rwx,g:"NT Authority/authenticated users":r-x,o::--- /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
setfacl -Rdm u:${ZMB_ADMIN_USER}:rwx,g:"domain admins":rwx,g:"NT Authority/authenticated users":r-x,o::--- /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
echo -e "${ZMB_ADMIN_PASS}" | net rpc rights grant "${ZMB_DOMAIN}\\domain admins" SePrintOperatorPrivilege -U "${ZMB_DOMAIN}\\${ZMB_ADMIN_USER}"
setfacl -Rm u:${ZMB_ADMIN_USER}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,g:"NT Authority/authenticated users":r-x,o::r-x /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
setfacl -Rdm u:${ZMB_ADMIN_USER}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,g:"NT Authority/authenticated users":r-x,o::r-x /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
echo -e "${ZMB_ADMIN_PASS}" | net rpc rights grant "${ZMB_DOMAIN}\\${ZMB_DOMAIN_ADMINS@L}" SePrintOperatorPrivilege -U "${ZMB_DOMAIN}\\${ZMB_ADMIN_USER}"
systemctl disable --now cups-browsed.service
cupsctl --remote-admin

6
src/zmb-member/install-service.sh
View File

@@ -99,9 +99,9 @@ wbinfo -g
mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
# originally 'domain users' was set, added variable for domain admins group, samba wiki recommends separate group e.g. 'unix admins'
chown "${ZMB_ADMIN_USER@L}" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
chown "${ZMB_ADMIN_USER@L}":"${ZMB_DOMAIN_ADMINS@L}" /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
setfacl -Rm u:${ZMB_ADMIN_USER@L}:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
setfacl -Rdm u:${ZMB_ADMIN_USER@L}:rwx,g::-,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
setfacl -Rm u:${ZMB_ADMIN_USER@L}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
setfacl -Rdm u:${ZMB_ADMIN_USER@L}:rwx,g:"${ZMB_DOMAIN_ADMINS@L}":rwx,o::- /$LXC_SHAREFS_MOUNTPOINT/$ZMB_SHARE
systemctl restart smbd nmbd winbind wsdd