#!/bin/bash
prog=${0##*/}  # script name for the usage line (basename of $0, no fork)
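#######################################
# Print the option summary to stderr and exit.
# Globals:   prog (read) - script name shown in the usage line
# Arguments: $1 - exit status; defaults to 0 when omitted
#######################################
usage() {
  cat >&2 <<EOF
usage: $prog [-h] [-U USERNAME] [-P PASSWORD] [-H HOSTNAME] [-D DOMAIN] [-Z POOL] [-S SHARE] [-A ADDONS] [-F]
installs nasbeery onto your raspberry pi os
-U USERNAME Username for SSH, Cockpit and SMB Login (default: pi)
-P PASSWORD Password for SSH, Cockpit and SMB Login (min. 8 chars, default: password prompt)
-H HOSTNAME Hostname of this nasbeery (default: nasbeery)
-D DOMAIN Domain name of this nasbeery (default: bashclub.lan)
-Z POOL Name of the zpool to create (default: tank)
-S SHARE Name of the SMB share to create (default: share)
-A ADDONS Comma separated list of addons to install (ispconfig, docker)
-F Enforce formatting disks - WARNING: Destroys all existing data
---------------------------------------------------------------------------
(C) 2022 nasbeery installer by bashclub (https://github.com/bashclub)
---------------------------------------------------------------------------
EOF
  # quoted with a default so a bare `usage` cannot run `exit` with no operand
  exit "${1:-0}"
}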
# Installation defaults. Each one can be overridden by a command-line option
# (see getopts below) or by an existing nasbeery.conf. PASSWORD has no
# default: it is either given with -P or asked for interactively.
# ADDONS is currently only recorded in nasbeery.conf.
USERNAME=pi
HOSTNAME=nasbeery
DOMAIN=bashclub.lan
ZPOOL=tank
SHARE=share
ADDONS=
FORMAT=0
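# Command-line options. -A is advertised by usage() and takes an argument,
# so "A:" must be part of the option string (it was missing, which made -A
# an "illegal option"); the stray "I", which had no handler, is dropped.
while getopts "hU:P:H:D:FA:Z:S:" opt; do
  case "$opt" in
    h) usage 0 ;;
    U) USERNAME=$OPTARG ;;
    # -P pre-fills both copies so the interactive prompt is skipped. Note
    # that a password on argv is visible in `ps` and shell history; the
    # prompt or nasbeery.conf avoid that.
    P) PASSWORD=$OPTARG PASSWORD_REPEAT=$OPTARG ;;
    H) HOSTNAME=$OPTARG ;;
    D) DOMAIN=$OPTARG ;;
    F) FORMAT=1 ;;
    A) ADDONS=$OPTARG ;;
    Z) ZPOOL=$OPTARG ;;
    S) SHARE=$OPTARG ;;
    *) usage 1 ;;
  esac
done
shift $((OPTIND-1))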
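# Persist the answers so a later run is non-interactive. An existing file
# wins over command-line options because it is sourced after getopts.
# Sourcing executes the file as shell code, so it must stay operator-owned;
# the explicit ./ prefix keeps `source` from searching $PATH for it first.
conf_file=nasbeery.conf
if [[ -f "$conf_file" ]]; then
  # shellcheck disable=SC1090 — runtime configuration, executed as shell
  source "./$conf_file"
  PASSWORD_REPEAT=$PASSWORD
else
  # printf %q writes each value in a form `source` reads back unchanged
  # (quotes, spaces); the old PASSWORD='$PASSWORD' broke on a single quote.
  # The file carries the clear-text password, hence umask 077 (owner-only).
  # NOTE: a password entered at the prompt below is not written back here.
  (
    umask 077
    {
      printf 'USERNAME=%q\n' "$USERNAME"
      printf 'PASSWORD=%q\n' "$PASSWORD"
      printf 'HOSTNAME=%q\n' "$HOSTNAME"
      printf 'DOMAIN=%q\n' "$DOMAIN"
      printf 'FORMAT=%q\n' "$FORMAT"
      printf 'ADDONS=%q\n' "$ADDONS"
      printf 'ZPOOL=%q\n' "$ZPOOL"
      printf 'SHARE=%q\n' "$SHARE"
    } > "$conf_file"
  )
fi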
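# Change password for Samba and Terminal
# Loop until both entries match and the minimum length is met; -P and the
# conf file pre-fill both variables, so a valid password never opens the
# dialog. whiptail returns non-zero on Cancel/ESC — abort then instead of
# looping forever on the empty answer the old code got back.
# The 3>&1 1>&2 2>&3 swap captures the entry, which whiptail writes to stderr.
while [[ "$PASSWORD" != "$PASSWORD_REPEAT" || ${#PASSWORD} -lt 8 ]]; do
  PASSWORD=$(whiptail --backtitle "NASBEERY SETUP" --title "Set password!" --passwordbox "${PASSWORD_invalid_message}Please set a password for Terminal, Samba and Backupwireless\n(At least 8 characters!):" 10 75 3>&1 1>&2 2>&3) \
    || { echo "Password entry cancelled >> EXIT" >&2; exit 1; }
  PASSWORD_REPEAT=$(whiptail --backtitle "NASBEERY SETUP" --title "Set password!" --passwordbox "Please repeat the Password:" 10 70 3>&1 1>&2 2>&3) \
    || { echo "Password entry cancelled >> EXIT" >&2; exit 1; }
  # shown at the top of the next prompt after a rejected attempt
  PASSWORD_invalid_message="ERROR: Password is too short, or not matching! \n\n"
done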
# check current zfs state
# Only ask when the zfs module is already loaded and -F was not given.
# whiptail's status becomes FORMAT: 0 = keep data, 1 = format, 255 = ESC.
if lsmod | grep -qE '^zfs' && (( FORMAT == 0 )); then
  whiptail --title "Possible data loss!" \
    --backtitle "NASBEERY SETUP" \
    --yes-button "PRESERVE DATA" \
    --no-button "FORMAT DISKS!" \
    --yesno "Would you like to preserve you existing ZFS data from a previous installation?" 10 75
  FORMAT=$?
fi
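# add extra apt keys
echo "Add wsdd apt repo key"
# The key is trusted purely on the TLS connection to pkg.ltec.ch (apt-key is
# deprecated on bullseye but still works). Output is discarded with
# `>/dev/null 2>&1`: the previous `2&>1` passed a literal "2" as an extra
# argument and wrote a file named "1" into the working directory.
sudo apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key >/dev/null 2>&1
# add extra apt repos
echo "Add wsdd apt repo url"
printf 'deb https://pkg.ltec.ch/public/ %s main\n' "$(lsb_release -cs)" | sudo tee -i /etc/apt/sources.list.d/wsdd.list
echo "Add debian bullseye backports repo"
# file name keeps its historical "bulleye" spelling so re-runs overwrite the same file
echo "deb http://ftp.de.debian.org/debian/ bullseye-backports main contrib non-free" | sudo tee -i /etc/apt/sources.list.d/bulleye-backports.list
# pin cockpit to bullseye backports
echo "Configure apt to install cockpit from backports repo"
# quoted delimiter: the pin file contains no shell variables
cat <<'EOF' | sudo tee -i /etc/apt/preferences.d/99-cockpit
Package: cockpit cockpit-*
Pin: release a=bullseye-backports
Pin-Priority: 900
EOF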
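# update system and install packages
#######################################
# Run an apt sub-command non-interactively as root, quietly.
# The DEBIAN_* variables go through `sudo env`: a plain `VAR=x sudo apt` is
# stripped by sudo's env_reset and never reaches apt. Output is discarded
# with `>/dev/null 2>&1` (the old `2&>1` passed "2" as an argument and wrote
# a file named "1" into the working directory).
# Arguments: apt sub-command followed by its arguments
# Returns:   apt's exit status
#######################################
apt_quiet() {
  sudo env DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical \
    apt -y -qq -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" "$@" >/dev/null 2>&1
}
echo "Updating package lists"
sudo apt -qq update
echo "Installing dist-upgrade"
apt_quiet dist-upgrade
echo "Detecting Architecture"
# kernel headers are needed for the zfs-dkms build; pick the package by platform
headers=
if dpkg --get-selections | grep -q "raspberrypi-kernel"; then
  headers="raspberrypi-kernel-headers"
elif dpkg --get-selections | grep -q "linux-image-amd64"; then
  headers="linux-headers-amd64"
fi
echo "Intalling required packages"
packages=(acl samba-dsdb-modules samba-vfs-modules samba wsdd ntpdate git apt-transport-https gnupg2 software-properties-common vim htop zfs-dkms zfsutils-linux zfs-auto-snapshot net-tools dnsutils)
# array instead of an unquoted $headers: an empty headers value adds nothing
[[ -n "$headers" ]] && packages=("$headers" "${packages[@]}")
apt_quiet install "${packages[@]}"
echo "Installing cockpit"
apt_quiet install --no-install-recommends cockpit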
# load the freshly built zfs module, then set the clock before any zfs/ssh work
printf '%s\n' "Activate zfs module"
sudo modprobe zfs
printf '%s\n' "Update time via ntp"
sudo ntpdate-debian -b >/dev/null
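# Act on the format decision: 0 keeps the pool, 1 recreates it, 255 is ESC
# from the whiptail dialog above.
case "$FORMAT" in
  0) echo "Your ZFS Data will be preserved" ;;
  1)
    echo "Existing data on the drives will be deleted..."
    # NOTE(review): the member disks are hard-coded as sda/sdb — presumably the
    # two data disks; confirm the boot device is never one of them.
    sudo zpool destroy "$ZPOOL"
    sudo zpool create -f -o autoexpand=on -o ashift=12 "$ZPOOL" mirror sda sdb
    echo "Regenerate ssh host keys"
    # new keys for this installation, so none carry over from the base image
    sudo rm -f /etc/ssh/ssh_host_*
    sudo ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
    sudo ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
    ;;
  255)
    echo "[ESC] key pressed >> EXIT"
    exit 0
    ;;
esac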
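echo "Hadening ssh service"
echo "Enable the RSA and ED25519 keys"
sudo sed -i 's/^\#HostKey \/etc\/ssh\/ssh_host_\(rsa\|ed25519\)_key$/HostKey \/etc\/ssh\/ssh_host_\1_key/g' /etc/ssh/sshd_config
echo "Remove small Diffie-Hellman moduli"
# keep only moduli of at least 3072 bits (column 5 is the size), then swap the
# filtered copy in; tee runs as root, so the replacement stays root-owned
awk '$5 >= 3071' /etc/ssh/moduli | sudo tee -i /etc/ssh/moduli.safe >/dev/null
sudo mv -f /etc/ssh/moduli.safe /etc/ssh/moduli
echo "Restrict supported key exchange, cipher, and MAC algorithms"
# Quoted heredoc instead of `echo -e`: the lists stay readable and are not
# subject to echo's escape handling. The drop-in only takes effect if
# sshd_config carries `Include /etc/ssh/sshd_config.d/*.conf` (the bullseye
# default) — verify on other bases.
cat <<'EOF' | sudo tee -i /etc/ssh/sshd_config.d/ssh-audit_hardening.conf >/dev/null

# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com
# hardening guide.
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com
EOF
# Say so before the reboot at the end of the script: a rejected sshd config
# on a headless box means no way back in.
sudo sshd -t || echo "WARNING: sshd rejects the new configuration, check /etc/ssh before rebooting" >&2
# `zfs list` exits non-zero when the dataset is missing. The old test compared
# its (redirected, hence always empty) stdout with -gt 0, so the dataset was
# never created.
if ! zfs list "$ZPOOL/$SHARE" >/dev/null 2>&1; then
  echo "Creating $ZPOOL/$SHARE"
  sudo zfs create -o compression=lz4 "$ZPOOL/$SHARE"
fi
echo "Settings permissions on $ZPOOL/$SHARE"
# recursive 770 with group root on the pool root: the share user and root
# get full access, nobody else
sudo chmod -R 770 "/$ZPOOL"
sudo chown -R "$USERNAME:root" "/$ZPOOL"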
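echo "Seting hostname and fqdn"
# Both values are written verbatim into /etc/hostname and /etc/hosts, so
# insist on plain DNS names first — a stray space or newline would corrupt
# /etc/hosts.
if [[ ! "$HOSTNAME" =~ ^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$ ]]; then
  printf 'ERROR: invalid hostname %q\n' "$HOSTNAME" >&2
  exit 1
fi
if [[ ! "$DOMAIN" =~ ^[A-Za-z0-9.-]+$ ]]; then
  printf 'ERROR: invalid domain %q\n' "$DOMAIN" >&2
  exit 1
fi
printf '%s\n' "$HOSTNAME" | sudo tee -i /etc/hostname
# unquoted delimiter on purpose: the FQDN line expands $HOSTNAME/$DOMAIN
cat <<EOF | sudo tee -i /etc/hosts
# Host addresses
127.0.0.1 localhost
127.0.1.1 $HOSTNAME.$DOMAIN $HOSTNAME
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
EOF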
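echo "Configuring user"
# useradd only when the account is missing (the default "pi" already exists)
id "$USERNAME" >/dev/null 2>&1 || sudo useradd "$USERNAME"
# chpasswd reads "user:password" from stdin, so the secret never shows up in argv
printf '%s:%s\n' "$USERNAME" "$PASSWORD" | sudo chpasswd
# Drop any stale SMB entry, then add the account; -s makes smbpasswd read the
# new password (twice) from stdin. Everything is quoted: the previous
# unquoted `echo $PASSWORD` word-split and globbed the password.
sudo smbpasswd -x "$USERNAME" >/dev/null 2>&1
printf '%s\n%s\n' "$PASSWORD" "$PASSWORD" | sudo smbpasswd -s -a "$USERNAME"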
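echo "Install or update cockpit zfs manager"
# Unpinned clone of the upstream default branch: whatever is at HEAD at run
# time gets copied into /usr/share/cockpit and served by cockpit as root.
czm_src=/usr/src/cockpit-zfs-manager
if [[ -d "$czm_src" ]]; then
  # git -C avoids a `cd` that would silently change the cwd for the rest of
  # the script (nasbeery.conf is addressed relative to it)
  sudo git -C "$czm_src" config pull.rebase true
  sudo git -C "$czm_src" pull
else
  sudo git clone https://github.com/45drives/cockpit-zfs-manager.git "$czm_src"
fi
sudo cp -r "$czm_src/zfs" /usr/share/cockpit
sudo mkdir -p /etc/cockpit/zfs/shares /etc/cockpit/zfs/snapshots
echo "Writing cockpit configuration"
# quoted delimiter: the JSON contains no shell variables
cat <<'EOF' | sudo tee -i /etc/cockpit/zfs/config.json
{
"#1": "COCKPIT ZFS MANAGER",
"#2": "WARNING: DO NOT EDIT, AUTO-GENERATED CONFIGURATION",
"cockpit": {
"manage": true
},
"disks": {
"base2": false
},
"loglevel": "2",
"samba": {
"manage": true,
"windowscompatibility": true
},
"updates": {
"check": true
},
"zfs": {
"filesystem": {
"cloneorigin": false,
"quotarestrict": true,
"readonlylockdown": false,
"snapshotactions": true
},
"snapshot": {
"filesystemlist": true
},
"status": {
"errorcolors": true,
"trimunsupported": false
},
"storagepool": {
"activetab": 1,
"boot": true,
"bootlockdown": true,
"count": true,
"refreshall": false,
"root": true
}
}
}
EOF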
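# Create the share list only when it is missing. The old `ls` test read as
# inverted: it skipped a missing file and, on re-runs, overwrote an existing
# shares.conf with just the header — presumably not what was intended.
if [[ ! -f /etc/cockpit/zfs/shares.conf ]]; then
  echo "Creating cockpit zfs shares conf"
  cat <<'EOF' | sudo tee -i /etc/cockpit/zfs/shares.conf
# COCKPIT ZFS MANAGER
# WARNING: DO NOT EDIT, AUTO-GENERATED CONFIGURATION
EOF
fi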
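echo "Configure zfs-auto-snapshot: change retention from 24 to 48h and 12 to 3 months"
# Match the --keep option only; a bare `s/24/48/g` would also rewrite any
# other "24"/"12" in the cron scripts. Re-runs are no-ops (no 24/12 left).
sudo sed -i 's/--keep=24\b/--keep=48/' /etc/cron.hourly/zfs-auto-snapshot
sudo sed -i 's/--keep=12\b/--keep=3/' /etc/cron.monthly/zfs-auto-snapshot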
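echo "Configure RAID led"
# Cron job that mirrors pool health onto GPIO 14 once a minute. Written with a
# quoted heredoc so `$?` reaches the cron file verbatim: the previous
# `echo -e '... \$? ...'` left the backslash in the file (echo -e knows no
# `\$` escape), so cron's shell wrote the literal string "$?" to the gpio.
# NOTE(review): `zpool import -fa` forces an import of every visible pool
# each minute — confirm that is intended rather than a one-off.
cat <<'EOF' | sudo tee -i /etc/cron.d/raidled
PATH="/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin"
*/1 * * * * root echo 14 > /sys/class/gpio/export 2> /dev/null;echo out > /sys/class/gpio/gpio14/direction ; zpool import -fa -d /dev/ > /dev/null; zpool list| grep -q ONLINE; echo $? > /sys/class/gpio/gpio14/value
EOF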
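echo "Write samba server configuration"
# Unquoted delimiter on purpose: [$SHARE] and path expand. Backslashes in the
# passwd chat / snapprefix lines are kept by the heredoc because they do not
# precede $, ` or \. The first "passwd chat" token was `\password` (missing
# the `\s` that the Debian default uses), which would break unix password
# sync; fixed to `\spassword` to match the second prompt.
cat <<EOF | sudo tee -i /etc/samba/smb.conf
[global]
workgroup = WORKGROUP
log file = /var/log/samba/log.%m
max log size = 1000
logging = file
panic action = /usr/share/samba/panic-action %d
server role = standalone server
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
vfs objects = shadow_copy2
shadow: snapdir = .zfs/snapshot
shadow: sort = desc
shadow: format = -%Y-%m-%d-%H%M
shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}
shadow: delimiter = -20
[$SHARE]
comment = Main Share
path = /$ZPOOL/$SHARE
read only = No
create mask = 0660
directory mask = 0770
EOF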
printf '%s\n' "Restart samba services"
# enable only — the reboot that follows starts smbd, nmbd and wsdd
sudo systemctl enable smbd nmbd wsdd
banner="############################################"
printf '%s\n' "$banner" "nasbeery installation finished! rebooting..." "$banner"
sudo reboot