#!/bin/bash prog="$(basename "$0")" usage() { cat >&2 <<-EOF usage: $prog [-h] [-U USERNAME] [-P PASSWORD] [-H HOSTNAME] [-D DOMAIN] [-Z POOL] [-S SHARE] [-A ADDONS] [-F] installs nasbeery onto your raspberry pi os -U USERNAME Username for SSH, Cockpit and SMB Login (default: pi) -P PASSWORD Password for SSH, Cockpit and SMB Login (min. 8 chars, default: password prompt) -H HOSTNAME Hostname of this nasbeery (default: nasbeery) -D DOMAIN Domain name of this nasbeery (default: bashclub.lan) -S SHARE Name of the SMB share to create (default: share) -A ADDONS Comma separated list of addons to install (ispconfig, docker) -F Enforce formatting disks - WARNING: Destroys all existing data --------------------------------------------------------------------------- (C) 2022 nasbeery installer by bashclub (https://github.com/bashclub) --------------------------------------------------------------------------- EOF exit $1 } USERNAME=nasbeery HOSTNAME=nasbeery DOMAIN=bashclub.lan FORMAT=0 ADDONS= ZPOOL=tank SHARE=share BASE_REPO=https://github.com/bashclub/nasbeery while getopts "hU:P:H:D:FIZ:S:" opt; do case $opt in h) usage 0 ;; U) USERNAME=$OPTARG ;; P) PASSWORD=$OPTARG PASSWORD_REPEAT=$OPTARG ;; H) HOSTNAME=$OPTARG ;; D) DOMAIN=$OPTARG ;; F) FORMAT=1 ;; A) ADDONS=$OPTARG ;; S) SHARE=$OPTARG ;; *) usage 1 ;; esac done shift $((OPTIND-1)) if [[ $(ls nasbeery.conf) ]]; then source nasbeery.conf else cat << EOF > nasbeery.conf USERNAME=$USERNAME HOSTNAME=$HOSTNAME DOMAIN=$DOMAIN FORMAT=$FORMAT ADDONS=$ADDONS SHARE=$SHARE EOF fi # Change password for Samba and Terminal while [[ "$PASSWORD" != "$PASSWORD_REPEAT" || ${#PASSWORD} -lt 8 ]]; do PASSWORD=$(whiptail --backtitle "NASBEERY SETUP" --title "Set password!" --passwordbox "${PASSWORD_invalid_message}Please set a password for Terminal, Samba and Backupwireless\n(At least 8 characters!):" 10 75 3>&1 1>&2 2>&3) PASSWORD_REPEAT=$(whiptail --backtitle "NASBEERY SETUP" --title "Set password!" --passwordbox "Please repeat the Password:" 10 70 3>&1 1>&2 2>&3) PASSWORD_invalid_message="ERROR: Password is too short, or not matching! \n\n" done # check current zfs state if [[ $(lsmod | grep -E ^zfs) ]] && [[ $FORMAT -eq 0 ]]; then # module is loaded whiptail --title "Possible data loss!" \ --backtitle "NASBEERY SETUP" \ --yes-button "PRESERVE DATA" \ --no-button "FORMAT DISKS!" \ --yesno "Would you like to preserve you existing ZFS data from a previous installation?" 10 75 FORMAT=$? fi echo "Add debian bullseye backports repo" echo "deb http://ftp.de.debian.org/debian/ bullseye-backports main contrib non-free" | tee -i /etc/apt/sources.list.d/bulleye-backports.list # pin cockpit to buster backports echo "Configure apt to install cockpit from backports repo" cat << EOF | tee -i /etc/apt/preferences.d/99-cockpit Package: cockpit cockpit-* Pin: release a=bullseye-backports Pin-Priority: 900 EOF # update system and install packages echo "Updating package lists" apt -qq update echo "Installing dist-upgrade" DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" dist-upgrade echo "Detecting Architecture" if [[ $(dpkg --get-selections | grep -m1 "raspberrypi-kernel") ]]; then headers="raspberrypi-kernel-headers" elif [[ $(dpkg --get-selections | grep -E -m1 "linux-image-current-rockchip64") ]]; then headers="linux-headers-current-rockchip64" elif [[ $(dpkg --get-selections | grep -E -m1 "linux-image-current-meson64") ]]; then headers="linux-headers-current-meson64" elif [[ $(dpkg --get-selections | grep -E -m1 "linux-image-edge-meson64") ]]; then headers="linux-headers-edge-meson64" elif [[ $(dpkg --get-selections | grep -m1 "linux-image-amd64") ]]; then headers="linux-headers-amd64" fi echo "Intalling required packages" DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" install $headers ntpdate git apt-transport-https gnupg2 software-properties-common vim htop net-tools dnsutils # add extra apt keys echo "Add wsdd apt repo key" wget -O - https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key | gpg --dearmor | tee -i /etc/apt/trusted.gpg.d/wsdd.gpg # add extra apt repos echo "Add wsdd apt repo url" echo "deb [signed-by=/etc/apt/trusted.gpg.d/wsdd.gpg] https://pkg.ltec.ch/public/ $(lsb_release -cs) main" | tee -i /etc/apt/sources.list.d/wsdd.list echo "add 45drives repo key" wget -O - https://repo.45drives.com/key/gpg.asc | gpg --dearmor | tee -i /etc/apt/trusted.gpg.d/45drives.gpg echo "Add 45drives apt repo url" echo "deb [signed-by=/etc/apt/trusted.gpg.d/45drives.gpg arch=amd64] https://repo.45drives.com/debian focal main" > /etc/apt/sources.list.d/45drives.list echo "Updating package lists" apt -qq update echo "Installing zfs" DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" install --no-install-recommends zfs-dkms zfsutils-linux zfs-auto-snapshot echo "Installing samba" DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" install -t bullseye-backports acl samba-dsdb-modules samba-vfs-modules samba winbind wsdd echo "Installing cockpit" DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" install --no-install-recommends cockpit cockpit-identities cockpit-file-sharing cockpit-navigator cockpit-zfs-manager cockpit-benchmark echo "Activate zfs module" modprobe zfs echo "Update time via ntp" ntpdate-debian -b > /dev/null rootfs=$(grep " / " /proc/mounts | cut -d'/' -f3) zdisks=$(echo $(lsblk -nd -I 8,259 -o name | grep -v $rootfs) | cut -d' ' -f1-2) case $FORMAT in 0) echo "Your ZFS Data will be preserved";; 1) echo "Existing data on the drives will be deleted..." zpool destroy $ZPOOL zpool create -f -o autoexpand=on -o ashift=12 $ZPOOL mirror $zdisks echo "Regenerate ssh host keys" rm -f /etc/ssh/ssh_host_* ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N "" ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N "" ;; 255) echo "[ESC] key pressed >> EXIT" && exit;; esac echo "Hadening ssh service" echo "Enable the RSA and ED25519 keys" sed -i 's/^\#HostKey \/etc\/ssh\/ssh_host_\(rsa\|ed25519\)_key$/HostKey \/etc\/ssh\/ssh_host_\1_key/g' /etc/ssh/sshd_config echo "Remove small Diffie-Hellman moduli" awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe mv -f /etc/ssh/moduli.safe /etc/ssh/moduli echo "Restrict supported key exchange, cipher, and MAC algorithms" echo -e "\n# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nKexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\nHostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com" | tee -i /etc/ssh/sshd_config.d/ssh-audit_hardening.conf if [ ! $(zfs list $ZPOOL/$SHARE) ] ; then echo "Creating $ZPOOL/$SHARE" zfs create -o compression=lz4 $ZPOOL/$SHARE fi echo "Settings permissions on $ZPOOL/$SHARE" chmod -R 770 /$ZPOOL chown -R $USERNAME:root /$ZPOOL echo "Seting hostname and fqdn" echo "$HOSTNAME" | tee -i /etc/hostname cat << EOF | tee -i /etc/hosts # Host addresses 127.0.0.1 localhost 127.0.1.1 $HOSTNAME.$DOMAIN $HOSTNAME ::1 localhost ip6-localhost ip6-loopback ff02::1 ip6-allnodes ff02::2 ip6-allrouters EOF echo "Configuring user" useradd $USERNAME echo "$USERNAME:$PASSWORD" | chpasswd smbpasswd -x $USERNAME (echo $PASSWORD; echo $PASSWORD) | smbpasswd -a $USERNAME usermod -aG $USERNAME echo "Writing cockpit configuration" cat << EOF | tee -i /etc/cockpit/zfs/config.json { "#1": "COCKPIT ZFS MANAGER", "#2": "WARNING: DO NOT EDIT, AUTO-GENERATED CONFIGURATION", "cockpit": { "manage": true }, "disks": { "base2": false }, "loglevel": "2", "samba": { "manage": true, "windowscompatibility": true }, "updates": { "check": true }, "zfs": { "filesystem": { "cloneorigin": false, "quotarestrict": true, "readonlylockdown": false, "snapshotactions": true }, "snapshot": { "filesystemlist": true }, "status": { "errorcolors": true, "trimunsupported": false }, "storagepool": { "activetab": 1, "boot": true, "bootlockdown": true, "count": true, "refreshall": false, "root": true } } } EOF if [ -f /etc/cockpit/zfs/shares.conf ]; then echo "Creating cockpit zfs shares conf" mkdir -p /etc/cockpit/zfs/ cat << EOF | tee -i /etc/cockpit/zfs/shares.conf # COCKPIT ZFS MANAGER # WARNING: DO NOT EDIT, AUTO-GENERATED CONFIGURATION EOF fi echo "Configure zfs-auto-snapshot: change retention from 24 to 48h and 12 to 3 months" sed -i 's/24/48/g' /etc/cron.hourly/zfs-auto-snapshot sed -i 's/12/3/g' /etc/cron.monthly/zfs-auto-snapshot echo "Configure RAID led" echo -e 'PATH="/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin"\n*/1 * * * * root echo 14 > /sys/class/gpio/export 2> /dev/null;echo out > /sys/class/gpio/gpio14/direction ; zpool import -fa -d /dev/ > /dev/null; zpool list| grep -q ONLINE; echo \$? > /sys/class/gpio/gpio14/value' | tee -i /etc/cron.d/raidled echo "Write samba server configuration" cat << EOF | tee -i /etc/samba/smb.conf [global] include = registry EOF cat << EOF | tee -i /etc/samba/import.template [global] workgroup = WORKGROUP log file = /var/log/samba/log.%m max log size = 1000 logging = file panic action = /usr/share/samba/panic-action %d server role = standalone server obey pam restrictions = yes unix password sync = yes passwd program = /usr/bin/passwd %u passwd chat = *Enter\snew\s*\password:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . pam password change = yes map to guest = bad user vfs objects = shadow_copy2 shadow: snapdir = .zfs/snapshot shadow: sort = desc shadow: format = -%Y-%m-%d-%H%M shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\} shadow: delimiter = -20 [$SHARE] comment = Main Share path = /$ZPOOL/$SHARE read only = No create mask = 0660 directory mask = 0770 EOF net conf import /etc/samba/import.template #### PLUGIN INSTALLATION #### for addon in $ADDONS; do wget -O ./$addon $base_repo/raw/main/plugins/$addon bash ./$addon -Z $ZPOOL done echo "Restart samba services" systemctl enable smbd nmbd wsdd echo "############################################" echo "nasbeery installation finished! rebooting..." echo "############################################" reboot