Add debian 13

debian-13/apps/apt-cacher-ng/apt-cacher-ng.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+if [ -d "/var/cache/apt-cacher-ng" ]; then
+	chown apt-cacher-ng:apt-cacher-ng apt-cacher-ng
+fi
+
+apt install -y rinetd apt-cacher-ng
+
+cat > /etc/apt-cacher-ng/backend_archlx << "EOF"
+#### HTTPS not supported ####
+
+http://archlinux.puzzle.ch/
+EOF
+systemctl restart apt-cacher-ng
+
+sed -i '/^# bindadress.*/a 0.0.0.0         8080      127.0.0.1       3142' /etc/rinetd.conf
+sed -i '/^# bindadress.*/a 0.0.0.0         80        127.0.0.1       3142' /etc/rinetd.conf
+systemctl restart rinetd
+
+echo "Acquire::http { Proxy \"http://127.0.0.1\"; };" > /etc/apt/apt.conf.d/02proxy
+
+if [ -f "/etc/iptables/rules.v4" ]; then
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # apt-cacher-ng' /etc/iptables/rules.v4
+	iptables-restore /etc/iptables/rules.v4
+fi

debian-13/apps/bind9/bind9.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+apt install -y bind9
+
+if [ -f "/etc/iptables/rules.v4" ]; then
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # DNS' /etc/iptables/rules.v4
+	iptables-restore /etc/iptables/rules.v4
+fi

debian-13/apps/docker/docker.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+swapoff -a
+sed -i "/swap/d" /etc/fstab
+
+apt remove -y iptables-persistent
+apt autoremove -y
+apt install -y ca-certificates curl gnupg lsb-release
+
+curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
+echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian   bullseye stable" > /etc/apt/sources.list.d/docker.list
+
+sysctl -w net/netfilter/nf_conntrack_max=131072
+
+apt update
+apt dist-upgrade
+apt install -y docker-ce
+apt install -y docker-compose
+
+systemctl enable docker.service
+systemctl start docker.service
+
+sleep 3

debian-13/apps/iperf3/iperf3.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+apt install -y iperf3
+
+if [ -f "/etc/iptables/rules.v4" ]; then
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p udp -m udp --dport 5201 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 5201 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # IPERF' /etc/iptables/rules.v4
+	iptables-restore /etc/iptables/rules.v4
+fi

debian-13/apps/naemon/naemon.sh

@@ -0,0 +1,102 @@
+#!/bin/bash
+
+apt install -y sudo lsb-release
+
+chmod u+s /usr/bin/ping
+
+curl -s -o /etc/apt/trusted.gpg.d/naemon.asc "https://build.opensuse.org/projects/home:naemon/signing_keys/download?kind=gpg"
+echo "deb [signed-by=/etc/apt/trusted.gpg.d/naemon.asc] http://download.opensuse.org/repositories/home:/naemon/Debian_$(lsb_release -rs)/ ./" >> /etc/apt/sources.list.d/naemon-stable.list
+apt update
+apt install -y naemon nagios-nrpe-plugin
+
+echo "<html></html>" > /var/www/html/index.html
+a2ensite default-ssl.conf
+a2enmod ssl
+systemctl reload apache2
+
+chown www-data:www-data /etc/thruk/cgi.cfg
+chown www-data:www-data /etc/thruk/htpasswd
+systemctl enable naemon.service
+
+cat << 'EOF' > /etc/naemon/conf.d/commands-custom.cfg
+define command {
+  command_name                   check_https
+  command_line                   $USER1$/check_http -S -H $HOSTADDRESS$ $ARG1$
+}
+
+define command {
+  command_name                   check-dns
+  command_line                   $USER1$/check_dns -H netm.ch -s $HOSTADDRESS$
+}
+
+define command {
+  command_name                   check-ntp
+  command_line                   $USER1$/check_ntp -H $HOSTADDRESS$
+}
+EOF
+chown naemon:naemon /etc/naemon/conf.d/commands-custom.cfg
+chmod 664 /etc/naemon/conf.d/commands-custom.cfg
+
+cat << 'EOF' > /etc/naemon/conf.d/commands-snmp.cfg
+define command {
+  command_name                   check-snmp-users
+  command_line                   $USER1$/check_snmp -H $HOSTADDRESS$ -o 1.3.6.1.2.1.25.1.5.0 -C $ARG1$ -w 0 -c 1
+}
+
+define command {
+  command_name                   check-snmp-uptime
+  command_line                   $USER1$/check_snmp -H $HOSTADDRESS$ -o 1.3.6.1.2.1.1.3.0 -C opsview -w 360000:
+}
+EOF
+chown naemon:naemon /etc/naemon/conf.d/commands-snmp.cfg
+chmod 664 /etc/naemon/conf.d/commands-snmp.cfg
+
+cat << 'EOF' > /etc/naemon/conf.d/commands-nrpe.cfg
+define command {
+	command_name    nrpe_check_ping
+	command_line    $USER1$/check_nrpe -H $ARG1$ -c check_ping -a $HOSTADDRESS$
+}
+
+define command {
+	command_name    nrpe_check_tcp
+	command_line    $USER1$/check_nrpe -H $ARG1$ -c check_tcp -a $HOSTADDRESS$ $ARG2$
+}
+
+define command {
+	command_name    nrpe_check_ssh
+	command_line    $USER1$/check_nrpe -H $ARG1$ -c check_ssh -a $HOSTADDRESS$
+}
+
+define command {
+	command_name    nrpe_check_http
+	command_line    $USER1$/check_nrpe -H $ARG1$ -c check_http -a $HOSTADDRESS$ $ARG2$
+}
+
+define command {
+	command_name    nrpe_check_https
+	command_line    $USER1$/check_nrpe -H $ARG1$ -c check_https -a $HOSTADDRESS$ $ARG2$
+}
+
+define command {
+	command_name    nrpe-check-host-alive
+	command_line    $USER1$/check_nrpe -H $ARG1$ -c check_ping -a $HOSTADDRESS$
+}
+
+define command {
+	command_name    nrpe_snmp_win_uptime
+	command_line    $USER1$/check_nrpe_snmp_win_uptime $ARG1$ $HOSTADDRESS$ $ARG3$ $ARG4$
+}
+
+define command {
+	command_name    nrpe_snmp_win_part
+	command_line    $USER1$/check_nrpe_snmp_win_part $ARG1$ $HOSTADDRESS$ $ARG2$ $ARG3$ $ARG4$
+}
+EOF
+chown naemon:naemon /etc/naemon/conf.d/commands-nrpe.cfg
+chmod 664 /etc/naemon/conf.d/commands-nrpe.cfg
+
+if [ -f "/etc/iptables/rules.v4" ]; then
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # HTTPS' /etc/iptables/rules.v4
+	iptables-restore /etc/iptables/rules.v4
+fi

debian-13/apps/nextcloud-30/nextcloud-30.sh

@@ -0,0 +1,116 @@
+#!/bin/bash 
+
+# https://docs.nextcloud.com/server/latest/admin_manual/installation/source_installation.html
+
+IPV4=$(ip addr | grep 'inet ' | grep -v '127.0' | head -n1 | awk '{print $2}' | cut -f1 -d /)
+DBNAME=$(whiptail --title "DB" --inputbox "DB Name :" 0 30 "nextcloud" 3>&1 1>&2 2>&3)
+DBUSER=$(whiptail --title "DB" --inputbox "DB User :" 0 30 "nextcloud" 3>&1 1>&2 2>&3)
+DBPASS=$(whiptail --title "DB" --inputbox "DB Pass :" 0 30 "nextcloud" 3>&1 1>&2 2>&3)
+DATAPATH=$(whiptail --title "DATA" --inputbox "DATA Path :" 0 30 "/srv/nextcloud/data" 3>&1 1>&2 2>&3)
+NCUSER=$(whiptail --title "NextCloud" --inputbox "Admin Name :" 0 30 "admin" 3>&1 1>&2 2>&3)
+NCPASS=$(whiptail --title "NextCloud" --inputbox "Admin Pass :" 0 30 "admin" 3>&1 1>&2 2>&3)
+
+
+apt install -y sudo apache2 coturn bzip2
+apt install -y php8.2 php8.2-curl php8.2-gd php8.2-mbstring php8.2-zip php-xml php-bz2 php8.2-intl php8.2-fpm php-apcu php-memcached php-redis php-imagick php8.2-bcmath php8.2-gmp libapache2-mod-php8.2
+apt install -y php8.2-mysql mariadb-server
+apt install -y smbclient ffmpeg libmagickcore-6.q16-6-extra
+
+a2dissite 000-default
+a2dissite default-ssl.conf
+a2enmod rewrite
+a2enmod headers
+a2enmod env
+a2enmod dir
+a2enmod mime
+a2enmod ssl
+
+sed -i "s/memory_limit =.*/memory_limit = 512M/g" /etc/php/8.2/apache2/php.ini
+sed -i "s/;opcache.interned_strings_buffer.*/opcache.interned_strings_buffer=20/g" /etc/php/8.2/apache2/php.ini
+sed -i "s/memory_limit =.*/memory_limit = 512M/g" /etc/php/8.2/fpm/php.ini
+sed -i "s/memory_limit =.*/memory_limit = 512M/g" /etc/php/8.2/cli/php.ini
+echo "apc.enable_cli=1" >> /etc/php/8.2/cli/php.ini
+
+mysql -e "CREATE DATABASE ${DBNAME};CREATE USER '${DBUSER}'@'localhost' IDENTIFIED BY '${DBPASS}';GRANT ALL ON ${DBNAME}.* TO '${DBUSER}'@'localhost' WITH GRANT OPTION;FLUSH PRIVILEGES;"
+
+wget https://download.nextcloud.com/server/releases/latest-30.tar.bz2
+tar -xvf latest-30.tar.bz2
+mv nextcloud /var/www
+chown -R www-data:www-data /var/www/nextcloud
+mkdir -p ${DATAPATH}
+chown -R www-data:www-data ${DATAPATH}
+
+cat > /etc/apache2/sites-available/nextcloud.conf << "EOF"
+<VirtualHost *:443>
+	Protocols h2 http:/1.1
+	DocumentRoot "/var/www/nextcloud"
+	#ServerName nextcloud.your-domain.com
+	ErrorLog ${APACHE_LOG_DIR}/error.log
+	CustomLog ${APACHE_LOG_DIR}/access.log combined
+	Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
+	SSLEngine on
+	SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
+	SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+	SSLCertificateChainFile /etc/ssl/certs/ssl-cert-snakeoil.pem
+	SSLProtocol TLSv1.2
+
+	<Directory /var/www/nextcloud/>
+		Options +FollowSymlinks
+		AllowOverride All
+		<IfModule mod_dav.c>
+			Dav off
+		</IfModule>
+		SetEnv HOME /var/www/nextcloud
+		SetEnv HTTP_HOME /var/www/nextcloud
+		Satisfy Any
+	</Directory>
+
+</VirtualHost>
+EOF
+
+a2ensite nextcloud
+systemctl restart apache2
+
+cd /var/www/nextcloud/
+sudo -u www-data php occ maintenance:install \
+	--database "mysql" \
+	--database-name "${DBNAME}" \
+	--database-user "${DBUSER}" \
+	--database-pass "${DBPASS}" \
+	--admin-user "${NCUSER}" \
+	--admin-pass "${NCPASS}" \
+	--data-dir "${DATAPATH}"
+sed -i "s/0 => 'localhost/0 => '${IPV4}/" /var/www/nextcloud/config/config.php
+sed -i "s/\/\/localhost/\/\/${IPV4}/" /var/www/nextcloud/config/config.php
+sed -i "s/http:/https:/" /var/www/nextcloud/config/config.php
+sed -i "/^);*/i\ \ 'memcache.local' => '\\\\OC\\\\Memcache\\\\APCu'," /var/www/nextcloud/config/config.php
+sed -i "/^);*/i\ \ 'default_phone_region' => 'CH'," /var/www/nextcloud/config/config.php
+echo "*/5  *  *  *  * php -f /var/www/nextcloud/cron.php" | crontab -u www-data -
+sudo -u www-data php occ background:cron
+sudo -u www-data php occ config:system:set maintenance_window_start --type=integer --value=1
+sudo -u www-data php occ maintenance:repair --include-expensive
+sudo -u www-data php occ db:add-missing-indices
+
+cat >> /etc/turnserver.conf << "EOF"
+listening-port=8080
+listening-ip=0.0.0.0
+fingerprint
+use-auth-secret
+static-auth-secret=AUTHSECRET
+# realm=nextcloud.dom.lan
+total-quota=0
+bps-capacity=0
+stale-nonce
+no-multicast-peers
+EOF
+AUTHSECRET=$(openssl rand -hex 32)
+sed -i "s/AUTHSECRET/${AUTHSECRET}/" /etc/turnserver.conf
+
+if [ -f "/etc/iptables/rules.v4" ]; then
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # NextCloud' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p udp -m udp --dport 8080 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # TurnServer' /etc/iptables/rules.v4
+	iptables-restore /etc/iptables/rules.v4
+fi

debian-13/apps/nextcloud-latest/nextcloud-latest.sh

@@ -0,0 +1,112 @@
+#!/bin/bash 
+
+# https://docs.nextcloud.com/server/latest/admin_manual/installation/source_installation.html
+
+IPV4=$(ip addr | grep 'inet ' | grep -v '127.0' | head -n1 | awk '{print $2}' | cut -f1 -d /)
+DBNAME=$(whiptail --title "DB" --inputbox "DB Name :" 0 30 "nextcloud" 3>&1 1>&2 2>&3)
+DBUSER=$(whiptail --title "DB" --inputbox "DB User :" 0 30 "nextcloud" 3>&1 1>&2 2>&3)
+DBPASS=$(whiptail --title "DB" --inputbox "DB Pass :" 0 30 "nextcloud" 3>&1 1>&2 2>&3)
+DATAPATH=$(whiptail --title "DATA" --inputbox "DATA Path :" 0 30 "/srv/nextcloud/data" 3>&1 1>&2 2>&3)
+NCUSER=$(whiptail --title "NextCloud" --inputbox "Admin Name :" 0 30 "admin" 3>&1 1>&2 2>&3)
+NCPASS=$(whiptail --title "NextCloud" --inputbox "Admin Pass :" 0 30 "admin" 3>&1 1>&2 2>&3)
+
+
+apt install -y sudo apache2 coturn
+apt install -y php7.4 php7.4-curl php7.4-gd php7.4-mbstring php7.4-zip php-xml php-bz2 php7.4-intl php7.4-fpm php-apcu php-memcached php-redis php-imagick php7.4-bcmath php7.4-gmp libapache2-mod-php7.4
+apt install -y php7.4-mysql mariadb-server
+apt install -y smbclient ffmpeg libmagickcore-6.q16-6-extra
+
+a2dissite 000-default
+a2dissite default-ssl.conf
+a2enmod rewrite
+a2enmod headers
+a2enmod env
+a2enmod dir
+a2enmod mime
+a2enmod ssl
+
+sed -i "s/memory_limit =.*/memory_limit = 512M/g" /etc/php/7.4/apache2/php.ini
+sed -i "s/memory_limit =.*/memory_limit = 512M/g" /etc/php/7.4/fpm/php.ini
+sed -i "s/memory_limit =.*/memory_limit = 512M/g" /etc/php/7.4/cli/php.ini
+echo "apc.enable_cli=1" >> /etc/php/7.4/cli/php.ini
+
+mysql -e "CREATE DATABASE ${DBNAME};CREATE USER '${DBUSER}'@'localhost' IDENTIFIED BY '${DBPASS}';GRANT ALL ON ${DBNAME}.* TO '${DBUSER}'@'localhost' WITH GRANT OPTION;FLUSH PRIVILEGES;"
+
+wget https://download.nextcloud.com/server/releases/latest.tar.bz2
+tar -xvf latest.tar.bz2
+mv nextcloud /var/www
+chown -R www-data:www-data /var/www/nextcloud
+mkdir -p ${DATAPATH}
+chown -R www-data:www-data ${DATAPATH}
+
+cat > /etc/apache2/sites-available/nextcloud.conf << "EOF"
+<VirtualHost *:443>
+	Protocols h2 http:/1.1
+	DocumentRoot "/var/www/nextcloud"
+	#ServerName nextcloud.your-domain.com
+	ErrorLog ${APACHE_LOG_DIR}/error.log
+	CustomLog ${APACHE_LOG_DIR}/access.log combined
+	Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
+	SSLEngine on
+	SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
+	SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+	SSLCertificateChainFile /etc/ssl/certs/ssl-cert-snakeoil.pem
+	SSLProtocol TLSv1.2
+
+	<Directory /var/www/nextcloud/>
+		Options +FollowSymlinks
+		AllowOverride All
+		<IfModule mod_dav.c>
+			Dav off
+		</IfModule>
+		SetEnv HOME /var/www/nextcloud
+		SetEnv HTTP_HOME /var/www/nextcloud
+		Satisfy Any
+	</Directory>
+
+</VirtualHost>
+EOF
+
+a2ensite nextcloud
+systemctl restart apache2
+
+cd /var/www/nextcloud/
+sudo -u www-data php occ maintenance:install \
+	--database "mysql" \
+	--database-name "${DBNAME}" \
+	--database-user "${DBUSER}" \
+	--database-pass "${DBPASS}" \
+	--admin-user "${NCUSER}" \
+	--admin-pass "${NCPASS}" \
+	--data-dir "${DATAPATH}"
+sed -i "s/0 => 'localhost/0 => '${IPV4}/" /var/www/nextcloud/config/config.php
+sed -i "s/\/\/localhost/\/\/${IPV4}/" /var/www/nextcloud/config/config.php
+sed -i "s/http:/https:/" /var/www/nextcloud/config/config.php
+sed -i "/^);*/i\ \ 'memcache.local' => '\\\\OC\\\\Memcache\\\\APCu'," /var/www/nextcloud/config/config.php
+sed -i "/^);*/i\ \ 'default_phone_region' => 'CH'," /var/www/nextcloud/config/config.php
+echo "*/5  *  *  *  * php -f /var/www/nextcloud/cron.php" | crontab -u www-data -
+sudo -u www-data php occ background:cron
+
+cat >> /etc/turnserver.conf << "EOF"
+listening-port=8080
+listening-ip=0.0.0.0
+fingerprint
+use-auth-secret
+static-auth-secret=AUTHSECRET
+# realm=nextcloud.dom.lan
+total-quota=0
+bps-capacity=0
+stale-nonce
+no-multicast-peers
+EOF
+AUTHSECRET=$(openssl rand -hex 32)
+sed "s/AUTHSECRET/${AUTHSECRET}/" turnserver.conf
+
+if [ -f "/etc/iptables/rules.v4" ]; then
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # NextCloud' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p udp -m udp --dport 8080 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # TurnServer' /etc/iptables/rules.v4
+	iptables-restore /etc/iptables/rules.v4
+fi

debian-13/apps/nodejs-20/nodejs-20.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+
+mkdir /srv/node
+curl -sL https://deb.nodesource.com/setup_20.x | bash -
+apt install -y nodejs
+npm i -g nodemon
+
+cat > /etc/systemd/system/nodejs.service << EOF
+[Service]
+ExecStart=/usr/bin/node app.js
+WorkingDirectory=/srv/node
+Restart=always
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier=node
+#User=websites
+#Group=websites
+Environment=NODE_ENV=production
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat > /srv/node/app.js << "EOF"
+var http = require('http')
+
+http.createServer(function (req, res) {
+  res.writeHead(200, {'Content-Type': 'text/plain'})
+  res.write('Hello World!')
+  res.end()
+}).listen(80)
+EOF
+
+systemctl daemon-reload
+systemctl enable nodejs.service
+systemctl start nodejs.service
+
+if [ -f "/etc/iptables/rules.v4" ]; then
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # NodeJS' /etc/iptables/rules.v4
+	iptables-restore /etc/iptables/rules.v4
+fi

debian-13/apps/nodejs-22/nodejs-22.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+
+mkdir /srv/node
+curl -sL https://deb.nodesource.com/setup_22.x | bash -
+apt install -y nodejs
+npm i -g nodemon
+
+cat > /etc/systemd/system/nodejs.service << EOF
+[Service]
+ExecStart=/usr/bin/node app.js
+WorkingDirectory=/srv/node
+Restart=always
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier=node
+#User=websites
+#Group=websites
+Environment=NODE_ENV=production
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat > /srv/node/app.js << "EOF"
+var http = require('http')
+
+http.createServer(function (req, res) {
+  res.writeHead(200, {'Content-Type': 'text/plain'})
+  res.write('Hello World!')
+  res.end()
+}).listen(80)
+EOF
+
+systemctl daemon-reload
+systemctl enable nodejs.service
+systemctl start nodejs.service
+
+if [ -f "/etc/iptables/rules.v4" ]; then
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # NodeJS' /etc/iptables/rules.v4
+	iptables-restore /etc/iptables/rules.v4
+fi

debian-13/apps/nodejs-24/nodejs-24.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+
+mkdir /srv/node
+curl -sL https://deb.nodesource.com/setup_24.x | bash -
+apt install -y nodejs
+npm i -g nodemon
+
+cat > /etc/systemd/system/nodejs.service << EOF
+[Service]
+ExecStart=/usr/bin/node app.js
+WorkingDirectory=/srv/node
+Restart=always
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier=node
+#User=websites
+#Group=websites
+Environment=NODE_ENV=production
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat > /srv/node/app.js << "EOF"
+var http = require('http')
+
+http.createServer(function (req, res) {
+  res.writeHead(200, {'Content-Type': 'text/plain'})
+  res.write('Hello World!')
+  res.end()
+}).listen(80)
+EOF
+
+systemctl daemon-reload
+systemctl enable nodejs.service
+systemctl start nodejs.service
+
+if [ -f "/etc/iptables/rules.v4" ]; then
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # NodeJS' /etc/iptables/rules.v4
+	iptables-restore /etc/iptables/rules.v4
+fi

debian-13/apps/portainer/portainer.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+docker run -d --name="portainer" --restart=unless-stopped -p 8000:8000 -p 9000:9000 -p 9443:9443 -v /var/run/docker.sock:/var/run/docker.sock -v /srv/portainer/data:/data portainer/portainer-ce

debian-13/apps/rinetd/rinetd.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+apt install -y rinetd
+
+nano /etc/rinetd.conf
+systemctl restart rinetd
+
+if [ -f "/etc/iptables/rules.v4" ]; then
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # RINETD' /etc/iptables/rules.v4
+	nano /etc/iptables/rules.v4
+	iptables-restore /etc/iptables/rules.v4
+fi

debian-13/apps/tang/tang.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+apt install -y tang
+
+# systemctl edit tangd.socket
+# systemctl daemon-reload
+systemctl enable tangd.socket
+systemctl start tangd.socket
+
+if [ -f "/etc/iptables/rules.v4" ]; then
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # TANGD' /etc/iptables/rules.v4
+	iptables-restore /etc/iptables/rules.v4
+fi

debian-13/apps/tor-gw/tor-gw.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+
+apt install -y tor
+
+echo "nameserver 127.0.0.1" > /etc/resolv.conf
+
+cat >> /etc/tor/torrc << EOF
+VirtualAddrNetwork 10.192.0.0/10
+AutomapHostsSuffixes .onion,.exit
+AutomapHostsOnResolve 1
+TransPort 0.0.0.0:9040
+DNSPort 0.0.0.0:53
+EOF
+
+service tor restart
+
+cat > /etc/iptables/rules.v4 << EOF
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+EOF
+iptables-restore /etc/iptables/rules.v4
+
+iptables -t nat -A PREROUTING ! -i lo -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 22
+iptables -t nat -A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
+iptables -t nat -A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
+iptables-save > /etc/iptables/rules.v4
+
+sed -i '/net.ipv4.ip_forward/s/^#//g' /etc/sysctl.conf
+echo 1 > /proc/sys/net/ipv4/ip_forward
+
+echo ""
+echo ""
+echo ""
+ip a | grep "inet "
+
+echo ""
+echo "Note for Firefox :"
+echo "You need to enable dot onion in about:config."
+echo "network.dns.blockDotOnion = False"

debian-13/apps/traefik/traefik.sh

@@ -0,0 +1,288 @@
+#!/bin/bash
+
+RELEASE=$(whiptail --title "Traefik" --inputbox "Release :" 0 30 "2.7.1" 3>&1 1>&2 2>&3)
+ACCOUNT=$(whiptail --title "Traefik" --inputbox "ACME E-Mail :" 0 30 "" 3>&1 1>&2 2>&3)
+
+main() {
+	Traefik-etc-certs-selfsigned
+	Traefik-etc-services
+	Traefik-etc-config
+	Traefik-etc-iptable
+	Traefik-bin-update-traefik
+	Traefik-service
+}
+
+
+Traefik-etc-certs-selfsigned() {
+	mkdir -p /etc/traefik/certs
+	openssl ecparam -name secp256r1 -genkey -out /etc/traefik/certs/self.key
+	openssl req -new -x509 -key /etc/traefik/certs/self.key -sha256 -nodes -out /etc/traefik/certs/self.crt -days 3650
+}
+
+Traefik-etc-services() {
+	mkdir -p /etc/traefik/services
+	Traefik-etc-services-shared
+	Traefik-etc-services-default
+}
+
+Traefik-etc-services-shared() {
+	cat >> /etc/traefik/services/_shared.yaml << "EOF"
+tls:
+  stores:
+    default:
+      defaultCertificate:
+        certFile: "/etc/traefik/certs/self.crt"
+        keyFile: "/etc/traefik/certs/self.key"
+
+  options:
+    default:
+      minVersion: "VersionTLS12"
+      # sniStrict: true
+      cipherSuites:
+        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+
+    mintls13:
+      minVersion: "VersionTLS13"
+
+http:
+  middlewares:
+    to-https:
+      redirectScheme:
+        scheme: "https"
+        permanent: true
+    to-no-www:
+      redirectRegex:
+        regex: "^https://www.(.*)"
+        replacement: "https://${1}"
+        permanent: true
+
+    hsts-min:
+      headers:
+        sslRedirect: true
+        stsIncludeSubdomains: false
+        stsPreload: true
+        stsSeconds: 63072000
+        contentTypeNosniff: true
+        accessControlMaxAge: 100
+        addVaryheader: true
+    hsts_light:
+      headers:
+        sslRedirect: true
+        frameDeny: true
+        stsIncludeSubdomains: false
+        stsPreload: true
+        stsSeconds: 63072000
+        contentTypeNosniff: true
+        accessControlMaxAge: 100
+        addVaryheader: true
+    hsts:
+      headers:
+        sslRedirect: true
+        frameDeny: true
+        stsIncludeSubdomains: false
+        stsPreload: true
+        stsSeconds: 63072000
+        contentTypeNosniff: true
+        accessControlMaxAge: 100
+        addVaryheader: true
+        referrerPolicy: "origin-when-cross-origin"
+    hsts-strict:
+      headers:
+        sslRedirect: true
+        frameDeny: true
+        stsIncludeSubdomains: false
+        stsPreload: true
+        stsSeconds: 63072000
+        contentTypeNosniff: true
+        accessControlMaxAge: 100
+        addVaryheader: true
+        contentSecurityPolicy: "script-src 'self'"
+        referrerPolicy: "origin-when-cross-origin"
+
+  services:
+    dummy:
+      loadBalancer:
+        servers:
+          - url: "https://127.0.0.1:2"
+ 
+    # matomo:
+    #  loadBalancer:
+    #    servers:
+    #      - url: "https://x.x.x.x:xxx"
+EOF
+}
+
+Traefik-etc-services-default() {
+	cat >> /etc/traefik/services/_default.yaml << "EOF"
+http:
+  routers:
+    _default:
+      entryPoints:
+        - http
+      rule: "PathPrefix(`/`)"
+      # priority: 100
+      # service: _default-matomo
+      service: _default
+
+    _default-secure:
+      entryPoints:
+        - https
+      rule: "PathPrefix(`/`)"
+      # priority: 100
+      # service: _default-matomo
+      service: _default
+      tls:
+        acmev2-staging
+
+  services:
+    # _default-matomo:
+    #  mirroring:
+    #    service: _default
+    #    maxBodySize: 1024
+    #    mirrors:
+    #      - name: matomo
+    #        percent: 100
+
+    _default:
+      loadBalancer:
+        servers:
+          - url: https://127.0.0.1:2
+EOF
+}
+
+Traefik-etc-config() {
+	cat >> /etc/traefik/traefik.yaml << "EOF"
+entryPoints:
+  http:
+   address: ":80"
+  https:
+   address: ":443"
+  traefik:
+   address: ":8099"
+
+api:
+  dashboard: true
+  insecure: true
+
+serversTransport:
+  insecureSkipVerify: true
+
+providers:
+  file:
+    directory: "/etc/traefik/services/"
+    watch: true
+
+certificatesResolvers:
+  acmev2:
+    acme:
+      email: "X{ACCOUNT}"
+      caserver: "https://acme-v02.api.letsencrypt.org/directory"
+      storage: "/etc/traefik/certs/acmev2.json"
+      keyType: "EC384"
+      tlsChallenge: {}
+  acmev2-staging:
+    acme:
+      email: "X{ACCOUNT}"
+      caserver: "https://acme-staging-v02.api.letsencrypt.org/directory"
+      storage: "/etc/traefik/certs/acmev2-staging.json"
+      keyType: "EC384"
+      tlsChallenge: {}
+EOF
+
+sed -i "s/X{ACCOUNT}/${ACCOUNT}/g" /etc/traefik/traefik.yaml
+
+}
+
+Traefik-etc-iptable() {
+  if [ -f "/etc/iptables/rules.v4" ]; then
+    sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 8099 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+    sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+    sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+    sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # Traefik' /etc/iptables/rules.v4
+    iptables-restore /etc/iptables/rules.v4
+  fi
+}
+
+Traefik-bin-update-traefik() {
+	cat >> /usr/local/bin/update-traefik << "EOF"
+#/bin/bash
+
+getcurrentversion() {
+  if [ -f /var/opt/traefik/version ]; then
+    cat /var/opt/traefik/version
+  else
+    echo "0"
+  fi
+}
+getlatestversion() {
+  if ! GITHUBTAGNAME=$(curl -sL "https://api.github.com/repos/traefik/traefik/releases/latest" | jq -r ".tag_name"); then
+    echo "Error in Github API"
+    return 1
+  fi
+  if [ "${GITHUBTAGNAME}" == "" ]; then
+    echo "Error in Github API"
+    return 1
+  fi
+  local -r GITHUBVERSION=${GITHUBTAGNAME//[[:alpha:]-]/}
+  if [ "${GITHUBVERSION}" == "" ]; then
+    echo "Error in Github API"
+    return 1
+  fi
+  echo "${GITHUBVERSION}"
+}
+update() {
+  VERSION=${1}
+  mkdir -p /tmp/traefik
+  cd /tmp/traefik
+  wget https://github.com/traefik/traefik/releases/download/v${VERSION}/traefik_v${VERSION}_linux_amd64.tar.gz
+  tar -xf traefik_v${VERSION}_linux_amd64.tar.gz
+  systemctl stop traefik
+  cp traefik /usr/local/bin
+  systemctl start traefik
+  if [ ! -d /var/opt/traefik ]; then
+    mkdir -p /var/opt/traefik
+  fi
+  echo "${VERSION}" > /var/opt/traefik/version
+  rm -R /tmp/traefik
+}
+
+CURVER=$(getcurrentversion)
+LATESTVER=$(getlatestversion)
+
+if [ "${CURVER}" != "${LATESTVER}" ]; then
+  echo "${CURVER} -> ${LATESTVER}"
+  update "${LATESTVER}"
+fi
+EOF
+	chmod 755 /usr/local/bin/update-traefik
+	update-traefik ${RELEASE}
+}
+
+Traefik-service() {
+	cat >> /etc/systemd/system/traefik.service << "EOF"
+[Unit]
+Description=Traefik
+After=network.target auditd.service
+
+[Service]
+ExecStart=/usr/local/bin/traefik -configFile /etc/traefik/traefik.yaml
+ExecReload=/bin/killall traefik
+KillMode=process
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
+EOF
+	
+	systemctl daemon-reload
+	systemctl enable traefik
+	systemctl restart traefik
+}
+
+
+main

debian-13/apps/zm-builder/zm-builder.sh

@@ -0,0 +1,47 @@
+#!/bin/bash
+
+apt -y install apache2 docker-compose
+rm -r /var/www/html/*
+
+cat << 'EOF' > /usr/local/bin/mtm-zmbuild
+#!/bin/bash
+BUILDVER=${1}
+BUILDNO=${2}
+BUILDCHAIN=${3}
+
+show_help() {
+	echo "mtm-zmbuild version buildno buildchain"
+	echo ""
+	echo "Example :"
+	echo "  mtm-zmbuild 10.0.5 4574 10.0.5,10.0.4,10.0.3,10.0.2,10.0.1,10.0.0-GA,10.0.0"
+	echo "  mtm-zmbuild 10.0.4 4518 10.0.4,10.0.3,10.0.2,10.0.1,10.0.0-GA,10.0.0"
+}
+
+if [ "${BUILDVER}" == "" ] || [ "${BUILDNO}" == "" ] || [ "${BUILDCHAIN}" == "" ]; then
+	show_help
+	exit 1
+fi
+
+mkdir -p /root/zimbra/${BUILDVER}-${BUILDNO}
+{
+	echo "#!/bin/bash"
+	echo "BUILDVER=${BUILDVER}"
+	echo "BUILDCHAIN=${BUILDCHAIN}"
+	echo "BUILDNO=${BUILDNO}"
+	echo "apt -y install software-properties-common openjdk-8-jdk ant ant-optional ant-contrib ruby git maven build-essential debhelper rclone rsync"
+	echo "git clone --depth 1 --branch ${BUILDVER} https://github.com/Zimbra/zm-build.git"
+	echo "cd zm-build"
+	echo "ENV_CACHE_CLEAR_FLAG=true ./build.pl --ant-options -DskipTests=true --git-default-tag=${BUILDCHAIN} --build-release-no=${BUILDVER} --build-type=FOSS --build-release=Daffodil --build-release-candidate=GA --build-thirdparty-server=files.zimbra.com --build-no=${BUILDNO} --no-interactive"
+	echo "cp /home/build/BUILDS/UBUNTU*/zcs-*.tgz /root"
+	echo "exit"
+} > /root/zimbra/${BUILDVER}-${BUILDNO}/build
+docker run -it --rm -u root -v /root/zimbra/${BUILDVER}-${BUILDNO}:/root zimbra/zm-base-os:devcore-ubuntu-20.04 bash /root/build
+rm -r /root/zimbra/${BUILDVER}-${BUILDNO}/.*
+cp /root/zimbra/${BUILDVER}-${BUILDNO}/zcs-*.tgz /var/www/html/zcs-${BUILDVER}.tgz
+EOF
+chmod +x /usr/local/bin/mtm-zmbuild
+
+if [ -f "/etc/iptables/rules.v4" ]; then
+	sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+	iptables-restore /etc/iptables/rules.v4
+fi