Add Debian 12 scripts

debian-12/apps/apt-cacher-ng/apt-cacher-ng.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+if [ -d "/var/cache/apt-cacher-ng" ]; then
+	chown apt-cacher-ng:apt-cacher-ng apt-cacher-ng
+fi
+
+apt install -y rinetd apt-cacher-ng
+
+cat > /etc/apt-cacher-ng/backend_archlx << "EOF"
+#### HTTPS not supported ####
+
+http://archlinux.puzzle.ch/
+EOF
+systemctl restart apt-cacher-ng
+
+sed -i '/^# bindadress.*/a 0.0.0.0         8080      127.0.0.1       3142' /etc/rinetd.conf
+sed -i '/^# bindadress.*/a 0.0.0.0         80        127.0.0.1       3142' /etc/rinetd.conf
+systemctl restart rinetd
+
+echo "Acquire::http { Proxy \"http://127.0.0.1\"; };" > /etc/apt/apt.conf.d/02proxy
+
+if [ -f "/etc/iptables/rules.v4" ]; then
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # apt-cacher-ng' /etc/iptables/rules.v4
+	iptables-restore /etc/iptables/rules.v4
+fi

debian-12/apps/bind9/bind9.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+apt install -y bind9
+
+if [ -f "/etc/iptables/rules.v4" ]; then
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # DNS' /etc/iptables/rules.v4
+	iptables-restore /etc/iptables/rules.v4
+fi

debian-12/apps/docker/docker.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+swapoff -a
+sed -i "/swap/d" /etc/fstab
+
+apt remove -y iptables-persistent
+apt autoremove -y
+apt install -y ca-certificates curl gnupg lsb-release
+
+curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
+echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian   bullseye stable" > /etc/apt/sources.list.d/docker.list
+
+sysctl -w net/netfilter/nf_conntrack_max=131072
+
+apt update
+apt dist-upgrade
+apt install -y docker-ce
+apt install -y docker-compose
+
+systemctl enable docker.service
+systemctl start docker.service
+
+sleep 3

debian-12/apps/iperf3/iperf3.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+apt install -y iperf3
+
+if [ -f "/etc/iptables/rules.v4" ]; then
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p udp -m udp --dport 5201 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 5201 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # IPERF' /etc/iptables/rules.v4
+	iptables-restore /etc/iptables/rules.v4
+fi

debian-12/apps/matomo/matomo.sh

@@ -0,0 +1,52 @@
+#!/bin/bash 
+
+apt install -y mariadb-server apache2 unzip
+apt install -y php7.4 php7.4-gd php7.4-mbstring php7.4-mysql php7.4-opcache php7.4-readline php7.4-xml php-geoip
+# apt install php php-curl php-gd php-cli php-mysql php-xml php-mbstring
+
+DBNAME=$(whiptail --title "DB" --inputbox "DB Name :" 0 30 "matomo" 3>&1 1>&2 2>&3)
+DBUSER=$(whiptail --title "DB" --inputbox "DB User :" 0 30 "matomo" 3>&1 1>&2 2>&3)
+DBPASS=$(whiptail --title "DB" --inputbox "DB Pass :" 0 30 "matomo" 3>&1 1>&2 2>&3)
+mysql -e "CREATE DATABASE ${DBNAME};CREATE USER '${DBUSER}'@'localhost' IDENTIFIED BY '${DBPASS}';GRANT ALL ON ${DBNAME}.* TO '${DBUSER}'@'localhost' WITH GRANT OPTION;FLUSH PRIVILEGES;"
+
+a2dissite 000-default
+a2dissite default-ssl.conf
+a2enmod ssl
+
+mkdir matomo
+cd matomo
+wget https://builds.matomo.org/matomo.zip && unzip matomo.zip
+mv matomo /var/www
+chown -R www-data:www-data /var/www/matomo
+cd ..
+rm -R matomo
+
+cat > /etc/apache2/sites-available/matomo.conf << "EOF"
+<IfModule mod_ssl.c>
+  <VirtualHost _default_:443>
+    ServerAdmin webmaster@localhost
+    DocumentRoot /var/www/matomo
+    ErrorLog ${APACHE_LOG_DIR}/error.log
+    CustomLog ${APACHE_LOG_DIR}/access.log combined
+    SSLEngine on
+    SSLCertificateFile  /etc/ssl/certs/ssl-cert-snakeoil.pem
+    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+    <FilesMatch "\.(cgi|shtml|phtml|php)$">
+        SSLOptions +StdEnvVars
+    </FilesMatch>
+    <Directory /usr/lib/cgi-bin>
+        SSLOptions +StdEnvVars
+    </Directory>
+  </VirtualHost>
+</IfModule>
+EOF
+
+systemctl reload apache2
+a2ensite matomo
+systemctl restart apache2
+
+if [ -f "/etc/iptables/rules.v4" ]; then
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # Matomo' /etc/iptables/rules.v4
+	iptables-restore /etc/iptables/rules.v4
+fi

debian-12/apps/mongodb-4.4/mongodb-4.4.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+wget -qO - https://www.mongodb.org/static/pgp/server-4.4.asc | apt-key add -
+echo "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/4.4 main"> /etc/apt/sources.list.d/mongodb-org-4.4.list
+apt update
+apt install -y mongodb-org
+
+DBPATH=/srv/mongodb
+mkdir -p ${DBPATH}
+chown mongodb:mongodb ${DBPATH}
+chmod 700 ${DBPATH}
+sed -i "/dbPath/c\  dbPath: ${DBPATH}" /etc/mongod.conf
+
+systemctl enable mongod.service
+systemctl restart mongod.service

debian-12/apps/mongodb-5.0/mongodb-5.0.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+wget -qO - https://www.mongodb.org/static/pgp/server-5.0.asc | apt-key add -
+echo "deb http://repo.mongodb.org/apt/debian bullseye/mongodb-org/5.0 main"> /etc/apt/sources.list.d/mongodb-org-5.0.list
+apt update
+apt install -y mongodb-org
+
+DBPATH=/srv/mongodb
+mkdir -p ${DBPATH}
+chown mongodb:mongodb ${DBPATH}
+chmod 700 ${DBPATH}
+sed -i "/dbPath/c\  dbPath: ${DBPATH}" /etc/mongod.conf
+
+systemctl enable mongod.service
+systemctl restart mongod.service

debian-12/apps/mongodb-6.0/mongodb-6.0.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+wget -qO - https://www.mongodb.org/static/pgp/server-6.0.asc | apt-key add -
+echo "deb http://repo.mongodb.org/apt/debian bookworm/mongodb-org/6.0 main" > /etc/apt/sources.list.d/mongodb-org-6.0.list
+apt update
+apt install -y mongodb-org
+
+DBPATH=/srv/mongodb
+mkdir -p ${DBPATH}
+chown mongodb:mongodb ${DBPATH}
+chmod 700 ${DBPATH}
+sed -i "/dbPath/c\  dbPath: ${DBPATH}" /etc/mongod.conf
+
+systemctl enable mongod.service
+systemctl restart mongod.service

debian-12/apps/nextcloud-26/nextcloud-26.sh

@@ -0,0 +1,116 @@
+#!/bin/bash 
+
+# https://docs.nextcloud.com/server/latest/admin_manual/installation/source_installation.html
+
+IPV4=$(ip addr | grep 'inet ' | grep -v '127.0' | head -n1 | awk '{print $2}' | cut -f1 -d /)
+DBNAME=$(whiptail --title "DB" --inputbox "DB Name :" 0 30 "nextcloud" 3>&1 1>&2 2>&3)
+DBUSER=$(whiptail --title "DB" --inputbox "DB User :" 0 30 "nextcloud" 3>&1 1>&2 2>&3)
+DBPASS=$(whiptail --title "DB" --inputbox "DB Pass :" 0 30 "nextcloud" 3>&1 1>&2 2>&3)
+DATAPATH=$(whiptail --title "DATA" --inputbox "DATA Path :" 0 30 "/srv/nextcloud/data" 3>&1 1>&2 2>&3)
+NCUSER=$(whiptail --title "NextCloud" --inputbox "Admin Name :" 0 30 "admin" 3>&1 1>&2 2>&3)
+NCPASS=$(whiptail --title "NextCloud" --inputbox "Admin Pass :" 0 30 "admin" 3>&1 1>&2 2>&3)
+PHPVER=8.2
+
+curl -sSLo /usr/share/keyrings/deb.sury.org-php.gpg https://packages.sury.org/php/apt.gpg
+echo "deb [signed-by=/usr/share/keyrings/deb.sury.org-php.gpg] https://packages.sury.org/php/ bookworm main" > /etc/apt/sources.list.d/php-${PHPVER}.list
+apt update -y
+
+apt install -y sudo bzip2 apache2 coturn
+apt install -y php${PHPVER} php${PHPVER}-curl php${PHPVER}-gd php${PHPVER}-mbstring php${PHPVER}-zip php${PHPVER}-xml php${PHPVER}-bz2 php${PHPVER}-intl php${PHPVER}-fpm php${PHPVER}-apcu php${PHPVER}-memcached php${PHPVER}-redis php${PHPVER}-imagick php${PHPVER}-bcmath php${PHPVER}-gmp libapache2-mod-php${PHPVER}
+apt install -y php${PHPVER}-mysql mariadb-server
+apt install -y smbclient ffmpeg libmagickcore-6.q16-6-extra
+
+a2dissite 000-default
+a2dissite default-ssl.conf
+a2enmod rewrite
+a2enmod headers
+a2enmod env
+a2enmod dir
+a2enmod mime
+a2enmod ssl
+
+sed -i "s/memory_limit =.*/memory_limit = 512M/g" /etc/php/${PHPVER}/apache2/php.ini
+sed -i "s/memory_limit =.*/memory_limit = 512M/g" /etc/php/${PHPVER}/fpm/php.ini
+sed -i "s/memory_limit =.*/memory_limit = 512M/g" /etc/php/${PHPVER}/cli/php.ini
+echo "apc.enable_cli=1" >> /etc/php/${PHPVER}/cli/php.ini
+
+mysql -e "CREATE DATABASE ${DBNAME};CREATE USER '${DBUSER}'@'localhost' IDENTIFIED BY '${DBPASS}';GRANT ALL ON ${DBNAME}.* TO '${DBUSER}'@'localhost' WITH GRANT OPTION;FLUSH PRIVILEGES;"
+
+wget https://download.nextcloud.com/server/releases/latest-26.tar.bz2
+tar -xvf latest-26.tar.bz2
+mv nextcloud /var/www
+chown -R www-data:www-data /var/www/nextcloud
+mkdir -p ${DATAPATH}
+chown -R www-data:www-data ${DATAPATH}
+
+cat > /etc/apache2/sites-available/nextcloud.conf << "EOF"
+<VirtualHost *:443>
+	Protocols h2 http:/1.1
+	DocumentRoot "/var/www/nextcloud"
+	#ServerName nextcloud.your-domain.com
+	ErrorLog ${APACHE_LOG_DIR}/error.log
+	CustomLog ${APACHE_LOG_DIR}/access.log combined
+	Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
+	SSLEngine on
+	SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
+	SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+	SSLCertificateChainFile /etc/ssl/certs/ssl-cert-snakeoil.pem
+	SSLProtocol TLSv1.2
+
+	<Directory /var/www/nextcloud/>
+		Options +FollowSymlinks
+		AllowOverride All
+		<IfModule mod_dav.c>
+			Dav off
+		</IfModule>
+		SetEnv HOME /var/www/nextcloud
+		SetEnv HTTP_HOME /var/www/nextcloud
+		Satisfy Any
+	</Directory>
+
+</VirtualHost>
+EOF
+
+a2ensite nextcloud
+systemctl restart apache2
+
+cd /var/www/nextcloud/
+sudo -u www-data php occ maintenance:install \
+	--database "mysql" \
+	--database-name "${DBNAME}" \
+	--database-user "${DBUSER}" \
+	--database-pass "${DBPASS}" \
+	--admin-user "${NCUSER}" \
+	--admin-pass "${NCPASS}" \
+	--data-dir "${DATAPATH}"
+sed -i "s/0 => 'localhost/0 => '${IPV4}/" /var/www/nextcloud/config/config.php
+sed -i "s/\/\/localhost/\/\/${IPV4}/" /var/www/nextcloud/config/config.php
+sed -i "s/http:/https:/" /var/www/nextcloud/config/config.php
+sed -i "/^);*/i\ \ 'memcache.local' => '\\\\OC\\\\Memcache\\\\APCu'," /var/www/nextcloud/config/config.php
+sed -i "/^);*/i\ \ 'default_phone_region' => 'CH'," /var/www/nextcloud/config/config.php
+echo "*/5  *  *  *  * php -f /var/www/nextcloud/cron.php" | crontab -u www-data -
+sudo -u www-data php occ background:cron
+
+cat >> /etc/turnserver.conf << "EOF"
+listening-port=8080
+listening-ip=0.0.0.0
+fingerprint
+use-auth-secret
+static-auth-secret=AUTHSECRET
+# realm=nextcloud.dom.lan
+total-quota=0
+bps-capacity=0
+stale-nonce
+no-multicast-peers
+EOF
+AUTHSECRET=$(openssl rand -hex 32)
+sed "s/AUTHSECRET/${AUTHSECRET}/" turnserver.conf
+
+if [ -f "/etc/iptables/rules.v4" ]; then
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # NextCloud' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p udp -m udp --dport 8080 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # TurnServer' /etc/iptables/rules.v4
+	iptables-restore /etc/iptables/rules.v4
+fi

debian-12/apps/nextcloud-latest/nextcloud-latest.sh

@@ -0,0 +1,112 @@
+#!/bin/bash 
+
+# https://docs.nextcloud.com/server/latest/admin_manual/installation/source_installation.html
+
+IPV4=$(ip addr | grep 'inet ' | grep -v '127.0' | head -n1 | awk '{print $2}' | cut -f1 -d /)
+DBNAME=$(whiptail --title "DB" --inputbox "DB Name :" 0 30 "nextcloud" 3>&1 1>&2 2>&3)
+DBUSER=$(whiptail --title "DB" --inputbox "DB User :" 0 30 "nextcloud" 3>&1 1>&2 2>&3)
+DBPASS=$(whiptail --title "DB" --inputbox "DB Pass :" 0 30 "nextcloud" 3>&1 1>&2 2>&3)
+DATAPATH=$(whiptail --title "DATA" --inputbox "DATA Path :" 0 30 "/srv/nextcloud/data" 3>&1 1>&2 2>&3)
+NCUSER=$(whiptail --title "NextCloud" --inputbox "Admin Name :" 0 30 "admin" 3>&1 1>&2 2>&3)
+NCPASS=$(whiptail --title "NextCloud" --inputbox "Admin Pass :" 0 30 "admin" 3>&1 1>&2 2>&3)
+
+
+apt install -y sudo apache2 coturn
+apt install -y php7.4 php7.4-curl php7.4-gd php7.4-mbstring php7.4-zip php-xml php-bz2 php7.4-intl php7.4-fpm php-apcu php-memcached php-redis php-imagick php7.4-bcmath php7.4-gmp libapache2-mod-php7.4
+apt install -y php7.4-mysql mariadb-server
+apt install -y smbclient ffmpeg libmagickcore-6.q16-6-extra
+
+a2dissite 000-default
+a2dissite default-ssl.conf
+a2enmod rewrite
+a2enmod headers
+a2enmod env
+a2enmod dir
+a2enmod mime
+a2enmod ssl
+
+sed -i "s/memory_limit =.*/memory_limit = 512M/g" /etc/php/7.4/apache2/php.ini
+sed -i "s/memory_limit =.*/memory_limit = 512M/g" /etc/php/7.4/fpm/php.ini
+sed -i "s/memory_limit =.*/memory_limit = 512M/g" /etc/php/7.4/cli/php.ini
+echo "apc.enable_cli=1" >> /etc/php/7.4/cli/php.ini
+
+mysql -e "CREATE DATABASE ${DBNAME};CREATE USER '${DBUSER}'@'localhost' IDENTIFIED BY '${DBPASS}';GRANT ALL ON ${DBNAME}.* TO '${DBUSER}'@'localhost' WITH GRANT OPTION;FLUSH PRIVILEGES;"
+
+wget https://download.nextcloud.com/server/releases/latest.tar.bz2
+tar -xvf latest.tar.bz2
+mv nextcloud /var/www
+chown -R www-data:www-data /var/www/nextcloud
+mkdir -p ${DATAPATH}
+chown -R www-data:www-data ${DATAPATH}
+
+cat > /etc/apache2/sites-available/nextcloud.conf << "EOF"
+<VirtualHost *:443>
+	Protocols h2 http:/1.1
+	DocumentRoot "/var/www/nextcloud"
+	#ServerName nextcloud.your-domain.com
+	ErrorLog ${APACHE_LOG_DIR}/error.log
+	CustomLog ${APACHE_LOG_DIR}/access.log combined
+	Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
+	SSLEngine on
+	SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
+	SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+	SSLCertificateChainFile /etc/ssl/certs/ssl-cert-snakeoil.pem
+	SSLProtocol TLSv1.2
+
+	<Directory /var/www/nextcloud/>
+		Options +FollowSymlinks
+		AllowOverride All
+		<IfModule mod_dav.c>
+			Dav off
+		</IfModule>
+		SetEnv HOME /var/www/nextcloud
+		SetEnv HTTP_HOME /var/www/nextcloud
+		Satisfy Any
+	</Directory>
+
+</VirtualHost>
+EOF
+
+a2ensite nextcloud
+systemctl restart apache2
+
+cd /var/www/nextcloud/
+sudo -u www-data php occ maintenance:install \
+	--database "mysql" \
+	--database-name "${DBNAME}" \
+	--database-user "${DBUSER}" \
+	--database-pass "${DBPASS}" \
+	--admin-user "${NCUSER}" \
+	--admin-pass "${NCPASS}" \
+	--data-dir "${DATAPATH}"
+sed -i "s/0 => 'localhost/0 => '${IPV4}/" /var/www/nextcloud/config/config.php
+sed -i "s/\/\/localhost/\/\/${IPV4}/" /var/www/nextcloud/config/config.php
+sed -i "s/http:/https:/" /var/www/nextcloud/config/config.php
+sed -i "/^);*/i\ \ 'memcache.local' => '\\\\OC\\\\Memcache\\\\APCu'," /var/www/nextcloud/config/config.php
+sed -i "/^);*/i\ \ 'default_phone_region' => 'CH'," /var/www/nextcloud/config/config.php
+echo "*/5  *  *  *  * php -f /var/www/nextcloud/cron.php" | crontab -u www-data -
+sudo -u www-data php occ background:cron
+
+cat >> /etc/turnserver.conf << "EOF"
+listening-port=8080
+listening-ip=0.0.0.0
+fingerprint
+use-auth-secret
+static-auth-secret=AUTHSECRET
+# realm=nextcloud.dom.lan
+total-quota=0
+bps-capacity=0
+stale-nonce
+no-multicast-peers
+EOF
+AUTHSECRET=$(openssl rand -hex 32)
+sed "s/AUTHSECRET/${AUTHSECRET}/" turnserver.conf
+
+if [ -f "/etc/iptables/rules.v4" ]; then
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # NextCloud' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p udp -m udp --dport 8080 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # TurnServer' /etc/iptables/rules.v4
+	iptables-restore /etc/iptables/rules.v4
+fi

debian-12/apps/nodejs-14/nodejs-14.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+
+mkdir /srv/node
+curl -sL https://deb.nodesource.com/setup_14.x | bash -
+apt install -y nodejs
+npm i -g nodemon
+
+cat > /etc/systemd/system/nodejs.service << EOF
+[Service]
+ExecStart=/usr/bin/node app.js
+WorkingDirectory=/srv/node
+Restart=always
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier=node
+#User=websites
+#Group=websites
+Environment=NODE_ENV=production
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat > /srv/node/app.js << "EOF"
+var http = require('http')
+
+http.createServer(function (req, res) {
+  res.writeHead(200, {'Content-Type': 'text/plain'})
+  res.write('Hello World!')
+  res.end()
+}).listen(80)
+EOF
+
+systemctl daemon-reload
+systemctl enable nodejs.service
+systemctl start nodejs.service
+
+if [ -f "/etc/iptables/rules.v4" ]; then
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # NodeJS' /etc/iptables/rules.v4
+	iptables-restore /etc/iptables/rules.v4
+fi

debian-12/apps/nodejs-16/nodejs-16.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+
+mkdir /srv/node
+curl -sL https://deb.nodesource.com/setup_16.x | bash -
+apt install -y nodejs
+npm i -g nodemon
+
+cat > /etc/systemd/system/nodejs.service << EOF
+[Service]
+ExecStart=/usr/bin/node app.js
+WorkingDirectory=/srv/node
+Restart=always
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier=node
+#User=websites
+#Group=websites
+Environment=NODE_ENV=production
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat > /srv/node/app.js << "EOF"
+var http = require('http')
+
+http.createServer(function (req, res) {
+  res.writeHead(200, {'Content-Type': 'text/plain'})
+  res.write('Hello World!')
+  res.end()
+}).listen(80)
+EOF
+
+systemctl daemon-reload
+systemctl enable nodejs.service
+systemctl start nodejs.service
+
+if [ -f "/etc/iptables/rules.v4" ]; then
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # NodeJS' /etc/iptables/rules.v4
+	iptables-restore /etc/iptables/rules.v4
+fi

debian-12/apps/nodejs-18/nodejs-18.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+
+mkdir /srv/node
+curl -sL https://deb.nodesource.com/setup_18.x | bash -
+apt install -y nodejs
+npm i -g nodemon
+
+cat > /etc/systemd/system/nodejs.service << EOF
+[Service]
+ExecStart=/usr/bin/node app.js
+WorkingDirectory=/srv/node
+Restart=always
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier=node
+#User=websites
+#Group=websites
+Environment=NODE_ENV=production
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat > /srv/node/app.js << "EOF"
+var http = require('http')
+
+http.createServer(function (req, res) {
+  res.writeHead(200, {'Content-Type': 'text/plain'})
+  res.write('Hello World!')
+  res.end()
+}).listen(80)
+EOF
+
+systemctl daemon-reload
+systemctl enable nodejs.service
+systemctl start nodejs.service
+
+if [ -f "/etc/iptables/rules.v4" ]; then
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # NodeJS' /etc/iptables/rules.v4
+	iptables-restore /etc/iptables/rules.v4
+fi

debian-12/apps/nodejs-19/nodejs-19.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+
+mkdir /srv/node
+curl -sL https://deb.nodesource.com/setup_19.x | bash -
+apt install -y nodejs
+npm i -g nodemon
+
+cat > /etc/systemd/system/nodejs.service << EOF
+[Service]
+ExecStart=/usr/bin/node app.js
+WorkingDirectory=/srv/node
+Restart=always
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier=node
+#User=websites
+#Group=websites
+Environment=NODE_ENV=production
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat > /srv/node/app.js << "EOF"
+var http = require('http')
+
+http.createServer(function (req, res) {
+  res.writeHead(200, {'Content-Type': 'text/plain'})
+  res.write('Hello World!')
+  res.end()
+}).listen(80)
+EOF
+
+systemctl daemon-reload
+systemctl enable nodejs.service
+systemctl start nodejs.service
+
+if [ -f "/etc/iptables/rules.v4" ]; then
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # NodeJS' /etc/iptables/rules.v4
+	iptables-restore /etc/iptables/rules.v4
+fi

debian-12/apps/nodejs-20/nodejs-20.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+
+mkdir /srv/node
+curl -sL https://deb.nodesource.com/setup_20.x | bash -
+apt install -y nodejs
+npm i -g nodemon
+
+cat > /etc/systemd/system/nodejs.service << EOF
+[Service]
+ExecStart=/usr/bin/node app.js
+WorkingDirectory=/srv/node
+Restart=always
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier=node
+#User=websites
+#Group=websites
+Environment=NODE_ENV=production
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat > /srv/node/app.js << "EOF"
+var http = require('http')
+
+http.createServer(function (req, res) {
+  res.writeHead(200, {'Content-Type': 'text/plain'})
+  res.write('Hello World!')
+  res.end()
+}).listen(80)
+EOF
+
+systemctl daemon-reload
+systemctl enable nodejs.service
+systemctl start nodejs.service
+
+if [ -f "/etc/iptables/rules.v4" ]; then
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # NodeJS' /etc/iptables/rules.v4
+	iptables-restore /etc/iptables/rules.v4
+fi

debian-12/apps/portainer/portainer.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+docker run -d --name="portainer" --restart=unless-stopped -p 8000:8000 -p 9000:9000 -p 9443:9443 -v /var/run/docker.sock:/var/run/docker.sock -v /srv/portainer/data:/data portainer/portainer-ce

debian-12/apps/proxmox-8/proxmox-8.sh

@@ -0,0 +1,47 @@
+#!/bin/bash
+
+exit 1
+
+HOSTNAME=$(hostname -s)
+FQDN=$(hostname)
+IPV4INT=$(ip addr | grep '<BROADCAST' | head -n1 | awk '{print $2}' | cut -f1 -d :)
+NETFILE=/etc/network/interfaces.d/${IPV4INT}
+if test -f "${NETFILE}"; then
+	IPV4=$(cat ${NETFILE} | grep address | awk '{print $2}')
+	IPV4MASK=24
+	IPV4GW=$(cat ${NETFILE} | grep gateway | awk '{print $2}')
+else
+	IPV4=$(ip addr | grep 'inet ' | grep -v '127.0' | head -n1 | awk '{print $2}' | cut -f1 -d /)
+	IPV4MASK=$(ip addr | grep 'inet ' | grep -v '127.0' | head -n1 | awk '{print $2}' | cut -f2 -d /)
+	IPV4GW=$(ip route | grep default | awk '{print $3}')
+fi
+
+echo "127.0.0.1        localhost.localdomain localhost" > /etc/hosts
+echo "${IPV4}     ${FQDN} ${HOSTNAME}" >> /etc/hosts
+
+apt remove -y iptables-persistent
+rm -R /etc/iptables
+
+echo "deb http://download.proxmox.com/debian/pve bullseye pve-no-subscription" >> /etc/apt/sources.list
+wget http://download.proxmox.com/debian/proxmox-release-bullseye.gpg -O /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg
+
+apt update
+apt -y full-upgrade
+export DEBIAN_FRONTEND=noninteractive
+apt install -y proxmox-ve postfix open-iscsi ifupdown2
+apt remove -y os-prober linux-image-* 
+update-grub
+
+echo "# deb https://enterprise.proxmox.com/debian/pve bullseye pve-enterprise" > /etc/apt/sources.list.d/pve-enterprise.list
+
+NETFILE=/etc/network/interfaces.new
+echo "" >> ${NETFILE}
+echo "auto vmbr0" >> ${NETFILE}
+echo "iface vmbr0 inet static" >> ${NETFILE}
+echo "        address ${IPV4}/${IPV4MASK}" >> ${NETFILE}
+echo "        gateway ${IPV4GW}" >> ${NETFILE}
+echo "        bridge-ports ${IPV4INT}" >> ${NETFILE}
+echo "        bridge-stp off" >> ${NETFILE}
+echo "        bridge-fd 0" >> ${NETFILE}
+
+rm /etc/network/interfaces.d/*

debian-12/apps/rinetd/rinetd.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+apt install -y rinetd
+
+nano /etc/rinetd.conf
+systemctl restart rinetd
+
+if [ -f "/etc/iptables/rules.v4" ]; then
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # RINETD' /etc/iptables/rules.v4
+	nano /etc/iptables/rules.v4
+	iptables-restore /etc/iptables/rules.v4
+fi

debian-12/apps/tang/tang.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+apt install -y tang
+
+# systemctl edit tangd.socket
+# systemctl daemon-reload
+systemctl enable tangd.socket
+systemctl start tangd.socket
+
+if [ -f "/etc/iptables/rules.v4" ]; then
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # TANGD' /etc/iptables/rules.v4
+	iptables-restore /etc/iptables/rules.v4
+fi

debian-12/apps/tor-gw/tor-gw.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+
+apt install -y tor
+
+echo "nameserver 127.0.0.1" > /etc/resolv.conf
+
+cat >> /etc/tor/torrc << EOF
+VirtualAddrNetwork 10.192.0.0/10
+AutomapHostsSuffixes .onion,.exit
+AutomapHostsOnResolve 1
+TransPort 0.0.0.0:9040
+DNSPort 0.0.0.0:53
+EOF
+
+service tor restart
+
+cat > /etc/iptables/rules.v4 << EOF
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+EOF
+iptables-restore /etc/iptables/rules.v4
+
+iptables -t nat -A PREROUTING ! -i lo -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 22
+iptables -t nat -A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
+iptables -t nat -A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
+iptables-save > /etc/iptables/rules.v4
+
+sed -i '/net.ipv4.ip_forward/s/^#//g' /etc/sysctl.conf
+echo 1 > /proc/sys/net/ipv4/ip_forward
+
+echo ""
+echo ""
+echo ""
+ip a | grep "inet "
+
+echo ""
+echo "Note for Firefox :"
+echo "You need to enable dot onion in about:config."
+echo "network.dns.blockDotOnion = False"

debian-12/apps/traefik/traefik.sh

@@ -0,0 +1,288 @@
+#!/bin/bash
+
+RELEASE=$(whiptail --title "Traefik" --inputbox "Release :" 0 30 "2.7.1" 3>&1 1>&2 2>&3)
+ACCOUNT=$(whiptail --title "Traefik" --inputbox "ACME E-Mail :" 0 30 "" 3>&1 1>&2 2>&3)
+
+main() {
+	Traefik-etc-certs-selfsigned
+	Traefik-etc-services
+	Traefik-etc-config
+	Traefik-etc-iptable
+	Traefik-bin-update-traefik
+	Traefik-service
+}
+
+
+Traefik-etc-certs-selfsigned() {
+	mkdir -p /etc/traefik/certs
+	openssl ecparam -name secp256r1 -genkey -out /etc/traefik/certs/self.key
+	openssl req -new -x509 -key /etc/traefik/certs/self.key -sha256 -nodes -out /etc/traefik/certs/self.crt -days 3650
+}
+
+Traefik-etc-services() {
+	mkdir -p /etc/traefik/services
+	Traefik-etc-services-shared
+	Traefik-etc-services-default
+}
+
+Traefik-etc-services-shared() {
+	cat >> /etc/traefik/services/_shared.yaml << "EOF"
+tls:
+  stores:
+    default:
+      defaultCertificate:
+        certFile: "/etc/traefik/certs/self.crt"
+        keyFile: "/etc/traefik/certs/self.key"
+
+  options:
+    default:
+      minVersion: "VersionTLS12"
+      # sniStrict: true
+      cipherSuites:
+        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+
+    mintls13:
+      minVersion: "VersionTLS13"
+
+http:
+  middlewares:
+    to-https:
+      redirectScheme:
+        scheme: "https"
+        permanent: true
+    to-no-www:
+      redirectRegex:
+        regex: "^https://www.(.*)"
+        replacement: "https://${1}"
+        permanent: true
+
+    hsts-min:
+      headers:
+        sslRedirect: true
+        stsIncludeSubdomains: false
+        stsPreload: true
+        stsSeconds: 63072000
+        contentTypeNosniff: true
+        accessControlMaxAge: 100
+        addVaryheader: true
+    hsts_light:
+      headers:
+        sslRedirect: true
+        frameDeny: true
+        stsIncludeSubdomains: false
+        stsPreload: true
+        stsSeconds: 63072000
+        contentTypeNosniff: true
+        accessControlMaxAge: 100
+        addVaryheader: true
+    hsts:
+      headers:
+        sslRedirect: true
+        frameDeny: true
+        stsIncludeSubdomains: false
+        stsPreload: true
+        stsSeconds: 63072000
+        contentTypeNosniff: true
+        accessControlMaxAge: 100
+        addVaryheader: true
+        referrerPolicy: "origin-when-cross-origin"
+    hsts-strict:
+      headers:
+        sslRedirect: true
+        frameDeny: true
+        stsIncludeSubdomains: false
+        stsPreload: true
+        stsSeconds: 63072000
+        contentTypeNosniff: true
+        accessControlMaxAge: 100
+        addVaryheader: true
+        contentSecurityPolicy: "script-src 'self'"
+        referrerPolicy: "origin-when-cross-origin"
+
+  services:
+    dummy:
+      loadBalancer:
+        servers:
+          - url: "https://127.0.0.1:2"
+ 
+    # matomo:
+    #  loadBalancer:
+    #    servers:
+    #      - url: "https://x.x.x.x:xxx"
+EOF
+}
+
+Traefik-etc-services-default() {
+	cat >> /etc/traefik/services/_default.yaml << "EOF"
+http:
+  routers:
+    _default:
+      entryPoints:
+        - http
+      rule: "PathPrefix(`/`)"
+      # priority: 100
+      # service: _default-matomo
+      service: _default
+
+    _default-secure:
+      entryPoints:
+        - https
+      rule: "PathPrefix(`/`)"
+      # priority: 100
+      # service: _default-matomo
+      service: _default
+      tls:
+        acmev2-staging
+
+  services:
+    # _default-matomo:
+    #  mirroring:
+    #    service: _default
+    #    maxBodySize: 1024
+    #    mirrors:
+    #      - name: matomo
+    #        percent: 100
+
+    _default:
+      loadBalancer:
+        servers:
+          - url: https://127.0.0.1:2
+EOF
+}
+
+Traefik-etc-config() {
+	cat >> /etc/traefik/traefik.yaml << "EOF"
+entryPoints:
+  http:
+   address: ":80"
+  https:
+   address: ":443"
+  traefik:
+   address: ":8099"
+
+api:
+  dashboard: true
+  insecure: true
+
+serversTransport:
+  insecureSkipVerify: true
+
+providers:
+  file:
+    directory: "/etc/traefik/services/"
+    watch: true
+
+certificatesResolvers:
+  acmev2:
+    acme:
+      email: "X{ACCOUNT}"
+      caserver: "https://acme-v02.api.letsencrypt.org/directory"
+      storage: "/etc/traefik/certs/acmev2.json"
+      keyType: "EC384"
+      tlsChallenge: {}
+  acmev2-staging:
+    acme:
+      email: "X{ACCOUNT}"
+      caserver: "https://acme-staging-v02.api.letsencrypt.org/directory"
+      storage: "/etc/traefik/certs/acmev2-staging.json"
+      keyType: "EC384"
+      tlsChallenge: {}
+EOF
+
+sed -i "s/X{ACCOUNT}/${ACCOUNT}/g" /etc/traefik/traefik.yaml
+
+}
+
+Traefik-etc-iptable() {
+  if [ -f "/etc/iptables/rules.v4" ]; then
+    sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 8099 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+    sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+    sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+    sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # Traefik' /etc/iptables/rules.v4
+    iptables-restore /etc/iptables/rules.v4
+  fi
+}
+
+Traefik-bin-update-traefik() {
+	cat >> /usr/local/bin/update-traefik << "EOF"
+#/bin/bash
+
+getcurrentversion() {
+  if [ -f /var/opt/traefik/version ]; then
+    cat /var/opt/traefik/version
+  else
+    echo "0"
+  fi
+}
+getlatestversion() {
+  if ! GITHUBTAGNAME=$(curl -sL "https://api.github.com/repos/traefik/traefik/releases/latest" | jq -r ".tag_name"); then
+    echo "Error in Github API"
+    return 1
+  fi
+  if [ "${GITHUBTAGNAME}" == "" ]; then
+    echo "Error in Github API"
+    return 1
+  fi
+  local -r GITHUBVERSION=${GITHUBTAGNAME//[[:alpha:]-]/}
+  if [ "${GITHUBVERSION}" == "" ]; then
+    echo "Error in Github API"
+    return 1
+  fi
+  echo "${GITHUBVERSION}"
+}
+update() {
+  VERSION=${1}
+  mkdir -p /tmp/traefik
+  cd /tmp/traefik
+  wget https://github.com/traefik/traefik/releases/download/v${VERSION}/traefik_v${VERSION}_linux_amd64.tar.gz
+  tar -xf traefik_v${VERSION}_linux_amd64.tar.gz
+  systemctl stop traefik
+  cp traefik /usr/local/bin
+  systemctl start traefik
+  if [ ! -d /var/opt/traefik ]; then
+    mkdir -p /var/opt/traefik
+  fi
+  echo "${VERSION}" > /var/opt/traefik/version
+  rm -R /tmp/traefik
+}
+
+CURVER=$(getcurrentversion)
+LATESTVER=$(getlatestversion)
+
+if [ "${CURVER}" != "${LATESTVER}" ]; then
+  echo "${CURVER} -> ${LATESTVER}"
+  update "${LATESTVER}"
+fi
+EOF
+	chmod 755 /usr/local/bin/update-traefik
+	update-traefik ${RELEASE}
+}
+
+Traefik-service() {
+	cat >> /etc/systemd/system/traefik.service << "EOF"
+[Unit]
+Description=Traefik
+After=network.target auditd.service
+
+[Service]
+ExecStart=/usr/local/bin/traefik -configFile /etc/traefik/traefik.yaml
+ExecReload=/bin/killall traefik
+KillMode=process
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
+EOF
+	
+	systemctl daemon-reload
+	systemctl enable traefik
+	systemctl restart traefik
+}
+
+
+main

debian-12/apps/webmin/webmin.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+echo "deb https://download.webmin.com/download/repository sarge contrib" > /etc/apt/sources.list.d/webmin.list
+wget https://download.webmin.com/jcameron-key.asc
+cat jcameron-key.asc | gpg --dearmor >/etc/apt/trusted.gpg.d/jcameron-key.gpg
+
+apt update
+apt-get -y install webmin
+
+systemctl daemon-reload
+systemctl start webmin
+
+if [ -f "/etc/iptables/rules.v4" ]; then
+	sed -i '/^COMMIT.*/i # Webmin' /etc/iptables/rules.v4
+	sed -i '/^COMMIT.*/i -A INPUT -p tcp -m tcp --dport 10000 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	iptables-restore /etc/iptables/rules.v4
+fi

debian-12/apps/zm-builder/zm-builder.sh

@@ -0,0 +1,47 @@
+#!/bin/bash
+
+apt -y install apache2 docker-compose
+rm -r /var/www/html/*
+
+cat << 'EOF' > /usr/local/bin/mtm-zmbuild
+#!/bin/bash
+BUILDVER=${1}
+BUILDNO=${2}
+BUILDCHAIN=${3}
+
+show_help() {
+	echo "mtm-zmbuild version buildno buildchain"
+	echo ""
+	echo "Example :"
+	echo "  mtm-zmbuild 10.0.5 4574 10.0.5,10.0.4,10.0.3,10.0.2,10.0.1,10.0.0-GA,10.0.0"
+	echo "  mtm-zmbuild 10.0.4 4518 10.0.4,10.0.3,10.0.2,10.0.1,10.0.0-GA,10.0.0"
+}
+
+if [ "${BUILDVER}" == "" ] || [ "${BUILDNO}" == "" ] || [ "${BUILDCHAIN}" == "" ]; then
+	show_help
+	exit 1
+fi
+
+mkdir -p /root/zimbra/${BUILDVER}-${BUILDNO}
+{
+	echo "#!/bin/bash"
+	echo "BUILDVER=${BUILDVER}"
+	echo "BUILDCHAIN=${BUILDCHAIN}"
+	echo "BUILDNO=${BUILDNO}"
+	echo "apt -y install software-properties-common openjdk-8-jdk ant ant-optional ant-contrib ruby git maven build-essential debhelper rclone rsync"
+	echo "git clone --depth 1 --branch ${BUILDVER} https://github.com/Zimbra/zm-build.git"
+	echo "cd zm-build"
+	echo "ENV_CACHE_CLEAR_FLAG=true ./build.pl --ant-options -DskipTests=true --git-default-tag=${BUILDCHAIN} --build-release-no=${BUILDVER} --build-type=FOSS --build-release=Daffodil --build-release-candidate=GA --build-thirdparty-server=files.zimbra.com --build-no=${BUILDNO} --no-interactive"
+	echo "cp /home/build/BUILDS/UBUNTU*/zcs-*.tgz /root"
+	echo "exit"
+} > /root/zimbra/${BUILDVER}-${BUILDNO}/build
+docker run -it --rm -u root -v /root/zimbra/${BUILDVER}-${BUILDNO}:/root zimbra/zm-base-os:devcore-ubuntu-20.04 bash /root/build
+rm -r /root/zimbra/${BUILDVER}-${BUILDNO}/.*
+cp /root/zimbra/${BUILDVER}-${BUILDNO}/zcs-*.tgz /var/www/html/zcs-${BUILDVER}.tgz
+EOF
+chmod +x /usr/local/bin/mtm-zmbuild
+
+if [ -f "/etc/iptables/rules.v4" ]; then
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	iptables-restore /etc/iptables/rules.v4
+fi