Migrate samba to 45drives cockpit integration #1
@ -76,24 +76,24 @@ fi
|
||||
|
||||
# add extra apt keys
|
||||
echo "Add wsdd apt repo key"
|
||||
sudo apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
|
||||
wget -O - https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key | tee -i /etc/apt/trusted.gpg.d/wsdd.gpg
|
||||
|
||||
# add extra apt repos
|
||||
echo "Add wsdd apt repo url"
|
||||
echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" | sudo tee -i /etc/apt/sources.list.d/wsdd.list
|
||||
echo "deb [signed-by=/etc/apt/trusted.gpg.d/wsdd.gpg] https://pkg.ltec.ch/public/ $(lsb_release -cs) main" | tee -i /etc/apt/sources.list.d/wsdd.list
|
||||
|
||||
echo "add 45drives repo key"
|
||||
apt-key adv --fetch-keys https://repo.45drives.com/key/gpg.asc
|
||||
wget -O - https://repo.45drives.com/key/gpg.asc | tee -i /etc/apt/trusted.gpg.d/45drives.gpg
|
||||
|
||||
echo "Add 45drives apt repo url"
|
||||
echo "deb https://repo.45drives.com/debian focal main" > /etc/apt/sources.list.d/45drives.list
|
||||
echo "deb [signed-by=/etc/apt/trusted.gpg.d/45drives.gpg,arch=amd64] https://repo.45drives.com/debian focal main" > /etc/apt/sources.list.d/45drives.list
|
||||
|
||||
echo "Add debian bullseye backports repo"
|
||||
echo "deb http://ftp.de.debian.org/debian/ bullseye-backports main contrib non-free" | sudo tee -i /etc/apt/sources.list.d/bulleye-backports.list
|
||||
echo "deb http://ftp.de.debian.org/debian/ bullseye-backports main contrib non-free" | tee -i /etc/apt/sources.list.d/bulleye-backports.list
|
||||
|
||||
# pin cockpit to buster backports
|
||||
echo "Configure apt to install cockpit from backports repo"
|
||||
cat << EOF | sudo tee -i /etc/apt/preferences.d/99-cockpit
|
||||
cat << EOF | tee -i /etc/apt/preferences.d/99-cockpit
|
||||
Package: cockpit cockpit-*
|
||||
Pin: release a=bullseye-backports
|
||||
Pin-Priority: 900
|
||||
@ -101,9 +101,9 @@ EOF
|
||||
|
||||
# update system and install packages
|
||||
echo "Updating package lists"
|
||||
sudo apt -qq update
|
||||
apt -qq update
|
||||
echo "Installing dist-upgrade"
|
||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical sudo apt -y -qq -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" dist-upgrade
|
||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" dist-upgrade
|
||||
echo "Detecting Architecture"
|
||||
if [[ $(dpkg --get-selections | grep -m1 "raspberrypi-kernel") ]]; then
|
||||
headers="raspberrypi-kernel-headers"
|
||||
@ -117,50 +117,50 @@ elif [[ $(dpkg --get-selections | grep -m1 "linux-image-amd64") ]]; then
|
||||
headers="linux-headers-amd64"
|
||||
fi
|
||||
echo "Intalling required packages"
|
||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical sudo apt -y -qq -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" install $headers wsdd ntpdate git apt-transport-https gnupg2 software-properties-common vim htop net-tools dnsutils
|
||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical sudo apt -y -qq -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" install -t bullseye-backports acl samba-dsdb-modules samba-vfs-modules samba zfs-dkms zfsutils-linux zfs-auto-snapshot wsdd
|
||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" install $headers wsdd ntpdate git apt-transport-https gnupg2 software-properties-common vim htop net-tools dnsutils
|
||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" install -t bullseye-backports acl samba-dsdb-modules samba-vfs-modules samba zfs-dkms zfsutils-linux zfs-auto-snapshot wsdd
|
||||
echo "Installing cockpit"
|
||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical sudo apt -y -qq -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" install --no-install-recommends cockpit cockpit-identities cockpit-file-sharing cockpit-navigator cockpit-zfs-manager cockpit-benchmark
|
||||
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" install --no-install-recommends cockpit cockpit-identities cockpit-file-sharing cockpit-navigator cockpit-zfs-manager cockpit-benchmark
|
||||
|
||||
echo "Activate zfs module"
|
||||
sudo modprobe zfs
|
||||
modprobe zfs
|
||||
|
||||
echo "Update time via ntp"
|
||||
sudo ntpdate-debian -b > /dev/null
|
||||
ntpdate-debian -b > /dev/null
|
||||
|
||||
case $FORMAT in
|
||||
0) echo "Your ZFS Data will be preserved";;
|
||||
1) echo "Existing data on the drives will be deleted..."
|
||||
sudo zpool destroy $ZPOOL
|
||||
sudo zpool create -f -o autoexpand=on -o ashift=12 $ZPOOL mirror sda sdb
|
||||
zpool destroy $ZPOOL
|
||||
zpool create -f -o autoexpand=on -o ashift=12 $ZPOOL mirror sda sdb
|
||||
echo "Regenerate ssh host keys"
|
||||
sudo rm -f /etc/ssh/ssh_host_*
|
||||
sudo ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
|
||||
sudo ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
|
||||
rm -f /etc/ssh/ssh_host_*
|
||||
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
|
||||
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
|
||||
;;
|
||||
255) echo "[ESC] key pressed >> EXIT" && exit;;
|
||||
esac
|
||||
|
||||
echo "Hadening ssh service"
|
||||
echo "Enable the RSA and ED25519 keys"
|
||||
sudo sed -i 's/^\#HostKey \/etc\/ssh\/ssh_host_\(rsa\|ed25519\)_key$/HostKey \/etc\/ssh\/ssh_host_\1_key/g' /etc/ssh/sshd_config
|
||||
sed -i 's/^\#HostKey \/etc\/ssh\/ssh_host_\(rsa\|ed25519\)_key$/HostKey \/etc\/ssh\/ssh_host_\1_key/g' /etc/ssh/sshd_config
|
||||
echo "Remove small Diffie-Hellman moduli"
|
||||
awk '$5 >= 3071' /etc/ssh/moduli | sudo tee -i /etc/ssh/moduli.safe
|
||||
sudo mv -f /etc/ssh/moduli.safe /etc/ssh/moduli
|
||||
awk '$5 >= 3071' /etc/ssh/moduli | tee -i /etc/ssh/moduli.safe
|
||||
mv -f /etc/ssh/moduli.safe /etc/ssh/moduli
|
||||
echo "Restrict supported key exchange, cipher, and MAC algorithms"
|
||||
echo -e "\n# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nKexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\nHostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com" | sudo tee -i /etc/ssh/sshd_config.d/ssh-audit_hardening.conf
|
||||
echo -e "\n# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nKexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\nHostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com" | tee -i /etc/ssh/sshd_config.d/ssh-audit_hardening.conf
|
||||
|
||||
if [ ! $(zfs list $ZPOOL/$SHARE) ] ; then
|
||||
echo "Creating $ZPOOL/$SHARE"
|
||||
sudo zfs create -o compression=lz4 $ZPOOL/$SHARE
|
||||
zfs create -o compression=lz4 $ZPOOL/$SHARE
|
||||
fi
|
||||
echo "Settings permissions on $ZPOOL/$SHARE"
|
||||
sudo chmod -R 770 /$ZPOOL
|
||||
sudo chown -R $USERNAME:root /$ZPOOL
|
||||
chmod -R 770 /$ZPOOL
|
||||
chown -R $USERNAME:root /$ZPOOL
|
||||
|
||||
echo "Seting hostname and fqdn"
|
||||
echo "$HOSTNAME" | sudo tee -i /etc/hostname
|
||||
cat << EOF | sudo tee -i /etc/hosts
|
||||
echo "$HOSTNAME" | tee -i /etc/hostname
|
||||
cat << EOF | tee -i /etc/hosts
|
||||
# Host addresses
|
||||
127.0.0.1 localhost
|
||||
127.0.1.1 $HOSTNAME.$DOMAIN $HOSTNAME
|
||||
@ -170,14 +170,14 @@ ff02::2 ip6-allrouters
|
||||
EOF
|
||||
|
||||
echo "Configuring user"
|
||||
sudo useradd $USERNAME
|
||||
echo "$USERNAME:$PASSWORD" | sudo chpasswd
|
||||
sudo smbpasswd -x $USERNAME
|
||||
(echo $PASSWORD; echo $PASSWORD) | sudo smbpasswd -a $USERNAME
|
||||
usermod -aG sudo $USERNAME
|
||||
useradd $USERNAME
|
||||
echo "$USERNAME:$PASSWORD" | chpasswd
|
||||
smbpasswd -x $USERNAME
|
||||
(echo $PASSWORD; echo $PASSWORD) | smbpasswd -a $USERNAME
|
||||
usermod -aG $USERNAME
|
||||
|
||||
echo "Writing cockpit configuration"
|
||||
cat << EOF | sudo tee -i /etc/cockpit/zfs/config.json
|
||||
cat << EOF | tee -i /etc/cockpit/zfs/config.json
|
||||
{
|
||||
"#1": "COCKPIT ZFS MANAGER",
|
||||
"#2": "WARNING: DO NOT EDIT, AUTO-GENERATED CONFIGURATION",
|
||||
@ -223,26 +223,26 @@ EOF
|
||||
|
||||
if [[ $(ls /etc/cockpit/zfs/shares.conf) ]]; then
|
||||
echo "Creating cockpit zfs shares conf"
|
||||
cat << EOF | sudo tee -i /etc/cockpit/zfs/shares.conf
|
||||
cat << EOF | tee -i /etc/cockpit/zfs/shares.conf
|
||||
# COCKPIT ZFS MANAGER
|
||||
# WARNING: DO NOT EDIT, AUTO-GENERATED CONFIGURATION
|
||||
EOF
|
||||
fi
|
||||
|
||||
echo "Configure zfs-auto-snapshot: change retention from 24 to 48h and 12 to 3 months"
|
||||
sudo sed -i 's/24/48/g' /etc/cron.hourly/zfs-auto-snapshot
|
||||
sudo sed -i 's/12/3/g' /etc/cron.monthly/zfs-auto-snapshot
|
||||
sed -i 's/24/48/g' /etc/cron.hourly/zfs-auto-snapshot
|
||||
sed -i 's/12/3/g' /etc/cron.monthly/zfs-auto-snapshot
|
||||
|
||||
echo "Configure RAID led"
|
||||
echo -e 'PATH="/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin"\n*/1 * * * * root echo 14 > /sys/class/gpio/export 2> /dev/null;echo out > /sys/class/gpio/gpio14/direction ; zpool import -fa -d /dev/ > /dev/null; zpool list| grep -q ONLINE; echo \$? > /sys/class/gpio/gpio14/value' | sudo tee -i /etc/cron.d/raidled
|
||||
echo -e 'PATH="/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin"\n*/1 * * * * root echo 14 > /sys/class/gpio/export 2> /dev/null;echo out > /sys/class/gpio/gpio14/direction ; zpool import -fa -d /dev/ > /dev/null; zpool list| grep -q ONLINE; echo \$? > /sys/class/gpio/gpio14/value' | tee -i /etc/cron.d/raidled
|
||||
|
||||
echo "Write samba server configuration"
|
||||
cat << EOF | sudo tee -i /etc/samba/smb.conf
|
||||
cat << EOF | tee -i /etc/samba/smb.conf
|
||||
[global]
|
||||
include = registry
|
||||
EOF
|
||||
|
||||
cat << EOF | sudo tee -i /etc/samba/import.templates
|
||||
cat << EOF | tee -i /etc/samba/import.templates
|
||||
[global]
|
||||
workgroup = WORKGROUP
|
||||
log file = /var/log/samba/log.%m
|
||||
@ -282,9 +282,9 @@ for addon in $ADDONS; do
|
||||
done
|
||||
|
||||
echo "Restart samba services"
|
||||
sudo systemctl enable smbd nmbd wsdd
|
||||
systemctl enable smbd nmbd wsdd
|
||||
|
||||
echo "############################################"
|
||||
echo "nasbeery installation finished! rebooting..."
|
||||
echo "############################################"
|
||||
sudo reboot
|
||||
reboot
|
||||
|
||||
Loading…
Reference in New Issue
Block a user