copied over install scripts to adapt

Install_Scripts/debian/install.sh

@@ -0,0 +1,61 @@
+#!/bin/sh
+
+#move to script directory so all relative paths work
+cd "$(dirname "$0")"
+
+#includes
+. ./resources/config.sh
+. ./resources/colors.sh
+. ./resources/environment.sh
+
+# removes the cd img from the /etc/apt/sources.list file (not needed after base install)
+sed -i '/cdrom:/d' /etc/apt/sources.list
+
+#Update to latest packages
+verbose "Update installed packages"
+apt-get update && apt-get upgrade -y
+
+#Add dependencies
+apt-get install -y wget
+apt-get install -y lsb-release
+apt-get install -y systemd
+apt-get install -y systemd-sysv
+apt-get install -y ca-certificates
+apt-get install -y dialog
+apt-get install -y nano
+apt-get install -y net-tools
+
+#SNMP
+apt-get install -y snmpd
+echo "rocommunity public" > /etc/snmp/snmpd.conf
+service snmpd restart
+
+#IPTables
+resources/iptables.sh
+
+#sngrep
+resources/sngrep.sh
+
+#FusionPBX
+resources/fusionpbx.sh
+
+#PHP
+resources/php.sh
+
+#NGINX web server
+resources/nginx.sh
+
+#FreeSWITCH
+resources/switch.sh
+
+#Fail2ban
+resources/fail2ban.sh
+
+#Postgres
+resources/postgresql.sh
+
+#set the ip address
+server_address=$(hostname -I)
+
+#add the database schema, user and groups
+resources/finish.sh

Install_Scripts/debian/pre-install.sh

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+#upgrade the packages
+apt-get update && apt-get upgrade -y
+
+#install packages
+apt-get install -y git lsb-release
+
+#get the install script
+cd /usr/src && git clone https://github.com/fusionpbx/fusionpbx-install.sh.git
+
+#change the working directory
+cd /usr/src/fusionpbx-install.sh/debian

Install_Scripts/debian/resources/arguments.sh

@@ -0,0 +1,48 @@
+#!/bin/sh
+
+#Process command line options only if we haven't been processed once
+if [ -z "$CPU_CHECK" ]; then
+	export script_name=`basename "$0"`
+	ARGS=$(getopt -n '$script_name' -o h -l help,use-switch-source,use-switch-package-all,use-switch-master,use-switch-package-unofficial-arm,use-php5-package,use-system-master,no-cpu-check -- "$@")
+	
+	if [ $? -ne 0 ]; then
+		error "Failed parsing options."
+		exit 1
+	fi
+	
+	export USE_SWITCH_SOURCE=false
+	export USE_SWITCH_PACKAGE_ALL=false
+	export USE_SWITCH_PACKAGE_UNOFFICIAL_ARM=false
+	export USE_PHP5_PACKAGE=false
+	export USE_SWITCH_MASTER=false
+	export USE_SYSTEM_MASTER=false
+	export CPU_CHECK=true
+	HELP=false
+	
+	while true; do
+	  case "$1" in
+		--use-switch-source ) export USE_SWITCH_SOURCE=true; shift ;;
+		--use-switch-package-all ) export USE_SWITCH_PACKAGE_ALL=true; shift ;;
+		--use-switch-master ) export USE_SWITCH_MASTER=true; shift ;;
+		--use-system-master ) export USE_SYSTEM_MASTER=true; shift ;;
+		--use-php5-package ) export USE_PHP5_PACKAGE=true; shift ;;
+		--use-switch-package-unofficial-arm ) export USE_SWITCH_PACKAGE_UNOFFICIAL_ARM=true; export USE_PHP5_PACKAGE=true; shift ;;
+		--no-cpu-check ) export CPU_CHECK=false; shift ;;
+		-h | --help ) HELP=true; shift ;;
+		-- ) shift; break ;;
+		* ) break ;;
+	  esac
+	done
+	
+	if [ .$HELP = .true ]; then
+		warning "Debian installer script"
+		warning "	--use-switch-source will use freeswitch from source rather than ${green}(default:packages)"
+		warning "	--use-switch-package-all if using packages use the meta-all package"
+		warning "	--use-switch-package-unofficial-arm if your system is arm and you are using packages, use the unofficial arm repo and force php5* packages"
+		warning "	--use-php5-package use php5* packages instead of ${green}(default:php7.0)"
+		warning "	--use-switch-master will use master branch/packages for the switch instead of ${green}(default:stable)"
+		warning "	--use-system-master will use master branch/packages for the system instead of ${green}(default:stable)"
+		warning "	--no-cpu-check disable the cpu check ${green}(default:check)"
+		exit;
+	fi
+fi

Install_Scripts/debian/resources/backup/fusionpbx-backup

@@ -0,0 +1,27 @@
+#!/bin/sh
+
+export PGPASSWORD="zzz"
+db_host=127.0.0.1
+db_port=5432
+
+now=$(date +%Y-%m-%d)
+mkdir -p /var/backups/fusionpbx/postgresql
+
+echo "Backup Started"
+
+#delete postgres backups
+find /var/backups/fusionpbx/postgresql/fusionpbx_pgsql* -mtime +4 -exec rm -f {} \;
+
+#delete the main backup
+find /var/backups/fusionpbx/*.tgz -mtime +2 -exec rm -f {} \;
+
+#backup the database
+pg_dump --verbose -Fc --host=$db_host --port=$db_port -U fusionpbx fusionpbx --schema=public -f /var/backups/fusionpbx/postgresql/fusionpbx_pgsql_$now.sql
+
+#package
+#tar --exclude='/var/lib/freeswitch/recordings/*/archive' -zvcf /var/backups/fusionpbx/backup_$now.tgz /var/backups/fusionpbx/postgresql/fusionpbx_pgsql_$now.sql /var/www/fusionpbx /usr/share/freeswitch/scripts /var/lib/freeswitch/storage /var/lib/freeswitch/recordings /etc/fusionpbx /etc/freeswitch /usr/share/freeswitch/sounds/music/
+
+#source
+#tar -zvcf /var/backups/fusionpbx/backup_$now.tgz /var/backups/fusionpbx/postgresql/fusionpbx_pgsql_$now.sql /var/www/fusionpbx /usr/local/freeswitch/scripts /usr/local/freeswitch/storage /usr/local/freeswitch/recordings /etc/fusionpbx /usr/local/freeswitch/conf /usr/local/freeswitch/sounds/music/
+
+echo "Backup Completed"

Install_Scripts/debian/resources/backup/fusionpbx-maintenance

@@ -0,0 +1,137 @@
+#!/bin/sh
+
+#settings
+export PGPASSWORD="zzz"
+db_host=127.0.0.1
+db_port=5432
+switch_package=true # true or false
+
+purge_voicemail=false
+purge_call_recordings=false
+purge_cdrs=false
+purge_fax=false
+purge_switch_logs=true
+purge_php_sessions=true
+purge_database_transactions=true
+purge_email_queue=false
+purge_fax_queue=true
+
+days_keep_voicemail=90
+days_keep_call_recordings=90
+days_keep_cdrs=90
+days_keep_fax=90
+days_keep_switch_logs=7
+days_keep_php_sessions=8
+days_keep_database_transactions=30
+days_keep_email_queue=30
+days_keep_fax_queue=30
+
+#set the date
+now=$(date +%Y-%m-%d)
+
+#make sure the directory exists
+if [ -e /var/backups/fusionpbx/postgresql ]; then
+	echo "postgres backup directory exists"
+else
+	mkdir -p /var/backups/fusionpbx/postgresql
+fi
+
+#show message to the console
+echo "Maintenance Started"
+
+if [ .$purge_switch_logs = .true ]; then
+	#delete freeswitch logs older 7 days
+	if [ .$switch_package = .true ]; then
+		find /var/log/freeswitch/freeswitch.log.* -mtime +$days_keep_switch_logs -exec rm {} \;
+	else
+		find /usr/local/freeswitch/log/freeswitch.log.* -mtime +$days_keep_switch_logs -exec rm {} \;
+	fi
+else
+	echo "not purging Freeswitch logs"
+fi
+
+if [ .$purge_fax = .true ]; then
+	#delete fax older than 90 days
+	if [ .$switch_package = .true ]; then
+		echo ".";
+		find /var/lib/freeswitch/storage/fax/*  -name '*.tif' -mtime +$days_keep_fax -exec rm {} \;
+		find /var/lib/freeswitch/storage/fax/*  -name '*.pdf' -mtime +$days_keep_fax -exec rm {} \;
+	else
+		echo ".";
+		find /usr/local/freeswitch/storage/fax/*  -name '*.tif' -mtime +$days_keep_fax -exec rm {} \;
+		find /usr/local/freeswitch/storage/fax/*  -name '*.pdf' -mtime +$days_keep_fax -exec rm {} \;
+	fi
+	#delete from the database
+	psql --host=127.0.0.1 --username=fusionpbx -c "delete from v_fax_files WHERE fax_date < NOW() - INTERVAL '$days_keep_fax days'"
+	psql --host=127.0.0.1 --username=fusionpbx -c "delete from v_fax_logs WHERE fax_date < NOW() - INTERVAL '$days_keep_fax days'"
+else
+	echo "not purging Faxes"
+fi
+
+if [ .$purge_call_recordings = .true ]; then
+	#delete call recordings older than 90 days
+	if [ .$switch_package = .true ]; then
+		find /var/lib/freeswitch/recordings/*/archive/*  -name '*.wav' -mtime +$days_keep_call_recordings -exec rm {} \;
+		find /var/lib/freeswitch/recordings/*/archive/*  -name '*.mp3' -mtime +$days_keep_call_recordings -exec rm {} \;
+	else
+		find /usr/local/freeswitch/recordings/*/archive/*  -name '*.wav' -mtime +$days_keep_call_recordings -exec rm {} \;
+		find /usr/local/freeswitch/recordings/*/archive/*  -name '*.mp3' -mtime +$days_keep_call_recordings -exec rm {} \;
+	fi
+	psql --host=127.0.0.1 --username=fusionpbx -c "delete from v_call_recordings WHERE call_recording_date < NOW() - INTERVAL '90 days'"
+else
+	echo "not purging Recordings."
+fi
+
+if [ .$purge_voicemail = .true ]; then
+	#delete voicemail older than 90 days
+	if [ .$switch_package = .true ]; then
+		echo ".";
+		find /var/lib/freeswitch/storage/voicemail/default/*  -name 'msg_*.wav' -mtime +$days_keep_voicemail -exec rm {} \;
+		find /var/lib/freeswitch/storage/voicemail/default/*  -name 'msg_*.mp3' -mtime +$days_keep_voicemail -exec rm {} \;
+	else
+		echo ".";
+		find /usr/local/freeswitch/storage/voicemail/*  -name 'msg_*.wav' -mtime +$days_keep_voicemail -exec rm {} \;
+		find /usr/local/freeswitch/storage/voicemail/*  -name 'msg_*.mp3' -mtime +$days_keep_voicemail -exec rm {} \;
+	fi
+	psql --host=127.0.0.1 --username=fusionpbx -c "delete from v_voicemail_messages WHERE to_timestamp(created_epoch) < NOW() - INTERVAL '$days_keep_voicemail days'"
+else
+	echo "not purging voicemails."
+fi
+
+if [ .$purge_cdrs = .true ]; then
+	#delete call detail records older 90 days
+	psql --host=127.0.0.1 --username=fusionpbx -c "delete from v_xml_cdr WHERE start_stamp < NOW() - INTERVAL '$days_keep_cdrs days'"
+else
+        echo "not purging CDRs."
+fi
+
+#delete php sessions
+if [ .$purge_php_sessions = .true ]; then
+	find /var/lib/php/sessions/*  -name 'sess_*' -mtime +$days_keep_php_sessions -exec rm {} \;
+else
+        echo "not purging PHP Sessions."
+fi
+
+#delete database_transactions older 90 days
+if [ .$purge_database_transactions = .true ]; then
+	psql --host=127.0.0.1 --username=fusionpbx -c "delete from v_database_transactions where transaction_date < NOW() - INTERVAL '$days_keep_database_transactions days'"
+else
+        echo "not purging database_transactions."
+fi
+
+#delete email_queue older 30 days
+if [ .$purge_email_queue = .true ]; then
+	psql --host=127.0.0.1 --username=fusionpbx -c "delete from v_email_queue where email_status = 'sent' and email_date < NOW() - INTERVAL '$days_keep_email_queue days'"
+else
+        echo "not purging email_queue."
+fi
+
+#delete fax_queue older 30 days
+if [ .$purge_fax_queue = .true ]; then
+	psql --host=127.0.0.1 --username=fusionpbx -c "delete from v_fax_queue where fax_status = 'sent' and fax_date < NOW() - INTERVAL '$days_keep_fax_queue days'"
+else
+        echo "not purging fax_queue."
+fi
+
+#completed message
+echo "Maintenance Completed";

Install_Scripts/debian/resources/colors.sh

@@ -0,0 +1,25 @@
+#!/bin/sh
+
+verbose () {
+	echo "${green}$1${normal}"
+}
+error () {
+	echo "${red}$1${normal}"
+	}
+warning () {
+	echo "${yellow}$1${normal}"
+}
+
+# check for color support
+if test -t 1; then
+
+    # see if it supports colors...
+    ncolors=$(tput colors)
+
+    if test -n "$ncolors" && test $ncolors -ge 8; then
+        normal="$(tput sgr0)"
+        red="$(tput setaf 1)"
+        green="$(tput setaf 2)"
+        yellow="$(tput setaf 3)"
+    fi
+fi

Install_Scripts/debian/resources/config.sh

@@ -0,0 +1,29 @@
+
+# FusionPBX Settings
+domain_name=ip_address                      # hostname, ip_address or a custom value
+system_username=admin                       # default username admin
+system_password=random                      # random or a custom value
+system_branch=master                        # master, stable
+
+# FreeSWITCH Settings
+switch_branch=stable                        # master, stable
+switch_source=true                          # true (source compile) or false (binary package)
+switch_package=false                        # true (binary package) or false (source compile)
+switch_version=1.10.7                       # which source code to download, only for source
+switch_tls=true                             # true or false
+switch_token=                               # Get the auth token from https://signalwire.com
+                                            # Signup or Login -> Profile -> Personal Auth Token
+# Sofia-Sip Settings
+sofia_version=1.13.8                        # release-version for sofia-sip to use
+
+# Database Settings
+database_password=random                    # random or a custom value (safe characters A-Z, a-z, 0-9)
+database_repo=official                      # PostgreSQL official, system, 2ndquadrant
+database_version=latest                     # requires repo official
+database_host=127.0.0.1                     # hostname or IP address
+database_port=5432                          # port number
+database_backup=false                       # true or false
+
+# General Settings
+php_version=7.4                             # PHP version 7.1, 7.3, 7.4
+letsencrypt_folder=true                     # true or false

Install_Scripts/debian/resources/environment.sh

@@ -0,0 +1,103 @@
+#!/bin/sh
+
+#make sure lsb release is installed
+apt-get install lsb-release
+
+#operating system details
+os_name=$(lsb_release -is)
+os_codename=$(lsb_release -cs)
+os_mode='unknown'
+
+#cpu details
+cpu_name=$(uname -m)
+cpu_architecture='unknown'
+cpu_mode='unknown'
+
+#set the environment path
+export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+#check what the CPU and OS are
+if [ .$cpu_name = .'armv6l' ]; then
+	# RaspberryPi Zero
+	os_mode='32'
+	cpu_mode='32'
+	cpu_architecture='arm'
+elif [ .$cpu_name = .'armv7l' ]; then
+	# RaspberryPi 3 is actually armv8l but current Raspbian reports the cpu as armv7l and no Raspbian 64Bit has been released at this time
+	os_mode='32'
+	cpu_mode='32'
+	cpu_architecture='arm'
+elif [ .$cpu_name = .'armv8l' ]; then
+	# No test case for armv8l
+	os_mode='unknown'
+	cpu_mode='64'
+	cpu_architecture='arm'
+elif [ .$cpu_name = .'aarch64' ]; then
+	os_mode='64'
+	cpu_mode='64'
+	cpu_architecture='arm'
+elif [ .$cpu_name = .'i386' ]; then
+	os_mode='32'
+	if [ .$(grep -o -w 'lm' /proc/cpuinfo | head -n 1) = .'lm' ]; then
+		cpu_mode='64'
+	else
+		cpu_mode='32'
+	fi
+	cpu_architecture='x86'
+elif [ .$cpu_name = .'i686' ]; then
+	os_mode='32'
+	if [ .$(grep -o -w 'lm' /proc/cpuinfo | head -n 1) = .'lm' ]; then
+		cpu_mode='64'
+	else
+		cpu_mode='32'
+	fi
+	cpu_architecture='x86'
+elif [ .$cpu_name = .'x86_64' ]; then
+	os_mode='64'
+	if [ .$(grep -o -w 'lm' /proc/cpuinfo | head -n 1) = .'lm' ]; then
+		cpu_mode='64'
+	else
+		cpu_mode='32'
+	fi
+	cpu_architecture='x86'
+else
+	error "You are using an unsupported cpu '$cpu_name'"
+	exit 3
+fi
+
+if [ .$cpu_architecture = .'arm' ]; then
+	if [ .$os_mode = .'32' ]; then
+		verbose "Correct CPU and Operating System detected, using the ARM repo"
+	elif [ .$os_mode = .'64' ]; then
+		error "You are using a 64bit arm OS this is unsupported"
+		switch_source=true
+		switch_package=false
+	else
+		error "Unknown OS mode $os_mode this is unsupported"
+		switch_source=true
+		switch_package=false
+	fi
+elif [ .$cpu_architecture = .'x86' ]; then
+	if [ .$os_mode = .'32' ]; then
+		error "You are using a 32bit OS this is unsupported"
+		if [ .$cpu_mode = .'64' ]; then
+			warning " Your CPU is 64bit you should consider reinstalling with a 64bit OS"
+		fi
+		switch_source=true
+		switch_package=false
+	elif [ .$os_mode = .'64' ]; then
+		verbose "Correct CPU and Operating System detected"
+	else
+		error "Unknown Operating System mode '$os_mode' is unsupported"
+		switch_source=true
+		switch_package=false
+	fi
+else
+	error "You are using an unsupported architecture '$cpu_architecture'"
+	warning "Detected environment was :-"
+	warning "os_name:'$os_name'"
+	warning "os_codename:'$os_codename'"
+	warning "os_mode:'$os_mode'"
+	warning "cpu_name:'$cpu_name'"
+	exit 3
+fi

Install_Scripts/debian/resources/fail2ban.sh

@@ -0,0 +1,37 @@
+#!/bin/sh
+
+#move to script directory so all relative paths work
+cd "$(dirname "$0")"
+
+#includes
+. ./config.sh
+. ./colors.sh
+. ./environment.sh
+
+#send a message
+verbose "Installing Fail2ban"
+
+#add the dependencies
+apt-get install -y fail2ban
+
+#move the filters
+cp fail2ban/freeswitch.conf /etc/fail2ban/filter.d/freeswitch.conf
+cp fail2ban/freeswitch-acl.conf /etc/fail2ban/filter.d/freeswitch-acl.conf
+cp fail2ban/sip-auth-failure.conf /etc/fail2ban/filter.d/sip-auth-failure.conf
+cp fail2ban/sip-auth-challenge.conf /etc/fail2ban/filter.d/sip-auth-challenge.conf
+cp fail2ban/auth-challenge-ip.conf /etc/fail2ban/filter.d/auth-challenge-ip.conf
+cp fail2ban/freeswitch-ip.conf /etc/fail2ban/filter.d/freeswitch-ip.conf
+cp fail2ban/fusionpbx.conf /etc/fail2ban/filter.d/fusionpbx.conf
+cp fail2ban/fusionpbx-mac.conf /etc/fail2ban/filter.d/fusionpbx-mac.conf
+cp fail2ban/fusionpbx-404.conf /etc/fail2ban/filter.d/fusionpbx-404.conf
+cp fail2ban/nginx-404.conf /etc/fail2ban/filter.d/nginx-404.conf
+cp fail2ban/nginx-dos.conf /etc/fail2ban/filter.d/nginx-dos.conf
+cp fail2ban/jail.local /etc/fail2ban/jail.local
+
+#update config if source is being used
+#if [ .$switch_source = .true ]; then
+#	sed 's#var/log/freeswitch#usr/local/freeswitch/log#g' -i /etc/fail2ban/jail.local
+#fi
+
+#restart fail2ban
+/usr/sbin/service fail2ban restart

Install_Scripts/debian/resources/fail2ban/auth-challenge-ip.conf

@@ -0,0 +1,21 @@
+# Fail2Ban configuration file
+#
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+#[WARNING] sofia_reg.c:1792 SIP auth challenge (INVITE) on sofia profile 'internal' for [+972592277524@xxx.xxx.xxx.xxx] from ip 209.160.120.12 
+failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth challenge \((INVITE|REGISTER)\) on sofia profile \'.*\' for \[.*@\d+.\d+.\d+.\d+\] from ip <HOST>
+
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =

Install_Scripts/debian/resources/fail2ban/freeswitch-acl.conf

@@ -0,0 +1,20 @@
+# Fail2Ban configuration file
+#
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+#2021-02-03 16:27:57.292697 [WARNING] sofia_reg.c:2353 IP 62.210.78.91 Rejected by register acl "domains"
+failregex = \[WARNING\] sofia_reg.c:\d+ IP <HOST> Rejected by register acl
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =

Install_Scripts/debian/resources/fail2ban/freeswitch-ip.conf

@@ -0,0 +1,20 @@
+# Fail2Ban configuration file
+#
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+#2014-12-01 00:47:54.331821 [WARNING] sofia_reg.c:2752 Can't find user [1000@xxx.xxx.xxx.xxx] from 62.210.151.162
+failregex = \[WARNING\] sofia_reg.c:\d+ Can't find user \[.*@\d+.\d+.\d+.\d+\] from <HOST>
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =

Install_Scripts/debian/resources/fail2ban/freeswitch.conf

@@ -0,0 +1,18 @@
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\) on sofia profile \'.*\' for \[.*\] from ip <HOST>
+            \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(INVITE\) on sofia profile \'.*\' for \[.*\] from ip <HOST>
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =
+

Install_Scripts/debian/resources/fail2ban/fusionpbx-404.conf

@@ -0,0 +1,27 @@
+# Fail2Ban configuration file
+# inbound route - 404 not found
+
+
+[Definition]
+
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+#failregex = [hostname] FusionPBX: \[<HOST>\] authentication failed
+#[hostname] variable doesn't seem to work in every case. Do this instead:
+failregex = 404 not found <HOST>
+
+
+#EXECUTE sofia/external/8888888888888@example.fusionpbx.com log([inbound routes] 404 not found 82.68.115.62)
+
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =

Install_Scripts/debian/resources/fail2ban/fusionpbx-mac.conf

@@ -0,0 +1,20 @@
+# Fail2Ban configuration file
+#
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+#Oct  9 02:56:16 m1 fusionpbx-provision[28628]: [10.0.0.1] invalid mac address 000000000000
+failregex = \[<HOST>\] invalid mac address 
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =

Install_Scripts/debian/resources/fail2ban/fusionpbx.conf

@@ -0,0 +1,25 @@
+# Fail2Ban configuration file
+#
+# Author: soapee01
+#
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+#failregex = [hostname] FusionPBX: \[<HOST>\] authentication failed
+#[hostname] variable doesn't seem to work in every case. Do this instead:
+failregex = .* FusionPBX: \[<HOST>\] authentication failed for
+          = .* FusionPBX: \[<HOST>\] provision attempt bad password for
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =
+

Install_Scripts/debian/resources/fail2ban/jail.local

@@ -0,0 +1,143 @@
+[ssh]
+enabled  = true
+port     = 22
+protocol = ssh
+filter   = sshd
+logpath  = /var/log/auth.log
+action   = iptables-allports[name=sshd, protocol=all]
+maxretry = 6
+findtime = 60
+bantime  = 86400
+
+[freeswitch]
+enabled  = false
+port     = 5060:5091
+protocol = all
+filter   = freeswitch
+logpath  = /var/log/freeswitch/freeswitch.log
+#logpath  = /usr/local/freeswitch/log/freeswitch.log
+action   = iptables-allports[name=freeswitch, protocol=all]
+maxretry = 10
+findtime = 60
+bantime  = 3600
+#          sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org] #no smtp server installed
+
+[freeswitch-acl]
+enabled  = false
+port     = 5060:5091
+protocol = all
+filter   = freeswitch-acl
+logpath  = /var/log/freeswitch/freeswitch.log
+#logpath  = /usr/local/freeswitch/log/freeswitch.log
+action   = iptables-allports[name=freeswitch-acl, protocol=all]
+maxretry = 900
+findtime = 60
+bantime  = 86400
+
+[freeswitch-ip]
+enabled  = false
+port     = 5060:5091
+protocol = all
+filter   = freeswitch-ip
+logpath  = /var/log/freeswitch/freeswitch.log
+#logpath  = /usr/local/freeswitch/log/freeswitch.log
+action   = iptables-allports[name=freeswitch-ip, protocol=all]
+maxretry = 1
+findtime = 60
+bantime  = 86400
+
+[auth-challenge-ip]
+enabled  = false
+port     = 5060:5091
+protocol = all
+filter   = auth-challenge-ip
+logpath  = /var/log/freeswitch/freeswitch.log
+#logpath  = /usr/local/freeswitch/log/freeswitch.log
+action   = iptables-allports[name=auth-challenge-ip, protocol=all]
+maxretry = 1
+findtime = 60
+bantime  = 86400
+
+[sip-auth-challenge]
+enabled  = false
+port     = 5060:5091
+protocol = all
+filter   = sip-auth-challenge
+logpath  = /var/log/freeswitch/freeswitch.log
+#logpath  = /usr/local/freeswitch/log/freeswitch.log
+action   = iptables-allports[name=sip-auth-challenge, protocol=all]
+maxretry = 100
+findtime = 60
+bantime  = 7200
+
+[sip-auth-failure]
+enabled  = false
+port     = 5060:5091
+protocol = all
+filter   = sip-auth-failure
+logpath  = /var/log/freeswitch/freeswitch.log
+#logpath  = /usr/local/freeswitch/log/freeswitch.log
+action   = iptables-allports[name=sip-auth-failure, protocol=all]
+maxretry = 6
+findtime = 60
+bantime  = 7200
+
+[fusionpbx-404]
+enabled  = false
+port     = 5060:5091
+protocol = all
+filter   = fusionpbx-404
+logpath  = /var/log/freeswitch/freeswitch.log
+#logpath  = /usr/local/freeswitch/log/freeswitch.log
+action   = iptables-allports[name=fusionpbx-404, protocol=all]
+maxretry = 6
+findtime = 60
+bantime  = 86400
+
+[fusionpbx]
+enabled  = true
+port     = 80,443
+protocol = tcp
+filter   = fusionpbx
+logpath  = /var/log/auth.log
+action   = iptables-allports[name=fusionpbx, protocol=all]
+#          sendmail-whois[name=fusionpbx, dest=root, sender=fail2ban@example.org] #no smtp server installed
+maxretry = 20
+findtime = 60
+bantime  = 3600
+
+[fusionpbx-mac]
+enabled  = true
+port     = 80,443
+protocol = tcp
+filter   = fusionpbx-mac
+logpath  = /var/log/syslog
+action   = iptables-allports[name=fusionpbx-mac, protocol=all]
+#          sendmail-whois[name=fusionpbx-mac, dest=root, sender=fail2ban@example.org] #no smtp server installed
+maxretry = 10
+findtime = 60
+bantime  = 86400
+
+[nginx-404]
+enabled  = true
+port     = 80,443
+protocol = tcp
+filter   = nginx-404
+logpath  = /var/log/nginx/access*.log
+action   = iptables-allports[name=nginx-404, protocol=all]
+bantime  = 3600
+findtime = 60
+maxretry = 300
+
+[nginx-dos]
+# Based on apache-badbots but a simple IP check (any IP requesting more than
+# 300 pages in 60 seconds, or 5p/s average, is suspicious)
+enabled  = true
+port     = 80,443
+protocol = tcp
+filter   = nginx-dos
+logpath  = /var/log/nginx/access*.log
+action   = iptables-allports[name=nginx-dos, protocol=all]
+findtime = 60
+bantime  = 86400
+maxretry = 800

Install_Scripts/debian/resources/fail2ban/nginx-404.conf

@@ -0,0 +1,5 @@
+# Fail2Ban configuration file
+#
+[Definition]
+failregex = <HOST> - - \[.*\] "(GET|POST).*HTTP[^ ]* 404
+ignoreregex =

Install_Scripts/debian/resources/fail2ban/nginx-dos.conf

@@ -0,0 +1,14 @@
+# Fail2Ban configuration file
+ 
+[Definition]
+# Option: failregex
+# Notes.: Regexp to catch a generic call from an IP address.
+# Values: TEXT
+#
+failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"$
+ 
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =

Install_Scripts/debian/resources/fail2ban/sip-auth-challenge.conf

@@ -0,0 +1,21 @@
+# Fail2Ban configuration file
+#
+# Author: soapee01
+#
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth challenge \(REGISTER\) on sofia profile \'.*\' for \[.*\] from ip <HOST>
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =

Install_Scripts/debian/resources/fail2ban/sip-auth-failure.conf

@@ -0,0 +1,21 @@
+# Fail2Ban configuration file
+#
+# Author: soapee01
+#
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\) on sofia profile \'.*\' for \[.*\] from ip <HOST>
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =

Install_Scripts/debian/resources/finish.sh

@@ -0,0 +1,145 @@
+#!/bin/sh
+
+#move to script directory so all relative paths work
+cd "$(dirname "$0")"
+
+#includes
+. ./config.sh
+. ./colors.sh
+
+#database details
+database_username=fusionpbx
+if [ .$database_password = .'random' ]; then
+	database_password=$(dd if=/dev/urandom bs=1 count=20 2>/dev/null | base64 | sed 's/[=\+//]//g')
+fi
+
+#allow the script to use the new password
+export PGPASSWORD=$database_password
+
+#update the database password
+#sudo -u postgres psql --host=$database_host --port=$database_port --username=$database_username -c "ALTER USER fusionpbx WITH PASSWORD '$database_password';"
+#sudo -u postgres psql --host=$database_host --port=$database_port --username=$database_username -c "ALTER USER freeswitch WITH PASSWORD '$database_password';"
+sudo -u postgres psql -c "ALTER USER fusionpbx WITH PASSWORD '$database_password';"
+sudo -u postgres psql -c "ALTER USER freeswitch WITH PASSWORD '$database_password';"
+
+#install the database backup
+cp backup/fusionpbx-backup /etc/cron.daily
+cp backup/fusionpbx-maintenance /etc/cron.daily
+chmod 755 /etc/cron.daily/fusionpbx-backup
+chmod 755 /etc/cron.daily/fusionpbx-maintenance
+sed -i "s/zzz/$database_password/g" /etc/cron.daily/fusionpbx-backup
+sed -i "s/zzz/$database_password/g" /etc/cron.daily/fusionpbx-maintenance
+
+#add the config.php
+mkdir -p /etc/fusionpbx
+chown -R www-data:www-data /etc/fusionpbx
+cp fusionpbx/config.php /etc/fusionpbx
+sed -i /etc/fusionpbx/config.php -e s:"{database_host}:$database_host:"
+sed -i /etc/fusionpbx/config.php -e s:'{database_username}:fusionpbx:'
+sed -i /etc/fusionpbx/config.php -e s:"{database_password}:$database_password:"
+
+#add the database schema
+cd /var/www/fusionpbx && php /var/www/fusionpbx/core/upgrade/upgrade_schema.php > /dev/null 2>&1
+
+#get the server hostname
+if [ .$domain_name = .'hostname' ]; then
+	domain_name=$(hostname -f)
+fi
+
+#get the ip address
+if [ .$domain_name = .'ip_address' ]; then
+	domain_name=$(hostname -I | cut -d ' ' -f1)
+fi
+
+#get the domain_uuid
+domain_uuid=$(/usr/bin/php /var/www/fusionpbx/resources/uuid.php);
+
+#add the domain name
+psql --host=$database_host --port=$database_port --username=$database_username -c "insert into v_domains (domain_uuid, domain_name, domain_enabled) values('$domain_uuid', '$domain_name', 'true');"
+
+#app defaults
+cd /var/www/fusionpbx && php /var/www/fusionpbx/core/upgrade/upgrade_domains.php
+
+#add the user
+user_uuid=$(/usr/bin/php /var/www/fusionpbx/resources/uuid.php);
+user_salt=$(/usr/bin/php /var/www/fusionpbx/resources/uuid.php);
+user_name=$system_username
+if [ .$system_password = .'random' ]; then
+	user_password=$(dd if=/dev/urandom bs=1 count=20 2>/dev/null | base64 | sed 's/[=\+//]//g')
+else
+	user_password=$system_password
+fi
+password_hash=$(php -r "echo md5('$user_salt$user_password');");
+psql --host=$database_host --port=$database_port --username=$database_username -t -c "insert into v_users (user_uuid, domain_uuid, username, password, salt, user_enabled) values('$user_uuid', '$domain_uuid', '$user_name', '$password_hash', '$user_salt', 'true');"
+
+#get the superadmin group_uuid
+#echo "psql --host=$database_host --port=$database_port --username=$database_username -qtAX -c \"select group_uuid from v_groups where group_name = 'superadmin';\""
+group_uuid=$(psql --host=$database_host --port=$database_port --username=$database_username -qtAX -c "select group_uuid from v_groups where group_name = 'superadmin';");
+
+#add the user to the group
+user_group_uuid=$(/usr/bin/php /var/www/fusionpbx/resources/uuid.php);
+group_name=superadmin
+#echo "insert into v_user_groups (user_group_uuid, domain_uuid, group_name, group_uuid, user_uuid) values('$user_group_uuid', '$domain_uuid', '$group_name', '$group_uuid', '$user_uuid');"
+psql --host=$database_host --port=$database_port --username=$database_username -c "insert into v_user_groups (user_group_uuid, domain_uuid, group_name, group_uuid, user_uuid) values('$user_group_uuid', '$domain_uuid', '$group_name', '$group_uuid', '$user_uuid');"
+
+#update xml_cdr url, user and password
+xml_cdr_username=$(dd if=/dev/urandom bs=1 count=20 2>/dev/null | base64 | sed 's/[=\+//]//g')
+xml_cdr_password=$(dd if=/dev/urandom bs=1 count=20 2>/dev/null | base64 | sed 's/[=\+//]//g')
+sed -i /etc/freeswitch/autoload_configs/xml_cdr.conf.xml -e s:"{v_http_protocol}:http:"
+sed -i /etc/freeswitch/autoload_configs/xml_cdr.conf.xml -e s:"{domain_name}:$database_host:"
+sed -i /etc/freeswitch/autoload_configs/xml_cdr.conf.xml -e s:"{v_project_path}::"
+sed -i /etc/freeswitch/autoload_configs/xml_cdr.conf.xml -e s:"{v_user}:$xml_cdr_username:"
+sed -i /etc/freeswitch/autoload_configs/xml_cdr.conf.xml -e s:"{v_pass}:$xml_cdr_password:"
+
+#app defaults
+cd /var/www/fusionpbx && php /var/www/fusionpbx/core/upgrade/upgrade.php
+
+#restart freeswitch
+/bin/systemctl daemon-reload
+/bin/systemctl restart freeswitch
+
+#install the email_queue service
+cp /var/www/fusionpbx/app/email_queue/resources/service/debian.service /etc/systemd/system/email_queue.service
+systemctl enable email_queue
+systemctl start email_queue
+systemctl daemon-reload
+
+#install the event_guard service
+cp /var/www/fusionpbx/app/event_guard/resources/service/debian.service /etc/systemd/system/event_guard.service
+/bin/systemctl enable event_guard
+/bin/systemctl start event_guard
+/bin/systemctl daemon-reload
+
+#welcome message
+echo ""
+echo ""
+verbose "Installation Notes. "
+echo ""
+echo "   Please save the this information and reboot this system to complete the install. "
+echo ""
+echo "   Use a web browser to login."
+echo "      domain name: https://$domain_name"
+echo "      username: $user_name"
+echo "      password: $user_password"
+echo ""
+echo "   The domain name in the browser is used by default as part of the authentication."
+echo "   If you need to login to a different domain then use username@domain."
+echo "      username: $user_name@$domain_name";
+echo ""
+echo "   Official FusionPBX Training"
+echo "      Fastest way to learn FusionPBX. For more information https://www.fusionpbx.com."
+echo "      Available online and in person. Includes documentation and recording."
+echo ""
+echo "      Location:               Online"
+echo "      Admin Training:          TBA"
+echo "      Advanced Training:       TBA"
+echo "      Continuing Education:   https://www.fusionpbx.com/training"
+echo "      Timezone:               https://www.timeanddate.com/weather/usa/idaho"
+echo ""
+echo "   Additional information."
+echo "      https://fusionpbx.com/members.php"
+echo "      https://fusionpbx.com/training.php"
+echo "      https://fusionpbx.com/support.php"
+echo "      https://www.fusionpbx.com"
+echo "      http://docs.fusionpbx.com"
+echo ""

Install_Scripts/debian/resources/fusionpbx.sh

@@ -0,0 +1,35 @@
+#!/bin/sh
+
+#move to script directory so all relative paths work
+cd "$(dirname "$0")"
+
+#includes
+. ./config.sh
+. ./colors.sh
+
+#send a message
+verbose "Installing FusionPBX"
+
+#install dependencies
+apt-get install -y vim git dbus haveged ssl-cert qrencode
+apt-get install -y ghostscript libtiff5-dev libtiff-tools at
+
+#get the branch
+if [ .$system_branch = .'master' ]; then
+	verbose "Using master"
+	branch=""
+else
+	system_major=$(git ls-remote --heads https://github.com/fusionpbx/fusionpbx.git | cut -d/ -f 3 | grep -P '^\d+\.\d+' | sort | tail -n 1 | cut -d. -f1)
+	system_minor=$(git ls-remote --tags https://github.com/fusionpbx/fusionpbx.git $system_major.* | cut -d/ -f3 |  grep -P '^\d+\.\d+' | sort | tail -n 1 | cut -d. -f2)
+	system_version=$system_major.$system_minor
+	verbose "Using version $system_version"
+	branch="-b $system_version"
+fi
+
+#add the cache directory
+mkdir -p /var/cache/fusionpbx
+chown -R www-data:www-data /var/cache/fusionpbx
+
+#get the source code
+git clone $branch https://github.com/fusionpbx/fusionpbx.git /var/www/fusionpbx
+chown -R www-data:www-data /var/www/fusionpbx

Install_Scripts/debian/resources/fusionpbx/config.php

@@ -0,0 +1,47 @@
+<?php
+/*
+	FusionPBX
+	Version: MPL 1.1
+
+	The contents of this file are subject to the Mozilla Public License Version
+	1.1 (the "License"); you may not use this file except in compliance with
+	the License. You may obtain a copy of the License at
+	http://www.mozilla.org/MPL/
+
+	Software distributed under the License is distributed on an "AS IS" basis,
+	WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+	for the specific language governing rights and limitations under the
+	License.
+
+	The Original Code is FusionPBX
+
+	The Initial Developer of the Original Code is
+	Mark J Crane <markjcrane@fusionpbx.com>
+	Portions created by the Initial Developer are Copyright (C) 2008-2016
+	the Initial Developer. All Rights Reserved.
+
+	Contributor(s):
+	Mark J Crane <markjcrane@fusionpbx.com>
+*/
+
+//set the database type
+	$db_type = 'pgsql'; //sqlite, mysql, pgsql, others with a manually created PDO connection
+
+//sqlite: the db_name and db_path are automatically assigned however the values can be overidden by setting the values here.
+	//$db_name = 'fusionpbx.db'; //host name/ip address + '.db' is the default database filename
+	//$db_path = '/var/www/fusionpbx/secure'; //the path is determined by a php variable
+
+//pgsql: database connection information
+	$db_host = '{database_host}';
+	$db_port = '5432';
+	$db_name = 'fusionpbx';
+	$db_username = '{database_username}';
+	$db_password = '{database_password}';
+
+//show errors
+	ini_set('display_errors', '1');
+	//error_reporting (E_ALL); // Report everything
+	//error_reporting (E_ALL ^ E_NOTICE); // hide notices
+	error_reporting(E_ALL ^ E_NOTICE ^ E_WARNING ); //hide notices and warnings
+
+?>

Install_Scripts/debian/resources/ioncube.sh

@@ -0,0 +1,126 @@
+#!/bin/sh
+
+#move to script directory so all relative paths work
+cd "$(dirname "$0")"
+
+#includes
+. ./config.sh
+. ./colors.sh
+. ./environment.sh
+
+#show cpu details
+echo "cpu architecture: $cpu_architecture"
+echo "cpu name: $cpu_name"
+
+#make sure unzip is install
+apt-get install -y unzip
+
+#remove the ioncube directory if it exists
+if [ -d "ioncube" ]; then
+        rm -Rf ioncube;
+fi
+
+#get the ioncube load and unzip it
+if [ .$cpu_architecture = .'x86' ]; then
+	#get the ioncube 64 bit loader
+	wget --no-check-certificate https://downloads.ioncube.com/loader_downloads/ioncube_loaders_lin_x86-64.zip
+
+	#uncompress the file
+	unzip ioncube_loaders_lin_x86-64.zip
+
+	#remove the zip file
+	rm ioncube_loaders_lin_x86-64.zip
+elif [ .$cpu_architecture = ."arm" ]; then
+	if [ .$cpu_name = .'armv7l' ]; then
+		#get the ioncube 64 bit loader
+		wget --no-check-certificate https://downloads.ioncube.com/loader_downloads/ioncube_loaders_lin_armv7l.zip
+
+		#uncompress the file
+		unzip ioncube_loaders_lin_armv7l.zip
+
+		#remove the zip file
+		rm ioncube_loaders_lin_armv7l.zip
+	fi
+fi
+
+#set the version of php
+if [ ."$os_codename" = ."bullseye" ]; then
+	php_version=7.4
+fi
+if [ ."$os_codename" = ."buster" ]; then
+	php_version=7.3
+fi
+if [ ."$os_codename" = ."stretch" ]; then
+	php_version=7.1
+fi
+if [ ."$os_codename" = ."jessie" ]; then
+	php_version=7.1
+fi
+
+#copy the loader to the correct directory
+if [ ."$php_version" = ."5.6" ]; then
+        #copy the php extension .so into the php lib directory
+        cp ioncube/ioncube_loader_lin_5.6.so /usr/lib/php5/20131226
+
+        #add the 00-ioncube.ini file
+		echo "zend_extension = /usr/lib/php5/20131226/ioncube_loader_lin_5.6.so" > /etc/php5/fpm/conf.d/00-ioncube.ini
+		echo "zend_extension = /usr/lib/php5/20131226/ioncube_loader_lin_5.6.so" > /etc/php5/cli/conf.d/00-ioncube.ini
+
+        #restart the service
+        service php5-fpm restart
+fi
+if [ ."$php_version" = ."7.0" ]; then
+        #copy the php extension .so into the php lib directory
+        cp ioncube/ioncube_loader_lin_7.0.so /usr/lib/php/20151012
+
+        #add the 00-ioncube.ini file
+		echo "zend_extension = /usr/lib/php/20151012/ioncube_loader_lin_7.0.so" > /etc/php/7.0/fpm/conf.d/00-ioncube.ini
+		echo "zend_extension = /usr/lib/php/20151012/ioncube_loader_lin_7.0.so" > /etc/php/7.0/cli/conf.d/00-ioncube.ini
+
+        #restart the service
+        service php7.0-fpm restart
+fi
+if [ ."$php_version" = ."7.1" ]; then
+        #copy the php extension .so into the php lib directory
+        cp ioncube/ioncube_loader_lin_7.1.so /usr/lib/php/20160303
+
+        #add the 00-ioncube.ini file
+		echo "zend_extension = /usr/lib/php/20160303/ioncube_loader_lin_7.1.so" > /etc/php/7.1/fpm/conf.d/00-ioncube.ini
+		echo "zend_extension = /usr/lib/php/20160303/ioncube_loader_lin_7.1.so" > /etc/php/7.1/cli/conf.d/00-ioncube.ini
+
+        #restart the service
+        service php7.1-fpm restart
+fi
+if [ ."$php_version" = ."7.2" ]; then
+        #copy the php extension .so into the php lib directory
+        cp ioncube/ioncube_loader_lin_7.2.so /usr/lib/php/20170718
+
+        #add the 00-ioncube.ini file
+		echo "zend_extension = /usr/lib/php/20170718/ioncube_loader_lin_7.2.so" > /etc/php/7.2/fpm/conf.d/00-ioncube.ini
+		echo "zend_extension = /usr/lib/php/20170718/ioncube_loader_lin_7.2.so" > /etc/php/7.2/cli/conf.d/00-ioncube.ini
+
+        #restart the service
+        service php7.2-fpm restart
+fi
+if [ ."$php_version" = ."7.3" ]; then
+        #copy the php extension .so into the php lib directory
+        cp ioncube/ioncube_loader_lin_7.3.so /usr/lib/php/20180731
+
+        #add the 00-ioncube.ini file
+		echo "zend_extension = /usr/lib/php/20180731/ioncube_loader_lin_7.3.so" > /etc/php/7.3/fpm/conf.d/00-ioncube.ini
+		echo "zend_extension = /usr/lib/php/20180731/ioncube_loader_lin_7.3.so" > /etc/php/7.3/cli/conf.d/00-ioncube.ini
+
+        #restart the service
+        service php7.3-fpm restart
+fi
+if [ ."$php_version" = ."7.4" ]; then
+        #copy the php extension .so into the php lib directory
+        cp ioncube/ioncube_loader_lin_7.4.so /usr/lib/php/20190902
+
+        #add the 00-ioncube.ini file
+		echo "zend_extension = /usr/lib/php/20190902/ioncube_loader_lin_7.4.so" > /etc/php/7.4/fpm/conf.d/00-ioncube.ini
+		echo "zend_extension = /usr/lib/php/20190902/ioncube_loader_lin_7.4.so" > /etc/php/7.4/cli/conf.d/00-ioncube.ini
+
+        #restart the service
+        service php7.4-fpm restart
+fi

Install_Scripts/debian/resources/iptables.sh

@@ -0,0 +1,68 @@
+#!/bin/sh
+
+#move to script directory so all relative paths work
+cd "$(dirname "$0")"
+
+
+#add the includes
+. ./config.sh
+. ./colors.sh
+. ./environment.sh
+
+#send a message
+verbose "Configuring IPTables"
+
+#defaults to nftables by default this enables iptables
+if [ ."$os_codename" = ."buster" ]; then
+	update-alternatives --set iptables /usr/sbin/iptables-legacy
+	update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
+fi
+if [ ."$os_codename" = ."bullseye" ]; then
+	apt-get install -y iptables
+	update-alternatives --set iptables /usr/sbin/iptables-legacy
+	update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
+fi
+
+#remove ufw
+ufw reset
+ufw disable
+apt-get remove -y ufw
+#apt-get purge ufw
+
+#run iptables commands
+iptables -A INPUT -i lo -j ACCEPT
+iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "friendly-scanner" --algo bm --icase
+iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "friendly-scanner" --algo bm --icase
+iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "sipcli/" --algo bm --icase
+iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "sipcli/" --algo bm --icase
+iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "VaxSIPUserAgent/" --algo bm --icase
+iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "VaxSIPUserAgent/" --algo bm --icase
+iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "pplsip" --algo bm --icase
+iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "pplsip" --algo bm --icase
+iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "system " --algo bm --icase
+iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "system " --algo bm --icase
+iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "exec." --algo bm --icase
+iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "exec." --algo bm --icase
+iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "multipart/mixed;boundary" --algo bm --icase
+iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "multipart/mixed;boundary" --algo bm --icase
+iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+iptables -A INPUT -p tcp --dport 80 -j ACCEPT
+iptables -A INPUT -p tcp --dport 443 -j ACCEPT
+iptables -A INPUT -p tcp --dport 7443 -j ACCEPT
+iptables -A INPUT -p tcp --dport 5060:5091 -j ACCEPT
+iptables -A INPUT -p udp --dport 5060:5091 -j ACCEPT
+iptables -A INPUT -p udp --dport 16384:32768 -j ACCEPT
+iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+iptables -A INPUT -p udp --dport 1194 -j ACCEPT
+iptables -t mangle -A OUTPUT -p udp -m udp --sport 16384:32768 -j DSCP --set-dscp 46
+iptables -t mangle -A OUTPUT -p udp -m udp --sport 5060:5091 -j DSCP --set-dscp 26
+iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 5060:5091 -j DSCP --set-dscp 26
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT ACCEPT
+
+#answer the questions for iptables persistent
+echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections
+echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections
+apt-get install -y iptables-persistent

Install_Scripts/debian/resources/letsencrypt.sh

@@ -0,0 +1,130 @@
+#!/bin/sh
+
+# FusionPBX - Install
+# Mark J Crane <markjcrane@fusionpbx.com>
+# Copyright (C) 2018
+# All Rights Reserved.
+      
+#move to script directory so all relative paths work
+cd "$(dirname "$0")"
+
+#includes
+. ./config.sh
+
+#Add dependencies
+apt-get install -y curl
+
+#remove dehyrdated letsencrypt script
+rm /usr/local/sbin/dehydrated
+rm -R /usr/src/dehydrated
+#rm -R /etc/dehydrated/
+#rm -R /usr/src/dns-01-manual
+#rm -R /var/www/dehydrated
+
+#request the domain name, email address and wild card domain
+read -p 'Domain Name: ' domain_name
+read -p 'Email Address: ' email_address
+
+#get and install dehydrated
+cd /usr/src && git clone https://github.com/lukas2511/dehydrated.git
+cd /usr/src/dehydrated
+cp dehydrated /usr/local/sbin
+mkdir -p /var/www/dehydrated
+mkdir -p /etc/dehydrated/certs
+
+#wildcard detection
+wildcard_domain=$(echo $domain_name | cut -c1-1)
+if [ "$wildcard_domain" = "*" ]; then
+	wildcard_domain="true"
+else
+	wildcard_domain="false"
+fi
+
+#remove the wildcard and period
+if [ .$wildcard_domain = ."true" ]; then
+      domain_name=$(echo "$domain_name" | cut -c3-255)
+fi
+
+#manual dns hook
+if [ .$wildcard_domain = ."true" ]; then
+    cd /usr/src
+    git clone https://github.com/gheja/dns-01-manual.git
+    cd /usr/src/dns-01-manual/
+    cp hook.sh /etc/dehydrated/hook.sh
+    chmod 755 /etc/dehydrated/hook.sh
+fi
+
+#copy config and hook.sh into /etc/dehydrated
+cd /usr/src/dehydrated
+cp docs/examples/config /etc/dehydrated
+#cp docs/examples/hook.sh /etc/dehydrated
+
+#update the dehydrated config
+#sed "s#CONTACT_EMAIL=#CONTACT_EMAIL=$email_address" -i /etc/dehydrated/config
+sed -i 's/#CONTACT_EMAIL=/CONTACT_EMAIL="'"$email_address"'"/g' /etc/dehydrated/config
+sed -i 's/#WELLKNOWN=/WELLKNOWN=/g' /etc/dehydrated/config
+
+#accept the terms
+./dehydrated --register --accept-terms --config /etc/dehydrated/config
+
+#set the domain alias
+domain_alias=$(echo "$domain_name" | head -n1 | cut -d " " -f1)
+
+#create an alias when using wildcard dns
+if [ .$wildcard_domain = ."true" ]; then
+	echo "*.$domain_name > $domain_name" > /etc/dehydrated/domains.txt
+fi
+
+#add the domain name to domains.txt
+if [ .$wildcard_domain = ."false" ]; then
+	echo "$domain_name" > /etc/dehydrated/domains.txt
+fi
+
+#request the certificates
+if [ .$wildcard_domain = ."true" ]; then
+	./dehydrated --cron --domain *.$domain_name --preferred-chain "ISRG Root X1" --algo rsa --alias $domain_alias --config /etc/dehydrated/config --out /etc/dehydrated/certs --challenge dns-01 --hook /etc/dehydrated/hook.sh
+fi
+if [ .$wildcard_domain = ."false" ]; then
+	./dehydrated --cron --alias $domain_alias --preferred-chain "ISRG Root X1" --algo rsa --config /etc/dehydrated/config --config /etc/dehydrated/config --out /etc/dehydrated/certs --challenge http-01
+fi
+
+#make sure the nginx ssl directory exists
+mkdir -p /etc/nginx/ssl
+
+#update nginx config
+sed "s@ssl_certificate[ \t]*/etc/ssl/certs/nginx.crt;@ssl_certificate /etc/dehydrated/certs/$domain_alias/fullchain.pem;@g" -i /etc/nginx/sites-available/fusionpbx
+sed "s@ssl_certificate_key[ \t]*/etc/ssl/private/nginx.key;@ssl_certificate_key /etc/dehydrated/certs/$domain_alias/privkey.pem;@g" -i /etc/nginx/sites-available/fusionpbx
+
+#read the config
+/usr/sbin/nginx -t && /usr/sbin/nginx -s reload
+
+#setup freeswitch tls
+if [ .$switch_tls = ."true" ]; then
+
+	#make sure the freeswitch directory exists
+	mkdir -p /etc/freeswitch/tls
+
+	#make sure the freeswitch certificate directory is empty
+	rm /etc/freeswitch/tls/*
+
+	#combine the certs into all.pem
+	cat /etc/dehydrated/certs/$domain_alias/fullchain.pem > /etc/freeswitch/tls/all.pem
+	cat /etc/dehydrated/certs/$domain_alias/privkey.pem >> /etc/freeswitch/tls/all.pem
+	#cat /etc/dehydrated/certs/$domain_alias/chain.pem >> /etc/freeswitch/tls/all.pem
+
+	#copy the certificates
+	cp /etc/dehydrated/certs/$domain_alias/cert.pem /etc/freeswitch/tls
+	cp /etc/dehydrated/certs/$domain_alias/chain.pem /etc/freeswitch/tls
+	cp /etc/dehydrated/certs/$domain_alias/fullchain.pem /etc/freeswitch/tls
+	cp /etc/dehydrated/certs/$domain_alias/privkey.pem /etc/freeswitch/tls
+
+	#add symbolic links
+	ln -s /etc/freeswitch/tls/all.pem /etc/freeswitch/tls/agent.pem
+	ln -s /etc/freeswitch/tls/all.pem /etc/freeswitch/tls/tls.pem
+	ln -s /etc/freeswitch/tls/all.pem /etc/freeswitch/tls/wss.pem
+	ln -s /etc/freeswitch/tls/all.pem /etc/freeswitch/tls/dtls-srtp.pem
+
+	#set the permissions
+	chown -R www-data:www-data /etc/freeswitch/tls
+
+fi  

Install_Scripts/debian/resources/letsencrypt/domain_name.conf

@@ -0,0 +1,22 @@
+# the domain we want to get the cert for;
+# technically it's possible to have multiple of this lines, but it only worked
+# with one domain for me, another one only got one cert, so I would recommend
+# separate config files per domain.
+domains = {domain_name}
+
+# increase key size
+rsa-key-size = 2048 # Or 4096
+
+# the current closed beta (as of 2015-Nov-07) is using this server
+server = https://acme-v01.api.letsencrypt.org/directory
+
+# this address will receive renewal reminders
+email = {email_address}
+
+# turn off the ncurses UI, we want this to be run as a cronjob
+text = True
+
+# authenticate by placing a file in the webroot (under .well-known/acme-challenge/)
+# and then letting LE fetch it
+authenticator = webroot
+webroot-path = /var/www/letsencrypt/

Install_Scripts/debian/resources/monit.sh

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+#move to script directory so all relative paths work
+cd "$(dirname "$0")"
+
+#includes
+. ./config.sh
+
+#install monit
+apt-get install -y monit
+
+#make the monit shell script executable
+chmod 755 monit/shell.sh
+
+#copy the freeswitch monit config
+cp monit/freeswitch /etc/monit/conf.d
+
+#restart monit
+service monit restart

Install_Scripts/debian/resources/monit/freeswitch

@@ -0,0 +1,3 @@
+check process freeswitch with pidfile /run/freeswitch/freeswitch.pid
+start program = "/usr/src/fusionpbx-install.sh/debian/resources/monit/./shell.sh"
+stop program  = "/usr/bin/freeswitch -stop"

Install_Scripts/debian/resources/monit/shell.sh

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+mkdir -p /var/run/freeswitch
+chown -R www-data:www-data /var/run/freeswitch
+/usr/bin/freeswitch -nc -u www-data -g www-data -nonat

Install_Scripts/debian/resources/nftables.sh

@@ -0,0 +1,30 @@
+#!/bin/sh
+
+#move to script directory so all relative paths work
+cd "$(dirname "$0")"
+
+#add the includes
+. ./config.sh
+. ./colors.sh
+. ./environment.sh
+
+#send a message
+verbose "Configuring nftables"
+
+#run iptables commands
+nft add rule ip filter INPUT iifname "lo" counter accept
+nft add rule ip filter INPUT ct state related,established  counter accept
+nft add rule ip filter INPUT tcp dport 22 counter accept
+nft add rule ip filter INPUT tcp dport 80 counter accept
+nft add rule ip filter INPUT tcp dport 443 counter accept
+nft add rule ip filter INPUT tcp dport 7443 counter accept
+nft add rule ip filter INPUT tcp dport 5060-5091 counter accept
+nft add rule ip filter INPUT udp dport 5060-5091 counter accept
+nft add rule ip filter INPUT udp dport 16384-32768 counter accept
+nft add rule ip filter INPUT icmp type echo-request counter accept
+nft add rule ip filter INPUT udp dport 1194 counter accept
+nft add rule ip mangle OUTPUT udp sport 16384-32768 counter ip dscp set 0x2e
+nft add rule ip mangle OUTPUT tcp sport 5060-5091 counter ip dscp set 0x1a
+nft add rule ip mangle OUTPUT udp sport 5060-5091 counter ip dscp set 0x1a
+
+

Install_Scripts/debian/resources/nginx.sh

@@ -0,0 +1,84 @@
+#!/bin/sh
+
+#move to script directory so all relative paths work
+cd "$(dirname "$0")"
+
+#includes
+. ./config.sh
+. ./colors.sh
+. ./environment.sh
+
+#send a message
+verbose "Installing the web server"
+
+#change the version of php for arm
+if [ ."$cpu_architecture" = ."arm" ]; then
+	#Pi2 and Pi3 Raspbian
+	#Odroid
+	if [ ."$os_codename" = ."stretch" ]; then
+	      php_version=7.2
+	else
+	      php_version=5.6
+	fi
+fi
+
+#set the version of php
+if [ ."$os_codename" = ."bullseye" ]; then
+	php_version=7.4
+fi
+if [ ."$os_codename" = ."buster" ]; then
+	php_version=7.3
+fi
+if [ ."$os_codename" = ."stretch" ]; then
+	php_version=7.1
+fi
+if [ ."$os_codename" = ."jessie" ]; then
+	php_version=7.1
+fi
+
+#enable fusionpbx nginx config
+cp nginx/fusionpbx /etc/nginx/sites-available/fusionpbx
+
+#prepare socket name
+if [ ."$php_version" = ."5.6" ]; then
+        sed -i /etc/nginx/sites-available/fusionpbx -e 's#unix:.*;#unix:/var/run/php5-fpm.sock;#g'
+fi
+if [ ."$php_version" = ."7.0" ]; then
+        sed -i /etc/nginx/sites-available/fusionpbx -e 's#unix:.*;#unix:/var/run/php/php7.0-fpm.sock;#g'
+fi
+if [ ."$php_version" = ."7.1" ]; then
+        sed -i /etc/nginx/sites-available/fusionpbx -e 's#unix:.*;#unix:/var/run/php/php7.1-fpm.sock;#g'
+fi
+if [ ."$php_version" = ."7.2" ]; then
+        sed -i /etc/nginx/sites-available/fusionpbx -e 's#unix:.*;#unix:/var/run/php/php7.2-fpm.sock;#g'
+fi
+if [ ."$php_version" = ."7.3" ]; then
+        sed -i /etc/nginx/sites-available/fusionpbx -e 's#unix:.*;#unix:/var/run/php/php7.3-fpm.sock;#g'
+fi
+if [ ."$php_version" = ."7.4" ]; then
+        sed -i /etc/nginx/sites-available/fusionpbx -e 's#unix:.*;#unix:/var/run/php/php7.4-fpm.sock;#g'
+fi
+ln -s /etc/nginx/sites-available/fusionpbx /etc/nginx/sites-enabled/fusionpbx
+
+#self signed certificate
+ln -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/nginx.key
+ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/certs/nginx.crt
+
+#remove the default site
+rm /etc/nginx/sites-enabled/default
+
+#update config if LetsEncrypt folder is unwanted
+# if [ .$letsencrypt_folder = .false ]; then
+#         sed -i '151,155d' /etc/nginx/sites-available/fusionpbx
+# fi
+
+#add the letsencrypt directory
+if [ .$letsencrypt_folder = .true ]; then
+        mkdir -p /var/www/letsencrypt/
+fi
+
+#flush systemd cache
+systemctl daemon-reload
+
+#restart nginx
+service nginx restart

Install_Scripts/debian/resources/nginx/fusionpbx

@@ -0,0 +1,305 @@
+
+server {
+	listen 127.0.0.1:80;
+	server_name 127.0.0.1;
+	access_log /var/log/nginx/access.log;
+	error_log /var/log/nginx/error.log;
+
+	client_max_body_size 80M;
+	client_body_buffer_size 128k;
+
+	location / {
+		root /var/www/fusionpbx;
+		index index.php;
+	}
+
+	location ~ \.php$ {
+		fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
+		#fastcgi_pass 127.0.0.1:9000;
+		fastcgi_index index.php;
+		include fastcgi_params;
+		fastcgi_param   SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
+	}
+
+	# Allow the upgrade routines to run longer than normal
+	location = /core/upgrade/index.php {
+		fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
+		#fastcgi_pass 127.0.0.1:9000;
+		fastcgi_index index.php;
+		include fastcgi_params;
+		fastcgi_param   SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
+		fastcgi_read_timeout 15m;
+	}
+
+	# Disable viewing .htaccess & .htpassword & .db & .git
+	location ~ .htaccess {
+		deny all;
+	}
+	location ~ .htpassword {
+		deny all;
+	}
+	location ~^.+.(db)$ {
+		deny all;
+	}
+	location ~ /\.git {
+		deny all;
+	}
+	location ~ /\.lua {
+		deny all;
+	}
+	location ~ /\. {
+		deny all;
+	}
+}
+
+server {
+	listen 80;
+	server_name fusionpbx;
+
+	#redirect letsencrypt to dehydrated
+	location ^~ /.well-known/acme-challenge {
+		default_type "text/plain";
+		auth_basic "off";
+		alias /var/www/dehydrated;
+	}
+
+	#rewrite rule - send to https with an exception for provisioning
+	if ($uri !~* ^.*(provision|xml_cdr|firmware).*$) {
+		rewrite ^(.*) https://$host$1 permanent;
+		break;
+	}
+
+	#REST api
+	if ($uri ~* ^.*/api/.*$) {
+		rewrite ^(.*)/api/(.*)$ $1/api/index.php?rewrite_uri=$2 last;
+		break;
+	}
+
+	#algo
+	rewrite "^.*/provision/algom([A-Fa-f0-9]{12})\.conf" /app/provision/?mac=$1&file=algom%7b%24mac%7d.conf last;
+
+	#mitel
+	rewrite "^.*/provision/MN_([A-Fa-f0-9]{12})\.cfg" /app/provision/index.php?mac=$1&file=MN_%7b%24mac%7d.cfg last;
+	rewrite "^.*/provision/MN_Generic.cfg" /app/provision/index.php?mac=08000f000000&file=MN_Generic.cfg last;
+
+	#grandstream
+	rewrite "^.*/provision/cfg([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/?mac=$1;
+	rewrite "^.*/provision/([A-Fa-f0-9]{12})/phonebook\.xml$" /app/provision/?mac=$1&file=phonebook.xml;
+	rewrite "^.*/provision/(phonebook\.xml)?$" /app/provision/index.php?file=$1 last;
+	#grandstream-wave softphone by ext because Android doesn't pass MAC.
+	rewrite "^.*/provision/([0-9]{5})/cfg([A-Fa-f0-9]{12}).xml$" /app/provision/?ext=$1;
+
+	#aastra
+	rewrite "^.*/provision/aastra.cfg$" /app/provision/?mac=$1&file=aastra.cfg;
+	#rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(cfg))?$" /app/provision/?mac=$1 last;
+
+	#yealink
+	#rewrite "^.*/provision/(y[0-9]{12})(\.cfg|\.boot)?$" /app/provision/index.php?file=$1$2;
+	rewrite "^.*/provision/(y[0-9]{12})(\.cfg)?$" /app/provision/index.php?file=$1.cfg;
+	rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/index.php?mac=$1 last;
+
+	#polycom
+	rewrite "^.*/provision/000000000000.cfg$" "/app/provision/?mac=$1&file={%24mac}.cfg";
+	#rewrite "^.*/provision/sip_330(\.(ld))$" /includes/firmware/sip_330.$2;
+	rewrite "^.*/provision/features.cfg$" /app/provision/?mac=$1&file=features.cfg;
+	rewrite "^.*/provision/([A-Fa-f0-9]{12})-sip.cfg$" /app/provision/?mac=$1&file=sip.cfg;
+	rewrite "^.*/provision/([A-Fa-f0-9]{12})-phone.cfg$" /app/provision/?mac=$1;
+	rewrite "^.*/provision/([A-Fa-f0-9]{12})-registration.cfg$" "/app/provision/?mac=$1&file={%24mac}-registration.cfg";
+	rewrite "^.*/provision/([A-Fa-f0-9]{12})-directory.xml$" "/app/provision/?mac=$1&file={%24mac}-directory.xml";
+
+	#cisco
+	rewrite "^.*/provision/file/(.*\.(xml|cfg))" /app/provision/?file=$1 last;
+	rewrite "^.*/provision/directory\.xml$" /app/provision/?file=directory.xml;
+
+	#Escene
+	rewrite "^.*/provision/([0-9]{1,11})_Extern.xml$"       "/app/provision/?ext=$1&file={%24mac}_extern.xml" last;
+	rewrite "^.*/provision/([0-9]{1,11})_Phonebook.xml$"    "/app/provision/?ext=$1&file={%24mac}_phonebo