Bingen Eguzkitza 6 роки тому
джерело
коміт
e5e3c5f2be
11 змінених файлів з 403 додано та 3 видалено
  1. +11
    -0
      docker-compose.yml
  2. +5
    -0
      hauk.env.template
  3. +11
    -1
      images/haproxy/haproxy.cfg
  4. +5
    -2
      images/haproxy/startup.sh
  5. +9
    -0
      images/hauk/Dockerfile
  6. +280
    -0
      images/hauk/config.php
  7. +25
    -0
      images/hauk/docker-entrypoint.sh
  8. +8
    -0
      images/openldap/data/serviceimport_hauk.ldif
  9. +5
    -0
      images/openldap/startup.sh
  10. +21
    -0
      setup.sh
  11. +23
    -0
      setup_noswarm.sh

+ 11
- 0
docker-compose.yml

@@ -123,6 +123,17 @@ services:
volumes:
- ${GITEA_DATA_VOLUME_PATH}:/data

hauk:
build:
context: ./images/hauk/
image: bingen/${ARCH}-hauk
depends_on:
- openldap
env_file:
- hauk.env
ports:
- "4080:80"

pihole:
image: pihole/pihole:latest
env_file:
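Review bot: The new `hauk` service publishes `"4080:80"` on the host, so Hauk is reachable over plain HTTP on every host interface and bypasses the HAProxy TLS termination and the SNI/Host ACLs this same commit adds for it; if traffic is meant to arrive through haproxy the `ports:` stanza should be dropped, or at most bound to loopback (`"127.0.0.1:4080:80"`) for local debugging. The service also declares no `secrets:` entry, while hauk.env.template sets `LDAP_BIND_PWD_FILE=/run/secrets/ldap_pwd`; unless the swarm stack attaches that secret somewhere outside this hunk, the file will not exist in the container and the entrypoint falls through to an empty bind password. If the other LDAP-backed services in this file mount their secret, hauk should do the same with the secret setup.sh actually creates, i.e. `secrets:` / `- source: ldap_hauk_pwd` / `target: ldap_pwd`.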

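--- a/hauk.env.template
+++ b/hauk.env.template
@@ -0,0 +1,5 @@
+# LDAP
+LDAP_SERVER_HOST=openldap
+LDAP_BIND_DN=uid=${LDAP_HAUK_UID},ou=services,dc=${ORGANIZATION},dc=${EXTENSION}
+LDAP_BIND_PWD_FILE=/run/secrets/ldap_pwd
+LDAP_SEARCH_BASE=ou=people,dc=${ORGANIZATION},dc=${EXTENSION}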
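Review bot: `LDAP_BIND_PWD_FILE=/run/secrets/ldap_pwd` points at the secret name setup.sh uses for the LDAP admin password (`docker secret create ldap_pwd -`), not at the `ldap_hauk_pwd` secret the same script creates for this service; unless the compose service remaps it (`source: ldap_hauk_pwd`, `target: ldap_pwd`), uid=hauk binds with the wrong password, and in the non-swarm setup — where no such file exists — the entrypoint silently falls back to the `LDAP_BIND_PWD` value setup_noswarm.sh appends to this file. That fallback is not obvious from the template; add a comment such as `# A mounted secret at LDAP_BIND_PWD_FILE takes precedence; setup_noswarm.sh appends LDAP_BIND_PWD instead` so nobody "fixes" one path and breaks the other. The bind DN sits under `ou=services`, which is the right place for a low-privilege account — worth stating that it must never be the admin DN.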

+ 11
- 1
images/haproxy/haproxy.cfg

@@ -22,10 +22,12 @@ frontend https-in
#acl gitea-acl ssl_fc_sni ${GITEA_URL}
acl nextcloud-acl ssl_fc_sni_reg ^${NEXTCLOUD_SERVER_NAME}\.
acl gitea-acl ssl_fc_sni_reg ^${GITEA_SERVER_NAME}\.
acl hauk-acl ssl_fc_sni_reg ^${HAUK_SERVER_NAME}\.

use_backend letsencrypt-backend if letsencrypt-acl
use_backend nextcloud if nextcloud-acl
use_backend gitea if gitea-acl
use_backend hauk if hauk-acl

default_backend nextcloud

@@ -45,6 +47,9 @@ backend gitea

server gitea gitea:2443 maxconn 32 check ssl verify none

backend hauk
server hauk hauk:80 maxconn 32

frontend http-in
bind *:80
acl letsencrypt-acl path_beg /.well-known/acme-challenge/
@@ -52,17 +57,22 @@ frontend http-in
#acl is_gitea hdr_end(host) -i ${GITEA_URL}
acl is_nextcloud hdr_reg(host) ^${NEXTCLOUD_SERVER_NAME}\.
acl is_gitea hdr_reg(host) ^${GITEA_SERVER_NAME}\.
acl is_hauk hdr_reg(host) ^${HAUK_SERVER_NAME}\.

use_backend letsencrypt-backend if letsencrypt-acl
use_backend nextcloud-insecure if is_nextcloud
use_backend gitea-insecure if is_gitea
use_backend hauk-insecure if is_hauk
default_backend pihole-insecure

backend nextcloud-insecure
server nextcloud nextcloud:80 maxconn 32

backend gitea-insecure
server gitea gitea:2080 maxconn 32
server gitea gitea:3000 maxconn 32

backend hauk-insecure
server hauk hauk:80 maxconn 32

backend pihole-insecure
server pihole pihole:80 maxconn 32
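Review bot: The `hauk-insecure` backend on `http-in` proxies Hauk over cleartext port 80 with no redirect to HTTPS, so a client that uses `http://` sends its LDAP username/password (config.php's `auth_method => LDAP`) and location updates unencrypted; this mirrors the existing nextcloud/gitea pattern, but for an authentication endpoint a redirect that still lets the ACME challenge through is safer: `http-request redirect scheme https code 301 if is_hauk !letsencrypt-acl` (HAProxy ≥ 1.6 syntax) in place of `use_backend hauk-insecure if is_hauk`. The new regexes `^${HAUK_SERVER_NAME}\.` on both `ssl_fc_sni_reg` and `hdr_reg(host)` are anchored only at the start, so any name beginning with that label (e.g. `hauk.other.tld`) is routed to Hauk; anchoring with the configured domain(s) and `$` would make routing match the certificates actually issued. `server hauk hauk:80 maxconn 32` also has no `check`, so haproxy will keep sending traffic to a dead container.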

+ 5
- 2
images/haproxy/startup.sh

@@ -16,8 +16,10 @@ haproxy -f $CFG_LE_FILE -D -p /tmp/haproxy.pid

# Get Let's Encrypt certificates
HAPROXY_CERTS=""
SERVER_NAMES="${NEXTCLOUD_SERVER_NAME} ${GITEA_SERVER_NAME} ${HAUK_SERVER_NAME}"
#echo Server names: $SERVER_NAMES
for domain in ${DOMAINS}; do
for server_name in ${NEXTCLOUD_SERVER_NAME} ${GITEA_SERVER_NAME}; do
for server_name in ${SERVER_NAMES}; do
_URL=${server_name}.${domain};
echo ${_URL}
HAPROXY_CERTS="${HAPROXY_CERTS} crt /etc/letsencrypt/haproxy/${_URL}.pem";
@@ -39,7 +41,8 @@ done
#sed -i "s/\${GITEA_URL}/${GITEA_URL}/g" $CFG_FILE
sed -i "s/\${NEXTCLOUD_SERVER_NAME}/${NEXTCLOUD_SERVER_NAME}/g" $CFG_FILE
sed -i "s/\${GITEA_SERVER_NAME}/${GITEA_SERVER_NAME}/g" $CFG_FILE
echo sed -i "s/\${HAPROXY_CERTS}/${HAPROXY_CERTS}/g" ${CFG_FILE}
sed -i "s/\${HAUK_SERVER_NAME}/${HAUK_SERVER_NAME}/g" $CFG_FILE
#echo sed -i "s/\${HAPROXY_CERTS}/${HAPROXY_CERTS}/g" ${CFG_FILE}
sed -i "s/\${HAPROXY_CERTS}/${HAPROXY_CERTS//\//\\/}/g" ${CFG_FILE}

#cat ${CFG_FILE}
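Review bot: `sed -i "s/\${HAUK_SERVER_NAME}/${HAUK_SERVER_NAME}/g" $CFG_FILE` runs even when `HAUK_SERVER_NAME` is unset or empty; in that case `SERVER_NAMES` silently loses a token, no certificate is requested for Hauk, and the ACL lines in haproxy.cfg degrade to `ssl_fc_sni_reg ^\.` / `hdr_reg(host) ^\.`, so haproxy starts with a half-configured route instead of failing. Assert the new variable near the top of the script, `: "${HAUK_SERVER_NAME:?HAUK_SERVER_NAME must be set}"`, and quote `"$CFG_FILE"` in the new sed call (`SERVER_NAMES` is intentionally word-split and can stay bare). The escaping fix for `HAPROXY_CERTS` (`${HAPROXY_CERTS//\//\\/}`) is correct; the `echo sed …` debugging line this hunk turns into a comment can simply be deleted.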

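--- a/images/hauk/Dockerfile
+++ b/images/hauk/Dockerfile
@@ -0,0 +1,9 @@
+FROM bilde2910/hauk:stable-1.x
+
+COPY config.php /etc/hauk/
+
+COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+RUN chmod 755 /usr/local/bin/docker-entrypoint.sh
+
+ENTRYPOINT []
+CMD ["/usr/local/bin/docker-entrypoint.sh"]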
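Review bot: `FROM bilde2910/hauk:stable-1.x` is a floating tag, so every rebuild pulls whatever upstream currently publishes under it and the image that ends up holding the LDAP bind password cannot be reproduced or audited later; pin an exact release tag or, better, a digest (`FROM bilde2910/hauk:stable-1.x@sha256:…`) and bump it deliberately. `CMD ["/usr/local/bin/docker-entrypoint.sh"]` later runs `./start.sh` relative to whatever WORKDIR the base image sets, which is not visible here; calling it by absolute path (and with `exec`, so the PHP server receives container stop signals) is more robust. Whether the container runs as root is also inherited from the base image — worth confirming, since the entrypoint rewrites /etc/hauk/config.php at every start.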

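--- a/images/hauk/config.php
+++ b/images/hauk/config.php
@@ -0,0 +1,280 @@
+<?php const CONFIG = array(
+
+// The type of storage backend Hauk will use. Valid values include:
+// MEMCACHED, REDIS
+//
+// For MEMCACHED, you need either the `memcached` or `memcache` extensions
+// enabled in PHP.
+//
+// For REDIS, you need `redis` extension enabled. Note that `redis` depends on
+// `igbinary`, so if you get an error that a redis extension was not found, even
+// though you enabled `redis`, you may have to also install and enable
+// `igbinary` in PHP.
+"storage_backend" => MEMCACHED,
+
+/*----------------------------------------------------------------------------*\
+| MEMCACHED SPECIFIC SETTINGS |
+\*----------------------------------------------------------------------------*/
+
+// Connection to memcached for data storage. To connect via UNIX socket instead
+// of TCP, set host to 'unix:///path/to/memcached.sock' and port to 0.
+"memcached_host" => 'localhost',
+"memcached_port" => 11211,
+
+// If you use SASL authentication, change both `memcached_binary` and
+// `memcached_use_sasl` to true, and enter your SASL username and password.
+// Note: SASL authentication is only supported in the PHP `memcached` extension!
+// If you are using `memcache` and need SASL, consider switching to `memcached`.
+"memcached_binary" => false,
+"memcached_use_sasl" => false,
+"memcached_sasl_user" => "",
+"memcached_sasl_pass" => "",
+
+// A prefix to use for all variables sent to memcached. Useful if you have a
+// shared memcached instance or run multiple instances of Hauk.
+"memcached_prefix" => 'hauk',
+
+/*----------------------------------------------------------------------------*\
+| REDIS SPECIFIC SETTINGS |
+\*----------------------------------------------------------------------------*/
+
+// Connection to Redis for data storage. To connect via UNIX socket instead of
+// TCP, set host to '/path/to/redis.sock'.
+"redis_host" => 'localhost',
+"redis_port" => 6379,
+
+// If you use password authentication in Redis, set `redis_use_auth` to true and
+// enter the password in `redis_auth`.
+"redis_use_auth" => false,
+"redis_auth" => '',
+
+// A prefix to use for all variables sent to Redis. Useful if you have a shared
+// Redis instance or run multiple instances of Hauk.
+"redis_prefix" => 'hauk',
+
+/*----------------------------------------------------------------------------*\
+| AUTHENTICATION |
+\*----------------------------------------------------------------------------*/
+
+// Users must be authenticated to use the Hauk server. The default
+// authentication method is using a static server password that is shared by all
+// users, without the need for a username. You can, however, use other
+// authentication methods. Valid values here include:
+//
+// - PASSWORD: Use a static, shared server password for everyone
+// - HTPASSWD: Require a username and separate password for each user
+// - LDAP: Authenticate users against an LDAP server
+"auth_method" => LDAP,
+
+/*----------------------------------------------------------------------------*\
+| PASSWORD AUTHENTICATION |
+\*----------------------------------------------------------------------------*/
+
+// A hashed password that is required for creating sessions and posting location
+// data to Hauk. To generate this value on the terminal:
+// - MD5 (insecure!): openssl passwd -1
+// - bcrypt (secure): htpasswd -nBC 10 "" | tail -c +2
+"password_hash" => 'HAUK_PASSWORD_HASH',
+// Default value above is empty string (no password) and is VERY INSECURE.
+// Trust me, you really should change this unless you intentionally want a
+// public instance that anyone in the world can use freely.
+//
+// Also note that users have the option to save the server password locally on
+// their devices using a "Remember password" checkbox. If they choose to do so,
+// the password will be stored in plain text (unhashed) on their devices. You
+// are encouraged to generate a random password to prevent risks associated with
+// credential reuse, should the password somehow be leaked from their devices.
+
+/*----------------------------------------------------------------------------*\
+| HTPASSWD AUTHENTICATION |
+\*----------------------------------------------------------------------------*/
+
+// A file that contains a pairing between users and hashed passwords. To
+// generate this file on the terminal:
+// - htpasswd -cBC 10 /etc/hauk/users.htpasswd <username>
+// To add additional users to an existing file:
+// - htpasswd -BC 10 /etc/hauk/users.htpasswd <username>
+"htpasswd_path" => '/etc/hauk/users.htpasswd',
+
+/*----------------------------------------------------------------------------*\
+| LDAP AUTHENTICATION |
+\*----------------------------------------------------------------------------*/
+
+// URI that points to the LDAP server. Use "ldap://" for unencrypted LDAP as
+// well as when using StartTLS, use "ldaps://" for regular LDAP over TLS. Port
+// number is typically 389 (ldap) or 636 (ldaps).
+"ldap_uri" => 'ldap://LDAP_SERVER_HOST:389',
+
+// Whether or not you wish to use StartTLS. StartTLS cannot be used in
+// combination with `ldaps`.
+"ldap_start_tls" => false,
+
+// Base DN to search for users.
+"ldap_base_dn" => 'LDAP_SEARCH_BASE',
+
+// DN to bind to to perform user search. This should ideally be a read-only
+// account as the password is stored in plain-text in this config file.
+"ldap_bind_dn" => 'LDAP_BIND_DN',
+"ldap_bind_pass" => 'LDAP_BIND_PWD',
+
+// A filter that finds the user trying to authenticate. %s is substituted with
+// the username provided by the user in the app.
+//
+// You can also use this to restrict access to Hauk to only authorized users if
+// you do not wish to grant all LDAP users permission to use your Hauk instance.
+// For example, (&(uid=%s)(memberOf=cn=HaukUsers,ou=Groups,dc=example,dc=com))
+// will only let the user connect if they are part of the "HaukUsers" group in
+// the "Groups" OU.
+"ldap_user_filter" => '(&(objectclass=*)(|(uniqueIdentifier=%s)(mail=%s)))',
+
+/*----------------------------------------------------------------------------*\
+| GENERAL SETTINGS |
+\*----------------------------------------------------------------------------*/
+
+// Hauk v1.4 and on allows you to request a custom link ID instead of having the
+// server randomly generate one. Custom links can use characters A-Z, a-z, 0-9,
+// - (dash), and _ (underscore). If you want to disallow the option to request
+// custom links, set this to false.
+//
+// If a user requests particular custom link that is already in use, that user
+// will not have their request honored and will get a randomly generated link
+// instead.
+"allow_link_req" => true,
+
+// If you want certain links to only be usable by some users, you can reserve
+// them here. The following example reserves https://example.com/?WheresAlice
+// for user "alice" only, and reserves https://example.com/?TheRealBob
+// for use by both "bob" and "charlie".
+//
+// If you use Tasker or another automation platform to automatically start
+// sharing to a specific link ID, it's a good idea to specify it here so that
+// others cannot use it while you are inactive.
+//
+// Note that for this setting to have any effect, you have to specify an
+// auth_method that requires both a username and a password, such as HTPASSWD.
+"reserved_links" => [
+'WheresAlice' => ['alice'],
+'TheRealBob' => ['bob', 'charlie'],
+],
+
+// If you want to enable pre-approved custom links only, you can choose to
+// enable reservation whitelist mode. If this setting is set to true, custom
+// link IDs will only be accepted if they are present in the reserved_links
+// array above - requests to share to other links than those in the array will
+// not be honored.
+"reserve_whitelist" => false,
+
+// The type of links to generate when making new links for shares. Can be any
+// of the following:
+//
+// | Link style | Example | No. of combinations | Avg. bruteforce time |
+// +----------------------------+---------------------------------------+-----------------------+-------------------------------+
+// | LINK_4_PLUS_4_UPPER_CASE | V8LQ-H2UM | 1.79 * 10^12 (34^8) | 28.3 years |
+// | LINK_4_PLUS_4_LOWER_CASE | qae3-ulna | 2.82 * 10^12 (36^8) | 44.7 years |
+// | LINK_4_PLUS_4_MIXED_CASE | HEq3-tgJ1 | 1.28 * 10^14 (58^8) | 2030 years |
+// | LINK_UUID_V4 | 09c8a3b1-e78f-48b1-a604-0da49e99cb5d | 5.32 * 10^36 (2^122) | 84.2 septillion years |
+// | LINK_16_HEX | 6cde14c4c6551b41 | 1.84 * 10^19 (2^64) | 292 million years |
+// | LINK_16_UPPER_CASE | WVHA2FNMRT9HSKJK | 3.19 * 10^24 (34^16) | 50.6 trillion years |
+// | LINK_16_LOWER_CASE | bdyslxszs14cj359 | 7.95 * 10^24 (36^16) | 126 trillion years |
+// | LINK_16_MIXED_CASE | 1Ayh2yUXDe3sdF3S | 1.64 * 10^28 (58^16) | 260 quadrillion years |
+// | LINK_32_HEX | 22adf21f11491ae8f3ae128e23a6782f | 3.40 * 10^38 (2^128) | 5.39 octillion years |
+// | LINK_32_UPPER_CASE | R88M1Z2KPL27XN8MF73KCRYPHJD4QQMT | 1.02 * 10^49 (34^32) | 161 undecillion years |
+// | LINK_32_LOWER_CASE | itgbolrbq1c02eot5o46c5wixhdrdb5m | 6.33 * 10^49 (36^32) | 1 duodecillion years |
+// | LINK_32_MIXED_CASE | qf5pqr2UKTUT6vREPPSTuqSKkCMojF17 | 2.69 * 10^56 (58^32) | 4.26 quattuordecillion years |
+//
+// For any MIXED_CASE variants, upper-case I and lower-case L will not appear
+// because they are visually very similar and are easily confused. For the same
+// reason, MIXED_CASE and UPPER_CASE variants will not generate 0 and O.
+//
+// The default value is LINK_4_PLUS_4_UPPER_CASE, which is still considered very
+// secure. The bruteforce times in the table below are the average time it would
+// take to find a valid sharing link, when there is one link active, at 1000
+// guesses per second. For the default setting, this means it would take almost
+// 45 years to find the link.
+//
+// This is assuming that the link is active 24/7 for that entire time. If you
+// only have a link active 2% of the time, it would take over 2200 years.
+//
+// At 1000 guesses per second, you will likely notice that your server is
+// noticeably slower and rapidly filling up with access logs.
+//
+// Very long links are also time-consuming to type, should you find yourself
+// in need of typing in a link manually on another computer. This is the reason
+// that short links are default.
+//
+// ---- PLEASE NOTE ----
+// This option is provided to you only because several people have requested it
+// as a convenience. You are free to change it, but you should know that
+// changing the default here gives you, for all intents and purposes, no
+// security advantage in practice.
+//
+"link_style" => LINK_4_PLUS_4_UPPER_CASE,
+
+// Leaflet tile URI template for the map frontend. Here are some examples:
+//
+// - OpenStreetMap directly:
+// https://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png
+// - Mapbox:
+// https://api.tiles.mapbox.com/v4/mapbox.streets/{z}/{x}/{y}.png?access_token=YOUR_ACCESS_TOKEN
+// - Thunderforest:
+// https://{s}.tile.thunderforest.com/neighbourhood/{z}/{x}/{y}.png?apikey=YOUR_API_KEY
+// - Esri:
+// https://server.arcgisonline.com/ArcGIS/rest/services/World_Street_Map/MapServer/tile/{z}/{y}/{x}
+// - OpenMapSurfer:
+// https://maps.heigit.org/openmapsurfer/tiles/roads/webmercator/{z}/{x}/{y}.png
+// - Hydda (OSM Sweden):
+// https://{s}.tile.openstreetmap.se/hydda/full/{z}/{x}/{y}.png
+//
+// Make sure you have permission to use the source you choose, and also use a
+// proper attribution for that provider.
+"map_tile_uri" => 'https://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png',
+
+// Attribution HTML code to be displayed in the bottom right corner of the map.
+// The default value is suitable for OpenStreetMap tiles.
+"map_attribution" => 'Map data &copy; <a href="https://www.openstreetmap.org/">OpenStreetMap</a> contributors, <a href="https://creativecommons.org/licenses/by-sa/2.0/">CC-BY-SA</a>',
+
+// Default and maximum zoom levels allowed on the map (0-20), higher value means
+// closer zooming.
+"default_zoom" => 14,
+"max_zoom" => 19,
+
+// Maximum duration of a single location share, in seconds.
+"max_duration" => 86400,
+
+// Minimum time between each location update, in seconds.
+"min_interval" => 1,
+
+// The time that should pass without any location updates received, in seconds,
+// before the user is marked "offline" on the map.
+"offline_timeout" => 30,
+
+// The timeout in seconds for map update requests from the map view. If a web
+// request takes this long without a response, the map viewer is considered
+// offline and will get a warning notifying them that they have lost their
+// network connection.
+"request_timeout" => 10,
+
+// Maximum number of data points stored for each share before old points are
+// deleted. Map clients will see up to this amount of data points when they load
+// the page.
+"max_cached_pts" => 3,
+
+// Maximum number of data points that may be visible on the map at any time.
+// This is used to draw trails behind the current location map marker. Higher
+// values will show longer trails, but may reduce performance.
+"max_shown_pts" => 100,
+
+// Number of seconds of data that should be used to calculate velocity.
+"v_data_points" => 2,
+
+// The color of the marker trails. HTML color name or #rrggbb hex color code.
+"trail_color" => '#d80037',
+
+// The unit of measurement of velocity. Valid are:
+// KILOMETERS_PER_HOUR, MILES_PER_HOUR, METERS_PER_SECOND
+"velocity_unit" => KILOMETERS_PER_HOUR,
+
+// The publicly accessible URL to reach Hauk, with trailing slash.
+"public_url" => 'https://HAUK_SERVER_NAME.DOMAIN/'
+
+);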
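Review bot: `"ldap_user_filter" => '(&(objectclass=*)(|(uniqueIdentifier=%s)(mail=%s)))'` lets every entry under the `ou=people` search base from hauk.env.template log into Hauk, and the `(objectclass=*)` term adds nothing; the comment block directly above shows the intended way to scope access, e.g. `'(&(|(uniqueIdentifier=%s)(mail=%s))(memberOf=cn=HaukUsers,ou=groups,dc=…))'` (keep whatever identifier attribute the existing people entries actually carry). How Hauk escapes `%s` before substituting the app-supplied username is not visible here, so matching on a user-editable attribute like `mail` should be checked against LDAP filter injection before relying on it. The directory connection is `ldap://…:389` with `"ldap_start_tls" => false`, so the bind password and every user password cross the Docker network in clear — tolerable on an isolated overlay network, but that assumption deserves a comment here, or `"ldap_start_tls" => true` if the openldap image carries a certificate. `reserved_links` still ships the upstream sample entries (`WheresAlice`, `TheRealBob`); set it to `[]` unless those links are meant to exist on this instance.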

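--- a/images/hauk/docker-entrypoint.sh
+++ b/images/hauk/docker-entrypoint.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# set LDAP password from secret
+if [ ! -z $LDAP_BIND_PWD_FILE -a -f $LDAP_BIND_PWD_FILE ]; then
+LDAP_BIND_PWD=`cat $LDAP_BIND_PWD_FILE`;
+fi
+
+PASSWORD_HASH=$(htpasswd -nbBC 10 "" ${HAUK_SERVER_PWD} | tail -c +2)
+
+# ### Conf file ###
+
+echo Tweaking config files
+CONF_FILE=/etc/hauk/config.php
+
+#echo ${LDAP_SERVER_HOST}, ${LDAP_BIND_DN}, ${#LDAP_BIND_PWD}, ${LDAP_SEARCH_BASE}
+
+sed -i "s/HAUK_PASSWORD_HASH/${PASSWORD_HASH}/g" ${CONF_FILE}
+sed -i "s/HAUK_SERVER_NAME/${HAUK_SERVER_NAME}/g" ${CONF_FILE}
+sed -i "s/DOMAIN/${DOMAIN}/g" ${CONF_FILE}
+sed -i "s/LDAP_SERVER_HOST/${LDAP_SERVER_HOST}/g" ${CONF_FILE}
+sed -i "s/LDAP_SEARCH_BASE/${LDAP_SEARCH_BASE}/g" ${CONF_FILE}
+sed -i "s/LDAP_BIND_DN/${LDAP_BIND_DN}/g" ${CONF_FILE}
+sed -i "s/LDAP_BIND_PWD/${LDAP_BIND_PWD}/g" ${CONF_FILE}
+
+./start.sh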
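Review bot: `sed -i "s/HAUK_PASSWORD_HASH/${PASSWORD_HASH}/g"` fails whenever the bcrypt hash contains `/`, which is part of bcrypt's base-64 alphabet, so on a large fraction of container starts sed aborts with "unknown option to `s'", the script (which has no `set -e`) carries on, and the `HAUK_PASSWORD_HASH` placeholder stays in config.php; the same unescaped interpolation is used for `LDAP_BIND_PWD`, where an operator-typed password containing `/`, `&`, `\` or `'` either breaks sed or lands unescaped inside a PHP single-quoted literal. The haproxy startup script in this same commit already escapes slashes with `${HAPROXY_CERTS//\//\\/}`; do it once in a helper that escapes for both PHP and sed and apply it to every value, quote the file test (`[[ -n "$LDAP_BIND_PWD_FILE" && -f "$LDAP_BIND_PWD_FILE" ]]`) so an empty variable cannot be misparsed, and `exec` the server so it receives container stop signals. `htpasswd -b` also exposes the server password on the process command line; feeding it through stdin with `-i` avoids that on htpasswd ≥ 2.4.4.
```shell
#!/bin/bash
set -eu

# Escape a value so it survives `sed s/…/VALUE/` and is valid inside a PHP
# single-quoted string. PHP escapes first (\ and '), then sed escapes (\ / &).
esc() {
  local v=$1
  v=${v//\\/\\\\}     # PHP: \  -> \\
  v=${v//\'/\\\'}     # PHP: '  -> \'
  v=${v//\\/\\\\}     # sed: \  -> \\
  v=${v//\//\\\/}     # sed: /  -> \/
  v=${v//&/\\&}       # sed: &  -> \&
  printf '%s' "$v"
}

# set LDAP password from secret
if [[ -n "${LDAP_BIND_PWD_FILE:-}" && -f "${LDAP_BIND_PWD_FILE}" ]]; then
  LDAP_BIND_PWD=$(cat "${LDAP_BIND_PWD_FILE}")
fi

# -i reads the password from stdin instead of argv (htpasswd >= 2.4.4)
PASSWORD_HASH=$(printf '%s' "${HAUK_SERVER_PWD:-}" | htpasswd -niBC 10 "" | tail -c +2)

# … unchanged: CONF_FILE and "Tweaking config files" …

sed -i "s/HAUK_PASSWORD_HASH/$(esc "${PASSWORD_HASH}")/g" "${CONF_FILE}"
sed -i "s/HAUK_SERVER_NAME/$(esc "${HAUK_SERVER_NAME:-}")/g" "${CONF_FILE}"
sed -i "s/DOMAIN/$(esc "${DOMAIN:-}")/g" "${CONF_FILE}"
sed -i "s/LDAP_SERVER_HOST/$(esc "${LDAP_SERVER_HOST:-}")/g" "${CONF_FILE}"
sed -i "s/LDAP_SEARCH_BASE/$(esc "${LDAP_SEARCH_BASE:-}")/g" "${CONF_FILE}"
sed -i "s/LDAP_BIND_DN/$(esc "${LDAP_BIND_DN:-}")/g" "${CONF_FILE}"
sed -i "s/LDAP_BIND_PWD/$(esc "${LDAP_BIND_PWD:-}")/g" "${CONF_FILE}"

exec ./start.sh
```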

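--- a/images/openldap/data/serviceimport_hauk.ldif
+++ b/images/openldap/data/serviceimport_hauk.ldif
@@ -0,0 +1,8 @@
+# hauk
+dn: uid=${LDAP_HAUK_UID},ou=services,dc=${LDAP_ORGANIZATION},dc=${LDAP_EXTENSION}
+objectClass: simpleSecurityObject
+objectClass: account
+objectClass: top
+uid: ${LDAP_HAUK_UID}
+userPassword: ${LDAP_HAUK_PWD}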
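Review bot: `userPassword: ${LDAP_HAUK_PWD}` writes the service account's password into the directory as cleartext; slapd only hashes it on add if a ppolicy/`olcPasswordHash` configuration does so, and nothing of that kind is part of this commit, so anyone who can read `ou=services` entries or the database files obtains the bind password directly. Since images/openldap/startup.sh substitutes the value into this file anyway, hash it there first — `LDAP_HAUK_PWD=$(slappasswd -s "$LDAP_HAUK_PWD")` before the `replace` calls — so the LDIF carries a `{SSHA}…` value; the mail/nextcloud/gitea entries this one copies presumably have the same issue. config.php notes the bind account "should ideally be a read-only account"; no ACL granting uid=hauk read-only access to `ou=people` is visible in this commit, so confirm the existing slapd ACLs cover the new entry rather than falling back to something broader.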


+ 5
- 0
images/openldap/startup.sh

@@ -24,6 +24,9 @@ fi
if [ ! -z $LDAP_GITEA_PWD_FILE -a -f $LDAP_GITEA_PWD_FILE ]; then
LDAP_GITEA_PWD=`cat $LDAP_GITEA_PWD_FILE`;
fi
if [ ! -z $LDAP_HAUK_PWD_FILE -a -f $LDAP_HAUK_PWD_FILE ]; then
LDAP_HAUK_PWD=`cat $LDAP_HAUK_PWD_FILE`;
fi

echo slapd slapd/internal/generated_adminpw password ${LDAP_ADMIN_PWD} | debconf-set-selections \
&& echo slapd slapd/internal/adminpw password ${LDAP_ADMIN_PWD} | debconf-set-selections \
@@ -71,9 +74,11 @@ function replace {
sed -i "s/\${LDAP_MAIL_UID}/${LDAP_MAIL_UID}/g" $1
sed -i "s/\${LDAP_NEXTCLOUD_UID}/${LDAP_NEXTCLOUD_UID}/g" $1
sed -i "s/\${LDAP_GITEA_UID}/${LDAP_GITEA_UID}/g" $1
sed -i "s/\${LDAP_HAUK_UID}/${LDAP_HAUK_UID}/g" $1
sed -i "s/\${LDAP_MAIL_PWD}/${LDAP_MAIL_PWD}/g" $1
sed -i "s/\${LDAP_NEXTCLOUD_PWD}/${LDAP_NEXTCLOUD_PWD}/g" $1
sed -i "s/\${LDAP_GITEA_PWD}/${LDAP_GITEA_PWD}/g" $1
sed -i "s/\${LDAP_HAUK_PWD}/${LDAP_HAUK_PWD}/g" $1
}
ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/data/_postfix-book.ldif
for i in `ls /tmp/data/[^_]*.ldif`; do
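Review bot: `if [ ! -z $LDAP_HAUK_PWD_FILE -a -f $LDAP_HAUK_PWD_FILE ]` leaves both expansions unquoted and uses the deprecated `-a`, so an empty variable or a path with a space is parsed as a different set of test arguments instead of a clean false; `[[ -n "$LDAP_HAUK_PWD_FILE" && -f "$LDAP_HAUK_PWD_FILE" ]]` with `LDAP_HAUK_PWD=$(cat "$LDAP_HAUK_PWD_FILE")` is the safe form (the three existing blocks above it have the same shape). The new `sed -i "s/\${LDAP_HAUK_PWD}/${LDAP_HAUK_PWD}/g" $1` in `replace` interpolates the raw secret into a sed expression; `PWD_GEN` only emits `[_A-Za-z0-9-]`, but a password typed at the setup prompt containing `/`, `&` or `\` breaks or corrupts the LDIF, so escape it (`${LDAP_HAUK_PWD//\//\\/}` as haproxy/startup.sh already does). `replace` starts before this hunk and the `ldapadd` loop ends after it; the substituted LDIFs in /tmp/data keep the cleartext passwords inside the container, so confirm they are deleted once imported.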

+ 21
- 0
setup.sh

@@ -6,6 +6,7 @@ PWD_GEN='< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-32};echo;'
DEFAULT_LDAP_MAIL_UID='mail'
DEFAULT_LDAP_NEXTCLOUD_UID='nextcloud'
DEFAULT_LDAP_GITEA_UID='git'
DEFAULT_LDAP_HAUK_UID='hauk'

read -p "Main domain: " domain
while [[ ! $domain =~ ^.*\.[a-z]{2,}$ ]]; do
@@ -60,6 +61,16 @@ if [[ ${#ldap_gitea_pwd} -eq 0 ]]; then
ldap_gitea_pwd=`eval "$PWD_GEN"`
fi

read -p "LDAP Hauk Bind DN uid ($DEFAULT_LDAP_HAUK_UID): " ldap_hauk_uid
if [[ ${#ldap_hauk_uid} -eq 0 ]]; then
ldap_hauk_uid=$DEFAULT_LDAP_HAUK_UID
fi

read -p "LDAP Hauk Bind DN Pwd (a random one will be generated if empty): " ldap_hauk_pwd
if [[ ${#ldap_hauk_pwd} -eq 0 ]]; then
ldap_hauk_pwd=`eval "$PWD_GEN"`
fi

read -p "Nextcloud Admin User Pwd (a random one will be generated if empty): " nextcloud_admin_pwd
if [[ ${#nextcloud_admin_pwd} -eq 0 ]]; then
nextcloud_admin_pwd=`eval "$PWD_GEN"`
@@ -121,6 +132,7 @@ echo Your Volumes path is: $volumes
echo Your LDAP Mail Bind DN Uid is: $ldap_mail_uid
echo Your LDAP Nextcloud Bind DN Uid is: $ldap_nextcloud_uid
echo Your LDAP Gitea Bind DN Uid is: $ldap_gitea_uid
echo Your LDAP Hauk Bind DN Uid is: $ldap_hauk_uid
echo Your Admin email. Let\'s Encrypt...: $admin_email
echo Your Paperless Web Server User: $paperless_webserver_user
echo Your SFTP User: $paperless_ftp_user
@@ -141,6 +153,7 @@ echo $ldap_pwd | docker secret create ldap_pwd -
echo $ldap_mail_pwd | docker secret create ldap_mail_pwd -
echo $ldap_nextcloud_pwd | docker secret create ldap_nextcloud_pwd -
echo $ldap_gitea_pwd | docker secret create ldap_gitea_pwd -
echo $ldap_hauk_pwd | docker secret create ldap_hauk_pwd -
echo $nextcloud_admin_pwd | docker secret create nextcloud_admin_pwd -
echo $nextcloud_salt | docker secret create nextcloud_salt -
echo $nextcloud_secret | docker secret create nextcloud_secret -
@@ -165,6 +178,7 @@ cp haproxy.env.template haproxy.env
cp paperless.env.template paperless.env
cp sftp.env.template sftp.env
cp gitea.env.template gitea.env
cp hauk.env.template hauk.env
cp pihole.env.template pihole.env

# IP for Pi-Hole
@@ -179,6 +193,7 @@ for i in `ls *.env .env`; do
sed -i "s/\${LDAP_MAIL_UID}/${ldap_mail_uid}/g" $i
sed -i "s/\${LDAP_NEXTCLOUD_UID}/${ldap_nextcloud_uid}/g" $i
sed -i "s/\${LDAP_GITEA_UID}/${ldap_gitea_uid}/g" $i
sed -i "s/\${LDAP_HAUK_UID}/${ldap_hauk_uid}/g" $i
sed -i "s/\${ADMIN_EMAIL}/${admin_email}/g" $i
sed -i "s/\${PAPERLESS_WEBSERVER_USER}/${paperless_webserver_user}/g" $i
sed -i "s/\${PAPERLESS_FTP_USER}/${paperless_ftp_user}/g" $i
@@ -199,11 +214,17 @@ echo "NEXTCLOUD_BACKUP_PATH=${NEXTCLOUD_BACKUP_PATH}" >> nextcloud.env
echo "" >> gitea.env
echo "GITEA_SERVER_NAME=${GITEA_SERVER_NAME}" >> gitea.env
echo "GITEA_HTTP_PORT=${GITEA_HTTP_PORT}" >> gitea.env
echo "" >> hauk.env
echo "HAUK_SERVER_NAME=${HAUK_SERVER_NAME}" >> hauk.env
echo "" >> paperless.env
echo "PAPERLESS_CONSUMPTION_DIR=${PAPERLESS_CONSUMPTION_PATH}" >> paperless.env
echo "PAPERLESS_EXPORT_DIR=${PAPERLESS_EXPORT_PATH}" >> paperless.env
echo "" >> sftp.env
echo "PAPERLESS_CONSUMPTION_DIR=${PAPERLESS_CONSUMPTION_PATH}" >> sftp.env
echo "" >> haproxy.env
echo "NEXTCLOUD_SERVER_NAME=${NEXTCLOUD_SERVER_NAME}" >> haproxy.env
echo "GITEA_SERVER_NAME=${GITEA_SERVER_NAME}" >> haproxy.env
echo "HAUK_SERVER_NAME=${HAUK_SERVER_NAME}" >> haproxy.env

echo $'\E[33m'
echo "//////////////////////////////////////////////////"
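Review bot: The swarm setup never collects or exports a Hauk server password: unlike setup_noswarm.sh, there is no `hauk_server_pwd` prompt here and nothing writes `HAUK_SERVER_PWD` into hauk.env or a secret, so images/hauk/docker-entrypoint.sh runs `htpasswd -nbBC 10 ""` with a missing argument and `password_hash` is left empty or unreplaced. That is only harmless while `auth_method` stays `LDAP`; either add the prompt plus `echo $hauk_server_pwd | docker secret create hauk_server_pwd -` alongside `ldap_hauk_pwd` and mount it, or remove the `HAUK_SERVER_PWD` handling from the entrypoint so the two setup scripts agree. The new `read -p "LDAP Hauk Bind DN Pwd …" ldap_hauk_pwd` echoes the typed secret to the terminal; `read -rsp "…" ldap_hauk_pwd; echo` keeps it off the screen and stops backslashes being eaten.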

+ 23
- 0
setup_noswarm.sh

@@ -6,6 +6,7 @@ PWD_GEN='< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-32};echo;'
DEFAULT_LDAP_MAIL_UID='mail'
DEFAULT_LDAP_NEXTCLOUD_UID='nextcloud'
DEFAULT_LDAP_GITEA_UID='git'
DEFAULT_LDAP_HAUK_UID='hauk'

# main domain
read -p "Add main domain: " domain
@@ -74,6 +75,16 @@ if [[ ${#ldap_gitea_pwd} -eq 0 ]]; then
ldap_gitea_pwd=`eval "$PWD_GEN"`
fi

read -p "LDAP Hauk Bind DN uid ($DEFAULT_LDAP_HAUK_UID): " ldap_hauk_uid
if [[ ${#ldap_hauk_uid} -eq 0 ]]; then
ldap_hauk_uid=$DEFAULT_LDAP_HAUK_UID
fi

read -p "LDAP Hauk Bind DN Pwd (a random one will be generated if empty): " ldap_hauk_pwd
if [[ ${#ldap_hauk_pwd} -eq 0 ]]; then
ldap_hauk_pwd=`eval "$PWD_GEN"`
fi

read -p "Nextcloud Admin User Pwd (a random one will be generated if empty): " nextcloud_admin_pwd
if [[ ${#nextcloud_admin_pwd} -eq 0 ]]; then
nextcloud_admin_pwd=`eval "$PWD_GEN"`
@@ -84,6 +95,11 @@ if [[ ${#gitea_admin_pwd} -eq 0 ]]; then
gitea_admin_pwd=`eval "$PWD_GEN"`
fi

read -p "Hauk Server Pwd (a random one will be generated if empty): " hauk_server_pwd
if [[ ${#hauk_server_pwd} -eq 0 ]]; then
hauk_server_pwd=`eval "$PWD_GEN"`
fi

read -p "Pi-Hole Web User Pwd (a random one will be generated if empty): " pihole_web_pwd
if [[ ${#pihole_web_pwd} -eq 0 ]]; then
pihole_web_pwd=`eval "$PWD_GEN"`
@@ -136,6 +152,7 @@ echo Your Volumes path is: $volumes
echo Your LDAP Mail Bind DN Uid is: $ldap_mail_uid
echo Your LDAP Nextcloud Bind DN Uid is: $ldap_nextcloud_uid
echo Your LDAP Gitea Bind DN Uid is: $ldap_gitea_uid
echo Your LDAP Hauk Bind DN Uid is: $ldap_hauk_uid
echo Your Admin email. Let\'s Encrypt...: $admin_email
echo Your Paperless Web Server User: $paperless_webserver_user
echo Your SFTP User: $paperless_ftp_user
@@ -165,6 +182,7 @@ cp haproxy.env.template haproxy.env
cp paperless.env.template paperless.env
cp sftp.env.template sftp.env
cp gitea.env.template gitea.env
cp hauk.env.template hauk.env
cp pihole.env.template pihole.env
chmod 600 *.env

@@ -176,9 +194,11 @@ echo LDAP_ADMIN_PWD=$ldap_pwd >> openldap.env
echo LDAP_MAIL_PWD=$ldap_mail_pwd >> openldap.env
echo LDAP_NEXTCLOUD_PWD=$ldap_nextcloud_pwd >> openldap.env
echo LDAP_GITEA_PWD=$ldap_gitea_pwd >> openldap.env
echo LDAP_HAUK_PWD=$ldap_hauk_pwd >> openldap.env
echo LDAP_BIND_PWD=$ldap_mail_pwd >> mail.env
echo LDAP_BIND_PWD=$ldap_nextcloud_pwd >> nextcloud.env
echo LDAP_BIND_PWD=$ldap_gitea_pwd >> gitea.env
echo LDAP_BIND_PWD=$ldap_hauk_pwd >> hauk.env

echo NEXTCLOUD_ADMIN_PWD=$nextcloud_admin_pwd >> nextcloud.env
echo NEXTCLOUD_SALT=$nextcloud_salt >> nextcloud.env
@@ -188,6 +208,7 @@ echo NEXTCLOUD_SECRET=$nextcloud_secret >> nextcloud.env
#echo PAPERLESS_PASSPHRASE=$paperless_passphrase >> paperless.env
echo PAPERLESS_FTP_PWD=$paperless_ftp_pwd >> sftp.env
echo GITEA_ADMIN_PWD=$gitea_admin_pwd >> gitea.env
echo HAUK_SERVER_PWD=$hauk_server_pwd >> hauk.env
#echo $pihole_web_pwd | docker secret create pihole_web_pwd -
sed -i "s/\${PIHOLE_WEB_PWD}/${pihole_web_pwd}/g" pihole.env

@@ -204,6 +225,7 @@ for i in `ls *.env .env`; do
sed -i "s/\${LDAP_MAIL_UID}/${ldap_mail_uid}/g" $i
sed -i "s/\${LDAP_NEXTCLOUD_UID}/${ldap_nextcloud_uid}/g" $i
sed -i "s/\${LDAP_GITEA_UID}/${ldap_gitea_uid}/g" $i
sed -i "s/\${LDAP_HAUK_UID}/${ldap_hauk_uid}/g" $i
sed -i "s/\${ADMIN_EMAIL}/${admin_email}/g" $i
sed -i "s/\${PAPERLESS_WEBSERVER_USER}/${paperless_webserver_user}/g" $i
sed -i "s/\${PAPERLESS_FTP_USER}/${paperless_ftp_user}/g" $i
@@ -242,6 +264,7 @@ echo "PAPERLESS_CONSUMPTION_DIR=${PAPERLESS_CONSUMPTION_PATH}" >> sftp.env
echo "" >> haproxy.env
echo "NEXTCLOUD_SERVER_NAME=${NEXTCLOUD_SERVER_NAME}" >> haproxy.env
echo "GITEA_SERVER_NAME=${GITEA_SERVER_NAME}" >> haproxy.env
echo "HAUK_SERVER_NAME=${HAUK_SERVER_NAME}" >> haproxy.env

echo $'\E[33m'
echo "//////////////////////////////////////////////////"
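Review bot: `read -p "Hauk Server Pwd …" hauk_server_pwd` and the `ldap_hauk_pwd` prompt above it echo the typed secret to the terminal; `read -rsp "…" hauk_server_pwd; echo` keeps it hidden and preserves backslashes. hauk.env then receives both `LDAP_BIND_PWD=$ldap_hauk_pwd` and `HAUK_SERVER_PWD=$hauk_server_pwd` in clear, which the existing `chmod 600 *.env` covers on disk, but the values are still exposed through `docker inspect` and the container environment — acceptable for this non-swarm mode, and worth a one-line comment next to those `echo … >> hauk.env` lines saying so. Because hauk.env.template keeps `LDAP_BIND_PWD_FILE=/run/secrets/ldap_pwd`, this mode relies on that file not existing so the entrypoint falls through to `LDAP_BIND_PWD`; a comment there, or dropping the `_FILE` line from hauk.env here (`sed -i '/^LDAP_BIND_PWD_FILE=/d' hauk.env`), would make the intent explicit.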
