Merge branch 'tmp'

.gitignore

@@ -0,0 +1,3 @@
+.env
+*~
+getmailrc-*

.gitmodules

@@ -0,0 +1,24 @@
+[submodule "images/rpi-mariadb"]
+	path = images/rpi-mariadb
+	url = git@github.com:bingen/rpi-mariadb.git
+[submodule "rpi-nextcloud"]
+	path = rpi-nextcloud
+	url = git@github.com:bingen/rpi-nextcloud.git
+[submodule "images/rpi-openldap"]
+	path = images/rpi-openldap
+	url = git@github.com:bingen/rpi-openldap.git
+[submodule "images/rpi-nextcloud"]
+	path = images/rpi-nextcloud
+	url = git@github.com:bingen/rpi-nextcloud.git
+[submodule "images/rpi-haproxy"]
+	path = images/rpi-haproxy
+	url = git@github.com:bingen/rpi-haproxy.git
+[submodule "images/rpi-email"]
+	path = images/rpi-email
+	url = git@github.com:bingen/rpi-email.git
+[submodule "images/rpi-nginx"]
+	path = images/rpi-nginx
+	url = git@github.com:bingen/rpi-nginx.git
+[submodule "images/rpi-nginx-php"]
+	path = images/rpi-nginx-php
+	url = git@github.com:bingen/rpi-nginx-php.git

README.md

@@ -0,0 +1,259 @@
+# Docker Home Server for Raspberry Pi
+
+Flash Hypriot
+-------------
+
+You can check last images [here](http://blog.hypriot.com/downloads/) and use [flash tool](https://github.com/hypriot/flash) to flash your RespberryPi SD:
+
+    flash --hostname your-hostname https://github.com/hypriot/image-builder-rpi/releases/download/v1.4.0/hypriotos-rpi-v1.4.0.img.zip
+
+SSH into each RPI:
+
+    ssh pirate@you-rpi-ip
+
+As of version 1.4, default credentials are pirate/hypriot. You can use arp-scan to guess the IP. You can also use:
+
+    function getip() { (traceroute $1 2>&1 | head -n 1 | cut -d\( -f 2 | cut -d\) -f 1) }
+
+Change default password:
+
+    passwd
+
+You can also set up paswwordless access with:
+
+    ssh-copy-id -i ~/.ssh/your-key_rsa.pub pirate@your-rpi -o "IdentitiesOnly yes"
+
+And also add an entry to you ~/.ssh/config file:
+
+    Host your-rpi-1 your-rpi-2 ...
+        Hostname %h.local
+        User pirate
+        IdentityFile ~/.ssh/your-key_rsa
+        IdentitiesOnly yes
+        StrictHostKeyChecking no
+
+If you want, you can also add this config snippet to all your nodes and add your private key to each `~/.ssh` folder to be able to connect from one RPI to another.
+
+(?) Add regular user to docker group
+
+    sudo usermod -aG docker pirate
+
+(Optional) In case you see annoying warning messages about locales from perl:
+
+    sudo dpkg-reconfigure locales
+
+(Optional) Install some useful packages
+
+    sudo aptitude update && sudo aptitude install rsync zsh
+
+(Optional) Encrypt external hard disk
+-------------------------------------
+
+    sudo aptitude install cryptsetup
+    sudo fdisk /dev/sdX
+    sudo cryptsetup --verify-passphrase luksFormat /dev/sdX1 -c aes -s 256 -h sha256
+    sudo cryptsetup luksOpen /dev/sdX1 volumes
+    sudo mkfs -t ext4 -m 1 -O dir_index,sparse_super /dev/mapper/volumes
+    #mount -t auto /dev/mapper/volumes /media/volumes
+
+    sudo dd if=/dev/urandom of=/root/volumes_luks_pwd bs=1024 count=4
+    sudo chmod 0400 /root/volumes_luks_pwd
+    sudo cryptsetup luksAddKey /dev/sdX1 /root/volumes_luks_pwd
+
+Add to /etc/crypttab:
+
+    volumes      /dev/disk/by-uuid/uuid-of-your-drive  /root/volumes_luks_pwd  luks
+
+and add to /etc/fstab:
+
+    /dev/mapper/volumes  /media/volumes     ext4    defaults        0       2
+
+NFS
+---
+
+Install server on main host:
+
+    sudo aptitude install nfs-kernel-server
+    sudo mkdir -p /export/volumes
+    sudo mount --bind /media/volumes /export/volumes
+
+And add the following line to /etc/fstab toavoid repeating it on startup:
+
+    /media/volumes       /export/volumes    none    bind            0       0
+
+And to /etc/exports:
+
+    /export         192.168.1.0/24(rw,fsid=0,insecure,no_subtree_check,async)
+    /export/volumes 192.168.1.0/24(rw,nohide,insecure,no_subtree_check,async,no_root_squash)
+
+(changing network/mask by your local values)
+
+On the other nodes:
+
+    sudo aptitude install nfs-common
+
+And add to fstab:
+
+    your-main-host:/export/volumes /media/volumes nfs auto,user 0 0
+
+Swap file
+---------
+
+http://jermsmit.com/my-raspberry-pi-needs-a-swap/
+
+    dd if=/dev/zero of=/media/volumes/swap bs=1M count=2048
+    chmod 600 /media/volumes/swap
+    mkswap /media/volumes/swap
+    swapon /media/volumes/swap
+
+Add to /etc/fstab:
+
+    /media/volumes/swap               swap                    swap    defaults        0 0
+
+Repeat for worker nodes (changing name of swap file)
+
+Swarm
+-----
+
+Login to the main RPI and start the swarm:
+
+    docker swarm init --listen-addr eth0
+
+And join from the other ones, just copy-paste command provided by the master from them:
+
+    docker swarm join --token your-token your-main_rpi:2377
+
+
+Data and volumes
+----------------
+
+If you have existing data, create folders (otherwise setup script will do it) and copy it data:
+
+    sudo mkdir -p /media/volumes/mail/data
+    sudo mkdir -p /media/volumes/mail/state
+    sudo mkdir -p /media/volumes/nextcloud
+
+    sudo chown -R pirate:pirate /media/volumes/*
+
+    sudo mkdir -p /media/volumes/openldap/data
+    sudo mkdir -p /media/volumes/openldap/config
+    sudo mkdir -p /media/volumes/openldap/certs
+    sudo chown -R 999 /media/volumes/openldap*
+
+From your current installation:
+
+    rsync -auv --delete -e "ssh -i ~/.ssh/your-key_rsa" /var/www/nextcloud/data your-main-host:/media/volumes/nextcloud/
+    mysqldump --lock-tables -u nextcloud -p -h localhost nextcloud > /var/www/nextcloud/nextcloud_db_backup.sql
+    rsync -auv --delete -e "ssh -i ~/.ssh/your-key_rsa" /srv/vmail/ your-main-host:/media/volumes/mail/data
+
+
+Configuration and deployment
+----------------------------
+
+    ./setup.sh
+
+(Optional, can be downloaded from registry, unless you changed them) Build aux images:
+
+    cd ~/docker_home_server/images/rpi-nginx
+    docker build . -t bingen/rpi-nginx
+    cd ~/docker_home_server/images/rpi-nginx-php5
+    docker build . -t bingen/rpi-nginx-php5
+    cd ../../
+
+(Optional, can be downloaded from registry, unless you changed them) Build images:
+
+    docker-compose build
+
+Deploy docker stack
+
+    deploy.sh your-stack-name
+
+Other useful commands
+---------------------
+
+    docker node ls
+
+    docker stack ls
+    docker stack ps your-stack-name
+
+To see logs of a docker swarm/stack service:
+https://github.com/docker/docker/issues/23710
+
+    docker logs $(docker inspect --format "{{.Status.ContainerStatus.ContainerID}}" `docker stack ps your-stack-name | grep your-service-name | cut -f1 -d' '`)
+
+To shutdown the stack:
+
+    docker stack rm your-stack-name
+
+To get into containers:
+
+    docker ps # in the swarm node containing it
+    docker exec -ti 5105b27d9cf0 bash
+
+To view swarm token:
+
+    docker swarm join-token worker
+
+Openldap
+--------
+
+    ldapsearch -x -w your-admin-ldap-password -D cn=admin,dc=your-domain,dc=com -b dc=your-domain,dc=com -LLL
+
+To reset a user's password:
+Copy this into a file, `user_pwd.ldif`:
+
+    dn: uniqueIdentifier=your-user,ou=people,dc=your-domain,dc=com
+    changetype: modify
+    replace: userPassword
+    userPassword: {SSHA}Rs60p+2QKxAFRnA6vtWV71SI6Jz57CDF
+
+And the run:
+
+    ldapadd -W -D "cn=admin,dc=your-domain,dc=com" -f user_pwd.ldif
+
+You generate the password with:
+
+    slappaswwd -s your-password
+
+MariaDB
+-------
+
+If you have existing data, make sure root password matches and access from outside ('%') is allowed.
+
+Nextcloud
+---------
+
+After first run, set DATA_CHOWN=0, explain why... (TODO)
+
+Need to log in as admin for the first time and enable Apps manually.
+
+Dynamic DNS
+-----------
+
+Check your domain registration provider
+
+Fail2ban
+--------
+
+Install fail2ban in you docker swarm master node if you want to allow ssh connections from outside.
+
+    sudo aptitude install fail2ban
+
+Have a look at the [documentation](http://www.fail2ban.org/wiki/index.php/MANUAL_0_8) for configuration.
+
+Port mapping
+------------
+
+Get into your router admin page and redirect ports:
+
+- `80`, `443` for Web (Nextcloud and eventually other through HaProxy)
+- `25`, `143`, `587`, `993` for mail server
+- `22` for ssh
+
+to your docker swarm master node IP.
+
+TODO
+----
+
+- Use PHP7 for Nextcloud
+- Alternative: run your own registry for images.

deploy.sh

@@ -0,0 +1,62 @@
+#!/bin/bash
+
+STACK_NAME=$1
+
+if [ $# -eq 0 ]; then
+    echo "You must pass stack name as a parameter"
+    exit 1
+fi
+
+docker stack rm ${STACK_NAME}
+
+docker-compose build
+docker push bingen/rpi-openldap
+docker push bingen/rpi-mariadb
+docker push bingen/rpi-haproxy
+docker push bingen/rpi-mailserver
+docker push bingen/rpi-nextcloud
+
+# seen here: https://github.com/docker/docker/issues/29133#issuecomment-278198683
+env $(cat .env | grep "^[A-Z]" | xargs) \
+    docker stack deploy --compose-file docker-compose.yml ${STACK_NAME}
+
+echo Wait for services to start
+sleep 60
+
+host=$(docker stack ps ${STACK_NAME} | grep Running | grep openldap | awk '{ print $4 }')
+#echo Host=$host
+if [ -z $host ]; then
+    echo "No host found!";
+    exit 1;
+fi
+container=$(ssh $host 'docker ps | grep openldap | cut -f1 -d" "')
+#echo Container=$container
+if [ -z $container ]; then
+    echo "Qué me estás container?!";
+    exit 1;
+fi
+
+# read variables, for mail data path
+. .env
+# Replace Mail data path for users
+find images/rpi-openldap/users -type f -exec \
+     sed -i "s/\${MAIL_DATA_PATH}/${MAIL_DATA_PATH//\//\\/}/g" {} \;
+
+echo Copying user files to Host $host
+scp -r images/rpi-openldap/users $host:/tmp/
+
+echo Copying user files to Container $container in Host $host
+ssh $host "docker cp /tmp/users $container:/tmp/"
+
+echo Adding users to openldap
+ssh $host \
+    "for i in \$(ls /tmp/users/userimport*.ldif); do \
+        ls \$i;
+        docker exec ${container} sh -c \
+        'slapadd -l '\$i; \
+    done;"
+#'ldapadd -w \$(cat \${LDAP_ADMIN_PWD_FILE}) -D cn=admin,dc=\${LDAP_ORGANIZATION},dc=\${LDAP_EXTENSION} -f '\$i; \
+
+echo Removing copied user files
+ssh $host "docker exec ${container} sh -c 'rm -Rf /tmp/users'"
+ssh $host "rm -Rf /tmp/users"

docker-compose.yml

@@ -0,0 +1,163 @@
+version: '3.1'
+services:
+  openldap:
+    build:
+      context: ./images/rpi-openldap/
+    image: bingen/rpi-openldap:latest
+    deploy:
+      replicas: 1
+    secrets:
+      - source: ldap_pwd
+        target: admin_pwd
+        uid: '999'
+        mode: 0440
+      - source: ldap_mail_pwd
+        target: mail_pwd
+        uid: '999'
+        mode: 0440
+      - source: ldap_nextcloud_pwd
+        target: nextcloud_pwd
+        uid: '999'
+        mode: 0440
+    # container_name: openldap
+    tty: true
+    stdin_open: true
+    env_file:
+      - openldap.env
+    networks:
+      - default
+    #ports:
+      #- "389:389"
+      #- "639:639"
+      #- "8080:80"
+    volumes:
+      - ${LDAP_DATA_PATH}:/var/lib/ldap
+      - ${LDAP_CONFIG_PATH}:/etc/ldap/slapd.d
+      - ${LDAP_CERTS_PATH}:/container/service/slapd/assets/certs/
+    hostname: openldap.${LDAP_DOMAIN}
+
+  db:
+    build:
+      context: ./images/rpi-mariadb/
+    image: bingen/rpi-mariadb:latest
+    deploy:
+      replicas: 1
+    secrets:
+      - source: db_pwd
+        target: admin_pwd
+        mode: 0440
+    environment:
+      - MYSQL_ROOT_PWD_FILE=/run/secrets/admin_pwd
+    #container_name: mariadb
+    networks:
+      - default
+    #ports:
+      #- "3306:3306"
+    volumes:
+      #- ${DB_CONFIG_PATH}:/etc/mysql
+      - ${DB_DATA_PATH}:/var/lib/mysql
+
+  haproxy:
+    build:
+      context: ./images/rpi-haproxy/
+    image: bingen/rpi-haproxy:latest
+    depends_on:
+      # For DNS resolution
+      - nextcloud
+    deploy:
+      replicas: 1
+    env_file:
+      - haproxy.env
+    networks:
+      - default
+    ports:
+      - "80:80"
+      - "443:443"
+  mail:
+    build:
+      context: ./images/rpi-email/
+    image: bingen/rpi-mailserver:latest
+    depends_on:
+      - openldap
+    deploy:
+      replicas: 1
+    secrets:
+      - source: ldap_mail_pwd
+        target: ldap_pwd
+        uid: '999'
+        mode: 0440
+    hostname: ${MAIL_HOSTNAME}.${MAIL_DOMAIN}
+    #domainname: ${MAIL_DOMAIN}
+    env_file:
+      - mail.env
+    networks:
+      - default
+    ports:
+      - "25:25"
+      - "143:143"
+      - "587:587"
+      - "993:993"
+    volumes:
+      - ${MAIL_DATA_VOLUME_PATH}:${MAIL_DATA_PATH}
+      #- ${MAIL_STATE_VOLUME_PATH}:${MAIL_STATE_PATH}
+    cap_add:
+      - NET_ADMIN
+
+  nextcloud:
+    build:
+      context: ./images/rpi-nextcloud/
+      args:
+        - NEXTCLOUD_VERSION=${NEXTCLOUD_VERSION}
+        - NEXTCLOUD_DATA_PATH=${NEXTCLOUD_DATA_PATH}
+    image: bingen/rpi-nextcloud:latest
+    depends_on:
+      - db
+      - openldap
+      #- haproxy
+    secrets:
+      - source: nextcloud_admin_pwd
+        target: admin_pwd
+        uid: '999'
+        mode: 0440
+      - source: ldap_nextcloud_pwd
+        target: ldap_pwd
+        uid: '999'
+        mode: 0440
+      - source: db_pwd
+        target: mysql_pwd
+        mode: 0440
+    env_file:
+      - nextcloud.env
+    networks:
+      - default
+    ports:
+      - "8000:80"
+      - "8443:443"
+    volumes:
+      - ${NEXTCLOUD_DATA_VOLUME_PATH}:${NEXTCLOUD_DATA_PATH}
+
+  #padlock:
+
+  #gitlab:
+
+  #turtl:
+
+  #wordpress:
+
+  #transmission:
+    #image: lsioarmhf/transmission:15.01.17
+
+secrets:
+  db_pwd:
+    external: true
+  ldap_pwd:
+    external: true
+  ldap_mail_pwd:
+    external: true
+  ldap_nextcloud_pwd:
+    external: true
+  nextcloud_admin_pwd:
+    external: true
+networks:
+  default:
+    driver: overlay

env.template

@@ -0,0 +1,31 @@
+# modify and copy to .env
+
+# DB
+DB_DATA_PATH=${VOLUMES_PATH}/mariadb/data
+#DB_CONFIG_PATH=${VOLUMES_PATH}/mariadb/config
+
+# LDAP
+LDAP_DOMAIN=${DOMAIN}
+LDAP_ORGANIZATION=${ORGANIZATION}
+LDAP_EXTENSION=${EXTENSION}
+LDAP_ADMIN_PWD_FILE=/run/secrets/admin_pwd
+LDAP_DATA_PATH=${VOLUMES_PATH}/openldap/data
+LDAP_CONFIG_PATH=${VOLUMES_PATH}/openldap/config
+LDAP_CERTS_PATH=${VOLUMES_PATH}/openldap/certs
+
+# MAIL
+
+MAIL_HOSTNAME=mail
+MAIL_DOMAIN=${DOMAIN}
+MAIL_DATA_VOLUME_PATH=${VOLUMES_PATH}/mail
+#MAIL_STATE_VOLUME_PATH=${VOLUMES_PATH}/mail/state
+MAIL_DATA_PATH=/srv/vmail
+#MAIL_STATE_PATH=/var/mail-state
+
+# NEXTCLOUD
+
+NEXTCLOUD_VERSION=nextcloud-11.0.2
+# Internal data path
+NEXTCLOUD_DATA_PATH=/srv/nextcloud/data
+# external Volume path
+NEXTCLOUD_DATA_VOLUME_PATH=${VOLUMES_PATH}/nextcloud/data

haproxy.env.template

@@ -0,0 +1 @@
+NEXTCLOUD_URL=nextcloud.${DOMAIN}

images/rpi-email

@@ -0,0 +1 @@
+Subproject commit 8bd86ab2e91d2fbb74cae3551264fa593b8c07fb

images/rpi-haproxy

@@ -0,0 +1 @@
+Subproject commit 36de66b8e7cc7762d5051d7fbd0aa1a1542c3d2c

images/rpi-mariadb

@@ -0,0 +1 @@
+Subproject commit f5e8d2b03c0304fd6d6b3e9dbf62b85eeb55326c

images/rpi-nextcloud

@@ -0,0 +1 @@
+Subproject commit 10c73c0a9e08dede7e28a6c6d3746f714ef070c9

images/rpi-nginx

@@ -0,0 +1 @@
+Subproject commit 19686aa1b81b85589e62f012e379d857d3becf43

images/rpi-nginx-php

@@ -0,0 +1 @@
+Subproject commit c5d459989fa6fff796108fde7be7a57453015c2e

images/rpi-openldap

@@ -0,0 +1 @@
+Subproject commit fc9d5fc06fc81b7c5a7660851b92b16c00fb2b0a

mail.env.template

@@ -0,0 +1,7 @@
+DOMAIN=${DOMAIN}
+LDAP_SERVER_HOST=openldap
+LDAP_BIND_DN=uid=${MAIL_LDAP_UID},ou=services,dc=${ORGANIZATION},dc=${EXTENSION}
+LDAP_BIND_PWD_FILE=/run/secrets/ldap_pwd
+LDAP_SEARCH_BASE=ou=people,dc=${ORGANIZATION},dc=${EXTENSION}
+VIRTUAL_DOMAINS=()
+DATA_CHOWN=1

nextcloud.env.template

@@ -0,0 +1,15 @@
+NEXTCLOUD_DOMAIN=${DOMAIN}
+NEXTCLOUD_SERVER_NAME=nextcloud
+NEXTCLOUD_ADMIN_PWD_FILE=/run/secrets/admin_pwd
+DATA_CHOWN=1
+# LDAP
+LDAP_SERVER_HOST=openldap
+LDAP_BIND_DN=uid=${NEXTCLOUD_LDAP_UID},ou=services,dc=${ORGANIZATION},dc=${EXTENSION}
+LDAP_BIND_PWD_FILE=/run/secrets/ldap_pwd
+#LDAP_SEARCH_BASE=ou=people,dc=${ORGANIZATION},dc=${EXTENSION}
+LDAP_SEARCH_BASE=dc=${ORGANIZATION},dc=${EXTENSION}
+# DB
+MYSQL_ROOT_PWD_FILE=/run/secrets/mysql_pwd
+DB_HOST=db
+NEXTCLOUD_DB_NAME=nextcloud
+NEXTCLOUD_DB_USER=nextcloud

openldap.env.template

@@ -0,0 +1,25 @@
+VOLUMES_PATH=${VOLUMES_PATH}
+LDAP_DOMAIN=${DOMAIN}
+LDAP_ORGANIZATION=${ORGANIZATION}
+LDAP_EXTENSION=${EXTENSION}
+LDAP_ADMIN_PWD_FILE=/run/secrets/admin_pwd
+LDAP_MAIL_PWD_FILE=/run/secrets/mail_pwd
+LDAP_NEXTCLOUD_PWD_FILE=/run/secrets/nextcloud_pwd
+DEBUG_LEVEL=0
+#BKP_FILE=/tmp/ldap_bkp.ldif
+LDAP_BACKEND="hdb"
+LDAP_LOG_LEVEL="256"
+LDAP_BASE_DN=""
+LDAP_READONLY_USER="false"
+LDAP_BACKEND="hdb"
+LDAP_TLS="true"
+LDAP_TLS_CRT_FILENAME="ldap.crt"
+LDAP_TLS_KEY_FILENAME="ldap.key"
+LDAP_TLS_CA_CRT_FILENAME="ca.crt"
+LDAP_TLS_ENFORCE="false"
+LDAP_TLS_CIPHER_SUITE="SECURE256:-VERS-SSL3.0"
+LDAP_TLS_PROTOCOL_MIN="3.1"
+LDAP_TLS_VERIFY_CLIENT="demand"
+LDAP_REPLICATION="false"
+LDAP_REMOVE_CONFIG_AFTER_SETUP="true"
+LDAP_SSL_HELPER_PREFIX="ldap"

rpi-nextcloud

@@ -0,0 +1 @@
+Subproject commit 10c73c0a9e08dede7e28a6c6d3746f714ef070c9

setup.sh

@@ -0,0 +1,131 @@
+#!/bin/bash
+
+DEFAULT_VOLUMES=/media/volumes
+PWD_GEN='< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-32};echo;'
+#PWD_GEN='openssl rand -base64 20'
+DEFAULT_LDAP_MAIL_UID='mail'
+DEFAULT_LDAP_NEXTCLOUD_UID='nextcloud'
+
+read -p "Main domain: " domain
+while [[ ! $domain =~ ^.*\.[a-z]{2,}$ ]]; do
+    read -p "Please Enter a valid domain: " domain
+done
+# TODO: more than 1 level domains
+org=`echo $domain | cut -f1 -d'.'`
+ext=`echo $domain | cut -f2 -d'.'`
+
+read -p "Volumes path ($DEFAULT_VOLUMES): " volumes
+if [[ ${#volumes} -eq 0 ]]; then
+    volumes=$DEFAULT_VOLUMES
+fi
+
+read -p "DB admin password (a random one will be generated if empty): " db_pwd
+if [[ ${#db_pwd} -eq 0 ]]; then
+    db_pwd=`eval "$PWD_GEN"`
+fi
+
+read -p "LDAP admin password (a random one will be generated if empty): " ldap_pwd
+if [[ ${#ldap_pwd} -eq 0 ]]; then
+    ldap_pwd=`eval "$PWD_GEN"`
+fi
+
+read -p "LDAP Mail Bind DN uid ($DEFAULT_LDAP_MAIL_UID): " ldap_mail_uid
+if [[ ${#ldap_mail_uid} -eq 0 ]]; then
+    ldap_mail_uid=$DEFAULT_LDAP_MAIL_UID
+fi
+
+read -p "LDAP Mail Bind DN Pwd (a random one will be generated if empty): " ldap_mail_pwd
+if [[ ${#ldap_mail_pwd} -eq 0 ]]; then
+    ldap_mail_pwd=`eval "$PWD_GEN"`
+fi
+
+read -p "LDAP Nextcloud Bind DN uid ($DEFAULT_LDAP_NEXTCLOUD_UID): " ldap_nextcloud_uid
+if [[ ${#ldap_nextcloud_uid} -eq 0 ]]; then
+    ldap_nextcloud_uid=$DEFAULT_LDAP_NEXTCLOUD_UID
+fi
+
+read -p "LDAP Nextcloud Bind DN Pwd (a random one will be generated if empty): " ldap_nextcloud_pwd
+if [[ ${#ldap_nextcloud_pwd} -eq 0 ]]; then
+    ldap_nextcloud_pwd=`eval "$PWD_GEN"`
+fi
+
+read -p "Nextcloud Admin User Pwd (a random one will be generated if empty): " nextcloud_admin_pwd
+if [[ ${#nextcloud_admin_pwd} -eq 0 ]]; then
+    nextcloud_admin_pwd=`eval "$PWD_GEN"`
+fi
+
+echo $'\E[33m'
+echo "//////////////////////////////////////////////////"
+echo "///////////////// PLEASE CONFIRM /////////////////"
+echo "//////////////////////////////////////////////////"
+echo $'\E[1;30m'
+
+echo Your domain is:                       $domain
+echo Your Volumes path is:                 $volumes
+echo Your LDAP Mail Bind DN Uid is:        $ldap_mail_uid
+echo Your LDAP Nextcloud Bind DN Uid is:   $ldap_nextcloud_uid
+
+echo $'\E[1;37m'
+read -p "Are These Settings Correct? Yes (y), No (n): " confirm
+while [[ ! $confirm =~ ^[yYnN]{1}$ ]]; do
+    read -p "Please Enter 'y' or 'n' To Confirm Settings: " confirm
+done
+
+if [[ $confirm != [yY] ]]; then
+    exit 1
+fi
+
+# Generate docker secrets
+echo $db_pwd | docker secret create db_pwd -
+echo $ldap_pwd | docker secret create ldap_pwd -
+echo $ldap_mail_pwd | docker secret create ldap_mail_pwd -
+echo $ldap_nextcloud_pwd | docker secret create ldap_nextcloud_pwd -
+echo $nextcloud_admin_pwd | docker secret create nextcloud_admin_pwd -
+
+echo $'\E[33m'
+echo "//////////////////////////////////////////////////"
+echo "///////////// COPYING TEMPLATE FILES /////////////"
+echo "//////////////////////////////////////////////////"
+echo $'\E[1;30m'
+
+cp env.template .env
+cp openldap.env.template openldap.env
+cp mail.env.template mail.env
+cp nextcloud.env.template nextcloud.env
+cp haproxy.env.template haproxy.env
+
+for i in `ls *.env .env`; do
+    sed -i "s/\${DOMAIN}/${domain}/g" $i
+    sed -i "s/\${ORGANIZATION}/${org}/g" $i
+    sed -i "s/\${EXTENSION}/${ext}/g" $i
+    sed -i "s/\${VOLUMES_PATH}/${volumes//\//\\/}/g" $i
+    sed -i "s/\${MAIL_LDAP_UID}/${ldap_mail_uid}/g" $i
+    sed -i "s/\${NEXTCLOUD_LDAP_UID}/${ldap_nextcloud_uid}/g" $i
+    #sed -i "s/\${}/$/g" $i
+done;
+
+# read variables
+. .env
+# repeated env variables
+echo "\nNEXTCLOUD_DB_BACKUP=${NEXTCLOUD_DATA_PATH}/nextcloud_db_backup.sql" >> nextcloud.env
+echo "\nMAIL_DATA_PATH=${MAIL_DATA_PATH}" >> mail.env
+echo "\nNEXTCLOUD_DATA_PATH=${NEXTCLOUD_DATA_PATH}" >> nextcloud.env
+
+echo $'\E[33m'
+echo "//////////////////////////////////////////////////"
+echo "//////////////// CREATING FOLDERS ////////////////"
+echo "//////////////////////////////////////////////////"
+echo $'\E[1;30m'
+
+# openldap
+sudo mkdir -p ${LDAP_DATA_PATH}
+sudo mkdir -p ${LDAP_CONFIG_PATH}
+sudo mkdir -p ${LDAP_CERTS_PATH}
+# db
+sudo mkdir -p ${DB_DATA_PATH}
+#sudo mkdir -p ${DB_CONFIG_PATH}
+# mail
+sudo mkdir -p ${MAIL_DATA_PATH}
+sudo mkdir -p ${MAIL_STATE_PATH}
+# nextcloud
+sudo mkdir -p ${NEXTCLOUD_DATA_PATH}