remove kopano, ad-restore, enable strict mode in all installers

2026-02-18 23:46:18 +00:00 · 2026-01-18 12:52:37 +00:00
parent 753243e444
commit 6e009743f4
26 changed files with 44 additions and 579 deletions
--- a/1
+++ b/1
@@ -0,0 +1 @@
 - icinga2
--- a/src/ansible-semaphore/install-service.sh
+++ b/src/ansible-semaphore/install-service.sh
@@ -5,6 +5,8 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
--- a/src/authentik/install-service.sh
+++ b/src/authentik/install-service.sh
@@ -5,6 +5,8 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
--- a/src/bookstack/install-service.sh
+++ b/src/bookstack/install-service.sh
@@ -7,6 +7,8 @@ set -euo pipefail
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
--- a/src/checkmk/install-service.sh
+++ b/src/checkmk/install-service.sh
@@ -5,6 +5,8 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
--- a/src/docker/install-service.sh
+++ b/src/docker/install-service.sh
@@ -5,6 +5,8 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
--- a/src/gitea/install-service.sh
+++ b/src/gitea/install-service.sh
@@ -5,6 +5,8 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
--- a/src/icinga2/install-service.sh
+++ b/src/icinga2/install-service.sh
@@ -1,4 +1,6 @@
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
--- a/src/kimai/constants-service.conf
+++ b/src/kimai/constants-service.conf
@@ -8,7 +8,7 @@
 # This file contains the project constants on service level
 # Debian Version, which will be installed
-LXC_TEMPLATE_VERSION="debian-12-standard"
+LXC_TEMPLATE_VERSION="debian-13-standard"
 # Create sharefs mountpoint
 LXC_MP=0
@@ -30,7 +30,7 @@ LXC_KEYCTL="0"
 #KIMAI_VERSION="main"
 # Defines the php version to install
-KIMAI_PHP_VERSION="8.2"
+KIMAI_PHP_VERSION="8.4"
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
--- a/src/kimai/install-service.sh
+++ b/src/kimai/install-service.sh
@@ -14,12 +14,11 @@ source /root/constants-service.conf
 KIMAI_DB_PWD=$(random_password)
 webroot=/var/www/kimai/public
 #wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add -
 #echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
 apt update
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq zip unzip sudo nginx-full mariadb-server mariadb-client php${KIMAI_PHP_VERSION} php${KIMAI_PHP_VERSION}-intl php${KIMAI_PHP_VERSION}-cli php${KIMAI_PHP_VERSION}-fpm php${KIMAI_PHP_VERSION}-mysql php${KIMAI_PHP_VERSION}-xml php${KIMAI_PHP_VERSION}-mbstring php${KIMAI_PHP_VERSION}-gd php${KIMAI_PHP_VERSION}-tokenizer php${KIMAI_PHP_VERSION}-zip php${KIMAI_PHP_VERSION}-opcache php${KIMAI_PHP_VERSION}-curl
+inst_php intl,cli,fpm,mysql,xml,mbstring,gd,tokenizer,zip,opcache,curl $KIMAI_PHP_VERSION
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq zip unzip sudo nginx-full mariadb-server mariadb-client  
 mkdir -p /etc/nginx/ssl
 openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/kimai.key -out /etc/nginx/ssl/kimai.crt -subj "/CN=$LXC_HOSTNAME.$LXC_DOMAIN" -addext "subjectAltName=DNS:$LXC_HOSTNAME.$LXC_DOMAIN"
--- a/src/kopano-core/constants-service.conf
+++ b/src/kopano-core/constants-service.conf
@@ -1,53 +0,0 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 # This file contains the project constants on service level
 # Debian Version, which will be installed
 LXC_TEMPLATE_VERSION="debian-11-standard"
 # Create sharefs mountpoint
 LXC_MP=0
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="tank"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="16K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="1"
 # enable nesting feature
 LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="0"
 # Defines the version number of piler mail archive to install (type in exact version number (e.g. 1.3.11) or 'latest')
 KOPANO_VERSION="latest"
 # Defines the php version to install
 KOPANO_PHP_VERSION="7.4"
 # Defines Maria DB Version
 MARIA_DB_VERS="10.5"
 # Defines the name from the SQL database
 MARIA_DB_NAME="kopano"
 # Defines the name from the SQL user
 MARIA_DB_USER="kopano"
 # Build a strong password for the SQL user - could be overwritten with something fixed 
 MARIA_ROOT_PWD=$(random_password)
 MARIA_USER_PWD=$(random_password)
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=4096
 # service dependent meta tags
 SERVICE_TAGS="php-fpm,nginx,mariadb"
--- a/src/kopano-core/install-service.sh
+++ b/src/kopano-core/install-service.sh
@@ -1,276 +0,0 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 HOSTNAME=$(hostname -f)
 #wget -q -O - https://packages.sury.org/php/apt.gpg | apt-key add -
 #echo "deb https://packages.sury.org/php/ $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
 wget -q -O - https://nginx.org/keys/nginx_signing.key | apt-key add -
 echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
 wget -q -O - https://mariadb.org/mariadb_release_signing_key.asc | apt-key add -
 echo "deb https://mirror.wtnet.de/mariadb/repo/$MARIA_DB_VERS/debian $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/maria.list
 apt update
 #DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx-light mariadb-server postfix postfix-ldap \
 #php$KOPANO_PHP_VERSION-{cli,common,curl,fpm,gd,json,mysql,mbstring,opcache,phpdbg,readline,soap,xml,zip}
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends nginx-light mariadb-server postfix postfix-ldap \
 php-{cli,common,curl,fpm,gd,json,mysql,mbstring,opcache,phpdbg,readline,soap,xml,zip}
 #timedatectl set-timezone Europe/Berlin
 #mkdir -p /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
 #chown -R www-data:www-data /$LXC_SHAREFS_MOUNTPOINT/$NEXTCLOUD_DATA /var/www
 #### Secure Maria Instance ####
 mysqladmin -u root password "[$MARIA_ROOT_PWD]"
 mysql -uroot -p$MARIA_ROOT_PWD -e"DELETE FROM mysql.user WHERE User=''"
 mysql -uroot -p$MARIA_ROOT_PWD -e"DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')"
 #mysql -uroot -p$MARIA_ROOT_PWD -e"DROP DATABASE test;DELETE FROM mysql.db WHERE Db='test' OR Db='test_%'"
 mysql -uroot -p$MARIA_ROOT_PWD -e"FLUSH PRIVILEGES"
 #### Create user and DB for Kopano ####
 mysql -uroot -p$MARIA_ROOT_PWD -e"CREATE USER '$MARIA_DB_USER'@'localhost' IDENTIFIED BY '$MARIA_USER_PWD'"
 mysql -uroot -p$MARIA_ROOT_PWD -e"CREATE DATABASE $MARIA_DB_NAME; GRANT ALL PRIVILEGES ON $MARIA_DB_NAME.* TO '$MARIA_DB_USER'@'localhost'"
 mysql -uroot -p$MARIA_ROOT_PWD -e"FLUSH PRIVILEGES"
 echo "root-password: $MARIA_ROOT_PWD,\
 db-user: $MARIA_DB_USER, password: $MARIA_USER_PWD" > /root/maria.log
 cat > /etc/apt/sources.list.d/kopano.list << EOF
 # Kopano Core
 deb https://download.kopano.io/supported/core:/final/Debian_11/ ./
 # Kopano WebApp
 deb https://download.kopano.io/supported/webapp:/final/Debian_11/ ./
 # Kopano MobileDeviceManagement
 deb https://download.kopano.io/supported/mdm:/final/Debian_11/ ./
 # Kopano Files
 deb https://download.kopano.io/supported/files:/final/Debian_11/ ./
 # Z-Push
 deb https://download.kopano.io/zhub/z-push:/final/Debian_11/ ./
 EOF
 cat > /etc/apt/auth.conf.d/kopano.conf << EOF
 machine download.kopano.io
 login serial
 password $KOPANO_REPKEY
 EOF
 curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/core:/final/Debian_11/Release.key | apt-key add -
 curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/webapp:/final/Debian_11/Release.key | apt-key add -
 curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/mdm:/final/Debian_11/Release.key | apt-key add -
 curl https://serial:$KOPANO_REPKEY@download.kopano.io/supported/files:/final/Debian_11/Release.key | apt-key add -
 curl https://serial:$KOPANO_REPKEY@download.kopano.io/zhub/z-push:/final/Debian_11/Release.key | apt-key add -
 apt update && apt full-upgrade -y
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends kopano-server-packages kopano-webapp \
 z-push-kopano z-push-config-nginx kopano-webapp-plugin-mdm kopano-webapp-plugin-files 
 #### Adjust kopano settings ####
 cat > /etc/kopano/ldap.cfg << EOF
 !include /usr/share/kopano/ldap.active-directory.cfg
 ldap_uri = ldap://192.168.100.100:389
 ldap_bind_user = cn=zmb-ldap,cn=Users,dc=zmb,dc=rocks
 ldap_bind_passwd = Start123!
 ldap_search_base = dc=zmb,dc=rocks
 #ldap_user_search_filter = (kopanoAccount=1)
 EOF
 cat > /etc/kopano/server.cfg << EOF
 server_listen = *:236
 local_admin_users = root kopano
 #database_engine = mysql
 #mysql_host = localhost
 #mysql_port = 3306
 mysql_user = $MARIA_DB_USER
 mysql_password = $MARIA_USER_PWD
 mysql_database = $MARIA_DB_NAME
 #user_plugin = ldap
 #user_plugin_config = /etc/kopano/ldap.cfg
 EOF
 #### Adjust php settings ####
 sed -i "s/define('LANG', 'en_US.UTF-8')/define('LANG', 'de_DE.UTF-8')/" /etc/kopano/webapp/config.php
 cat > /etc/php/7.4/fpm/pool.d/webapp.conf << EOF
 [webapp]
 listen = 127.0.0.1:9002
 user = www-data
 group = www-data
 listen.allowed_clients = 127.0.0.1
 pm = dynamic
 pm.max_children = 150
 pm.start_servers = 35
 pm.min_spare_servers = 20
 pm.max_spare_servers = 50
 pm.max_requests = 200
 listen.backlog = -1
 request_terminate_timeout = 120s
 rlimit_files = 131072
 rlimit_core = unlimited
 catch_workers_output = yes
 EOF
 sed -i "s/define('LANG', 'en_US.UTF-8')/define('LANG', 'de_DE.UTF-8')/" /etc/kopano/webapp/config.php
 #### Adjust nginx settings ####
 openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/kopano.key -out /etc/ssl/certs/kopano.crt -subj "/CN=$KOPANO_FQDN" -addext "subjectAltName=DNS:$KOPANO_FQDN"
 generate_dhparam
 #mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
 cat > /etc/nginx/sites-available/webapp.conf << EOF
 upstream php-handler {
    #server 127.0.0.1:9002;
    #server unix:/var/run/php5-fpm.sock;
    server unix:/var/run/php/php7.4-fpm.sock;
 }
 server{
    listen 80;
    charset utf-8;
    listen [::]:80;
    server_name _;
    location / {
        rewrite   ^(.*)   https://\$server_name\$1 permanent;
    }  
 }
 server {
    charset utf-8;
    listen 443;
    listen [::]:443 ssl;
    server_name _;
    ssl on;
    client_max_body_size 1024m;
    ssl_certificate /etc/ssl/certs/kopano.crt;
    ssl_certificate_key /etc/ssl/private/kopano.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
    ssl_prefer_server_ciphers on;
    #
    # ssl_dhparam require you to create a dhparam.pem, this takes a long time
    ssl_dhparam /etc/nginx/dhparam.pem;
    #
    # add headers
    server_tokens off;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    location /webapp {
        alias /usr/share/kopano-webapp/;
        index index.php;
    location ~ /webapp/presence/ {
                rewrite ^/webapp/presence(/.*)$ \$1 break;
                proxy_pass http://localhost:1234;
                proxy_set_header Upgrade \$http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_http_version 1.1;
                }
    }
    location ~* ^/webapp/(.+\.php)$ {
        alias /usr/share/kopano-webapp/;
        # deny access to .htaccess files
        location ~ /\.ht {
                    deny all;
        }
        fastcgi_param PHP_VALUE "
            register_globals=off
            magic_quotes_gpc=off
            magic_quotes_runtime=off
            post_max_size=31M
            upload_max_filesize=30M
        ";
        fastcgi_param PHP_VALUE "post_max_size=31M
                 upload_max_filesize=30M
                 max_execution_time=3660
        ";
        include fastcgi_params;
        fastcgi_index index.php;
        #fastcgi_param HTTPS on;
        fastcgi_param SCRIPT_FILENAME \$document_root\$1;
        fastcgi_pass php-handler;
        access_log /var/log/nginx/kopano-webapp-access.log;
        error_log /var/log/nginx/kopano-webapp-error.log;
        # CSS and Javascript
        location ~* \.(?:css|js)$ {
            expires 1y;
            access_log off;
            add_header Cache-Control "public";
        }
        # All (static) resources set to 2 months expiration time.
        location ~* \.(?:jpg|gif|png)\$ {
            expires 2M;
            access_log off;
            add_header Cache-Control "public";
        }
        # enable gzip compression
        gzip on;
        gzip_min_length  1100;
        gzip_buffers  4 32k;
        gzip_types    text/plain application/x-javascript text/xml text/css application/json;
        gzip_vary on;
        }
 }
 map \$http_upgrade \$connection_upgrade {
        default upgrade;
        '' close;
 }
 EOF
 ln -s /etc/nginx/sites-available/webapp.conf /etc/nginx/sites-enabled/
 phpenmod kopano
 systemctl restart php7.4-fpm nginx
--- a/src/mailcow/install-service.sh
+++ b/src/mailcow/install-service.sh
@@ -5,6 +5,8 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
--- a/src/matrix/install-service.sh
+++ b/src/matrix/install-service.sh
@@ -5,12 +5,12 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 set -euo pipefail
 #### Set repo and install matrix ####
 inst_matrix() {
    apt_repo "matrix" "https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg" "https://packages.matrix.org/debian" "$(lsb_release -cs)" "main"
--- a/src/onlyoffice/install-service.sh
+++ b/src/onlyoffice/install-service.sh
@@ -5,12 +5,12 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 set -euo pipefail
 #### Set repo and install onlyoffice ####
 inst_onlyoffice() {
    apt_repo "onlyoffice" "https://download.onlyoffice.com/GPG-KEY-ONLYOFFICE" "https://download.onlyoffice.com/repo/debian" "squeeze" "main"
--- a/src/open3a/install-service.sh
+++ b/src/open3a/install-service.sh
@@ -5,6 +5,8 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
--- a/src/piler/install-service.sh
+++ b/src/piler/install-service.sh
@@ -3,6 +3,8 @@
 # Author:
 # (C) 2024 Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source zamba.conf
 wget -O - https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-keyring.gpg
--- a/src/rei3/install-service.sh
+++ b/src/rei3/install-service.sh
@@ -5,6 +5,8 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
--- a/src/urbackup/install-service.sh
+++ b/src/urbackup/install-service.sh
@@ -5,6 +5,8 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
--- a/src/vaultwarden/install-service.sh
+++ b/src/vaultwarden/install-service.sh
@@ -5,6 +5,8 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
--- a/src/zammad/install-service.sh
+++ b/src/zammad/install-service.sh
@@ -5,6 +5,8 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
--- a/src/zmb-ad-restore/constants-service.conf
+++ b/src/zmb-ad-restore/constants-service.conf
@@ -1,45 +0,0 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 # This file contains the project constants on service level
 # Debian Version, which will be installed
 LXC_TEMPLATE_VERSION="debian-13-standard"
 # Create sharefs mountpoint
 LXC_MP=0
 # Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
 LXC_SHAREFS_MOUNTPOINT="backup"
 # Defines the recordsize of mp0
 LXC_MP_RECORDSIZE="16K"
 # Create unprivileged container
 LXC_UNPRIVILEGED="0"
 # enable nesting feature
 LXC_NESTING="1"
 # enable keyctl feature
 LXC_KEYCTL="0"
 # add optional features to samba ad dc
 # CURRENTLY SUPPORTED:
 # wsdd = add windows service discovery
 # splitdns = add nginx to redirect to website www.domain.tld in splitdns setup
 # bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ
 # Example:
 # OPTIONAL_FEATURES=(wsdd)
 # OPTIONAL_FEATURES=(wsdd splitdns)
 OPTIONAL_FEATURES=(wsdd)
 # Sets the minimum amount of RAM the service needs for operation
 LXC_MEM_MIN=1024
 # service dependent meta tags
 SERVICE_TAGS="nginx,samba,dns,ntp,dc,ldap,secondary"
--- a/src/zmb-ad-restore/install-service.sh
+++ b/src/zmb-ad-restore/install-service.sh
@@ -1,195 +0,0 @@
 #!/bin/bash
 # Authors:
 # (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
 ZMB_DNS_BACKEND="SAMBA_INTERNAL"
 for f in ${OPTIONAL_FEATURES[@]}; do
  if [[ "$f" == "wsdd" ]]; then
    ADDITIONAL_PACKAGES="wsdd2 $ADDITIONAL_PACKAGES"
    ADDITIONAL_SERVICES="wsdd2 $ADDITIONAL_SERVICES"
  elif [[ "$f" == "splitdns" ]]; then
    ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
    ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
  elif [[ "$f" == "bind9dlz" ]]; then
    ZMB_DNS_BACKEND="BIND9_DLZ"
    ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES"
    ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES"
  else
    echo "Unsupported optional feature $f"
  fi
 done
 # echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
 # update packages
 apt update
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
 # install required packages
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
 mkdir -p /etc/chrony/conf.d
 mkdir -p /etc/systemd/system/chrony.service.d
 cat << EOF > /etc/default/chrony
 # This is a configuration file for /etc/init.d/chrony and
 # /lib/systemd/system/chrony.service; it allows you to pass various options to
 # the chrony daemon without editing the init script or service file.
 # Options to pass to chrony.
 DAEMON_OPTS="-x -F 1"
 EOF
 cat << EOF > /etc/systemd/system/chrony.service.d/override.conf
 [Unit]
 ConditionCapability=
 EOF
 cat << EOF > /etc/chrony/conf.d/samba.conf
 bindcmdaddress $(sipcalc ${LXC_IP} | grep -m1 "Host address" | rev | cut -d' ' -f1 | rev)
 server de.pool.ntp.org iburst
 server europe.pool.ntp.org iburst
 allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | rev)/$(sipcalc ${LXC_IP} | grep -m1 "Network mask (bits)" | rev | cut -d' ' -f1 | rev)
 ntpsigndsocket /var/lib/samba/ntp_signd
 EOF
 if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
  cat << EOF > /etc/nginx/sites-available/default
 server {
    listen 80 default_server;
    server_name _;
    return 301 http://www.$LXC_DOMAIN\$request_uri;
 }
 EOF
 fi
 if  [[ "$ADDITIONAL_PACKAGES" == *"bind9"* ]]; then
  # configure bind dns service
  cat << EOF > /etc/default/bind9
 #
 # run resolvconf?
 RESOLVCONF=no
 # startup options for the server
 OPTIONS="-4 -u bind"
 EOF
  cat << EOF > /etc/bind/named.conf.local
 //
 // Do any local configuration here
 //
 // Consider adding the 1918 zones here, if they are not used in your
 // organization
 //include "/etc/bind/zones.rfc1918";
 dlz "$LXC_DOMAIN" {
  database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
 };
 EOF
  cat << EOF > /etc/bind/named.conf.options
 options {
  directory "/var/cache/bind";
  forwarders {
    $LXC_DNS;
  };
  allow-query {  any;};
  dnssec-validation no;
  auth-nxdomain no;    # conform to RFC1035
  listen-on-v6 { any; };
  listen-on { any; };
  tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
  minimal-responses yes;
 };
 EOF
  mkdir -p /var/lib/samba/bind-dns/dns
 fi
 # stop + disable samba services and remove default config
 systemctl disable --now smbd nmbd winbind systemd-resolved > /dev/null 2>&1
 rm -f /etc/samba/smb.conf
 rm -f /etc/krb5.conf
 rm -r /var/lib/samba/*
 backupfile=$(find /backup/online -name samba-backup* | tail -1)
 samba-tool domain backup restore --backup-file=${backupfile} --newservername=${LXC_HOSTNAME} --targetdir=/var/lib/samba/ 
 ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
 # disable password expiry for administrator
 samba-tool user setexpiry Administrator --noexpiry
 systemctl unmask samba-ad-dc
 systemctl enable samba-ad-dc
 systemctl restart samba-ad-dc $ADDITIONAL_SERVICES
 # configure ad backup
 cat << EOF > /usr/local/bin/smb-backup
 #!/bin/bash
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 rc=0
 keep=\$1
 mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{online,offline}
 prune () {
  backup_type=\$1
  if [ \$(find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | wc -l) -gt \$keep ]; then
    find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | head --lines=-\$keep | xargs -d '\n' rm
  fi
 }
 echo "\$(date) Starting samba-ad-dc online backup"
 if echo -e '${ZMB_ADMIN_PASS}' | samba-tool domain backup online --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/online --server=${LXC_HOSTNAME}.${LXC_DOMAIN} -UAdministrator ; then
  echo "\$(date) Finished samba-ad-dc online backup. Cleaning up old online backups..."
  prune online
 else
  echo "\$(date) samba-ad-dc online backup failed"
  rc=\$((\$rc + 1))
 fi
 echo "\$(date) Starting samba-ad-dc offline backup"
 if samba-tool domain backup offline --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/offline ; then 
  echo "\$(date) Finished samba-ad-dc offline backup. Cleaning up old offline backups..."
  prune offline
 else
  echo "S(date) samba-ad-dc offline backup failed"
  rc=\$((\$rc + 1))
 fi
 exit \$rc
 EOF
 chmod +x /usr/local/bin/smb-backup
 cat << EOF > /etc/cron.d/smb-backup
 23 * * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
 EOF
 cat << EOF > /etc/logrotate.d/smb-backup
 /var/log/smb-backup.log {
        weekly
        rotate 12
        compress
        delaycompress
        missingok
        notifempty
        create 644 root root
 }
 EOF
 exit 0
--- a/src/zmb-cups/install-service.sh
+++ b/src/zmb-cups/install-service.sh
@@ -5,6 +5,8 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
--- a/src/zmb-member/install-service.sh
+++ b/src/zmb-member/install-service.sh
@@ -5,6 +5,8 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf
--- a/src/zmb-standalone/install-service.sh
+++ b/src/zmb-standalone/install-service.sh
@@ -5,6 +5,8 @@
 # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
 # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
 set -euo pipefail
 source /root/functions.sh
 source /root/zamba.conf
 source /root/constants-service.conf