From f0d0bc1503f22b0bee2d706bfdbfa54a54535e91 Mon Sep 17 00:00:00 2001
From: Derek Crudgington
Date: Wed, 14 Sep 2022 12:03:30 +0000
Subject: [PATCH] First commit
---
fstack/lib/checks.sh | 105 +++++++++++++++++++
fstack/lib/dns.sh | 223 ++++++++++++++++++++++++++++++++++++++++
fstack/lib/ldap.sh | 216 ++++++++++++++++++++++++++++++++++++++
fstack/lib/mail.sh | 200 +++++++++++++++++++++++++++++++++++
fstack/lib/network.sh | 17 +++
fstack/lib/nextcloud.sh | 145 ++++++++++++++++++++++++++
install-federated.sh | 102 ++++++++++++++++++
7 files changed, 1008 insertions(+)
create mode 100644 fstack/lib/checks.sh
create mode 100644 fstack/lib/dns.sh
create mode 100644 fstack/lib/ldap.sh
create mode 100644 fstack/lib/mail.sh
create mode 100644 fstack/lib/network.sh
create mode 100644 fstack/lib/nextcloud.sh
create mode 100755 install-federated.sh
diff --git a/fstack/lib/checks.sh b/fstack/lib/checks.sh
new file mode 100644
index 0000000..e34feb2
--- /dev/null
+++ b/fstack/lib/checks.sh
@@ -0,0 +1,105 @@ +#!/bin/bash +# +# Federated Stack Checks + +PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + +check_docker() { + OSRELEASE=`lsb_release -a 2>/dev/null | grep ID | awk -F: '{ print $2 }' | xargs` + + if ! command -v docker &> /dev/null; then + echo -ne "\n* Couldn't find docker, installing.." + spin & + SPINPID=$! + + # Install Docker on Ubuntu + if [ $OSRELEASE == "Ubuntu" ]; then + # Update list of packages + sudo apt-get update -y &> /dev/null + [ $? -ne 0 ] && failcheck "Couldn't run sudo apt-get update" + + # Install packages which let apt use packages over HTTPS + sudo apt install apt-transport-https ca-certificates curl software-properties-common -y &> /dev/null + [ $? -ne 0 ] && failcheck "Couldn't run sudo apt install for https packages" + + # Add GPG key for the official Docker repository to this system + curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - &> /dev/null + [ $? -ne 0 ] && failcheck "Couldn't run curl to add Docker GPG key" + + # Add the docker repository to our APT sources list + sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu focal stable" -y &> /dev/null + [ $? -ne 0 ] && failcheck "Couldn't run sudo add-apt-repository" + + # Install docker packages + sudo apt-get install docker-ce docker-ce-cli containerd.io docker-compose-plugin docker-compose -y &> /dev/null + [ $? -ne 0 ] && failcheck "Couldn't run sudo apt install docker packages" + fi + kill -9 $SPINPID &> /dev/null + echo -ne "done." + fi + + if ! command -v docker-compose &> /dev/null; then + echo -ne "\n* Couldn't find docker-compose, installing.." + spin & + SPINPID=$! + + # Install Docker compose on Ubuntu + if [ $OSRELEASE == "Ubuntu" ]; then + sudo apt-get install docker-compose -y &> /dev/null + fi + + kill -9 $SPINPID &> /dev/null + echo -ne "done." 
+ fi +} +check_ports() { + EXTERNALIP=`dig @resolver4.opendns.com myip.opendns.com +short 2> /dev/null` + [ $? -ne 0 ] && failcheck "Couldn't run dig, dns is not working" + + # Check if ss command exists + if command -v ss &> /dev/null; then + # Check every port we need if it's in use + for i in 25 53 80 143 389 587 993 8000; do + SS=`ss -tulwn | grep LISTEN | awk '{ print $5 }' | awk -F: '{ print $NF }' | grep "^$i$" | head -1` + # If port 53 (dns) in use by system-resolvd (Ubuntu) then auto fix + if [ "$SS" == 53 ]; then + if [ $OSRELEASE == "Ubuntu" ]; then + grep "127\.0" /etc/resolv.conf &> /dev/null + if [ $? -eq 0 ]; then + echo -ne "\n* Port 53 in use by systemd-resolved, fixing.." + spin & + SPINPID=$! + + # Install resolvconf to fix + sudo apt install resolvconf -y &> /dev/null + [ $? -eq 0 ] && echo -ne "." || failcheck "Failed running sudo apt install resolvconf" + + # Shut down systemd-resolved + systemctl stop systemd-resolved + [ $? -ne 0 ] && failcheck "Failed running systemctl stop systemd-resolved" + + # Put nameserver entries so will exist on reboot + echo "nameserver 8.8.8.8" > /etc/resolvconf/resolv.conf.d/tail + echo "nameserver 8.8.8.8" > /run/resolvconf/resolv.conf + + kill -9 $SPINPID &> /dev/null + echo -ne "done." + else + echo -ne "\nFAILED - Port 53 (dns) is already in use\n\n" && exit 2 + fi + fi + elif [ "$SS" == "$i" ]; then + failcheck "FAILED - Port $i is already in use" + fi + done + fi + + # Check Port 53 (dns) with nc +# elif command -v nc &> /dev/null; then +# nc -z $EXTERNALIP 53 &> /dev/null +# [ $? -eq 0 ] && failcheck "Port 53 (dns) is already in use." +# +# nc -z 127.0.0.1 53 &> /dev/null +# [ $? -eq 0 ] && failcheck "Port 53 (dns) is already in use." +# fi +} diff --git a/fstack/lib/dns.sh b/fstack/lib/dns.sh new file mode 100644 index 0000000..a642a74 --- /dev/null +++ b/fstack/lib/dns.sh 
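Review bot: In check_docker the Docker signing key is piped from curl into `sudo apt-key add -`, which puts it in apt's global trusted keyring, where it can vouch for packages from any configured repository; apt-key is also deprecated. Store the key in its own keyring file and bind it to the one repository with `signed-by=`, e.g. `deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu focal stable`. The same sources line hard-codes the `focal` suite regardless of what lsb_release reported. In check_ports the `systemctl stop systemd-resolved` and the two writes under resolvconf run without sudo while the apt calls use it, so the port 53 fix-up only works when the installer is already root, and check_ports relies on `$OSRELEASE` having been set by check_docker.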
@@ -0,0 +1,223 @@ +#!/bin/bash +# +# Federated Stack DNS + +PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + +config_dns() { + echo -ne "\n* Configuring fstack/dns container.." + spin & + SPINPID=$! + EXTERNAL_IP_LASTDIGIT=`echo $EXTERNALIP | awk -F . '{ print $4 }'` + EXTERNALIP_INADDR=`echo $EXTERNALIP | awk -F . '{ print $3"."$2"."$1".in-addr.arpa"}'` + EXTERNALIP_INADDR_CAPS=`echo $EXTERNALIP | awk -F . '{ print $3"."$2"."$1".IN-ADDR.ARPA"}'` + mkdir -p fstack/dns/data/root + mkdir -p fstack/dns/data/etc/bind/zones + mkdir -p fstack/dns/data/var/log/letsencrypt + +cat > fstack/dns/docker-compose.yml <<'EOF' +version: '3.8' + +services: + dns: + image: alpine:latest + container_name: dns + hostname: dns + restart: always + working_dir: /root + networks: + fstack: + ipv4_address: 172.99.0.10 + volumes: + - ./data/etc/bind:/etc/bind + - ./data/etc/letsencrypt:/etc/letsencrypt + - ./data/var/log/letsencrypt:/var/log/letsencrypt + - ./data/root:/root + ports: + - "53:53/udp" + - "53:53/tcp" + command: [ "/root/dns-cert.sh" ] + +networks: + fstack: + external: true +EOF + +cat > fstack/dns/data/root/dns-cert.sh <<'EOF' +#!/bin/sh -x + +PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + +if [ ! -e /etc/bind/.firstdone ]; then + # Install bind and certbot packages + apk add --no-cache bind + apk add --no-cache certbot + + # Install ACME DNS script + if [ ! -e /root/acme-dns-auth.py ]; then + wget https://github.com/joohoi/acme-dns-certbot-joohoi/raw/master/acme-dns-auth.py + chmod +x acme-dns-auth.py + fi + [ ! 
-e /usr/bin/python ] && ln -s /usr/bin/python3 /usr/bin/python + + # Run rndc to create bind keys for rndc to run + rndc-confgen -a + cat /etc/bind/rndc.key >> /etc/bind/named.conf + + # Run Certbot and insert CNAME record into bind configuration + DOMAIN=`ls /etc/bind/zones | head -1` + echo "Trying to certbot for DOMAIN $DOMAIN" + CNAME_RECORD=`certbot certonly --manual --manual-auth-hook /root/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d \*.$DOMAIN -d $DOMAIN --agree-tos --email hostmaster@$DOMAIN -n 2>1 | grep acme-dns | awk '{ print $3 }'` + echo "Got CNAME record: $CNAME_RECORD" + echo "$CNAME_RECORD" > /etc/bind/.cnamerecord + echo -e "_acme-challenge\tIN\tCNAME\t$CNAME_RECORD" >> /etc/bind/zones/$DOMAIN + + # Reload Bind configuration without restarting the container or process + named -f -g & + crond & +# rndc reload $DOMAIN +# rndc reload + sleep 7 + + # Run Certbot again to generate the certificate + certbot certonly --manual --manual-auth-hook /root/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d \*.$DOMAIN -d $DOMAIN --agree-tos --email hostmaster@$DOMAIN -n &> /dev/null + if [ $? -eq 0 ]; then + echo "[fstack]: SUCCESS generating certificates for $DOMAIN!" 
+ echo "[fstack]: Certificates are at /etc/letsencrypt/live/$DOMAIN" + echo -ne "#!/bin/sh\n\n/usr/bin/certbot renew -q" > /etc/periodic/15min/certbot-renew.sh + chmod +x /etc/periodic/15min/certbot-renew.sh + else + touch /etc/bind/.failedcert + touch /etc/bind/.firstdone + echo "[fstack]: FAILED generating certificates for $DOMAIN" + echo "[fstack]: Check that you have DNS setup properly" + exit 2; + fi + + touch /etc/bind/.firstdone + wait -n +elif [ -e /etc/bind/.firstdone ] && [ -e /etc/bind/.failedcert ]; then + DOMAIN=`ls /etc/bind/zones | head -1` + named -f -g & + crond & + sleep 7 + + # Run Certbot again to generate the certificate + certbot certonly --manual --manual-auth-hook /root/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d \*.$DOMAIN -d $DOMAIN --agree-tos --email hostmaster@$DOMAIN -n &> /dev/null + if [ $? -eq 0 ]; then + rm /etc/bind/.failedcert + echo "[fstack]: SUCCESS generating certificates for $DOMAIN!" + echo "[fstack]: Certificates are at /etc/letsencrypt/live/$DOMAIN" + else + touch /etc/bind/.failedcert + echo "[fstack]: FAILED generating certificates for $DOMAIN" + echo "[fstack]: Check that you have DNS setup properly" + exit 2; + fi + wait -n +else + [ ! `pgrep -x named` ] && named -f -g && crond +fi +EOF + + chmod +x fstack/dns/data/root/dns-cert.sh + +cat > fstack/dns/data/etc/bind/named.conf < fstack/dns/data/etc/bind/zones/$DOMAIN < fstack/dns/data/etc/bind/zones/$DOMAIN.rev < /dev/null +} + +start_dns() { + echo -ne "\n* Starting fstack/dns service.." + spin & + SPINPID=$! + + if [ $DEBUG ]; then + # Start fstack/dns with output to console for debug + docker-compose -f fstack/dns/docker-compose.yml -p dns up + [ $? 
-eq 0 ] && echo -ne "done.\n" || fail "There was a problem starting service fstack/dns" + else + # Start fstack/dns with output to /dev/null + docker-compose -f fstack/dns/docker-compose.yml -p dns up -d &> /dev/null + + # Keep trying to see that certificates are generated + RETRY="18" + while [ $RETRY -gt 0 ]; do + ls fstack/dns/data/etc/letsencrypt/live/$DOMAIN/*.pem &> /dev/null + if [ $? -eq 0 ]; then + kill -9 $SPINPID &> /dev/null + echo -ne "done." +# echo -ne "* Certificates at fstack/dns/data/etc/letsencrypt/live/$DOMAIN\n" + break + else + if [ "$RETRY" == 1 ]; then + docker-compose -f fstack/dns/docker-compose.yml -p dns down &> /dev/null + fail "There was a problem starting service fstack/dns\nCheck the output of 'docker logs dns' or turn on\ndebug with -d" + fi + ((RETRY--)) + sleep 9 + fi + done + fi +} diff --git a/fstack/lib/ldap.sh b/fstack/lib/ldap.sh new file mode 100644 index 0000000..92b5ecc --- /dev/null +++ b/fstack/lib/ldap.sh 
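Review bot: dns-cert.sh downloads acme-dns-auth.py from the `master` branch with wget and then uses it as the certbot auth hook (presumably as root, since the compose file sets no user), with no pinned revision or checksum, so whatever that branch serves at install time gets executed; the compose file likewise pulls `alpine:latest`. Pin the URL to a reviewed commit and verify a digest before the `chmod +x`, e.g. `echo "<EXPECTED_SHA256>  acme-dns-auth.py" | sha256sum -c - || exit 2`, and pin the image by tag or digest. Separately, the first certbot call redirects with `2>1`, which sends stderr to a file named `1` instead of into the pipe that extracts the CNAME; it should be `2>&1`. The script also uses `&>` and `wait -n` under `#!/bin/sh`, which only works if the container's shell accepts those bash extensions.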
@@ -0,0 +1,216 @@ +#!/bin/bash +# +# Federated Stack LDAP + +PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + +config_ldap() { + echo -ne "\n* Configuring fstack/ldap container.." + spin & + SPINPID=$! + + if [ ! -d "fstack/ldap" ]; then + mkdir -p fstack/ldap/data &> /dev/null + mkdir -p fstack/ldap/data/var/lib/ldap &> /dev/null + mkdir -p fstack/ldap/data/etc/ldap/slap.d &> /dev/null + mkdir -p fstack/ldap/data/certs &> /dev/null + mkdir -p fstack/ldap/data/root &> /dev/null + cp -rf fstack/dns/data/etc/letsencrypt/archive/$DOMAIN/*.pem fstack/ldap/data/certs/ + fi + + DOMAIN_ARRAY=(${DOMAIN//./ }) + DOMAIN_FIRST=${DOMAIN_ARRAY[0]} + DOMAIN_LAST=${DOMAIN_ARRAY[1]} + LDAPADMINPASS=`echo -n $ADMINPASS | openssl dgst -sha1 -binary | openssl enc -base64 | awk '{print "{SHA}"$0}'` + +cat > fstack/ldap/docker-compose.yml < fstack/ldap/data/root/ldap.ldif < fstack/ldap/data/root/ldap.sh <<'EOF' +#!/bin/sh + +PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + +if [ ! -f .initialized ]; then + echo "Importing default scheme ldap.ldif into LDAP" + + slapadd -v -l /root/ldap.ldif + [ $? -ne 0 ] && echo "FAILED importing ldap.dif" && exit 2 + + touch .initialized +fi +EOF + +chmod +x fstack/ldap/data/root/ldap.sh + +kill -9 $SPINPID &> /dev/null +echo -ne "done." +} + +start_ldap() { + # Start fstack/ldap with output to /dev/null + echo -ne "\n* Starting fstack/ldap service.." + spin & + SPINPID=$! + + if [ $DEBUG ]; then + # Start fstack/ldap with output to console for debug + docker-compose -f fstack/ldap/docker-compose.yml -p ldap up + [ $? -eq 0 ] && echo -ne "done.\n" || fail "There was a problem starting service fstack/dns" + else + docker-compose -f fstack/ldap/docker-compose.yml -p ldap up -d &> /dev/null + + # Keep trying ldap port to make sure it's up + # before we proceed + RETRY="23" + while [ $RETRY -gt 0 ]; do + nc -z 172.99.0.11 636 &> /dev/null + if [ $? 
-eq 0 ]; then + break + else + if [ "$RETRY" == 1 ]; then + docker-compose -f fstack/ldap/docker-compose.yml -p ldap down &> /dev/null + kill -9 $SPINPID &> /dev/null + fail "There was a problem starting service fstack/ldap\nCheck the output of 'docker logs ldap' or turn on\ndebug with -d" + fi + ((RETRY--)) + sleep 7 + fi + done + fi + + # Run our ldap.sh script inside the ldap container + # This imports the inital LDAP configuration + docker exec -it ldap /root/ldap.sh &> /dev/null + [ $? -ne 0 ] && fail "Couldn't run ldap.sh inside ldap container" + + kill -9 $SPINPID &> /dev/null + echo -ne "done." +} diff --git a/fstack/lib/mail.sh b/fstack/lib/mail.sh new file mode 100644 index 0000000..9914ce0 --- /dev/null +++ b/fstack/lib/mail.sh 
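Review bot: LDAPADMINPASS in config_ldap is an unsalted `{SHA}` SHA-1 digest of the admin password, which is cheap to brute-force offline if the generated LDIF (its body is not visible on this page) or the directory data is ever read. `$ADMINPASS` is also unquoted in `echo -n $ADMINPASS`, so a password containing spaces or glob characters is hashed as something other than what was typed. Prefer a salted scheme produced by the server's own tooling (for example `slappasswd` inside the container, if the image ships it) and feed the value with `printf '%s' "$ADMINPASS"`. In start_ldap the debug-branch failure message names fstack/dns where it should say fstack/ldap.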
@@ -0,0 +1,200 @@ +#!/bin/bash +# +# Federated Stack Mail + +PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + +config_mail() { + echo -ne "\n* Configuring fstack/mail container.." + spin & + SPINPID=$! + + if [ ! -d "fstack/mail" ]; then + mkdir -p fstack/mail/data/root/certs &> /dev/null + mkdir -p fstack/mail/data/var/mail &> /dev/null + mkdir -p fstack/mail/data/var/mail-state &> /dev/null + mkdir -p fstack/mail/data/var/log/mail &> /dev/null + mkdir -p fstack/mail/data/tmp/docker-mailserver &> /dev/null + mkdir -p fstack/mail/data/etc/apache2/sites-enabled &> /dev/null + cp -rf fstack/dns/data/etc/letsencrypt/archive/$DOMAIN/*.pem fstack/mail/data/root/certs/ + fi + +# DOMAIN_ARRAY=(${DOMAIN//./ }) +# DOMAIN_FIRST=${DOMAIN_ARRAY[0]} +# DOMAIN_LAST=${DOMAIN_ARRAY[1]} + +cat > fstack/mail/docker-compose.yml < fstack/mail/data/etc/apache2/sites-enabled/000-default.conf <<'EOF' +LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so + + + ServerAdmin admin@localhost + DocumentRoot /var/www/html + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + + + SSLEngine on + SSLCertificateFile /root/certs/fullchain1.pem + SSLCertificateKeyFile /root/certs/privkey1.pem + + ServerAdmin admin@localhost + DocumentRoot /var/www/html + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + +EOF + + kill -9 $SPINPID &> /dev/null + echo -ne "done." +} + +start_mail() { + echo -ne "\n* Starting fstack/mail service.." + spin & + SPINPID=$! + + if [ $DEBUG ]; then + # Start fstack/mail with output to console for debug + docker-compose -f fstack/mail/docker-compose.yml -p mail up + [ $? 
-eq 0 ] && echo -ne "done.\n" || fail "There was a problem starting service fstack/mail" + else + docker-compose -f fstack/mail/docker-compose.yml -p mail up -d &> /dev/null + + # Keep trying mail port 25 to make sure it's up + # before we proceed + RETRY="23" + while [ $RETRY -gt 0 ]; do + nc -z 172.99.0.13 25 &> /dev/null + if [ $? -eq 0 ]; then + break + else + if [ "$RETRY" == 1 ]; then + docker-compose -f fstack/mail/docker-compose.yml -p mail down &> /dev/null + kill -9 $SPINPID &> /dev/null + fail "There was a problem starting service fstack/mail\nCheck the output of 'docker logs mail' or turn on\ndebug with -d" + fi + ((RETRY--)) + sleep 7 + fi + done + fi + + # Generate the DKIM DNS key + docker exec -it mail setup config dkim keysize 2048 domain $DOMAIN &> /dev/null + [ $? -ne 0 ] && fail "Couldn't generate DKIM record" + + # Insert the DKIM DNS TXT entry into fstack/dns container + cat fstack/mail/data/tmp/docker-mailserver/opendkim/keys/$DOMAIN/mail.txt >> fstack/dns/data/etc/bind/zones/$DOMAIN + [ $? -ne 0 ] && fail "Couldn't insert DKIM record into fstack/dns container" + + # Insert the DMARC DNS TXT entry into fstack/dns container + echo "_dmarc.$DOMAIN. IN TXT \"v=DMARC1; p=none; rua=mailto:admin@$DOMAIN; ruf=mailto:admin@$DOMAIN; sp=none; ri=86400\"" >> fstack/dns/data/etc/bind/zones/$DOMAIN + [ $? -ne 0 ] && fail "Couldn't insert DMARC record into fstack/dns container" + + # Reload DNS configuration in fstack/dns container + docker exec -it dns rndc reload $DOMAIN &> /dev/null + [ $? -ne 0 ] && fail "Couldn't run rndc reload DOMAIN on fstack/dns container" + + docker exec -it dns rndc reload &> /dev/null + [ $? -ne 0 ] && fail "Couldn't run rndc reload on fstack/dns container" + + kill -9 $SPINPID &> /dev/null + echo -ne "done." +} diff --git a/fstack/lib/network.sh b/fstack/lib/network.sh new file mode 100644 index 0000000..0ad0963 --- /dev/null +++ b/fstack/lib/network.sh 
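Review bot: config_mail copies `archive/$DOMAIN/*.pem`, private key included, into fstack/mail only when that directory does not yet exist, and the Apache vhost is hard-wired to `fullchain1.pem` and `privkey1.pem`, so certificates renewed by the certbot job in the dns container never reach this service and it keeps serving the first certificate until it expires. Reference `live/$DOMAIN/fullchain.pem` and `privkey.pem` through a read-only mount of the dns container's letsencrypt directory, or re-copy after each renewal. The copied key inherits the caller's umask; an explicit `chmod 600 fstack/mail/data/root/certs/privkey*.pem` would state the intended permissions. In start_mail the DMARC record is published with `p=none; sp=none`, which only reports and does not protect the domain; a comment saying it is to be tightened after rollout would help.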
@@ -0,0 +1,17 @@
+#!/bin/bash
+#
+# Federated Stack Network
+
+PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+config_network() {
+ echo -ne "\n* Configuring federated network.."
+ spin &
+ SPINPID=$!
+
+ docker network create --subnet 172.99.0.0/16 fstack &> /dev/null
+ [ $? -ne 0 ] && fail "Couldn't run docker network create"
+
+ echo -ne "done."
+ kill -9 $SPINPID &> /dev/null
+}
diff --git a/fstack/lib/nextcloud.sh b/fstack/lib/nextcloud.sh
new file mode 100644
index 0000000..20ee447
--- /dev/null
+++ b/fstack/lib/nextcloud.sh
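Review bot: The `--subnet 172.99.0.0/16` in config_network lies outside the RFC 1918 block 172.16.0.0/12 (172.16 through 172.31), so the bridge claims publicly routable address space and the host will route traffic for any real host in that range into the Docker network. Use a range inside private space, e.g. `docker network create --subnet 172.30.0.0/16 fstack`, and keep the fixed container addresses in the other lib files in step with it. The function also fails on a re-run when the network already exists, because `docker network create` then returns non-zero; testing `docker network inspect fstack` first would make it idempotent.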
@@ -0,0 +1,145 @@ +#!/bin/bash +# +# Federated Stack NextCloud + +PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + +config_nextcloud() { + echo -ne "\n* Configuring fstack/nextcloud container.." + spin & + SPINPID=$! + +# if [ ! -d "fstack/nextcloud" ]; then + mkdir -p fstack/nextcloud/data/root/certs &> /dev/null + mkdir -p fstack/nextcloud/data/var/www/html &> /dev/null + cp -rf fstack/dns/data/etc/letsencrypt/archive/$DOMAIN/*.pem fstack/nextcloud/data/root/certs/ +# fi + + DOMAIN_ARRAY=(${DOMAIN//./ }) + DOMAIN_FIRST=${DOMAIN_ARRAY[0]} + DOMAIN_LAST=${DOMAIN_ARRAY[1]} + +cat > fstack/nextcloud/docker-compose.yml < fstack/nextcloud/data/root/nextcloud.sh < /dev/null + echo -ne "done." +} + +start_nextcloud() { + echo -ne "\n* Starting fstack/nextcloud service.." + spin & + SPINPID=$! + + if [ $DEBUG ]; then + # Start fstack/nextcloud with output to console for debug + docker-compose -f fstack/nextcloud/docker-compose.yml -p nextcloud up + [ $? -eq 0 ] && echo -ne "done.\n" || fail "There was a problem starting service fstack/nextcloud" + else + docker-compose -f fstack/nextcloud/docker-compose.yml -p nextcloud up -d &> /dev/null + + # Keep trying nextcloud port 8000 to make sure it's up + # before we proceed + RETRY="23" + while [ $RETRY -gt 0 ]; do + nc -z 172.99.0.15 80 &> /dev/null + if [ $? -eq 0 ]; then + break + else + if [ "$RETRY" == 1 ]; then + docker-compose -f fstack/nextcloud/docker-compose.yml -p nextcloud down &> /dev/null + kill -9 $SPINPID &> /dev/null + fail "There was a problem starting service fstack/nextcloud\nCheck the output of 'docker logs nextcloud' or turn on\ndebug with -d" + fi + ((RETRY--)) + sleep 7 + fi + done + fi + + # Set nextcloud.sh executable + docker exec -it nextcloud mv /root/nextcloud.sh /var/www/html/ + docker exec -it nextcloud chown www-data:root /var/www/html/nextcloud.sh + docker exec -it nextcloud chmod 755 /var/www/html/nextcloud.sh + [ $? 
-ne 0 ] && fail "Couldn't chown nextcloud.sh in fstack/nextcloud container" + + # Run nextcloud.sh - Setup LDAP, configuration for nextcloud + docker exec -it -u 33 nextcloud /var/www/html/nextcloud.sh &> /dev/null + [ $? -ne 0 ] && fail "Couldn't run nextcloud.sh inside fstack/nextcloud container" + + kill -9 $SPINPID &> /dev/null + echo -ne "done." +} diff --git a/install-federated.sh b/install-federated.sh new file mode 100755 index 0000000..17e8363 --- /dev/null +++ b/install-federated.sh 
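Review bot: start_nextcloud moves nextcloud.sh into `/var/www/html/` with mode 755 and never removes it, which leaves a setup script in what is the document root of the stock Nextcloud image; the script body is not visible on this page, but if it carries LDAP or admin credentials they may be retrievable over HTTP. Run it from a path outside the web root, or delete it once it has run, e.g. `docker exec nextcloud rm -f /var/www/html/nextcloud.sh`. The single `[ $? -ne 0 ]` after the three `docker exec` calls only tests the `chmod`, so a failed `mv` or `chown` goes unnoticed. The wait-loop comment says port 8000 while the probe is `nc -z 172.99.0.15 80`.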
@@ -0,0 +1,102 @@ +#!/bin/bash +# +# Federated Stack installation script + +PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +trap cleanup `seq 0 15` + +cleanup() { + kill -9 $SPINPID &> /dev/null + exit 2 +} +spin() { + spinner="/|\\-/|\\-" + while : + do + for i in `seq 0 7` + do + echo -n "${spinner:$i:1}" + echo -en "\010" + sleep 1 + done + done +} +fail() { + echo -ne "FAILED\n\n$1\n\n" + kill -9 $SPINPID &> /dev/null +# [ -d "fstack/dns" ] && rm -rf fstack/dns +# docker network rm fstack &> /dev/null + exit 2; +} +failcheck() { + echo -ne "\n\nFAILED - $1\n\n" + exit 2; +} +get_config() { +# FSTACKURL="http://137.184.95.3:8000" +# [ ! -d "fstack/lib" ] && mkdir -p fstack/lib + + # Download each library file +# for i in checks network dns ldap mail; do +# if [ ! -f "fstack/lib/$i.sh" ]; then +# curl $FSTACKURL/$i.sh -o fstack/lib/$i.sh -s -f &> /dev/null +# [ $? -ne 0 ] && failcheck "Couldn't download $i.sh" +# fi +# done + + . fstack/lib/checks.sh + . fstack/lib/network.sh + . fstack/lib/dns.sh + . fstack/lib/ldap.sh + . fstack/lib/mail.sh + . fstack/lib/nextcloud.sh + + echo -ne "\nFederated Stack install script\n\n" + read -p '* Enter domain name (domain.com): ' DOMAIN + read -p '* Enter company name (Domain Company): ' COMPANY + read -sp '* Enter admin password to use for initial login: ' ADMINPASS + [ -z "$DOMAIN" ] && failcheck "Must enter a domain name" + [ -z "$COMPANY" ] && failcheck "Must enter a company name" + [ -z "$ADMINPASS" ] && failcheck "Must enter a admin password" +} + +while getopts d OPTION; do + case "$OPTION" in + d) DEBUG=ON;; + esac +done + +# Download lib scripts and take in setup variables +get_config + +echo -ne "\n\nStarting Federated install for $DOMAIN\n" + +# Check that we have docker installed. 
Check that +# we have all ports available and ont in use +check_docker +check_ports + +# Configure docker private network +config_network + +# Configure fstack/dns container and start it +config_dns +start_dns + +# Configure fstack/ldap container and start it +config_ldap +start_ldap + +# Configure fstack/mail container and start it +config_mail +start_mail + +# Configure fstack/nextcloud container and start it +config_nextcloud +start_nextcloud + +# Print out fstack environment details +echo -ne "\n\nInstall completed successfully.\n\n" +echo -ne "Certificates at fstack/dns/data/etc/letsencrypt/archive/$DOMAIN\n" +echo -ne "Webmail is at http://www.$DOMAIN:9002\n" +echo -ne "Login user: admin Password: Provided at start\n"
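Review bot: DOMAIN, COMPANY and ADMINPASS are taken in get_config with `read` without `-r` and only checked for emptiness, yet the lib files interpolate `$DOMAIN` unquoted into file paths, zone files and `docker exec` arguments. Validate the shape before continuing, e.g. `[[ "$DOMAIN" =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]] || failcheck "Invalid domain name"`, and switch the prompts to `read -r`. The `trap cleanup` line built from `seq 0 15` also registers signal 0 (EXIT), so cleanup's `exit 2` replaces the status of a successful install, and signal 9 cannot be trapped; `trap cleanup INT TERM HUP` would avoid both. The closing summary prints the webmail address as `http://`, so the first admin login would travel unencrypted unless that port redirects.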