291 lines
11 KiB
Bash
291 lines
11 KiB
Bash
#!/bin/bash
|
|
prog="$(basename "$0")"
|
|
|
|
usage() {
|
|
cat >&2 <<-EOF
|
|
usage: $prog [-h] [-U USERNAME] [-P PASSWORD] [-H HOSTNAME] [-D DOMAIN] [-Z POOL] [-S SHARE] [-A ADDONS] [-F]
|
|
installs nasbeery onto your raspberry pi os
|
|
-U USERNAME Username for SSH, Cockpit and SMB Login (default: pi)
|
|
-P PASSWORD Password for SSH, Cockpit and SMB Login (min. 8 chars, default: password prompt)
|
|
-H HOSTNAME Hostname of this nasbeery (default: nasbeery)
|
|
-D DOMAIN Domain name of this nasbeery (default: bashclub.lan)
|
|
-S SHARE Name of the SMB share to create (default: share)
|
|
-A ADDONS Comma separated list of addons to install (ispconfig, docker)
|
|
-F Enforce formatting disks - WARNING: Destroys all existing data
|
|
---------------------------------------------------------------------------
|
|
(C) 2022 nasbeery installer by bashclub (https://github.com/bashclub)
|
|
---------------------------------------------------------------------------
|
|
EOF
|
|
exit $1
|
|
}
|
|
|
|
USERNAME=nasbeery
|
|
HOSTNAME=nasbeery
|
|
DOMAIN=bashclub.lan
|
|
FORMAT=0
|
|
ADDONS=
|
|
ZPOOL=tank
|
|
SHARE=share
|
|
BASE_REPO=https://github.com/bashclub/nasbeery
|
|
|
|
while getopts "hU:P:H:D:FIZ:S:" opt; do
|
|
case $opt in
|
|
h) usage 0 ;;
|
|
U) USERNAME=$OPTARG ;;
|
|
P) PASSWORD=$OPTARG PASSWORD_REPEAT=$OPTARG ;;
|
|
H) HOSTNAME=$OPTARG ;;
|
|
D) DOMAIN=$OPTARG ;;
|
|
F) FORMAT=1 ;;
|
|
A) ADDONS=$OPTARG ;;
|
|
S) SHARE=$OPTARG ;;
|
|
*) usage 1 ;;
|
|
esac
|
|
done
|
|
shift $((OPTIND-1))
|
|
|
|
if [[ $(ls nasbeery.conf) ]]; then
|
|
source nasbeery.conf
|
|
else
|
|
cat << EOF > nasbeery.conf
|
|
USERNAME=$USERNAME
|
|
HOSTNAME=$HOSTNAME
|
|
DOMAIN=$DOMAIN
|
|
FORMAT=$FORMAT
|
|
ADDONS=$ADDONS
|
|
SHARE=$SHARE
|
|
EOF
|
|
fi
|
|
|
|
# Change password for Samba and Terminal
|
|
while [[ "$PASSWORD" != "$PASSWORD_REPEAT" || ${#PASSWORD} -lt 8 ]]; do
|
|
PASSWORD=$(whiptail --backtitle "NASBEERY SETUP" --title "Set password!" --passwordbox "${PASSWORD_invalid_message}Please set a password for Terminal, Samba and Backupwireless\n(At least 8 characters!):" 10 75 3>&1 1>&2 2>&3)
|
|
PASSWORD_REPEAT=$(whiptail --backtitle "NASBEERY SETUP" --title "Set password!" --passwordbox "Please repeat the Password:" 10 70 3>&1 1>&2 2>&3)
|
|
PASSWORD_invalid_message="ERROR: Password is too short, or not matching! \n\n"
|
|
done
|
|
|
|
# check current zfs state
|
|
if [[ $(lsmod | grep -E ^zfs) ]] && [[ $FORMAT -eq 0 ]]; then
|
|
# module is loaded
|
|
whiptail --title "Possible data loss!" \
|
|
--backtitle "NASBEERY SETUP" \
|
|
--yes-button "PRESERVE DATA" \
|
|
--no-button "FORMAT DISKS!" \
|
|
--yesno "Would you like to preserve you existing ZFS data from a previous installation?" 10 75
|
|
FORMAT=$?
|
|
fi
|
|
|
|
# add extra apt keys
|
|
echo "Add wsdd apt repo key"
|
|
sudo apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
|
|
|
|
# add extra apt repos
|
|
echo "Add wsdd apt repo url"
|
|
echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" | sudo tee -i /etc/apt/sources.list.d/wsdd.list
|
|
|
|
echo "add 45drives repo key"
|
|
apt-key adv --fetch-keys https://repo.45drives.com/key/gpg.asc
|
|
|
|
echo "Add 45drives apt repo url"
|
|
echo "deb https://repo.45drives.com/debian focal main" > /etc/apt/sources.list.d/45drives.list
|
|
|
|
echo "Add debian bullseye backports repo"
|
|
echo "deb http://ftp.de.debian.org/debian/ bullseye-backports main contrib non-free" | sudo tee -i /etc/apt/sources.list.d/bulleye-backports.list
|
|
|
|
# pin cockpit to buster backports
|
|
echo "Configure apt to install cockpit from backports repo"
|
|
cat << EOF | sudo tee -i /etc/apt/preferences.d/99-cockpit
|
|
Package: cockpit cockpit-*
|
|
Pin: release a=bullseye-backports
|
|
Pin-Priority: 900
|
|
EOF
|
|
|
|
# update system and install packages
|
|
echo "Updating package lists"
|
|
sudo apt -qq update
|
|
echo "Installing dist-upgrade"
|
|
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical sudo apt -y -qq -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" dist-upgrade
|
|
echo "Detecting Architecture"
|
|
if [[ $(dpkg --get-selections | grep -m1 "raspberrypi-kernel") ]]; then
|
|
headers="raspberrypi-kernel-headers"
|
|
elif [[ $(dpkg --get-selections | grep -E -m1 "linux-image-current-rockchip64") ]]; then
|
|
headers="linux-headers-current-rockchip64"
|
|
elif [[ $(dpkg --get-selections | grep -E -m1 "linux-image-current-meson64") ]]; then
|
|
headers="linux-headers-current-meson64"
|
|
elif [[ $(dpkg --get-selections | grep -E -m1 "linux-image-edge-meson64") ]]; then
|
|
headers="linux-headers-edge-meson64"
|
|
elif [[ $(dpkg --get-selections | grep -m1 "linux-image-amd64") ]]; then
|
|
headers="linux-headers-amd64"
|
|
fi
|
|
echo "Intalling required packages"
|
|
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical sudo apt -y -qq -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" install $headers wsdd ntpdate git apt-transport-https gnupg2 software-properties-common vim htop net-tools dnsutils
|
|
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical sudo apt -y -qq -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" install -t bullseye-backports acl samba-dsdb-modules samba-vfs-modules samba zfs-dkms zfsutils-linux zfs-auto-snapshot wsdd
|
|
echo "Installing cockpit"
|
|
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical sudo apt -y -qq -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" install --no-install-recommends cockpit cockpit-identities cockpit-file-sharing cockpit-navigator cockpit-zfs-manager cockpit-benchmark
|
|
|
|
echo "Activate zfs module"
|
|
sudo modprobe zfs
|
|
|
|
echo "Update time via ntp"
|
|
sudo ntpdate-debian -b > /dev/null
|
|
|
|
case $FORMAT in
|
|
0) echo "Your ZFS Data will be preserved";;
|
|
1) echo "Existing data on the drives will be deleted..."
|
|
sudo zpool destroy $ZPOOL
|
|
sudo zpool create -f -o autoexpand=on -o ashift=12 $ZPOOL mirror sda sdb
|
|
echo "Regenerate ssh host keys"
|
|
sudo rm -f /etc/ssh/ssh_host_*
|
|
sudo ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
|
|
sudo ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
|
|
;;
|
|
255) echo "[ESC] key pressed >> EXIT" && exit;;
|
|
esac
|
|
|
|
echo "Hadening ssh service"
|
|
echo "Enable the RSA and ED25519 keys"
|
|
sudo sed -i 's/^\#HostKey \/etc\/ssh\/ssh_host_\(rsa\|ed25519\)_key$/HostKey \/etc\/ssh\/ssh_host_\1_key/g' /etc/ssh/sshd_config
|
|
echo "Remove small Diffie-Hellman moduli"
|
|
awk '$5 >= 3071' /etc/ssh/moduli | sudo tee -i /etc/ssh/moduli.safe
|
|
sudo mv -f /etc/ssh/moduli.safe /etc/ssh/moduli
|
|
echo "Restrict supported key exchange, cipher, and MAC algorithms"
|
|
echo -e "\n# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nKexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\nHostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com" | sudo tee -i /etc/ssh/sshd_config.d/ssh-audit_hardening.conf
|
|
|
|
if [ ! $(zfs list $ZPOOL/$SHARE) ] ; then
|
|
echo "Creating $ZPOOL/$SHARE"
|
|
sudo zfs create -o compression=lz4 $ZPOOL/$SHARE
|
|
fi
|
|
echo "Settings permissions on $ZPOOL/$SHARE"
|
|
sudo chmod -R 770 /$ZPOOL
|
|
sudo chown -R $USERNAME:root /$ZPOOL
|
|
|
|
echo "Seting hostname and fqdn"
|
|
echo "$HOSTNAME" | sudo tee -i /etc/hostname
|
|
cat << EOF | sudo tee -i /etc/hosts
|
|
# Host addresses
|
|
127.0.0.1 localhost
|
|
127.0.1.1 $HOSTNAME.$DOMAIN $HOSTNAME
|
|
::1 localhost ip6-localhost ip6-loopback
|
|
ff02::1 ip6-allnodes
|
|
ff02::2 ip6-allrouters
|
|
EOF
|
|
|
|
echo "Configuring user"
|
|
sudo useradd $USERNAME
|
|
echo "$USERNAME:$PASSWORD" | sudo chpasswd
|
|
sudo smbpasswd -x $USERNAME
|
|
(echo $PASSWORD; echo $PASSWORD) | sudo smbpasswd -a $USERNAME
|
|
usermod -aG sudo $USERNAME
|
|
|
|
echo "Writing cockpit configuration"
|
|
cat << EOF | sudo tee -i /etc/cockpit/zfs/config.json
|
|
{
|
|
"#1": "COCKPIT ZFS MANAGER",
|
|
"#2": "WARNING: DO NOT EDIT, AUTO-GENERATED CONFIGURATION",
|
|
"cockpit": {
|
|
"manage": true
|
|
},
|
|
"disks": {
|
|
"base2": false
|
|
},
|
|
"loglevel": "2",
|
|
"samba": {
|
|
"manage": true,
|
|
"windowscompatibility": true
|
|
},
|
|
"updates": {
|
|
"check": true
|
|
},
|
|
"zfs": {
|
|
"filesystem": {
|
|
"cloneorigin": false,
|
|
"quotarestrict": true,
|
|
"readonlylockdown": false,
|
|
"snapshotactions": true
|
|
},
|
|
"snapshot": {
|
|
"filesystemlist": true
|
|
},
|
|
"status": {
|
|
"errorcolors": true,
|
|
"trimunsupported": false
|
|
},
|
|
"storagepool": {
|
|
"activetab": 1,
|
|
"boot": true,
|
|
"bootlockdown": true,
|
|
"count": true,
|
|
"refreshall": false,
|
|
"root": true
|
|
}
|
|
}
|
|
}
|
|
EOF
|
|
|
|
if [[ $(ls /etc/cockpit/zfs/shares.conf) ]]; then
|
|
echo "Creating cockpit zfs shares conf"
|
|
cat << EOF | sudo tee -i /etc/cockpit/zfs/shares.conf
|
|
# COCKPIT ZFS MANAGER
|
|
# WARNING: DO NOT EDIT, AUTO-GENERATED CONFIGURATION
|
|
EOF
|
|
fi
|
|
|
|
echo "Configure zfs-auto-snapshot: change retention from 24 to 48h and 12 to 3 months"
|
|
sudo sed -i 's/24/48/g' /etc/cron.hourly/zfs-auto-snapshot
|
|
sudo sed -i 's/12/3/g' /etc/cron.monthly/zfs-auto-snapshot
|
|
|
|
echo "Configure RAID led"
|
|
echo -e 'PATH="/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin"\n*/1 * * * * root echo 14 > /sys/class/gpio/export 2> /dev/null;echo out > /sys/class/gpio/gpio14/direction ; zpool import -fa -d /dev/ > /dev/null; zpool list| grep -q ONLINE; echo \$? > /sys/class/gpio/gpio14/value' | sudo tee -i /etc/cron.d/raidled
|
|
|
|
echo "Write samba server configuration"
|
|
cat << EOF | sudo tee -i /etc/samba/smb.conf
|
|
[global]
|
|
include = registry
|
|
EOF
|
|
|
|
cat << EOF | sudo tee -i /etc/samba/import.templates
|
|
[global]
|
|
workgroup = WORKGROUP
|
|
log file = /var/log/samba/log.%m
|
|
max log size = 1000
|
|
logging = file
|
|
panic action = /usr/share/samba/panic-action %d
|
|
|
|
server role = standalone server
|
|
obey pam restrictions = yes
|
|
unix password sync = yes
|
|
passwd program = /usr/bin/passwd %u
|
|
passwd chat = *Enter\snew\s*\password:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
|
|
pam password change = yes
|
|
map to guest = bad user
|
|
|
|
vfs objects = shadow_copy2
|
|
shadow: snapdir = .zfs/snapshot
|
|
shadow: sort = desc
|
|
shadow: format = -%Y-%m-%d-%H%M
|
|
shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}
|
|
shadow: delimiter = -20
|
|
|
|
[$SHARE]
|
|
comment = Main Share
|
|
path = /$ZPOOL/$SHARE
|
|
read only = No
|
|
create mask = 0660
|
|
directory mask = 0770
|
|
EOF
|
|
|
|
net conf import /etc/samba/import.template
|
|
|
|
#### PLUGIN INSTALLATION ####
|
|
for addon in $ADDONS; do
|
|
wget -O ./$addon $base_repo/raw/main/plugins/$addon
|
|
bash ./$addon -Z $ZPOOL
|
|
done
|
|
|
|
echo "Restart samba services"
|
|
sudo systemctl enable smbd nmbd wsdd
|
|
|
|
echo "############################################"
|
|
echo "nasbeery installation finished! rebooting..."
|
|
echo "############################################"
|
|
sudo reboot
|