#!/bin/bash
#
# This script configures basic settings and installs standard tools on your Proxmox VE Server with ZFS storage
#
# Features:
# + Configure ZFS ARC Cache
# + Configure vm.swappiness
# + Install and configure zfs-auto-snapshot
# + Switch pve-enterprise/pve-no-subscription/pvetest repo
# + Disable "No subscription message" in webinterface in no-subscription mode
# + Add pve-enterprise subscription key
# + Update system to the latest version
# + Install common tools
# + Install Proxmox SDN Extensions
# + Configure automatic backup of /etc Folder
# + Configure locales
# + SSH server hardening
# + Install checkzfs
# + Install bashclub-zsync
# + Create zfspool storage for swap disks if not exists
# + Adjust default volblocksize for Proxmox zfspool storages
# + Configure proxmox mail delivery with postfix
# + Daily check (and download) for new stable virtio-win iso and prune old (unused) versions
#
#
# Author: (C) 2023 Thorsten Spille <thorsten@bashclub.org>
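set -uo pipefail

#### INITIAL VARIABLES ####
# Script name, used as whiptail backtitle in all dialogs
PROG=$(basename "$0")
# Required tools for usage in postinstall
REQUIRED_TOOLS="curl ifupdown2 git gron libsasl2-modules lsb-release libpve-network-perl postfix ssl-cert zfs-auto-snapshot"
# Optional tools to install
OPTIONAL_TOOLS="dnsutils ethtool htop iftop jq lshw lsscsi mc net-tools nvme-cli rpl screen smartmontools sudo sysstat tmux unzip vim"
# Settings for Backup of /etc folder
PVE_CONF_BACKUP_TARGET=rpool/pveconf
PVE_CONF_BACKUP_CRON_TIMER="3,18,33,48 * * * *"
# Round factor to set L1ARC cache (Megabytes)
ROUND_FACTOR=512
# Total size of all imported zpools in bytes; awk sums the -Hp (parseable,
# headerless) output and prints 0 when there is no pool at all, so the
# arithmetic below never sees an empty string.
ZPOOL_SIZE_SUM_BYTES=$(zpool list -o size -Hp | awk '{ sum += $1 } END { print sum + 0 }')
# Total system memory in bytes (/proc/meminfo reports kB)
MEM_TOTAL_BYTES=$(( $(awk '/MemTotal/ {print $2}' /proc/meminfo) * 1024 ))
# Values this script treats as defaults: arc_max = 1/2 RAM, arc_min = 1/32 RAM
ARC_MAX_DEFAULT_BYTES=$((MEM_TOTAL_BYTES / 2))
ARC_MIN_DEFAULT_BYTES=$((MEM_TOTAL_BYTES / 32))
# Currently active module parameters (arc_suggestion treats 0 as "not set")
ARC_MIN_CUR_BYTES=$(cat /sys/module/zfs/parameters/zfs_arc_min)
ARC_MAX_CUR_BYTES=$(cat /sys/module/zfs/parameters/zfs_arc_max)
# Current vm.swappiness
SWAPPINESS=$(cat /proc/sys/vm/swappiness)
# zfs-auto-snapshot default values: snapshots to keep per interval
declare -A auto_snap_keep=( ["frequent"]="12" ["hourly"]="96" ["daily"]="14" ["weekly"]="6" ["monthly"]="3" )
# volblocksize handling, adjusted by ask_volblocksize
setblocksize=0
volblocksize=16k
# gather proxmox subscription info
serverid=$(pvesubscription get | grep serverid | cut -d' ' -f2)
sub_status=$(pvesubscription get | grep status | cut -d' ' -f2)
# get notification address of root@pam
recipientaddress=$(pvesh get access/users/root@pam --output-format yaml | grep email | cut -d' ' -f2)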
#### FUNCTIONS ####
#######################################
# Print a timestamped message to stdout.
# Arguments: $1 - message text
#######################################
log(){
  local msg=$1
  printf '%s %s\n' "$(date)" "$msg"
}
#######################################
# Round a value to a multiple of ROUND_FACTOR, always at least one factor
# above the input (an exact multiple is raised to the next multiple).
# Globals:   ROUND_FACTOR (read)
# Arguments: $1 - integer to round
# Outputs:   rounded integer on stdout
#######################################
roundup(){
  local value=$1
  local step=$ROUND_FACTOR
  printf '%s\n' "$(( (value + step) / step * step ))"
}
#######################################
# Round a value down to a multiple of ROUND_FACTOR (integer division).
# Globals:   ROUND_FACTOR (read)
# Arguments: $1 - integer to round
# Outputs:   rounded integer on stdout
#######################################
roundoff(){
  local value=$1
  local step=$ROUND_FACTOR
  printf '%s\n' "$(( value / step * step ))"
}
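#######################################
# Test whether a string is a non-negative decimal integer.
# Arguments: $1 - string to test (treated as empty when missing)
# Returns:   0 if $1 consists only of digits, 1 otherwise
#######################################
isnumber(){
  # local: the original leaked `re` into the global namespace
  local re='^[0-9]+$'
  # ${1-}: a missing argument would abort the whole script under `set -u`
  [[ ${1-} =~ $re ]]
}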
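#######################################
# Prompt for an integer via whiptail, re-asking until the input is numeric.
# Globals:   PROG (read)
# Arguments: $1 - dialog title
#            $2 - prompt text
#            $3 - dialog height
#            $4 - default value shown in the input box
# Outputs:   the entered number on stdout (empty when cancelled)
# Returns:   0 on success, 1 if the user cancelled the dialog
#######################################
inputbox_int(){
  local title=$1 prompt=$2 height=$3 default=$4
  local out="" cancel=0
  while true; do
    if ! out=$(whiptail --title "$title" --backtitle "$PROG" --inputbox "$prompt" "$height" 76 "$default" 3>&1 1>&2 2>&3); then
      cancel=1
      break
    fi
    # "$out" must be quoted: an empty entry would otherwise call isnumber
    # without an argument, which aborts the script under `set -u`.
    if isnumber "$out"; then
      break
    fi
  done
  printf '%s\n' "$out"
  return "$cancel"
}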
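#######################################
# Show the cancel message and terminate the script.
# Globals:   PROG (read)
# Returns:   never; exits with status 127
#######################################
cancel_dialog() {
  # "$PROG" quoted: the original passed it bare to --backtitle
  whiptail --title "CANCEL POSTINSTALL" --backtitle "$PROG" --msgbox "Postinstall was cancelled by user interaction" 8 76 3>&1 1>&2 2>&3
  exit 127
}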
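#######################################
# Calculate suggested zfs_arc_min/zfs_arc_max values (MB) from the summed
# zpool size and let the user accept them or switch to manual entry.
# Globals:   reads MEM_TOTAL_BYTES, ZPOOL_SIZE_SUM_BYTES, ARC_MIN_DEFAULT_BYTES,
#            ARC_MAX_DEFAULT_BYTES, ARC_MIN_CUR_BYTES, ARC_MAX_CUR_BYTES, PROG;
#            writes ARC_MIN_DEFAULT_MB, ARC_MIN_CURRENT_MB, ARC_MAX_CURRENT_MB,
#            ZFS_ARC_MIN_MEGABYTES, ZFS_ARC_MAX_MEGABYTES
#######################################
arc_suggestion(){
  local mem_mb=$((MEM_TOTAL_BYTES / 1024 / 1024))
  local zpool_mb=$((ZPOOL_SIZE_SUM_BYTES / 1024 / 1024))
  local arc_max_default_mb=$((ARC_MAX_DEFAULT_BYTES / 1024 / 1024))
  # never present a default below 32 MB
  if (( ARC_MIN_DEFAULT_BYTES < 33554432 )); then
    ARC_MIN_DEFAULT_MB=32
  else
    ARC_MIN_DEFAULT_MB=$((ARC_MIN_DEFAULT_BYTES / 1024 / 1024))
  fi
  # Suggestion: 1 MB of arc_max per GB of pool size (rounded to the next
  # ROUND_FACTOR multiple), arc_min half of that rounded down.
  ZFS_ARC_MAX_MEGABYTES=$(roundup "$((ZPOOL_SIZE_SUM_BYTES / 1024 / 1024 / 1024))")
  ZFS_ARC_MIN_MEGABYTES=$(roundoff "$((ZPOOL_SIZE_SUM_BYTES / 2048 / 1024 / 1024))")
  # small pools round down to 0: fall back to half of arc_max, but never
  # below the default minimum
  if (( ZFS_ARC_MIN_MEGABYTES == 0 )); then
    ZFS_ARC_MIN_MEGABYTES=$((ZFS_ARC_MAX_MEGABYTES / 2))
    if (( ARC_MIN_DEFAULT_MB > ZFS_ARC_MAX_MEGABYTES )); then
      ZFS_ARC_MIN_MEGABYTES=$ARC_MIN_DEFAULT_MB
    fi
  fi
  # currently active module parameters in MB; 0 means no explicit value
  if (( ARC_MIN_CUR_BYTES > 0 )); then
    ARC_MIN_CURRENT_MB=$((ARC_MIN_CUR_BYTES / 1024 / 1024))
  else
    ARC_MIN_CURRENT_MB=0
  fi
  if (( ARC_MAX_CUR_BYTES > 0 )); then
    ARC_MAX_CURRENT_MB=$((ARC_MAX_CUR_BYTES / 1024 / 1024))
  else
    ARC_MAX_CURRENT_MB=0
  fi
  if ! whiptail --title "CONFIGURE ZFS L1ARC SIZE" \
    --backtitle "$PROG" \
    --yes-button "Accept" \
    --no-button "Edit" \
    --yesno " Summary: \n \
System Memory: $mem_mb MB\n \
Zpool size (sum): $zpool_mb MB\n \
\n \
Note: zfs_arc_min must always be lower than zfs_arc_max! \n\n \
The L1ARC cache suggestion is calculated by size of all zpools \n\n \
Suggested values: \n \
zfs_arc_min: $ZFS_ARC_MIN_MEGABYTES MB (default: $ARC_MIN_DEFAULT_MB MB, current: $ARC_MIN_CURRENT_MB MB)\n \
zfs_arc_max: $ZFS_ARC_MAX_MEGABYTES MB (default: $arc_max_default_mb MB, current: $ARC_MAX_CURRENT_MB MB)\n" 17 76; then
    arc_set_manual
  fi
}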
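#######################################
# Ask for zfs_arc_min/zfs_arc_max manually (MB). The currently active values
# are offered as defaults when set, otherwise the calculated suggestion.
# The pair is only accepted when min < max, as the summary dialog demands.
# Globals:   reads ARC_MIN_CURRENT_MB, ARC_MAX_CURRENT_MB, PROG;
#            writes ZFS_ARC_MIN_MEGABYTES, ZFS_ARC_MAX_MEGABYTES
#######################################
arc_set_manual() {
  local min_default max_default
  if (( ARC_MIN_CURRENT_MB > 0 )); then min_default=$ARC_MIN_CURRENT_MB; else min_default=$ZFS_ARC_MIN_MEGABYTES; fi
  if (( ARC_MAX_CURRENT_MB > 0 )); then max_default=$ARC_MAX_CURRENT_MB; else max_default=$ZFS_ARC_MAX_MEGABYTES; fi
  while true; do
    if ! ZFS_ARC_MIN_MEGABYTES=$(inputbox_int 'CONFIGURE ZFS L1ARC MIN SIZE' 'Please enter zfs_arc_min in MB' 7 "$min_default"); then cancel_dialog; fi
    if ! ZFS_ARC_MAX_MEGABYTES=$(inputbox_int 'CONFIGURE ZFS L1ARC MAX SIZE' 'Please enter zfs_arc_max in MB' 7 "$max_default"); then cancel_dialog; fi
    if (( ZFS_ARC_MIN_MEGABYTES < ZFS_ARC_MAX_MEGABYTES )); then
      break
    fi
    # the original accepted min >= max silently; re-ask with the rejected values
    min_default=$ZFS_ARC_MIN_MEGABYTES
    max_default=$ZFS_ARC_MAX_MEGABYTES
    whiptail --title "CONFIGURE ZFS L1ARC SIZE" --backtitle "$PROG" --msgbox "zfs_arc_min ($ZFS_ARC_MIN_MEGABYTES MB) must be lower than zfs_arc_max ($ZFS_ARC_MAX_MEGABYTES MB). Please enter the values again." 9 76 3>&1 1>&2 2>&3
  done
}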
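#######################################
# Ask for the vm.swappiness value; the current setting is the default.
# Globals:   SWAPPINESS (read/written)
#######################################
vm_swappiness () {
  # "$SWAPPINESS" quoted so an empty value cannot drop the default argument
  if ! SWAPPINESS=$(inputbox_int "CONFIGURE SWAPPINESS" "Please enter percentage of free RAM to start swapping" 8 "$SWAPPINESS"); then
    cancel_dialog
  fi
}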
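#######################################
# Ask for the number of zfs-auto-snapshot snapshots to keep per interval.
# Existing values from the zfs-auto-snapshot cron files are used as defaults.
# Globals:   auto_snap_keep (read/written), PROG (read)
#######################################
auto_snapshot(){
  local interval cronfile current
  for interval in "${!auto_snap_keep[@]}"; do
    if [[ $interval == "frequent" ]]; then
      cronfile=/etc/cron.d/zfs-auto-snapshot
    else
      cronfile=/etc/cron.$interval/zfs-auto-snapshot
    fi
    # Test the file itself instead of `dpkg -l`: dpkg also reports a removed
    # but not purged package, whose cron files are already gone.
    [[ -f $cronfile ]] || continue
    # Pick the keep= value by name instead of a fixed field index, and keep
    # the built-in default when nothing is found (an empty default would
    # have dropped the argument of inputbox_int).
    current=$(grep -o 'keep=[0-9]*' "$cronfile" | head -n1 | cut -d'=' -f2)
    if [[ -n $current ]]; then
      auto_snap_keep[$interval]=$current
    fi
  done
  for interval in "${!auto_snap_keep[@]}"; do
    if ! auto_snap_keep[$interval]=$(inputbox_int "CONFIGURE ZFS-AUTO-SNAPSHOT" "Please set number of $interval snapshots to keep" 7 "${auto_snap_keep[$interval]}"); then
      cancel_dialog
    fi
  done
}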
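#######################################
# Subscription handling for hosts without a valid subscription: offer to add
# a key when the enterprise repo was chosen, otherwise offer to suppress the
# no-subscription warning of the web interface.
# Globals:   reads sub_status, repo_selection, serverid, PROG;
#            writes suppress_warning
#######################################
select_subscription(){
  suppress_warning=0
  if [[ $sub_status == "notfound" || $sub_status == "invalid" ]]; then
    if [[ $repo_selection == "pve-enterprise" ]]; then
      if whiptail --title "NO PROXMOX SUBSCRIPTION FOUND" \
        --backtitle "$PROG" \
        --yes-button "ADD" \
        --no-button "SKIP" \
        --yesno "Server ID: $serverid\n\nDo you want to add a subscription key?" 9 76; then
        input_subscription
      fi
    else
      if whiptail --title "NO PROXMOX SUBSCRIPTION FOUND" \
        --backtitle "$PROG" \
        --yes-button "SUPPRESS WARNING" \
        --no-button "SKIP" \
        --yesno "Do you want to suppress the no subscription warning in WebGUI?" 9 76; then
        suppress_warning=1
      fi
    fi
  fi
}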
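#######################################
# Ask for the locales to generate; the locales currently enabled in
# /etc/locale.gen are offered as a space separated default.
# Globals:   PROG (read), locales (written)
#######################################
ask_locales(){
  local current
  # The original joined the lines with an unquoted $(echo $(...)), which is
  # also subject to globbing; paste joins them deterministically.
  current=$(grep -vE '#|^$' /etc/locale.gen | cut -d ' ' -f1 | paste -sd ' ' -)
  if ! locales=$(whiptail --title "SET LOCALES" --backtitle "$PROG" --inputbox "Please enter a space separated list of locales to generate." 9 76 "$current" 3>&1 1>&2 2>&3); then
    cancel_dialog
  fi
}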
#######################################
# Ask whether the SSH hardening profile should be applied by harden_ssh.
# Globals:   PROG (read), ssh_hardening (written: 1 = apply, 0 = skip)
#######################################
ask_ssh_hardening(){
  local prompt="Do you want to apply the SSH hardening profile?\nHost-Keys will be changed and root-Login with password will be disabled."
  if whiptail --title "HARDEN SSH SERVER" \
    --backtitle "$PROG" \
    --yes-button "HARDEN SSH SERVER" \
    --no-button "SKIP" \
    --yesno "$prompt" 9 76; then
    ssh_hardening=1
  else
    ssh_hardening=0
  fi
}
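#######################################
# Ask for a subscription key until a non-empty one is entered or the dialog
# is cancelled, then hand it to set_subscription.
# Globals:   serverid, PROG (read)
# Returns:   0 when a key was entered, 1 when the dialog was cancelled
#######################################
input_subscription(){
  # local: the original leaked `key` and `cancel` as globals
  local key="" cancel=0
  while [[ $key == "" ]]; do
    if ! key=$(whiptail --title "ADD PROXMOX SUBSCRIPTION KEY" --backtitle "$PROG" \
      --inputbox "Server ID: $serverid\n\nAdd your subscription key" 9 76 3>&1 1>&2 2>&3); then
      cancel=1
      break
    fi
  done
  if (( cancel == 0 )); then
    set_subscription "$key"
  fi
  return "$cancel"
}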
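#######################################
# Register a subscription key; on failure or an "invalid" status afterwards
# the key is asked for again via input_subscription.
# Globals:   serverid (read)
# Arguments: $1 - subscription key
#######################################
set_subscription(){
  local key=$1
  # The key is a credential: do not echo it into the log output.
  log "Setting subscription key for server ID $serverid"
  if ! pvesubscription set "$key"; then
    input_subscription
  elif [[ $(pvesubscription get | grep status | cut -d' ' -f2) == "invalid" ]]; then
    input_subscription
  fi
}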
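#######################################
# Install the no-sub-hack script and run it after every apt invocation via
# DPkg::Post-Invoke, if the user selected it in select_subscription.
# Globals:   suppress_warning (read)
# Returns:   1 when the download failed (nothing is installed then), else 0
#######################################
suppress_no_subscription_warning(){
  local url=https://github.com/bashclub/no-sub-hack/raw/main/no-sub-hack.sh
  local target=/usr/local/bin/suppress_no_subscription_warning
  if (( suppress_warning > 0 )); then
    # remove old no-sub-hack
    if [[ -f /opt/bashclub/no-sub-hack.sh ]]; then rm -r /opt/bashclub; fi
    if [[ -f /etc/apt/apt.conf.d/80bashclubapthook ]]; then rm /etc/apt/apt.conf.d/80bashclubapthook; fi
    # The script is fetched from an unpinned branch (no checksum) and later
    # runs as root on every apt call. The original ignored the wget status,
    # which left an empty file installed as the hook on a failed download;
    # download to a temporary name and only move it into place on success.
    if ! wget -q --no-cache -O "$target.tmp" "$url"; then
      log "WARNING: download of no-sub-hack failed, no-subscription warning is NOT suppressed"
      rm -f -- "$target.tmp"
      return 1
    fi
    chmod +x "$target.tmp"
    mv -f -- "$target.tmp" "$target"
    "$target"
    cat << EOF > /etc/apt/apt.conf.d/80-suppress_no_subscription_warning
DPkg::Post-Invoke {"/usr/local/bin/suppress_no_subscription_warning";};
EOF
  fi
}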
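#######################################
# Detect the currently active Proxmox repository and let the user pick one.
# An uncommented pve-enterprise entry wins, otherwise an uncommented
# pve-no-subscription/pvetest entry in sources.list is looked for.
# Globals:   PROG (read), repo_selection (written)
#######################################
select_pve_repos(){
  local enterprise_list=/etc/apt/sources.list.d/pve-enterprise.list
  local sources_list=/etc/apt/sources.list
  local pveenterprise=OFF pvenosubscription=OFF pvetest=OFF
  if [[ -f $enterprise_list ]]; then
    # `grep -v '#'` drops every line containing a '#' anywhere, i.e. commented entries
    if grep -v '#' "$enterprise_list" | grep -q "pve-enterprise"; then
      pveenterprise=ON
    elif [[ -f $sources_list ]]; then
      if grep -v '#' "$sources_list" | grep -q "pve-no-subscription"; then
        pvenosubscription=ON
      elif grep -v '#' "$sources_list" | grep -q "pvetest"; then
        pvetest=ON
      else
        pveenterprise=ON
      fi
    fi
  fi
  # The original ignored a cancelled dialog, which left repo_selection empty
  # and silently skipped every branch of set_pve_repo.
  if ! repo_selection=$(whiptail --title "SELECT PVE REPOSITORY" --backtitle "$PROG" \
    --radiolist "Choose Proxmox VE repository" 20 76 4 \
    "pve-enterprise" "Proxmox VE Enterprise repository" "$pveenterprise" \
    "pve-no-subscription" "Proxmox VE No Subscription repository" "$pvenosubscription" \
    "pvetest" "Proxmox VE Testing repository" "$pvetest" 3>&1 1>&2 2>&3); then
    cancel_dialog
  fi
}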
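#######################################
# Uncomment the selected locales in /etc/locale.gen and run locale-gen.
# Globals:   locales (read; space separated list from ask_locales)
#######################################
set_locales(){
  local locale lineno
  log "Setting locales"
  # shellcheck disable=SC2086 -- $locales is a space separated list on purpose
  for locale in $locales; do
    # Uncomment by line number instead of substituting the matched line into
    # a sed expression: the user input never becomes part of a regex, and a
    # name matching several lines no longer produces a broken multi-line
    # pattern (the first matching line is used).
    lineno=$(grep -n -F -- "$locale" /etc/locale.gen | head -n1 | cut -d: -f1)
    if [[ -n $lineno ]]; then
      sed -i "${lineno}s/^#[[:space:]]*//" /etc/locale.gen
    fi
  done
  locale-gen > /dev/null 2>&1
}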
#######################################
# Switch the apt sources to the repository chosen in select_pve_repos:
# the chosen entry is added or uncommented, the other two are commented out.
# Globals:   reads repo_selection, VERSION_CODENAME (from /etc/os-release)
# Side effects: rewrites /etc/apt/sources.list.d/pve-enterprise.list and
#            edits /etc/apt/sources.list in place
#######################################
set_pve_repo(){
  log "Setting Proxmox package repositories to $repo_selection"
  # The matching line(s) are captured verbatim and later substituted into a
  # sed expression with '|' as delimiter.
  # NOTE(review): if a file holds several matching lines (e.g. one commented
  # and one active) these variables contain embedded newlines and the sed
  # expressions below do not match anything - confirm this cannot occur.
  # grep prints an error to stderr when pve-enterprise.list does not exist.
  nosub=$(grep pve-no-subscription /etc/apt/sources.list)
  enterprise=$(grep pve-enterprise /etc/apt/sources.list.d/pve-enterprise.list)
  test=$(grep pvetest /etc/apt/sources.list)
  if [[ $repo_selection == "pve-enterprise" ]]; then
    # the enterprise list is rewritten completely, the others are commented out
    echo "deb https://enterprise.proxmox.com/debian/pve $VERSION_CODENAME pve-enterprise" > /etc/apt/sources.list.d/pve-enterprise.list
    if [[ $nosub != "" ]] && [[ $nosub != *"#"* ]]; then
      sed -i "s|$nosub|# $nosub|g" /etc/apt/sources.list
    fi
    if [[ $test != "" ]] && [[ $test != *"#"* ]]; then
      sed -i "s|$test|# $test|g" /etc/apt/sources.list
    fi
  elif [[ $repo_selection == "pve-no-subscription" ]]; then
    # missing entry: append; commented entry: strip the leading "# " word
    if [[ $nosub == "" ]]; then
      echo -e "\ndeb http://download.proxmox.com/debian/pve $VERSION_CODENAME pve-no-subscription\n" >> /etc/apt/sources.list
    elif [[ $nosub == *"#"* ]]; then
      sed -i "s|$nosub|$(echo $nosub | cut -d' ' -f2-)|" /etc/apt/sources.list
    fi
    if [[ $enterprise != "" ]] && [[ $enterprise != *"#"* ]]; then
      sed -i "s|$enterprise|# $enterprise|g" /etc/apt/sources.list.d/pve-enterprise.list
    fi
    if [[ $test != "" ]] && [[ $test != *"#"* ]]; then
      sed -i "s|$test|# $test|g" /etc/apt/sources.list
    fi
  elif [[ $repo_selection == "pvetest" ]]; then
    # same scheme as for pve-no-subscription
    if [[ $test == "" ]]; then
      echo -e "\ndeb http://download.proxmox.com/debian/pve $VERSION_CODENAME pvetest\n" >> /etc/apt/sources.list
    elif [[ $test == *"#"* ]]; then
      sed -i "s|$test|$(echo $test | cut -d' ' -f2-)|" /etc/apt/sources.list
    fi
    if [[ $nosub != "" ]] && [[ $nosub != *"#"* ]]; then
      sed -i "s|$nosub|# $nosub|g" /etc/apt/sources.list
    fi
    if [[ $enterprise != "" ]] && [[ $enterprise != *"#"* ]]; then
      sed -i "s|$enterprise|# $enterprise|g" /etc/apt/sources.list.d/pve-enterprise.list
    fi
  fi
}
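#######################################
# Refresh the package lists and dist-upgrade the system non-interactively.
# Failures are logged instead of silently swallowed; the run continues
# because later steps (install_tools) may still succeed.
#######################################
update_system(){
  log "Downloading latest package lists"
  # apt-get instead of apt: apt warns that its CLI is not stable for scripts
  if ! apt-get update > /dev/null 2>&1; then
    log "WARNING: apt-get update failed, continuing with the existing package lists"
  fi
  log "Upgrading system to latest version - Depending on your version this could take a while..."
  if ! DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get -y -qq dist-upgrade > /dev/null 2>&1; then
    log "WARNING: dist-upgrade failed, please run 'apt-get dist-upgrade' manually"
  fi
}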
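#######################################
# Install REQUIRED_TOOLS and OPTIONAL_TOOLS. The required set is installed
# on its own so that an unavailable optional package cannot abort it; the
# optional set is retried package by package when the bulk install fails.
# Globals:   REQUIRED_TOOLS, OPTIONAL_TOOLS (read)
#######################################
install_tools(){
  local pkg
  log "Installing toolset - Depending on your version this could take a while..."
  # shellcheck disable=SC2086 -- both variables are space separated package lists
  if ! DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get -y -qq install $REQUIRED_TOOLS > /dev/null 2>&1; then
    log "WARNING: installing the required tools failed: $REQUIRED_TOOLS"
  fi
  # shellcheck disable=SC2086
  if ! DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get -y -qq install $OPTIONAL_TOOLS > /dev/null 2>&1; then
    for pkg in $OPTIONAL_TOOLS; do
      if ! DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get -y -qq install "$pkg" > /dev/null 2>&1; then
        log "WARNING: optional package $pkg could not be installed"
      fi
    done
  fi
}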
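#######################################
# Make /etc/network/interfaces source the interfaces.d directory (needed for
# the SDN extension), unless it already does.
#######################################
enable_sdn(){
  local line='source /etc/network/interfaces.d/*'
  log "Enabling SDN features"
  # -F: match literally. As a regex "/*" means "zero or more slashes", so the
  # original also matched "source /etc/network/interfaces.d" without the glob.
  if ! grep -qF -- "$line" /etc/network/interfaces; then
    printf '%s\n' "$line" >> /etc/network/interfaces
  fi
}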
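#######################################
# Apply the chosen zfs_arc_min/zfs_arc_max at runtime (sysfs) and persist
# them in /etc/modprobe.d/zfs.conf for the next boot.
# Globals:   ZFS_ARC_MIN_MEGABYTES, ZFS_ARC_MAX_MEGABYTES (read)
#######################################
set_arc_cache(){
  local min_bytes max_bytes
  log "Adjusting ZFS level 1 arc (Min: $ZFS_ARC_MIN_MEGABYTES, Max: $ZFS_ARC_MAX_MEGABYTES)"
  min_bytes=$((ZFS_ARC_MIN_MEGABYTES * 1024 * 1024))
  max_bytes=$((ZFS_ARC_MAX_MEGABYTES * 1024 * 1024))
  printf '%s\n' "$min_bytes" > /sys/module/zfs/parameters/zfs_arc_min
  printf '%s\n' "$max_bytes" > /sys/module/zfs/parameters/zfs_arc_max
  cat << EOF > /etc/modprobe.d/zfs.conf
options zfs zfs_arc_max=$max_bytes
options zfs zfs_arc_min=$min_bytes
EOF
}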
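#######################################
# Write the chosen retention (keep=N) into the zfs-auto-snapshot cron files.
# Globals:   auto_snap_keep (read)
#######################################
set_auto_snapshot(){
  local interval cronfile current wanted
  for interval in "${!auto_snap_keep[@]}"; do
    wanted=${auto_snap_keep[$interval]}
    log "Setting zfs-auto-snapshot retention: $interval = $wanted"
    if [[ $interval == "frequent" ]]; then
      cronfile=/etc/cron.d/zfs-auto-snapshot
    else
      cronfile=/etc/cron.$interval/zfs-auto-snapshot
    fi
    if [[ ! -f $cronfile ]]; then
      log "WARNING: $cronfile not found, skipping $interval"
      continue
    fi
    # keep= value by name rather than by fixed field position
    current=$(grep -o 'keep=[0-9]*' "$cronfile" | head -n1 | cut -d'=' -f2)
    if [[ -n $current && $current != "$wanted" ]]; then
      # sed instead of rpl: rpl is only an optional package and the original
      # hid its absence behind >/dev/null. Both values are digit strings
      # (grep -o above, isnumber in auto_snapshot), so they are safe in the
      # expression; \b keeps keep=4 from also matching keep=40.
      sed -i "s/keep=$current\b/keep=$wanted/g" "$cronfile"
    fi
  done
}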
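#######################################
# Persist vm.swappiness in /etc/sysctl.d and apply it immediately.
# Globals:   SWAPPINESS (read)
#######################################
set_swappiness(){
  log "Setting swappiness to $SWAPPINESS %"
  printf 'vm.swappiness=%s\n' "$SWAPPINESS" > /etc/sysctl.d/swappiness.conf
  sysctl -w "vm.swappiness=$SWAPPINESS" > /dev/null
}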
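#######################################
# Create the backup dataset for /etc and install the rsync cron job. The cron
# job is only installed when the root filesystem is the default PVE dataset.
# Globals:   PVE_CONF_BACKUP_TARGET, PVE_CONF_BACKUP_CRON_TIMER (read)
#######################################
pve_conf_backup(){
  local rootfs
  log "Configuring pve-conf-backup"
  if ! zfs list "$PVE_CONF_BACKUP_TARGET" > /dev/null 2>&1; then
    zfs create "$PVE_CONF_BACKUP_TARGET"
  fi
  # dataset mounted on "/" (first column of the df line whose mountpoint is /)
  rootfs=$(df -h -t zfs | awk '$NF == "/" {print $1}')
  if [[ $rootfs == "rpool/ROOT/pve-1" ]]; then
    # the target dataset is addressed via its mountpoint /$PVE_CONF_BACKUP_TARGET
    echo "$PVE_CONF_BACKUP_CRON_TIMER root rsync -va --delete /etc /$PVE_CONF_BACKUP_TARGET > /$PVE_CONF_BACKUP_TARGET/pve-conf-backup.log" > /etc/cron.d/pve-conf-backup
  fi
}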
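#######################################
# Apply the SSH hardening profile chosen in ask_ssh_hardening: new host keys
# (rsa-4096 and ed25519 only), DH moduli >= 3071 bit, restricted algorithms
# per the sshaudit.com profile, and - when an authorized key for root exists -
# no password login for root, as promised by the dialog.
# Globals:   ssh_hardening, VERSION_CODENAME (read)
# Returns:   1 when keys could not be generated or sshd rejects the config
#            (sshd is then left untouched), else 0
#######################################
harden_ssh(){
  local conf=/etc/ssh/sshd_config.d/ssh-audit_hardening.conf
  local tmpdir
  if (( ssh_hardening > 0 )); then
    log "Hardening ssh server"
    log "Creating new SSH host keys"
    # Generate into a temporary directory first: the original deleted all
    # host keys before ssh-keygen ran, so a failure there would have left
    # the host without any key and sshd unable to start.
    tmpdir=$(mktemp -d) || { log "ERROR: mktemp failed, SSH hardening skipped"; return 1; }
    if ! ssh-keygen -t rsa -b 4096 -f "$tmpdir/ssh_host_rsa_key" -N "" > /dev/null 2>&1 \
      || ! ssh-keygen -t ed25519 -f "$tmpdir/ssh_host_ed25519_key" -N "" > /dev/null 2>&1; then
      log "ERROR: generating SSH host keys failed, existing keys and config are kept"
      rm -rf -- "$tmpdir"
      return 1
    fi
    rm -f /etc/ssh/ssh_host_*
    mv "$tmpdir"/ssh_host_* /etc/ssh/
    rmdir -- "$tmpdir"
    log "Creating new SSH moduli"
    # keep only groups of at least 3071 bit, but never replace moduli with an empty file
    awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
    if [[ -s /etc/ssh/moduli.safe ]]; then
      mv /etc/ssh/moduli.safe /etc/ssh/moduli
    else
      rm -f /etc/ssh/moduli.safe
    fi
    log "Writing hardened SSH config"
    mkdir -p /etc/ssh/sshd_config.d
    if [[ $VERSION_CODENAME == "bookworm" ]]; then
      cat << 'EOF' > "$conf"
# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com
# hardening guide.
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com
EOF
    elif [[ $VERSION_CODENAME == "bullseye" ]]; then
      sed -i 's/^\#HostKey \/etc\/ssh\/ssh_host_\(rsa\|ed25519\)_key$/HostKey \/etc\/ssh\/ssh_host_\1_key/g' /etc/ssh/sshd_config
      # The original had a duplicated "echo -e" here, which wrote the literal
      # text "echo -e" as the first line of the config; sshd rejects that as
      # an unknown option and would not have restarted.
      cat << 'EOF' > "$conf"
# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com
# hardening guide.
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rs-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com
EOF
    fi
    # The dialog announces "root-Login with password will be disabled", which
    # the original never did. Only enforce it when root has an authorized key,
    # otherwise the user would lock themselves out.
    if [[ -f $conf ]]; then
      if [[ -s /root/.ssh/authorized_keys ]]; then
        printf '%s\n' "PermitRootLogin prohibit-password" >> "$conf"
      else
        log "WARNING: no /root/.ssh/authorized_keys found, password login for root stays enabled"
      fi
    fi
    # never restart with a configuration sshd cannot parse
    if /usr/sbin/sshd -t; then
      systemctl restart ssh.service
    else
      log "ERROR: sshd configuration check failed, sshd NOT restarted - check $conf"
      return 1
    fi
  fi
}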
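#######################################
# Collect the postfix smarthost settings interactively. Values from an earlier
# run (sender_canonical_maps, relayhost in main.cf, sasl_passwd) are offered
# as defaults. Nothing is written here; set_mail_delivery applies the result.
# Globals:   PROG (read); writes mailconfig, smtpauth, senderaddress,
#            displayname, smtphost, smtpport, username, password,
#            recipientaddress
#######################################
ask_mail_config(){
  local canonical=/etc/postfix/sender_canonical_maps
  local sasl=/etc/postfix/sasl_passwd
  local maincf=/etc/postfix/main.cf
  local relayhost=""
  mailconfig=0
  smtpauth=0
  senderaddress=""
  displayname=""
  # set_mail_delivery writes "/.+/ <display name> <address>" into this map
  if [[ -f $canonical ]]; then
    senderaddress=$(grep -m1 "@" "$canonical" | cut -d '<' -f2 | cut -d '>' -f1)
    # display name = everything between the regexp and "<address>"; it may
    # contain spaces, so a fixed field index (as in the original) came up empty
    displayname=$(grep -m1 "@" "$canonical" | cut -d' ' -f2- | cut -d'<' -f1 | sed 's/ *$//')
  fi
  # postfix may not be installed yet at this point (install_tools runs later)
  if [[ -f $maincf ]]; then
    relayhost=$(grep relayhost "$maincf")
  fi
  # "relayhost = [host]:port" -> host
  smtphost=$(printf '%s\n' "$relayhost" | cut -d : -f1 | cut -d ' ' -f3 | cut -d ']' -f1 | cut -d '[' -f2)
  smtpport=$(printf '%s\n' "$relayhost" | cut -d':' -f2)
  # "relayhost =" without a port (or no relayhost at all) leaves non-numeric
  # text here, which the original then passed on as the default port
  if ! [[ $smtpport =~ ^[0-9]+$ ]]; then
    smtpport=25
  fi
  username=""
  password=""
  if [[ -f $sasl ]]; then
    # sasl_passwd format: "[host]:port username:password"
    username=$(cut -d ' ' -f2- "$sasl" | cut -d':' -f1)
    password=$(cut -d ' ' -f2- "$sasl" | cut -d':' -f2-)
  else
    username=$senderaddress
  fi
  if whiptail --title "MAIL DELIVERY" \
    --backtitle "$PROG" \
    --yes-button "MAIL CONFIG" \
    --no-button "SKIP" \
    --yesno "Do you want to configure postfix with a smarthost?" 9 76; then
    mailconfig=1
    # offer the previously configured display name, falling back to the FQDN
    if ! displayname=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter your sender display name." 9 76 "${displayname:-$(hostname -f)}" 3>&1 1>&2 2>&3); then cancel_dialog; fi
    if ! recipientaddress=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter the email address to receive notifications." 9 76 "$recipientaddress" 3>&1 1>&2 2>&3); then cancel_dialog; fi
    if ! smtphost=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter the servername of your smarthost." 9 76 "$smtphost" 3>&1 1>&2 2>&3); then cancel_dialog; fi
    # the original ignored a cancelled port dialog and continued with an empty port
    if ! smtpport=$(inputbox_int 'MAIL DELIVERY' 'Please enter the port of your smarthost' 7 "$smtpport"); then cancel_dialog; fi
    if ! senderaddress=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter your sender email address." 9 76 "$senderaddress" 3>&1 1>&2 2>&3); then cancel_dialog; fi
    if whiptail --title "MAIL DELIVERY" \
      --backtitle "$PROG" \
      --yes-button "CONFIGURE AUTH" \
      --no-button "SKIP" \
      --yesno "Do you want to configure authentication against your smarthost?" 9 76; then
      smtpauth=1
      if ! username=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter the username for authentication." 9 76 "$username" 3>&1 1>&2 2>&3); then cancel_dialog; fi
      # NOTE(review): the stored password is handed to whiptail as the default
      # value and is therefore briefly visible in the process list (ps)
      if ! password=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --passwordbox "Please enter the password for authentication." 9 76 "$password" 3>&1 1>&2 2>&3); then cancel_dialog; fi
    fi
  fi
}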
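#######################################
# Write the postfix smarthost configuration collected by ask_mail_config,
# restart postfix and store the notification address for root@pam.
# Globals:   reads mailconfig, smtpauth, smtphost, smtpport, displayname,
#            senderaddress, username, password, recipientaddress
#######################################
set_mail_delivery(){
  local old_umask
  if (( mailconfig > 0 )); then
    log "Configuring mail delivery"
    # NOTE(review): smtp_use_tls = yes is opportunistic TLS and cacert.pem is
    # linked to the host's own snakeoil certificate below, so the smarthost
    # certificate is not actually verified; smtp_tls_security_level with the
    # system CA bundle would be the usual choice - confirm with the smarthost.
    cat << EOF > /etc/postfix/main.cf
myhostname=$(hostname -f)
smtpd_banner = \$myhostname ESMTP \$mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = \$myhostname, localhost.\$mydomain, localhost
mynetworks = 127.0.0.0/8
inet_interfaces = loopback-only
recipient_delimiter = +
compatibility_level = 2
#### sasl extension
relayhost = [$smtphost]:$smtpport
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_use_tls = yes
sender_canonical_classes = envelope_sender, header_sender
sender_canonical_maps = regexp:/etc/postfix/sender_canonical_maps
smtp_header_checks = regexp:/etc/postfix/header_check
EOF
    cat << EOF > /etc/postfix/header_check
/From:.*/ REPLACE From: $displayname <$senderaddress>
EOF
    cat << EOF > /etc/postfix/sender_canonical_maps
/.+/ $displayname <$senderaddress>
EOF
    if (( smtpauth > 0 )); then
      # Create the credential file and its .db with 0600 from the start: the
      # original wrote them with the default umask (world-readable) and only
      # chmod'ed afterwards.
      old_umask=$(umask)
      umask 077
      cat << EOF > /etc/postfix/sasl_passwd
[$smtphost]:$smtpport $username:$password
EOF
      postmap /etc/postfix/sasl_passwd > /dev/null 2>&1
      umask "$old_umask"
      postmap /etc/aliases > /dev/null 2>&1
      chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
      chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
      cat << EOF >> /etc/postfix/main.cf
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
EOF
    fi
    ln -sf /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/postfix/cacert.pem
    systemctl restart postfix.service
    pvesh set access/users/root@pam -email "$recipientaddress"
  fi
}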
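#######################################
# Create the "swap" zfspool storage (dataset rpool/swap, auto-snapshot off)
# unless a storage of that name already exists.
#######################################
create_swap_pool(){
  log "Configuring swap storage"
  # Match the storage name exactly (first column of `pvesm status`); the
  # original `grep swap` also matched any storage merely containing "swap".
  if ! pvesm status | awk '$1 == "swap" { found = 1 } END { exit !found }'; then
    if ! zfs list rpool/swap > /dev/null 2>&1; then
      zfs create -o com.sun:auto-snapshot=false rpool/swap
    else
      zfs set com.sun:auto-snapshot=false rpool/swap
    fi
    pvesm add zfspool swap --content images,rootdir --pool rpool/swap
  fi
}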
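#######################################
# Ask whether the default volblocksize of all zfspool storages should be
# changed, and for the value to use.
# Globals:   PROG (read); setblocksize, volblocksize (written)
#######################################
ask_volblocksize(){
  local input
  if whiptail --title "SET DEFAULT BLOCKSIZE" \
    --backtitle "$PROG" \
    --yes-button "SET BLOCKSIZE" \
    --no-button "SKIP" \
    --yesno "Do you want to adjust the default blocksize on all zfspool storages?" 9 76; then
    setblocksize=1
    while true; do
      if ! input=$(whiptail --title "SET DEFAULT BLOCKSIZE" --backtitle "$PROG" --inputbox "Please enter the desired blocksize for your zfspool storages." 9 76 "$volblocksize" 3>&1 1>&2 2>&3); then cancel_dialog; fi
      # Plausibility check (digits with an optional k/M unit, e.g. 16k): the
      # original accepted anything, and pvesm would then have failed for
      # every storage during installation.
      if [[ $input =~ ^[0-9]+[kKmM]?$ ]]; then
        volblocksize=$input
        break
      fi
    done
  fi
}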
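#######################################
# Apply the chosen volblocksize to every zfspool storage.
# Globals:   setblocksize, volblocksize (read)
#######################################
set_default_volblocksize(){
  local storage
  if (( setblocksize > 0 )); then
    # the original log message hard-coded "16k" although $volblocksize is applied
    log "Setting default volblocksize=$volblocksize to all zfspool storages"
    # storages whose type column is exactly zfspool
    for storage in $(pvesm status | awk '$2 == "zfspool" {print $1}'); do
      pvesm set "$storage" --blocksize "$volblocksize"
    done
  fi
}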
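#######################################
# Download checkzfs and check-snapshot-age into /usr/local/bin. Each file is
# fetched to a temporary name and only moved into place when the download
# succeeded, so a failed transfer neither clobbers a previous version nor
# leaves an empty executable behind. The sources are unpinned (main branch).
#######################################
install_checkzfs(){
  local base=https://raw.githubusercontent.com/bashclub/check-zfs-replication/main
  local target
  log "Installing checkzfs to /usr/local/bin/checkzfs"
  target=/usr/local/bin/checkzfs
  if wget -q --no-cache -O "$target.tmp" "$base/checkzfs.py"; then
    chmod +x "$target.tmp"
    mv -f -- "$target.tmp" "$target"
  else
    log "WARNING: download of checkzfs failed"
    rm -f -- "$target.tmp"
  fi
  log "Installing check-snapshot-age to /usr/local/bin/check-snapshot-age"
  target=/usr/local/bin/check-snapshot-age
  if wget -q --no-cache -O "$target.tmp" "$base/check-snapshot-age"; then
    chmod +x "$target.tmp"
    mv -f -- "$target.tmp" "$target"
  else
    log "WARNING: download of check-snapshot-age failed"
    rm -f -- "$target.tmp"
  fi
}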
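#######################################
# Download bashclub-zsync to /usr/bin and install its logrotate and (disabled
# example) cron entries. The download is unpinned (main branch) and is moved
# into place only when it succeeded.
#######################################
install_zsync(){
  local url=https://git.bashclub.org/bashclub/zsync/raw/branch/main/bashclub-zsync/usr/bin/bashclub-zsync
  local target=/usr/bin/bashclub-zsync
  log "Installing bashclub-zsync"
  if wget -q --no-cache -O "$target.tmp" "$url"; then
    chmod +x "$target.tmp"
    mv -f -- "$target.tmp" "$target"
  else
    log "WARNING: download of bashclub-zsync failed"
    rm -f -- "$target.tmp"
  fi
  cat << 'EOF' > /etc/logrotate.d/bashclub-zsync
/var/log/bashclub-zsync/*.log {
weekly
rotate 12
compress
delaycompress
missingok
notifempty
create 644 root root
}
EOF
  # NOTE(review): the logrotate and cron entries use /var/log/bashclub-zsync,
  # this directory name carries an "-example" suffix - confirm which is intended
  mkdir -p /var/log/bashclub-zsync-example
  # commented template; the user enables it after creating /etc/bashclub/zsync.conf
  cat << 'EOF' > /etc/cron.d/bashclub-zsync
#00 23 * * * root /usr/bin/bashclub-zsync -c /etc/bashclub/zsync.conf > /var/log/bashclub-zsync/zsync.log
EOF
}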
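#######################################
# Install /usr/local/bin/virtio-win-updater, hook it into cron.daily and run
# it once. The generated script downloads the current stable virtio-win iso
# into the local storage and prunes older isos that no VM config references.
#######################################
virtiowin_updater() {
  local target=/usr/local/bin/virtio-win-updater
  log "Installing virtio-win-updater"
  # quoted heredoc: the script is written literally, no \$ escaping needed
  cat << 'EOF' > "$target"
#!/bin/bash
#
# This script updates the virtio-win iso in Proxmox local storage
set -uo pipefail
isodir=/var/lib/vz/template/iso
server=https://fedorapeople.org
content=$(wget -q -O - https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/)
path=$(printf '%s\n' "$content" | grep -m1 title | cut -d "<" -f2 | cut -d " " -f3)
file=$(printf '%s\n' "$content" | grep -Eo "virtio-win-0.1.[0-9]+.iso" | grep -m1 virtio)
url=$server$path/$file
# an empty listing (download failed, page layout changed) must not turn into
# a download of "virtio-win-.iso"
if [[ -z $path || -z $file ]]; then
  echo "$(date) Could not determine the current stable virtio-win version, skipping."
  exit 1
fi
if [[ ! -e $isodir/$file ]]; then
  echo "$(date) New version available. Downloading $file."
  # download under a temporary name so an aborted transfer never shows up as a usable iso
  if ! wget -q -O "$isodir/$file.part" "$url"; then
    echo "$(date) Download of $file failed."
    rm -f "$isodir/$file.part"
    exit 1
  fi
  mv "$isodir/$file.part" "$isodir/$file"
  for old in "$isodir"/virtio-win*; do
    [[ -e $old ]] || continue
    [[ $old == "$isodir/$file" ]] && continue
    # keep isos that are still referenced by a VM config
    if ! grep -q "${old##*/}" /etc/pve/qemu-server/* 2>/dev/null; then
      echo "$(date) Deleting $old."
      rm -f "$old"
    else
      echo "$(date) Keeping $old - Still in use by VMs."
    fi
  done
else
  echo "$(date) Already on the current stable version: $file."
fi
EOF
  chmod +x "$target"
  ln -sf "$target" /etc/cron.daily/virtio-win-updater
  log "Running virtio-win-updater"
  # full path: do not depend on /usr/local/bin being in PATH
  "$target"
}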
#######################################
# Run all configuration steps in order, then rebuild the initramfs
# (presumably so /etc/modprobe.d/zfs.conf from set_arc_cache is included).
# Globals:   everything collected by the ask_*/select_* dialogs
#######################################
installation_task(){
  local step
  local -a steps=(
    set_locales
    set_pve_repo
    update_system
    install_tools
    enable_sdn
    set_arc_cache
    set_swappiness
    set_auto_snapshot
    pve_conf_backup
    suppress_no_subscription_warning
    harden_ssh
    install_checkzfs
    install_zsync
    set_mail_delivery
    create_swap_pool
    set_default_volblocksize
    virtiowin_updater
  )
  log "Starting Installation"
  for step in "${steps[@]}"; do
    "$step"
  done
  log "Updating initramfs - This will take some time..."
  update-initramfs -u -k all > /dev/null 2>&1
}
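#######################################
# Show all collected settings and start installation_task on confirmation;
# aborting exits via cancel_dialog.
# Globals:   reads every setting collected by the dialogs, auto_snap_keep, PROG
#######################################
summary(){
  local interval autosnap=""
  for interval in "${!auto_snap_keep[@]}"; do
    autosnap="${interval}=${auto_snap_keep[$interval]} ${autosnap}"
  done
  # "$PROG" quoted: the original passed it bare to --backtitle
  if whiptail --title "POSTINSTALL SUMMARY" \
    --backtitle "$PROG" \
    --yes-button "INSTALL" \
    --no-button "ABORT & EXIT" \
    --yesno "Summary: \n\
zfs_arc_min: $ZFS_ARC_MIN_MEGABYTES MB\n\
zfs_arc_max: $ZFS_ARC_MAX_MEGABYTES MB\n\
swappiness: $SWAPPINESS %\n\
locales: $locales\n\
repository: $repo_selection \n\
subscription: $(pvesubscription get | grep status | cut -d' ' -f2)\n\
suppress subscription warning: $suppress_warning\n\
auto-snapshot: $autosnap\n\
ssh-hardening: $ssh_hardening\n\
mail delivery: $mailconfig
sender email: $senderaddress
sender display name: $displayname
notification address: $recipientaddress
smarthost: $smtphost
smarthost port: $smtpport
smarthost auth: $smtpauth
smarthost username: $username
set blocksize: $setblocksize
volblocksize: $volblocksize
" 30 76; then
    installation_task
  else
    cancel_dialog
  fi
}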
#######################################
# Entry point: collect all settings interactively, then show the summary,
# which starts installation_task on confirmation.
#######################################
main(){
  # provides VERSION_CODENAME, used by set_pve_repo and harden_ssh
  source /etc/os-release
  # Calculate and suggest values for ZFS L1ARC cache
  arc_suggestion
  # Set swapping behaviour
  vm_swappiness
  # Ask for additional locales
  ask_locales
  # Ask for ssh hardening
  ask_ssh_hardening
  # Configure count per interval of zfs-auto-snapshot
  auto_snapshot
  # Select proxmox repository
  select_pve_repos
  # subscription related actions
  select_subscription
  # mail delivery config
  ask_mail_config
  # set volblocksize
  ask_volblocksize
  summary
  log "Proxmox postinstallation finished!"
}
main "$@"