Bump versions

Update README.md

README.md

@@ -2,6 +2,7 @@ General Information:
 --------------------
 
 This is a setup for a Tor based shared hosting server. It is provided as is and before putting it into production you should make changes according to your needs. This is a work in progress and you should carefully check the commit history for changes before updating.
+For a production server, at least 1TB of SSD disk space, 32GB RAM and 8 CPU cores is recommended. For a small testing/personal server, 4GB RAM and 1 CPU core is enough.
 
 Translation:
 --------------------------
@@ -14,13 +15,13 @@ Once you are done, you can open a pull request, or [email me](mailto:daniel@danw
 Installation Instructions:
 --------------------------
 
-The configuration was tested with a standard Debian bookworm and Ubuntu 22.04 LTS installation. It's recommended you install Debian bookworm (or newer) on your server, but with a little tweaking you may also get this working on other distributions and/or versions. If you want to build it on a raspberry pi, please do not use the raspbian images as several things will break. Download an image for your pi model from [https://raspi.debian.net/daily-images/](https://raspi.debian.net/daily-images/) instead.
+The configuration was tested with a standard Debian bookworm and Ubuntu 24.04 LTS installation. It's recommended you install Debian bookworm (or newer) on your server, but with a little tweaking you may also get this working on other distributions and/or versions. If you want to build it on a raspberry pi, please do not use the raspbian images as several things will break. Download an image for your pi model from [https://raspi.debian.net/daily-images/](https://raspi.debian.net/daily-images/) instead.
 
 Because I regularly get asked to make a video tutorial on how to set this up, I decided to create a tutorial which you can [watch on YouTube](https://www.youtube.com/watch?v=f2-SOlnIYmg). It is basically just copy-pasting commands, but maybe it helps someone.
 
 Uninstall packages that may interfere with this setup:
 ```
-DEBIAN_FRONTEND=noninteractive apt-get purge -y apache2* dnsmasq* eatmydata exim4* imagemagick-6-common mysql-client* mysql-server* nginx* libnginx-mod* php7* resolvconf && systemctl disable systemd-resolved.service && systemctl stop systemd-resolved.service
+DEBIAN_FRONTEND=noninteractive apt purge -y apache2* dnsmasq* eatmydata exim4* imagemagick-6-common mysql-client* mysql-server* nginx* libnginx-mod* php7* resolvconf && systemctl disable systemd-resolved.service && systemctl stop systemd-resolved.service
 ```
 
 If you have problems resolving hostnames after this step, temporarily switch to a public nameserver like 1.1.1.1 (from CloudFlare) or 8.8.8.8 (from Google)
@@ -29,10 +30,20 @@ If you have problems resolving hostnames after this step, temporarily switch to
 rm /etc/resolv.conf && echo "nameserver 1.1.1.1" > /etc/resolv.conf
 ```
 
+Add additional repositories:
+```
+apt update && apt install git apt-transport-tor curl
+curl -sSL https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc > /etc/apt/trusted.gpg.d/torproject.gpg
+curl -sSL https://packages.sury.org/nginx/apt.gpg > /etc/apt/trusted.gpg.d/sury.gpg
+echo "deb tor://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion/torproject.org/ `lsb_release -cs` main" >> /etc/apt/sources.list
+echo "deb https://packages.sury.org/nginx/ `lsb_release -cs` main" >> /etc/apt/sources.list
+apt update && apt upgrade
+```
+
 Install git and clone this repository
 
 ```
-apt-get update && apt-get install git && git clone https://github.com/DanWin/hosting && cd hosting
+apt update && apt install git && git clone https://github.com/DanWin/hosting && cd hosting
 ```
 
 Install custom optimized binaries
@@ -40,21 +51,12 @@ Install custom optimized binaries
 ./install_binaries.sh
 ```
 
-To get the latest mariadb version, you should follow these instructions to add the official repository for your distribution: (https://downloads.mariadb.org/mariadb/repositories/)
-
-Add torproject to our repositories:
-```
-curl --socks5-hostname 127.0.0.1:9050 -sSL http://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc > /etc/apt/trusted.gpg.d/torproject.gpg
-echo "deb tor://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion/torproject.org/ `lsb_release -cs` main" >> /etc/apt/sources.list
-apt-get update && apt-get upgrade
-```
-
 Note that debian also has an onion service package archive, so you may want to edit /etc/apt/sources.list to load from there instead:
 ```
 deb tor://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian `lsb_release -cs` main
 ```
 
-Copy (and modify according to your needs) the site files in `var/www` to `/var/www`, `usr/local` to `/usr/local`  and the configuration files in `etc` to `/etc` after installation has finished. Then restart some services:
+Copy (and modify according to your needs) the site files in `var/www` to `/var/www` and the configuration files in `etc` to `/etc` after installation has finished. Then restart some services:
 ```
 systemctl daemon-reload && systemctl restart bind9.service && systemctl restart tor@default.service
 ```

clean_nginx_sockets.sh

@@ -1,3 +1,3 @@
 #!/bin/sh
 # Run this script whenever nginx doesn't start up due to stale sockets
-rm -f /home/*/var/run/mysqld/mysqld.sock /home/*/var/run/mail.sock /run/nginx.sock /run/nginx/* /var/www/var/run/mysqld/mysqld.sock /var/www/var/run/mail.sock /var/spool/postfix/var/run/mysqld/mysqld.sock
+rm -f /home/*/run/mysqld/mysqld.sock /home/*/run/mail.sock /run/nginx.sock /run/nginx/* /var/www/run/mysqld/mysqld.sock /var/www/run/mail.sock /var/spool/postfix/var/run/mysqld/mysqld.sock

etc/jailkit/jk_init.ini

@@ -0,0 +1,175 @@
+[uidbasics]
+# this section probably needs adjustment on 64bit systems
+# or non-Linux systems
+comment = common files for all jails that need user/group information
+paths = /lib/libnsl.so.*, /lib64/libnsl.so.*, /lib/libnss*.so.2, /lib64/libnss*.so.2, /lib/i386-linux-gnu/libnsl.so.*, /lib/i386-linux-gnu/libnss*.so.2, /lib/x86_64-linux-gnu/libnsl.so.*, /lib/x86_64-linux-gnu/libnss*.so.2, /lib/arm-linux-gnueabihf/libnss*.so.2, /lib/arm-linux-gnueabihf/libnsl*.so.*, /etc/nsswitch.conf, /etc/ld.so.conf
+# Solaris needs 
+# paths = /etc/default/nss, /lib/libnsl.so.1, /usr/lib/nss_*.so.1, /etc/nsswitch.conf
+
+[netbasics]
+comment = common files for all jails that need any internet connectivity
+paths = /lib/libnss_dns.so.2, /lib64/libnss_dns.so.2, /lib/libnss_mdns*.so.2, /etc/resolv.conf, /etc/host.conf, /etc/hosts, /etc/protocols, /etc/services
+# on Solaris devices /dev/udp and /dev/tcp might be needed too, not sure
+
+[logbasics]
+comment = timezone information and log sockets
+paths = /etc/localtime
+need_logsocket = 1
+# Solaris does not need logsocket
+# but needs 
+# devices = /dev/log, /dev/conslog
+
+[jk_lsh]
+comment = Jailkit limited shell
+paths = /usr/sbin/jk_lsh, /etc/jailkit/jk_lsh.ini
+users = root
+groups = root
+includesections = uidbasics, logbasics
+
+[limitedshell]
+comment = alias for jk_lsh
+includesections = jk_lsh
+
+[cvs]
+comment = Concurrent Versions System
+paths = cvs
+devices = /dev/null
+
+[git]
+comment = Fast Version Control System
+paths = /usr/bin/git*, /usr/lib/git-core, /usr/share/git-core, /usr/bin/basename, /bin/uname, /usr/bin/pager
+includesections = editors, perl
+
+[scp]
+comment = ssh secure copy
+paths = scp
+includesections = netbasics, uidbasics
+devices = /dev/urandom, /dev/null
+
+[sftp]
+comment = ssh secure ftp
+paths = /usr/lib/sftp-server, /usr/libexec/openssh/sftp-server, /usr/lib/misc/sftp-server, /usr/libexec/sftp-server, /usr/lib/openssh/sftp-server
+includesections = netbasics, uidbasics
+devices = /dev/urandom, /dev/null
+# on solaris 
+#paths = /usr/lib/ssh/sftp-server
+
+[ssh]
+comment = ssh secure shell
+paths = ssh
+includesections = netbasics, uidbasics
+devices = /dev/urandom, /dev/tty, /dev/null
+
+[rsync]
+paths = rsync
+includesections = netbasics, uidbasics
+
+[procmail]
+comment = procmail mail delivery
+paths = procmail, /bin/sh
+devices = /dev/null
+
+[basicshell]
+comment = bash based shell with several basic utilities
+paths = /bin/sh, bash, ls, cat, chmod, mkdir, cp, cpio, date, dd, echo, egrep, false, fgrep, grep, gunzip, gzip, ln, ls, mkdir, mktemp, more, mv, pwd, rm, rmdir, sed, sh, sleep, sync, tar, touch, true, uncompress, zcat, /etc/motd, /etc/issue, /etc/bash.bashrc, /etc/bashrc, /etc/profile, /usr/lib/locale/en_US.utf8
+users = root
+groups = root
+includesections = uidbasics
+
+[interactiveshell]
+comment = for ssh access to a full shell
+includesections = uidbasics, basicshell, terminfo, editors, extendedshell
+
+[midnightcommander]
+comment = Midnight Commander
+paths = mc, mcedit, mcview, /usr/share/mc
+includesections = basicshell, terminfo
+
+[extendedshell]
+comment = bash shell including things like awk, bzip, tail, less
+paths = awk, bzip2, bunzip2, ldd, less, clear, cut, du, find, head, less, md5sum, nice, sort, tac, tail, tr, sort, wc, watch, whoami
+includesections = basicshell, midnightcommander, editors
+
+[terminfo]
+comment = terminfo databases, required for example for ncurses or vim 
+paths = /etc/terminfo, /usr/share/terminfo, /lib/terminfo
+
+[editors]
+comment = vim, joe and nano
+includesections = terminfo
+paths = joe, nano, vi, vim, /etc/vimrc, /etc/joe, /usr/share/vim
+
+[netutils]
+comment = several internet utilities like wget, ftp, rsync, scp, ssh
+paths = wget, lynx, ftp, host, rsync, smbclient
+includesections = netbasics, ssh, sftp, scp
+
+[apacheutils]
+comment = htpasswd utility
+paths = htpasswd
+
+[extshellplusnet]
+comment = alias for extendedshell + netutils + apacheutils
+includesections = extendedshell, netutils, apacheutils
+
+[openvpn]
+comment = jail for the openvpn daemon
+paths = /usr/sbin/openvpn
+users = root,nobody
+groups = root,nogroup
+#includesections = netbasics
+devices = /dev/urandom, /dev/random, /dev/net/tun
+includesections = netbasics, uidbasics
+need_logsocket = 1
+
+[apache]
+comment = the apache webserver, very basic setup, probably too limited for you
+paths = /usr/sbin/apache
+users = root, www-data
+groups = root, www-data
+includesections = netbasics, uidbasics
+
+[perl]
+comment = the perl interpreter and libraries
+paths = perl, /usr/lib/perl, /usr/lib/perl5, /usr/share/perl, /usr/share/perl5
+
+[xauth]
+comment = getting X authentication to work
+paths = /usr/bin/X11/xauth, /usr/X11R6/lib/X11/rgb.txt, /etc/ld.so.conf
+
+[xclients]
+comment = minimal files for X clients
+paths = /usr/X11R6/lib/X11/rgb.txt
+includesections = xauth
+
+[vncserver]
+comment = the VNC server program
+paths = Xvnc, Xrealvnc, /usr/X11R6/lib/X11/fonts/
+includesections = xclients
+
+[ping]
+comment = Ping program
+paths_w_setuid = /bin/ping
+
+#[xterm]
+#comment = xterm
+#paths = /usr/bin/X11/xterm, /usr/share/terminfo, /etc/terminfo
+#devices = /dev/pts/0, /dev/pts/1, /dev/pts/2, /dev/pts/3, /dev/pts/4, /dev/ptyb4, /dev/ptya4, /dev/tty, /dev/tty0, /dev/tty4
+
+[php]
+comment = the php interpreter and libraries
+paths = /usr/bin/php*, composer, /usr/bin/phar*, env, /usr/lib/php, /usr/share/php, /usr/share/php*, /usr/share/zoneinfo, /usr/share/ca-certificates, /etc/ssl/certs, /usr/lib/ssl/certs, /etc/localtime
+includesections = netbasics
+
+[locales]
+comment = all translations
+paths = /usr/lib/locale, /usr/share/i18n, /etc/default/locale, /etc/locale.alias
+
+[custom_hosting]
+comment = custom giftGRÜN configuration
+includesections = php, git, netutils, interactiveshell, locales
+devices = /dev/zero, /dev/random
+paths = base32, base64, basenc, brotli, cksum, comm, csplit, curl, dirname, dir, expand, expr, factor, fmt, fold, gpg, id, install, join, link, mysql, mysqldump, mysqlcheck, nl, nohup, numfmt, od, openssl, paste, pr, printenv, printf, ptx, readlink, realpath, seq, sha1sum, sha224sum, sha256sum, sha384sum, sha512sum, shred, shuf, split, stat, stdbuf, sum, test, tee, timeout, tput, truncate, tsort, unexpand, uniq, unlink, unxz, unzip, vdir, which, xargs, xz, zip, zopfli, nologin, /etc/bash_completion, /etc/bash_completion.d, /usr/share/bash-completion, /etc/profile.d, /etc/ld.so.conf.d, /etc/hostname
+emptydirs = /run/mysqld, /tmp
+users = root, www-data
+groups = root, www-data

etc/mysql/mariadb.conf.d/manual_settings.cnf

@@ -11,7 +11,6 @@ innodb_buffer_pool_size = 1G
 innodb_log_buffer_size = 16M
 innodb_log_file_size = 128M
 innodb_flush_log_at_trx_commit = 2
-#innodb-defragment = 1
 skip_name_resolve = 1
 query_cache_size = 128M
 query_cache_limit = 4M

etc/nginx/nginx.conf

@@ -2,6 +2,7 @@ daemon on;
 user www-data;
 worker_processes 1;
 pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
 pcre_jit on;
 worker_rlimit_nofile 100000;
 worker_shutdown_timeout 30m;

etc/rc.local

@@ -23,7 +23,7 @@ ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 #allow tor traffic
-for tor in bind debian-tor _tor-a _tor-b _tor-c _tor-d _tor-e _tor-f _tor-g _tor-h _tor-i _tor-j _tor-k _tor-l _tor-m _tor-n _tor-o _tor-p _tor-q _tor-r _tor-s; do(
+for tor in bind debian-tor _tor-a; do(
 iptables -t nat -A OUTPUT -m owner --uid-owner $tor -j RETURN
 ip6tables -t nat -A OUTPUT -m owner --uid-owner $tor -j RETURN
 iptables -A OUTPUT -m owner --uid-owner $tor -j ACCEPT

etc/systemd/system/nginx.service

@@ -24,7 +24,7 @@ LockPersonality=true
 SystemCallArchitectures=native
 ReadWritePaths=-/var/log/nginx/
 ReadWritePaths=-/var/lib/nginx/
-ReadWritePaths=-/var/www/var/run/
+ReadWritePaths=-/var/www/run/
 ReadWritePaths=-/var/spool/postfix/
 ReadWritePaths=-/run/
 InaccessiblePaths=-/root/

etc/systemd/system/rspamd.service

@@ -1,17 +0,0 @@
-[Unit]
-Description=rapid spam filtering system
-After=nss-lookup.target network-online.target
-Documentation=https://rspamd.com/doc/
-
-[Service]
-LimitNOFILE=1048576
-NonBlocking=true
-ExecStart=/usr/local/bin/rspamd -c /usr/local/etc/rspamd/rspamd.conf -f
-ExecReload=/bin/kill -HUP $MAINPID
-User=_rspamd
-RuntimeDirectory=rspamd
-RuntimeDirectoryMode=0755
-Restart=always
-
-[Install]
-WantedBy=multi-user.target

var/www/common.php

@@ -6,7 +6,7 @@ const DBPASS='MY_PASSWORD'; // Database password
 const DBNAME='hosting'; // Database
 const PERSISTENT=true; // Use persistent database conection true/false
 const DBVERSION=21; //database layout version
-const CAPTCHA=1; // Captcha difficulty (0=off, 1=simple, 2=moderate, 3=extreme)
+const CAPTCHA=1; // Captcha difficulty (0=off, 1=simple, 2=moderate, 3=hard, 4=extreme)
 const ADDRESS='dhosting4xxoydyaivckq7tsmtgi4wfs3flpeyitekkmqwu4v4r46syd.onion'; // our own address
 const CANONICAL_URL='https://hosting.danwin1210.me'; // our preferred domain for search engines
 const SERVERS=[ //servers and ports we are running on
@@ -25,7 +25,7 @@ const INDEX_MD5S=[ //MD5 sums of index.hosting.html files that should be conside
 const REQUIRE_APPROVAL=false; //require admin approval of new sites? true/false
 const ENABLE_SHELL_ACCESS=true; //allows users to login via ssh, when disabled only sftp is allowed - run setup.php to migrate existing accounts
 const ADMIN_PASSWORD='MY_PASSWORD'; //password for admin interface
-const SERVICE_INSTANCES=['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's']; //one character per instance - run multiple tor+php-fpm instances for load balancing, remove all but one instance if you expect less than 200 accounts. If tor starts using 100% cpu and failing circuits every few hours after a restart, add more instances. In my experience this happens around 250 hidden services per instance - run setup.php after change
+const SERVICE_INSTANCES=['a']; //one character per instance - run multiple tor+php-fpm instances for load balancing, remove all but one instance if you expect less than 200 accounts. If tor starts using 100% cpu and failing circuits every few hours after a restart, add more instances. In my experience this happens around 250 hidden services per instance - run setup.php after change
 const DISABLED_PHP_VERSIONS=[]; //php versions still installed on the system but no longer offered for new accounts
 const PHP_VERSIONS=[7 => '8.1', 8 => '8.2']; //currently active php versions
 const DEFAULT_PHP_VERSION='8.2'; //default php version
@@ -95,6 +95,8 @@ const CLEARNET_ADDRESS = 'hosting.danwin1210.me'; //Domain under which the servi
 const CLEARNET_SUBDOMAINS = 'danwin1210.me'; //domain of which all subdomains are mapped to this server
 const DEFAULT_LANG = 'en'; //default language
 const LANGUAGES = [ //available languages
+	'cs' => ['name' => 'Czech', 'locale' => 'cs_CZ', 'dir' => 'ltr'],
+	'de' => ['name' => 'Deutsch', 'locale' => 'de_DE', 'dir' => 'ltr'],
 	'en' => ['name' => 'English', 'locale' => 'en_GB', 'dir' => 'ltr'],
 ];
 
@@ -215,6 +217,45 @@ function send_captcha(): void
 			imagesetpixel($im, mt_rand(0, 55), mt_rand(0, 24), $dots);
 		}
 		echo '<img width="55" height="24" src="data:image/gif;base64,';
+	}elseif(CAPTCHA === 3){
+		$im = imagecreatetruecolor(55, 24);
+		$bg = imagecolorallocatealpha($im, 0, 0, 0, 127);
+		$fg = imagecolorallocate($im, 255, 255, 255);
+		$cc = imagecolorallocate($im, 200, 200, 200);
+		$cb = imagecolorallocatealpha($im, 0, 0, 0, 127);
+		imagefill($im, 0, 0, $bg);
+		$line = imagecolorallocate($im, 255, 255, 255);
+		$deg = (mt_rand(0,1)*2-1)*mt_rand(10, 20);
+
+		$background = imagecreatetruecolor(120, 80);
+		imagefill($background, 0, 0, $cb);
+
+		for ($i=0; $i<20; ++$i) {
+			$char=imagecreatetruecolor(12, 16);
+			imagestring($char, 5, 2, 2, $captchachars[mt_rand(0, $length)], $cc);
+			$char = imagerotate($char, (mt_rand(0,1)*2-1)*mt_rand(10, 20), $cb);
+			$char = imagescale($char, 24, 32);
+			imagefilter($char, IMG_FILTER_SMOOTH, 0.6);
+			imagecopy($background, $char, rand(0, 100), rand(0, 60), 0, 0, 24, 32);
+		}
+
+		imagestring($im, 5, 5, 5, $code, $fg);
+		$im = imagescale($im, 110, 48);
+		imagefilter($im, IMG_FILTER_SMOOTH, 0.5);
+		imagefilter($im, IMG_FILTER_GAUSSIAN_BLUR);
+		$im = imagerotate($im, $deg, $bg);
+		$im = imagecrop($im, array('x'=>0, 'y'=>0, 'width'=>120, 'height'=>80));
+		imagecopy($background, $im, 0, 0, 0, 0, 110, 80);
+		imagedestroy($im);
+		$im = $background;
+
+		for($i=0;$i<1000;++$i){
+			$c = mt_rand(100,230);
+			$dots=imagecolorallocate($im, $c, $c, $c);
+			imagesetpixel($im, mt_rand(0, 120), mt_rand(0, 80), $dots);
+		}
+		imagedestroy($char);
+		echo '<img width="120" height="80" src="data:image/png;base64,';
 	}else{
 		$im = imagecreatetruecolor(150, 200);
 		$bg = imagecolorallocate($im, 0, 0, 0);
@@ -559,12 +600,12 @@ function rewrite_nginx_config(): void
 			continue;
 		}
 		$nginx_mysql.="server {
-	listen unix:/home/$tmp[system_account]/var/run/mysqld/mysqld.sock;
+	listen unix:/home/$tmp[system_account]/run/mysqld/mysqld.sock;
 	proxy_pass unix:/var/run/mysqld/mysqld.sock;
 }
 ";
 		$nginx_mail.="server {
-	listen unix:/home/$tmp[system_account]/var/run/mail.sock;
+	listen unix:/home/$tmp[system_account]/run/mail.sock;
 	root /var/www/mail;
 	location / {
 		include snippets/fastcgi-php.conf;

var/www/setup.php

@@ -364,7 +364,7 @@ if(!file_exists("/etc/nginx/streams-enabled/")){
 	mkdir("/etc/nginx/streams-enabled/", 0755, true);
 }
 file_put_contents('/etc/nginx/streams-enabled/default', "server {
-	listen unix:/var/www/var/run/mysqld/mysqld.sock;
+	listen unix:/var/www/run/mysqld/mysqld.sock;
 	proxy_pass unix:/var/run/mysqld/mysqld.sock;
 }");
 exec('systemctl enable nginx');

var/www/setup_chroot.sh

@@ -1,334 +1,33 @@
 #!/bin/bash
+set -e
 
 export PATH="/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin"
 
 test "$1" != "" || { echo "Need path to chroot directory"; exit 1; }
 
-ALL_LIB_DIRECTORIES=()
-ALL_LIB_FILES=()
-
-### functions
-function CHROOT_BINARY() {
-    BINARY="$(which $1)"
-    if [ "$BINARY" == "" ]; then
-        return;
-    fi
-    if [ "$(echo $BINARY | grep -E '.*:.*')" != "" ]; then
-        BINARY="$(echo $BINARY | cut -d':' -f2)"
-    fi
-    LIB_FILES="$(ldd $BINARY 2>&1 | grep -v 'not a dynamic executable' | awk '{ print $3 }' | grep -E '^/(.*)' || echo)"
-    LDD_FILES="$(ldd $BINARY 2>&1 | grep -v 'not a dynamic executable' | grep 'ld-linux' | awk '{ print $1; }' || echo)"
-    if [ "$LIB_FILES" != "" ]; then
-        for LIB_FILE in $LIB_FILES; do
-            ADD_LIB $LIB_FILE
-        done
-    fi
-    if [ "$LDD_FILES" != "" ]; then
-        for LDD_FILE in $LDD_FILES; do
-            ADD_LIB $LDD_FILE
-        done
-    fi
-    BINARY_DIRECTORY="$(dirname $BINARY)"
-    mkdir -pm 0555 $CHROOT_DIRECTORY$BINARY_DIRECTORY
-    cp $BINARY $CHROOT_DIRECTORY$BINARY
-    chmod 0555 $CHROOT_DIRECTORY$BINARY
-}
-
-function ADD_LIB() {
-    LIB_DIRECTORY="$(dirname $1)"
-    if [[ ! "${ALL_LIB_DIRECTORIES[@]}" =~ "$LIB_DIRECTORY" ]]; then
-        ALL_LIB_DIRECTORIES=(${ALL_LIB_DIRECTORIES[@]} "$LIB_DIRECTORY")
-    fi
-    if [[ ! "${ALL_LIB_FILES[@]}" =~ "$1" ]]; then
-        ALL_LIB_FILES=(${ALL_LIB_FILES[@]} "$1")
-    fi
-}
-
-function CHROOT_LIBRARIES() {
-    for DIRECTORY in ${ALL_LIB_DIRECTORIES[@]}; do
-        mkdir -pm 0555 $CHROOT_DIRECTORY$DIRECTORY
-    done
-    for FILE in ${ALL_LIB_FILES[@]}; do
-        cp $FILE $CHROOT_DIRECTORY$FILE
-        chmod 0555 $CHROOT_DIRECTORY$FILE
-    done
-}
-
 ### variables
 CHROOT_DIRECTORY=$1
-CHROOT_DIRECTORY_STRUCTURE=(
-    '/etc'
-    '/etc/default'
-    '/dev'
-    '/tmp'
-    '/usr'
-    '/usr/share'
-    '/usr/share/bash-completion'
-    '/usr/share/bash-completion/completions'
-    '/usr/bin'
-    '/usr/lib'
-    '/usr/lib/openssh'
-    '/usr/sbin'
-    '/var'
-    '/var/run'
-    '/var/run/mysqld'
-)
-CHROOT_DIRECTORY_TO_CLEAN=(
-    '/bin'
-    '/lib'
-    '/usr/bin'
-    '/usr/lib'
-    '/usr/sbin'
-)
-BINARIES_GENERAL=(
-    '['
-    'awk'
-    'base32'
-    'base64'
-    'basename'
-    'basenc'
-    'bash'
-    'brotli'
-    'bzip2'
-    'cat'
-    'chmod'
-    'cksum'
-    'clear'
-    'comm'
-    'composer'
-    'cp'
-    'csplit'
-    'curl'
-    'cut'
-    'date'
-    'dd'
-    'dirname'
-    'dir'
-    'du'
-    'echo'
-    'egrep'
-    'env'
-    'expand'
-    'expr'
-    'factor'
-    'false'
-    'fgrep'
-    'find'
-    'fmt'
-    'fold'
-    'git'
-    'git-receive-pack'
-    'git-shell'
-    'git-upload-archive'
-    'git-upload-pack'
-    'gpg'
-    'grep'
-    'gunzip'
-    'gzip'
-    'head'
-    'id'
-    'install'
-    'join'
-    'less'
-    'link'
-    'ln'
-    'ls'
-    'md5sum'
-    'mkdir'
-    'mktemp'
-    'mv'
-    'mysql'
-    'mysqldump'
-    'mysqlcheck'
-    'nano'
-    'nl'
-    'nohup'
-    'numfmt'
-    'od'
-    'openssl'
-    'paste'
-    'php8.1'
-    'php8.2'
-    'pr'
-    'printenv'
-    'printf'
-    'ptx'
-    'pwd'
-    'readlink'
-    'realpath'
-    'rm'
-    'rmdir'
-    'rsync'
-    'scp'
-    'sed'
-    'seq'
-    'sftp'
-    'sh'
-    'sha1sum'
-    'sha224sum'
-    'sha256sum'
-    'sha384sum'
-    'sha512sum'
-    'shred'
-    'shuf'
-    'sleep'
-    'sort'
-    'split'
-    'ssh'
-    'stat'
-    'stdbuf'
-    'sum'
-    'tac'
-    'tail'
-    'tar'
-    'test'
-    'tee'
-    'timeout'
-    'touch'
-    'tput'
-    'tr'
-    'true'
-    'truncate'
-    'tsort'
-    'uname'
-    'unexpand'
-    'uniq'
-    'unlink'
-    'unxz'
-    'unzip'
-    'vdir'
-    'vi'
-    'vim'
-    'wc'
-    'wget'
-    'which'
-    'xargs'
-    'xz'
-    'zip'
-    'zopfli'
-    'nologin'
-)
-FILES_GENERAL=(
-    '/etc/hosts'
-    '/etc/hostname'
-    '/etc/resolv.conf'
-    '/etc/nsswitch.conf'
-    '/etc/services'
-    '/etc/protocols'
-    '/etc/locale.alias'
-    '/etc/default/locale'
-    '/etc/localtime'
-    '/etc/profile'
-    '/etc/bash_completion'
-    '/etc/bash.bashrc'
-    '/usr/share/bash-completion/bash_completion'
-    '/usr/share/bash-completion/completions/alias'
-    '/usr/share/bash-completion/completions/bind'
-    '/usr/share/bash-completion/completions/bzip2'
-    '/usr/share/bash-completion/completions/compgen'
-    '/usr/share/bash-completion/completions/complete'
-    '/usr/share/bash-completion/completions/curl'
-    '/usr/share/bash-completion/completions/declare'
-    '/usr/share/bash-completion/completions/export'
-    '/usr/share/bash-completion/completions/find'
-    '/usr/share/bash-completion/completions/function'
-    '/usr/share/bash-completion/completions/git'
-    '/usr/share/bash-completion/completions/gzip'
-    '/usr/share/bash-completion/completions/id'
-    '/usr/share/bash-completion/completions/kill'
-    '/usr/share/bash-completion/completions/mysql'
-    '/usr/share/bash-completion/completions/openssl'
-    '/usr/share/bash-completion/completions/pwd'
-    '/usr/share/bash-completion/completions/rsync'
-    '/usr/share/bash-completion/completions/scp'
-    '/usr/share/bash-completion/completions/sh'
-    '/usr/share/bash-completion/completions/sftp'
-    '/usr/share/bash-completion/completions/tar'
-    '/usr/share/bash-completion/completions/typeset'
-    '/usr/share/bash-completion/completions/wget'
-    '/etc/ld.so.conf'
-)
-DIRECTORIES_GENERAL=(
-    '/usr/lib/git-core'
-    '/usr/share/git-core'
-    '/usr/lib/locale'
-    '/usr/share/i18n'
-    '/etc/ssl'
-    '/usr/lib/ssl'
-    '/usr/share/ca-certificates'
-    '/etc/bash_completion.d'
-    '/usr/share/zoneinfo'
-    '/lib/terminfo'
-    '/usr/share/terminfo'
-    '/usr/lib/php'
-    '/etc/profile.d'
-    '/etc/ld.so.conf.d'
-)
 ### test variables/parameters
 test "$CHROOT_DIRECTORY" != ""
 
 if [ "$2" != "" ]; then
-    CHROOT_BINARY $2
+    jk_cp -j "$CHROOT_DIRECTORY" -k "$2"
-    CHROOT_LIBRARIES
-    ldconfig -r $CHROOT_DIRECTORY
     echo "copied extra binary $2";
     exit 0;
 fi
 
 ### init chroot directory
-mkdir -p $CHROOT_DIRECTORY
+if [[ -d "$CHROOT_DIRECTORY/bin" ]]; then
-chown root:www-data $CHROOT_DIRECTORY
+    chown root:root "$CHROOT_DIRECTORY"
-chmod 550 $CHROOT_DIRECTORY
+    chmod 555 "$CHROOT_DIRECTORY"
-for DIRECTORY in ${CHROOT_DIRECTORY_TO_CLEAN[@]}; do
+    jk_update -j "$CHROOT_DIRECTORY" -k /bin /lib /usr
-    rm -rf $CHROOT_DIRECTORY$DIRECTORY
+else
-done
+    mkdir -p "$CHROOT_DIRECTORY"
-ln -s usr/bin $CHROOT_DIRECTORY/bin
+    chown root:root "$CHROOT_DIRECTORY"
-ln -s usr/lib $CHROOT_DIRECTORY/lib
+    chmod 555 "$CHROOT_DIRECTORY"
-for DIRECTORY in ${CHROOT_DIRECTORY_STRUCTURE[@]}; do
+    jk_init -j "$CHROOT_DIRECTORY" -k custom_hosting
-    mkdir -pm 0555 $CHROOT_DIRECTORY$DIRECTORY
+    chmod 777 "$CHROOT_DIRECTORY/tmp"
-done
+    echo "export HOME=/" > "$CHROOT_DIRECTORY/etc/profile.d/hosting.sh"
-chmod 777 $CHROOT_DIRECTORY/tmp
+    echo "export HISTFILE=/.bash_history" >> "$CHROOT_DIRECTORY/etc/profile.d/hosting.sh"
-# users and groups
+    echo 'export PATH="$PATH:/.composer/vendor/bin"' >> "$CHROOT_DIRECTORY/etc/profile.d/hosting.sh"
-echo "root:x:0:0:root:/root:/bin/bash" > $CHROOT_DIRECTORY/etc/passwd
+fi
-echo "www-data:x:33:33::/var/www:/bin/bash" >> $CHROOT_DIRECTORY/etc/passwd
-echo "root:x:0:" > $CHROOT_DIRECTORY/etc/group
-echo "www-data:x:33:www-data" >> $CHROOT_DIRECTORY/etc/group
-
-# /dev devices
-test -e $CHROOT_DIRECTORY/dev/null      || mknod -m 666 $CHROOT_DIRECTORY/dev/null c 1 3
-test -e $CHROOT_DIRECTORY/dev/zero      || mknod -m 666 $CHROOT_DIRECTORY/dev/zero c 1 5
-test -e $CHROOT_DIRECTORY/dev/tty       || mknod -m 666 $CHROOT_DIRECTORY/dev/tty c 5 0
-test -e $CHROOT_DIRECTORY/dev/random    || mknod -m 644 $CHROOT_DIRECTORY/dev/random c 1 8
-test -e $CHROOT_DIRECTORY/dev/urandom	|| mknod -m 644 $CHROOT_DIRECTORY/dev/urandom c 1 9
-# copy general directories
-for DIRECTORY in ${DIRECTORIES_GENERAL[@]}; do
-    rm -rf $CHROOT_DIRECTORY$DIRECTORY
-    cp -Rp $DIRECTORY $CHROOT_DIRECTORY$DIRECTORY
-done
-echo "export HOME=/" > $CHROOT_DIRECTORY/etc/profile.d/hosting.sh
-echo "export HISTFILE=/.bash_history" >> $CHROOT_DIRECTORY/etc/profile.d/hosting.sh
-echo 'export PATH="$PATH:/.composer/vendor/bin"' >> $CHROOT_DIRECTORY/etc/profile.d/hosting.sh
-# copy general files
-for FILE in ${FILES_GENERAL[@]}; do
-    cp $FILE $CHROOT_DIRECTORY$FILE
-done
-### copy shared libraries and binaries
-# general
-for BINARY in ${BINARIES_GENERAL[@]}; do
-    CHROOT_BINARY $BINARY
-done
-# git
-for BINARY in `find /usr/lib/git-core -type f`; do
-    CHROOT_BINARY $BINARY
-done
-# networking
-for LIB in /lib/*/libnss_*; do
-    ADD_LIB $LIB
-done
-# php
-for LIB in /usr/lib/php/*/*.so; do
-    ADD_LIB $LIB
-done
-CHROOT_LIBRARIES
-ldconfig -r $CHROOT_DIRECTORY
-ln -f $CHROOT_DIRECTORY/usr/bin/php8.2 $CHROOT_DIRECTORY/usr/bin/php