From 39521a9b03fe5255bdcc6ec474f30b62e76efe10 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Sun, 1 Oct 2023 15:51:20 +0200 Subject: [PATCH 01/57] First commit of new postinstaller --- pve-zfs-postinstall.sh | 189 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 189 insertions(+) create mode 100644 pve-zfs-postinstall.sh diff --git a/pve-zfs-postinstall.sh b/pve-zfs-postinstall.sh new file mode 100644 index 0000000..9fed8a2 --- /dev/null +++ b/pve-zfs-postinstall.sh 
@@ -0,0 +1,189 @@ +#!/bin/bash +# +# This script configures basic settings and install standard tools on your Proxmox VE Server with ZFS storage +# +# Features: +# - Configure ZFS ARC Cache +# - Configure vm.swappiness +# - Install and configure zfs-auto-snapshot +# - Switch pve-enterprise/pve-no-subscription repo +# - Disable "No subscription message" in webinterface in no-subscription mode +# - Update system to the latest version +# - Install common tools +# - Install Proxmox SDN Extensions +# - Configure automatic backup of /etc Folder +# - Configure locales +# - SSH server hardening +# - Configure proxmox mail delivery with postfix +# - Adjust default volblocksize for Proxmox zfspool storages +# - Create zfspool storage for swap disks if not exists +# +# +# Author: (C) 2023 Thorsten Spille + +set -uo pipefail + +#### INITIAL VARIABLES #### +PROG=$(basename "$0") + +# Required tools for usage in postinstall +REQUIRED_TOOLS="curl ifupdown2 git gron libsasl2-modules lsb-release libpve-network-perl postfix ssl-cert zfs-auto-snapshot" + +# Optional tools to install +OPTIONAL_TOOLS="dnsutils ethtool htop iftop jq lshw lsscsi mc net-tools nvme-cli rpl screen smartmontools sudo sysstat tmux unzip vim" + +# Settings for Backup of /etc folder +PVE_CONF_BACKUP_TARGET=rpool/pveconf +PVE_CONF_BACKUP_CRON_TIMER="3,18,33,48 * * * *" + +# Round factor to set L1ARC cache (Megabytes) +ROUND_FACTOR=512 + +# get total size of all zpools +ZPOOL_SIZE_SUM_BYTES=0 +for line in $(zpool list -o size -Hp); do ZPOOL_SIZE_SUM_BYTES=$(($ZPOOL_SIZE_SUM_BYTES+$line)); done + +# get information about available ram +MEM_TOTAL_BYTES=$(($(awk '/MemTotal/ {print $2}' /proc/meminfo) * 1024)) + +# get values if defaults are set +ARC_MAX_DEFAULT_BYTES=$(($MEM_TOTAL_BYTES / 2)) +ARC_MIN_DEFAULT_BYTES=$(($MEM_TOTAL_BYTES / 32)) + +# get current settings +ARC_MIN_CUR_BYTES=$(cat /sys/module/zfs/parameters/zfs_arc_min) +ARC_MAX_CUR_BYTES=$(cat /sys/module/zfs/parameters/zfs_arc_max) + +# get 
vm.swappiness +SWAPPINESS=$(cat /proc/sys/vm/swappiness) + +# zfs-auto-snapshot default values +declare -A auto_snap_keep=( ["frequent"]="12" ["hourly"]="96" ["daily"]="14" ["weekly"]="6" ["monthly"]="3" ) + +#### FUNCTIONS #### + +roundup(){ + echo $(((($1 + $ROUND_FACTOR) / $ROUND_FACTOR) * $ROUND_FACTOR)) +} + +roundoff(){ + echo $((($1 / $ROUND_FACTOR) * $ROUND_FACTOR)) +} + +isnumber(){ + re='^[0-9]+$' + if ! [[ $1 =~ $re ]] ; then + return 1 + else + return 0 + fi +} + +inputbox_int(){ + cancel=0 + while true; do + if ! out=$(whiptail --title "$1" --backtitle "$PROG" --inputbox "$2" $3 76 $4 3>&1 1>&2 2>&3) ; then + cancel=1 ; break + fi + if isnumber $out; then + break + fi + done + echo $out + return $cancel +} + +cancel_dialog() { + whiptail --title "CANCEL POSTINSTALL" --backtitle $PROG --msgbox "Postinstall was cancelled by user interaction" 8 76 3>&1 1>&2 2>&3 + exit 127 +} + +arc_suggestion(){ + + ZFS_ARC_MIN_MEGABYTES=$(roundoff $(($ZPOOL_SIZE_SUM_BYTES / 2048 / 1024 / 1024))) + ZFS_ARC_MAX_MEGABYTES=$(roundup $(($ZPOOL_SIZE_SUM_BYTES / 1024 / 1024 / 1024))) + + if [ $ARC_MIN_DEFAULT_BYTES -lt 33554432 ]; then ARC_MIN_DEFAULT_MB="32" ; else ARC_MIN_DEFAULT_MB="$(($ARC_MIN_DEFAULT_BYTES / 1024 / 1024))" ; fi + if [ $ARC_MIN_CUR_BYTES -gt 0 ]; then ARC_MIN_CURRENT_MB="$(($ARC_MIN_CUR_BYTES / 1024 / 1024))" ; else ARC_MIN_CURRENT_MB="0" ; fi + if [ $ARC_MAX_CUR_BYTES -gt 0 ]; then ARC_MAX_CURRENT_MB="$(($ARC_MAX_CUR_BYTES / 1024 / 1024))" ; else ARC_MAX_CURRENT_MB="0" ; fi + + if ! whiptail --title "CONFIGURE ZFS L1ARC SIZE" \ + --backtitle $PROG \ + --yes-button "Accept" \ + --no-button "Edit" \ + --yesno " Summary: \n \ + System Memory: $(($MEM_TOTAL_BYTES / 1024 / 1024)) MB\n \ + Zpool size (sum): $(($ZPOOL_SIZE_SUM_BYTES / 1024 / 1024)) MB\n \ +\n \ +Note: zfs_arc_min must always be lower than zfs_arc_max! 
\n\n \ +The L1ARC cache suggestion is calculated by size of all zpools \n\n \ +Suggested values: \n \ + zfs_arc_min: $(($ZFS_ARC_MIN_MEGABYTES)) MB (default: $ARC_MIN_DEFAULT_MB MB, current: $ARC_MIN_CURRENT_MB MB)\n \ + zfs_arc_max: $(($ZFS_ARC_MAX_MEGABYTES)) MB (default: $(($ARC_MAX_DEFAULT_BYTES / 1024 / 1024)) MB, current: $ARC_MAX_CURRENT_MB MB)\n" 17 76; then + arc_set_manual + fi +} + +arc_set_manual() { + if ! ZFS_ARC_MIN_MEGABYTES=$(inputbox_int 'CONFIGURE ZFS L1ARC MIN SIZE' 'Please enter zfs_arc_min in MB' 7 $ZFS_ARC_MIN_MEGABYTES) ; then cancel_dialog ; fi + if ! ZFS_ARC_MAX_MEGABYTES=$(inputbox_int 'CONFIGURE ZFS L1ARC MAX SIZE' 'Please enter zfs_arc_max in MB' 7 $ZFS_ARC_MAX_MEGABYTES) ; then cancel_dialog ; fi +} + +vm_swappiness () { + if ! SWAPPINESS=$(inputbox_int "CONFIGURE SWAPPINESS" "Please enter percentage of free RAM to start swapping" 8 $SWAPPINESS) ; then cancel_dialog ; fi +} + +auto_snapshot(){ + if dpkg -l zfs-auto-snapshot > /dev/null 2>&1 ; then + for interval in "${!auto_snap_keep[@]}"; do + if [[ "$interval" == "frequent" ]]; then + auto_snap_keep[$interval]=$(cat /etc/cron.d/zfs-auto-snapshot | grep keep | cut -d' ' -f19 | cut -d '=' -f2) + else + auto_snap_keep[$interval]=$(cat /etc/cron.$interval/zfs-auto-snapshot | grep keep | cut -d' ' -f6 | cut -d'=' -f2) + fi + done + fi + for interval in "${!auto_snap_keep[@]}"; do + if ! 
auto_snap_keep[$interval]=$(inputbox_int "CONFIGURE ZFS-AUTO-SNAPSHOT" "Please set number of $interval snapshots to keep" 7 ${auto_snap_keep[$interval]}) ; then cancel_dialog ; fi + done +} + +select_pve_repos() { + pveenterprise=OFF + pvenosubscription=OFF + pvetest=OFF + if [ -f /etc/apt/sources.list.d/pve-enterprise.list ]; then + if $(grep -v '#' /etc/apt/sources.list.d/pve-enterprise.list | grep "pve-enterprise") ; then + pveenterprise=ON + else + if [ -f /etc/apt/sources.list ]; then + if $(grep -v '#' /etc/apt/sources.list | grep "pve-no-subscription") ; then + pvenosubscription=ON + elif $(grep -v '#' /etc/apt/sources.list | grep "pvetest") ; then + pvetest=ON + else + pveenterprise=ON + fi + fi + fi + whiptail --title "SELECT PVE REPOSITORY" --backtitle "$PROG" \ + --radiolist "Choose Proxmox VE repository" 20 76 4 \ + "pve-enterprise" "Proxmox VE Enterprise repository" "$pveenterprise" \ + "pve-no-subscription" "Proxmox VE No Subscription repository" "$pvenosubscription" \ + "pvetest" "Proxmox VE Testing repository" "$pvetest" + +} + +source /etc/os-release + +# Calculate and suggest values for ZFS L1ARC cache +arc_suggestion + +# Set swapping behaviour +vm_swappiness + +# Configure count per interval of zfs-auto-snapshot +auto_snapshot + +# Select proxmox repository +select_pve_repos \ No newline at end of file From 536f49df2a718d608d9b2fe0905d0e065ae4fda7 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Sun, 1 Oct 2023 15:54:50 +0200 Subject: [PATCH 02/57] Fix round for arc suggestion --- proxmox-zfs-postinstall.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/proxmox-zfs-postinstall.sh b/proxmox-zfs-postinstall.sh index 4115c71..8ff9246 100644 --- a/proxmox-zfs-postinstall.sh +++ b/proxmox-zfs-postinstall.sh 
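Review bot: In select_pve_repos the conditions `if $(grep -v '#' ... | grep "pve-enterprise")` run grep's output as a command instead of testing grep's exit status, so the matching line of the sources file (e.g. a `deb ...` entry) is handed to the shell and executed as root. Replace each with an exit-status test, e.g. `if grep -v '#' /etc/apt/sources.list.d/pve-enterprise.list | grep -q "pve-enterprise"; then`, and likewise for the two checks on /etc/apt/sources.list. The same hunk passes `--backtitle $PROG` unquoted in cancel_dialog and arc_suggestion, which word-splits if the script's filename contains whitespace. Because the script uses only `set -uo pipefail` (no `-e`), a failing `zpool list` or `cat /sys/module/zfs/parameters/...` at the top level silently yields empty values that later feed the arithmetic; consider aborting early when those reads fail.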
@@ -47,8 +47,8 @@ ARC_MIN_CUR_BYTES=$(cat /sys/module/zfs/parameters/zfs_arc_min) ARC_MAX_CUR_BYTES=$(cat /sys/module/zfs/parameters/zfs_arc_max) # calculate suggested l1arc sice -ZFS_ARC_MIN_MEGABYTES=$(roundup $(($ZPOOL_SIZE_SUM_BYTES / 2048 / 1024 / 1024))) -ZFS_ARC_MAX_MEGABYTES=$(roundoff $(($ZPOOL_SIZE_SUM_BYTES / 1024 / 1024 / 1024))) +ZFS_ARC_MIN_MEGABYTES=$(roundoff $(($ZPOOL_SIZE_SUM_BYTES / 2048 / 1024 / 1024))) +ZFS_ARC_MAX_MEGABYTES=$(roundup $(($ZPOOL_SIZE_SUM_BYTES / 1024 / 1024 / 1024))) echo -e "######## CONFIGURE ZFS L1ARC SIZE ########\n" echo "System Summary:" From 9a158249e9357120d2f0a4aaf13821975b7d01f2 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Sun, 1 Oct 2023 15:55:05 +0200 Subject: [PATCH 03/57] Remove cockpit installer --- install-cockpit-zfs-manager | 61 ------------------------------------- 1 file changed, 61 deletions(-) delete mode 100644 install-cockpit-zfs-manager diff --git a/install-cockpit-zfs-manager b/install-cockpit-zfs-manager deleted file mode 100644 index 3e32a80..0000000 --- a/install-cockpit-zfs-manager +++ /dev/null 
@@ -1,61 +0,0 @@ -#!/bin/bash -source /etc/os-release -echo "deb http://deb.debian.org/debian $VERSION_CODENAME-backports main" > /etc/apt/sources.list.d/$VERSION_CODENAME-backports.list -apt update -cat << EOF > /etc/apt/preferences.d/90_cockpit -Package: cockpit cockpit-* -Pin: release n=$VERSION_CODENAME-backports -Pin-Priority: 990 -EOF -apt install --yes --no-install-recommends cockpit -git clone https://github.com/optimans/cockpit-zfs-manager.git && cp -r cockpit-zfs-manager/zfs /usr/share/cockpit -mkdir -p /etc/cockpit/zfs -mkdir -p /etc/cockpit/zfs/shares -mkdir -p /etc/cockpit/zfs/snapshots -cat << EOF > /etc/cockpit/zfs/config.json -{ - "#1": "COCKPIT ZFS MANAGER", - "#2": "WARNING: DO NOT EDIT, AUTO-GENERATED CONFIGURATION", - "cockpit": { - "manage": true - }, - "disks": { - "base2": false - }, - "loglevel": "2", - "samba": { - "manage": false, - "windowscompatibility": true - }, - "updates": { - "check": true - }, - "zfs": { - "filesystem": { - "cloneorigin": false, - "quotarestrict": true, - "readonlylockdown": false, - "snapshotactions": true - }, - "snapshot": { - "filesystemlist": true - }, - "status": { - "errorcolors": true, - "trimunsupported": false - }, - "storagepool": { - "activetab": 1, - "boot": true, - "bootlockdown": true, - "count": true, - "refreshall": false, - "root": true - } - } -} -EOF -cat << EOF > /etc/cockpit/zfs/shares.conf -# COCKPIT ZFS MANAGER -# WARNING: DO NOT EDIT, AUTO-GENERATED CONFIGURATION -EOF From 3564f2fe325ce52298f2f592dc6a87acb9aceeb4 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Sun, 1 Oct 2023 15:55:20 +0200 Subject: [PATCH 04/57] Remove docker installer --- install-docker-portainer | 38 -------------------------------------- 1 file changed, 38 deletions(-) delete mode 100644 install-docker-portainer diff --git a/install-docker-portainer b/install-docker-portainer deleted file mode 100644 index e3c1550..0000000 --- a/install-docker-portainer +++ /dev/null 
@@ -1,38 +0,0 @@ -#!/bin/bash - -# create zfs filesystems -zfs create -o com.sun:auto-snapshot=false -o mountpoint=/var/lib/docker rpool/docker -zfs create -o com.sun:auto-snapshot=true -o mountpoint=/portainer rpool/portainer - -# add docker repository -curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg -echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null - -# update package lists and install docker engine + docker-compose -apt update -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends docker-ce docker-ce-cli containerd.io - -dc_version=$(wget -O - -q https://api.github.com/repos/docker/compose/releases/latest | grep -m1 "\"name\":" | cut -d'"' -f4) -wget -O /usr/local/bin/docker-compose https://github.com/docker/compose/releases/download/${dc_version}/docker-compose-linux-x86_64 -chmod +x /usr/local/bin/docker-compose - -# install portainer -cd /portainer -mkdir data -cat << EOF > /portainer/docker-compose.yml -version: '3.2' - -services: - - portainer: - image: portainer/portainer-ce - ports: - - "9443:9443" - - "8000:8000" - volumes: - - /portainer/data:/data - - /var/run/docker.sock:/var/run/docker.sock - restart: always -EOF -# start portainer -docker-compose up -d From d2f7d88910a5e233129da739a7fc1c17e1ee1b90 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Sun, 1 Oct 2023 16:46:33 +0200 Subject: [PATCH 05/57] Add subscription check --- pve-zfs-postinstall.sh | 45 ++++++++++++++++++++++++++++++++++++++---- 1 file changed, 41 insertions(+), 4 deletions(-) diff --git a/pve-zfs-postinstall.sh b/pve-zfs-postinstall.sh index 9fed8a2..d2e7f64 100644 --- a/pve-zfs-postinstall.sh +++ b/pve-zfs-postinstall.sh 
@@ -148,7 +148,39 @@ auto_snapshot(){ done } -select_pve_repos() { +check_subscription(){ + serverid=$(pvesh get nodes/px1/subscription --output-format yaml | grep serverid | cut -d' ' -f2) + sub_status=$(pvesh get nodes/px1/subscription --output-format yaml | grep status | cut -d' ' -f2) + if [[ $sub_status == "notfound" ]]; then + if [[ $repo_selection == "pve-enterprise" ]]; then + if whiptail --title "NO PROXMOX SUBSCRIPTION FOUND" \ + --backtitle $PROG \ + --yes-button "ADD" \ + --no-button "SKIP" \ + --yesno "Server ID: $serverid\nDo you want to add a subscription key?" 17 76 ; then + add_subscription + fi + else + if whiptail --title "NO PROXMOX SUBSCRIPTION FOUND" \ + --backtitle $PROG \ + --yes-button "SUPPRESS WARNING" \ + --no-button "SKIP" \ + --yesno "Do you want to suppress the no subscription warning in WebGUI?" 17 76 ; then + suppress_no_subscription_warning + fi + fi + fi +} + +add_subscription(){ + +} + +suppress_no_subscription_warning(){ + +} + +select_pve_repos(){ pveenterprise=OFF pvenosubscription=OFF pvetest=OFF @@ -164,13 +196,15 @@ select_pve_repos() { else pveenterprise=ON fi + fi fi fi - whiptail --title "SELECT PVE REPOSITORY" --backtitle "$PROG" \ + repo_selection=$(whiptail --title "SELECT PVE REPOSITORY" --backtitle "$PROG" \ --radiolist "Choose Proxmox VE repository" 20 76 4 \ "pve-enterprise" "Proxmox VE Enterprise repository" "$pveenterprise" \ "pve-no-subscription" "Proxmox VE No Subscription repository" "$pvenosubscription" \ - "pvetest" "Proxmox VE Testing repository" "$pvetest" + "pvetest" "Proxmox VE Testing repository" "$pvetest" 3>&1 1>&2 2>&3) + } @@ -186,4 +220,7 @@ vm_swappiness auto_snapshot # Select proxmox repository -select_pve_repos \ No newline at end of file +select_pve_repos + +# subscription related actions +select_subscription \ No newline at end of file From f233bdbb494b3f619e0ff895c4457865d208e236 Mon Sep 17 00:00:00 2001 
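Review bot: check_subscription hard-codes the node name `px1` in `pvesh get nodes/px1/subscription`, so on any other host the lookup fails, sub_status stays empty and the subscription dialog is silently skipped; use the local node name (typically `pvesh get nodes/$(hostname)/subscription --output-format yaml`) or `pvesubscription get`, which needs no node path. The stubs `add_subscription(){ }` and `suppress_no_subscription_warning(){ }` have empty bodies, which bash rejects as a syntax error, so the whole script fails to parse until at least a `:` is placed in each. The last hunk of this commit calls `select_subscription`, but the function defined here is `check_subscription`, so the call would fail with "command not found" even once the file parses.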
From: thorstenspille Date: Sun, 1 Oct 2023 21:52:33 +0200 Subject: [PATCH 06/57] Many changes --- pve-zfs-postinstall.sh => postinstall | 197 +++++++++++++++++++++++--- 1 file changed, 181 insertions(+), 16 deletions(-) rename pve-zfs-postinstall.sh => postinstall (51%) mode change 100644 => 100755 diff --git a/pve-zfs-postinstall.sh b/postinstall old mode 100644 new mode 100755 similarity index 51% rename from pve-zfs-postinstall.sh rename to postinstall index d2e7f64..87435f4 --- a/pve-zfs-postinstall.sh +++ b/postinstall @@ -8,6 +8,8 @@ # - Install and configure zfs-auto-snapshot # - Switch pve-enterprise/pve-no-subscription repo # - Disable "No subscription message" in webinterface in no-subscription mode +# - Add pve-enterprise subscription key +# - Configure ceph repo # - Update system to the latest version # - Install common tools # - Install Proxmox SDN Extensions @@ -60,6 +62,10 @@ SWAPPINESS=$(cat /proc/sys/vm/swappiness) # zfs-auto-snapshot default values declare -A auto_snap_keep=( ["frequent"]="12" ["hourly"]="96" ["daily"]="14" ["weekly"]="6" ["monthly"]="3" ) +# gather proxmox subscription info +serverid=$(pvesubscription get | grep serverid | cut -d' ' -f2) +sub_status=$(pvesubscription get | grep status | cut -d' ' -f2) + #### FUNCTIONS #### roundup(){ @@ -99,7 +105,6 @@ cancel_dialog() { } arc_suggestion(){ - ZFS_ARC_MIN_MEGABYTES=$(roundoff $(($ZPOOL_SIZE_SUM_BYTES / 2048 / 1024 / 1024))) ZFS_ARC_MAX_MEGABYTES=$(roundup $(($ZPOOL_SIZE_SUM_BYTES / 1024 / 1024 / 1024))) 
@@ -125,8 +130,11 @@ Suggested values: \n \ } arc_set_manual() { - if ! ZFS_ARC_MIN_MEGABYTES=$(inputbox_int 'CONFIGURE ZFS L1ARC MIN SIZE' 'Please enter zfs_arc_min in MB' 7 $ZFS_ARC_MIN_MEGABYTES) ; then cancel_dialog ; fi - if ! ZFS_ARC_MAX_MEGABYTES=$(inputbox_int 'CONFIGURE ZFS L1ARC MAX SIZE' 'Please enter zfs_arc_max in MB' 7 $ZFS_ARC_MAX_MEGABYTES) ; then cancel_dialog ; fi + if [ $ARC_MIN_CURRENT_MB -gt 0 ]; then MIN_VALUE=$ARC_MIN_CURRENT_MB; else $ZFS_ARC_MIN_MEGABYTES; fi + if [ $ARC_MAX_CURRENT_MB -gt 0 ]; then MAX_VALUE=$ARC_MAX_CURRENT_MB; else $ZFS_ARC_MAX_MEGABYTES; fi + + if ! ZFS_ARC_MIN_MEGABYTES=$(inputbox_int 'CONFIGURE ZFS L1ARC MIN SIZE' 'Please enter zfs_arc_min in MB' 7 $MIN_VALUE) ; then cancel_dialog ; fi + if ! ZFS_ARC_MAX_MEGABYTES=$(inputbox_int 'CONFIGURE ZFS L1ARC MAX SIZE' 'Please enter zfs_arc_max in MB' 7 $MAX_VALUE) ; then cancel_dialog ; fi } vm_swappiness () { 
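Review bot: In arc_set_manual the fallback branches `else $ZFS_ARC_MIN_MEGABYTES; fi` and `else $ZFS_ARC_MAX_MEGABYTES; fi` try to execute the number as a command rather than assigning it, so when no ARC limit is currently set MIN_VALUE/MAX_VALUE are never defined and, under `set -u`, the following inputbox_int call aborts the script. Change them to `else MIN_VALUE=$ZFS_ARC_MIN_MEGABYTES; fi` and `else MAX_VALUE=$ZFS_ARC_MAX_MEGABYTES; fi`. ARC_MIN_CURRENT_MB and ARC_MAX_CURRENT_MB are assigned in arc_suggestion, outside this hunk, so the function only works when reached from there; a comment stating that dependency would help the next reader.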
@@ -148,36 +156,69 @@ auto_snapshot(){ done } -check_subscription(){ - serverid=$(pvesh get nodes/px1/subscription --output-format yaml | grep serverid | cut -d' ' -f2) - sub_status=$(pvesh get nodes/px1/subscription --output-format yaml | grep status | cut -d' ' -f2) - if [[ $sub_status == "notfound" ]]; then +select_subscription(){ + suppress_warning=0 + if [[ $sub_status == "notfound" ]] || [[ $sub_status == "invalid" ]]; then if [[ $repo_selection == "pve-enterprise" ]]; then if whiptail --title "NO PROXMOX SUBSCRIPTION FOUND" \ --backtitle $PROG \ --yes-button "ADD" \ --no-button "SKIP" \ - --yesno "Server ID: $serverid\nDo you want to add a subscription key?" 17 76 ; then - add_subscription + --yesno "Server ID: $serverid\n\nDo you want to add a subscription key?" 9 76 ; then + input_subscription fi else if whiptail --title "NO PROXMOX SUBSCRIPTION FOUND" \ --backtitle $PROG \ --yes-button "SUPPRESS WARNING" \ --no-button "SKIP" \ - --yesno "Do you want to suppress the no subscription warning in WebGUI?" 17 76 ; then - suppress_no_subscription_warning + --yesno "Do you want to suppress the no subscription warning in WebGUI?" 9 76 ; then + suppress_warning=1 fi fi fi } -add_subscription(){ +ask_locales(){ + locales=$(whiptail --title "SET LOCALES" --backtitle "$PROG" --inputbox "Please enter a space separated list of locales to generate." 9 76 "$(echo $(grep -vE '#|^$' /etc/locale.gen | cut -d ' ' -f1))" 3>&1 1>&2 2>&3) +} +input_subscription(){ + key="" + cancel=0 + while [[ $key == "" ]]; do + if ! key=$(whiptail --title "ADD PROXMOX SUBSCRIPTION KEY" --backtitle "$PROG" \ + --inputbox "Server ID: $serverid\n\nAdd your subscription key" 9 76 3>&1 1>&2 2>&3) ; then + cancel=1 ; break + fi + done + if [ $cancel -eq 0 ]; then + set_subscription $key + fi + return $cancel +} + +set_subscription(){ + if ! 
pvesubscription set $1; then + input_subscription + elif [[ $(pvesubscription get | grep status | cut -d' ' -f2) == "invalid" ]]; then + input_subscription + fi } suppress_no_subscription_warning(){ + if [ $suppress_warning -gt 0 ]; then + # remove old no-sub-hack + if [ -f /opt/bashclub/no-sub-hack.sh ] ; then rm -r /opt/bashclub ; fi + if [ -f /etc/apt/apt.conf.d/80bashclubapthook ] ; then rm /etc/apt/apt.conf.d/80bashclubapthook ; fi + wget --no-cache -O /usr/local/bin/suppress_no_subscription_warning https://github.com/bashclub/no-sub-hack/raw/main/no-sub-hack.sh + chmod +x /usr/local/bin/suppress_no_subscription_warning + /usr/local/bin/suppress_no_subscription_warning + cat << EOF > /etc/apt/apt.conf.d/80-suppress_no_subscription_warning +DPkg::Post-Invoke {"/usr/local/bin/suppress_no_subscription_warning";}; +EOF + fi } select_pve_repos(){ @@ -185,13 +226,13 @@ select_pve_repos(){ pvenosubscription=OFF pvetest=OFF if [ -f /etc/apt/sources.list.d/pve-enterprise.list ]; then - if $(grep -v '#' /etc/apt/sources.list.d/pve-enterprise.list | grep "pve-enterprise") ; then + if grep -v '#' /etc/apt/sources.list.d/pve-enterprise.list | grep "pve-enterprise" > /dev/null ; then pveenterprise=ON else if [ -f /etc/apt/sources.list ]; then - if $(grep -v '#' /etc/apt/sources.list | grep "pve-no-subscription") ; then + if grep -v '#' /etc/apt/sources.list | grep "pve-no-subscription" > /dev/null ; then pvenosubscription=ON - elif $(grep -v '#' /etc/apt/sources.list | grep "pvetest") ; then + elif grep -v '#' /etc/apt/sources.list | grep "pvetest" > /dev/null ; then pvetest=ON else pveenterprise=ON 
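Review bot: suppress_no_subscription_warning fetches `no-sub-hack.sh` from the mutable `main` branch of a GitHub repository with `wget --no-cache`, executes it as root, and registers it as a `DPkg::Post-Invoke` hook, so it re-runs with root privileges after every apt operation from then on; nothing pins a revision or verifies a checksum or signature, and since wget's exit status is unchecked a failed download still leaves an empty executable installed as the hook. At minimum pin a commit hash in the URL, check `wget ... || return 1` before `chmod +x`, and verify a recorded digest before the first run, e.g. `echo "<sha256>  /usr/local/bin/suppress_no_subscription_warning" | sha256sum -c - || return 1`. In set_subscription the key is passed unquoted (`pvesubscription set $1`) and every failure recurses into input_subscription with no bound; quote it as `pvesubscription set "$1"` and limit the retries. The key also travels through argv where it is visible in `ps` output, which is inherent to pvesubscription but worth a comment.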
@@ -205,6 +246,125 @@ select_pve_repos(){ "pve-no-subscription" "Proxmox VE No Subscription repository" "$pvenosubscription" \ "pvetest" "Proxmox VE Testing repository" "$pvetest" 3>&1 1>&2 2>&3) +} + +set_locales(){ + for locale in $locales; do + line=$(grep $locale /etc/locale.gen) + if echo $line | grep "#" ; then + sed -i "s/$line/$(echo $line | cut -d' ' -f2-)" /etc/locale.gen + fi + done + locale-gen +} + +set_pve_repo(){ + echo "" +} + +update_system(){ + echo "Getting latest package lists" + apt update > /dev/null 2>&1 + echo "Upgrading system to latest version - Depending on your version this could take a while..." + DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade > /dev/null 2>&1 +} + +install_tools(){ + echo "Installing toolset - Depending on your version this could take a while..." + DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install $REQUIRED_TOOLS $OPTIONAL_TOOLS > /dev/null 2>&1 +} + +enable_sdn(){ + # include interfaces.d to enable SDN features + q=$(cat /etc/network/interfaces | grep "source /etc/network/interfaces.d/*") + if [ $? 
-gt 0 ]; then + echo "source /etc/network/interfaces.d/*" >> /etc/network/interfaces + fi +} + +set_arc_cache(){ + ZFS_ARC_MIN_BYTES=$((ZFS_ARC_MIN_MEGABYTES * 1024 *1024)) + ZFS_ARC_MAX_BYTES=$((ZFS_ARC_MAX_MEGABYTES * 1024 *1024)) + echo "Adjusting ZFS level 1 arc" + echo $ZFS_ARC_MIN_BYTES > /sys/module/zfs/parameters/zfs_arc_min + echo $ZFS_ARC_MAX_BYTES > /sys/module/zfs/parameters/zfs_arc_max + cat << EOF > /etc/modprobe.d/zfs.conf +options zfs zfs_arc_max=$ZFS_ARC_MAX_BYTES +options zfs zfs_arc_min=$ZFS_ARC_MIN_BYTES +EOF +} + +set_auto_snapshot(){ + # configure zfs-auto-snapshot + for interval in "${!auto_snap_keep[@]}"; do + echo "Setting zfs-auto-snapshot retention: $interval = ${auto_snap_keep[$interval]}" + if [[ "$interval" == "frequent" ]]; then + CURRENT=$(cat /etc/cron.d/zfs-auto-snapshot | grep keep | cut -d' ' -f19 | cut -d '=' -f2) + if [[ "${auto_snap_keep[$interval]}" != "$CURRENT" ]]; then + rpl "keep=$CURRENT" "keep=${auto_snap_keep[$interval]}" /etc/cron.d/zfs-auto-snapshot > /dev/null 2>&1 + fi + else + CURRENT=$(cat /etc/cron.$interval/zfs-auto-snapshot | grep keep | cut -d' ' -f6 | cut -d'=' -f2) + if [[ "${auto_snap_keep[$interval]}" != "$CURRENT" ]]; then + rpl "keep=$CURRENT" "keep=${auto_snap_keep[$interval]}" /etc/cron.$interval/zfs-auto-snapshot > /dev/null 2>&1 + fi + fi + done +} + +set_swappiness(){ + echo "Configuring swappiness" + echo "vm.swappiness=$SWAPPINESS" > /etc/sysctl.d/swappiness.conf + sysctl -w vm.swappiness=$SWAPPINESS +} + +pve_conf_backup(){ + echo "Configuring pve-conf-backup" + # create backup jobs of /etc + zfs list $PVE_CONF_BACKUP_TARGET > /dev/null 2>&1 + if [ $? 
-ne 0 ]; then + zfs create $PVE_CONF_BACKUP_TARGET + fi + + if [[ "$(df -h -t zfs | grep /$ | cut -d ' ' -f1)" == "rpool/ROOT/pve-1" ]] ; then + echo "$PVE_CONF_BACKUP_CRON_TIMER root rsync -va --delete /etc /$PVE_CONF_BACKUP_TARGET > /$PVE_CONF_BACKUP_TARGET/pve-conf-backup.log" > /etc/cron.d/pve-conf-backup + fi +} + +harden_ssh(){ + echo "" +} + +set_mail_delivery(){ + echo "" +} + +create_swap_pool(){ + echo "" +} + +set_default_volblocksize(){ + echo "" +} + +installation_task(){ + set_locales + set_pve_repo + update_system + install_tools + enable_sdn + set_arc_cache + set_swappiness + set_auto_snapshot + pve_conf_backup + suppress_no_subscription_warning + harden_ssh + set_mail_delivery + create_swap_pool + set_default_volblocksize + + echo "Updating initramfs - This will take some time..." + update-initramfs -u -k all > /dev/null 2>&1 } @@ -216,6 +376,9 @@ arc_suggestion # Set swapping behaviour vm_swappiness +# Ask for additional locales +ask_locales + # Configure count per interval of zfs-auto-snapshot auto_snapshot @@ -223,4 +386,6 @@ auto_snapshot select_pve_repos # subscription related actions -select_subscription \ No newline at end of file +select_subscription + +echo "Proxmox postinstallation finished!" From fcd553012bc7eedc78b03fb96beb2c9acc393cf0 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Sun, 1 Oct 2023 22:16:03 +0200 Subject: [PATCH 07/57] Add repo config --- postinstall | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/postinstall b/postinstall index 87435f4..667b1b4 100755 --- a/postinstall +++ b/postinstall 
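Review bot: set_locales cannot work as written: the substitution `sed -i "s/$line/$(echo $line | cut -d' ' -f2-)"` lacks the closing `/`, so sed reports an unterminated s command for every locale, and both the unanchored, unquoted `grep $locale` and the interpolation of the matched line into the sed pattern treat text typed into ask_locales as regex syntax. Validate the input and uncomment by an anchored pattern instead: `[[ $locale =~ ^[A-Za-z0-9_.@-]+$ ]] || continue` followed by `sed -i "s|^# *\(${locale} \)|\1|" /etc/locale.gen`. Elsewhere in this hunk update_system and install_tools send all apt output to /dev/null and ignore the exit status, so a failed dist-upgrade goes unnoticed before the ARC, sysctl and other changes are applied; capture the status and stop on failure. pve_conf_backup rsyncs all of /etc into $PVE_CONF_BACKUP_TARGET, which presumably includes /etc/shadow and the PVE private key material under /etc/pve, so that dataset should be treated as sensitive wherever it is snapshotted or replicated.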
@@ -259,7 +259,22 @@ set_locales(){ } set_pve_repo(){ - echo "" + nosub=$(grep pve-no-subscription /etc/apt/sources.list) + enterprise=$(grep pve-enterprise /etc/apt/sources.list.d/pve-enterprise.list) + test=$(grep pvetest /etc/apt/sources.list) + if [[ $repo_selection == "pve-enterprise" ]]; then + pvesh set nodes/px1/apt/repositories --handle enterprise + sed -i "s/$nosub/# $nosub/g" /etc/apt/sources.list + sed -i "s/$test/# $test/g" /etc/apt/sources.list + elif [[ $repo_selection == "pve-no-subscription" ]]; then + pvesh set nodes/px1/apt/repositories --handle no-subscription + sed -i "s/$enterprise/# $enterprise/g" /etc/apt/sources.list.d/pve-enterprise.list + sed -i "s/$test/# $test/g" /etc/apt/sources.list + elif [[ $repo_selection == "pvetest" ]]; then + pvesh set nodes/px1/apt/repositories --handle test + sed -i "s/$nosub/# $nosub/g" /etc/apt/sources.list + sed -i "s/$enterprise/# $enterprise/g" /etc/apt/sources.list.d/pve-enterprise.list + fi } update_system(){ From 08542c3842e1a68d11a836dd7c8e8be7de819308 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Sun, 1 Oct 2023 22:38:19 +0200 Subject: [PATCH 08/57] Add summary --- postinstall | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/postinstall b/postinstall index 667b1b4..4a66a24 100755 --- a/postinstall +++ b/postinstall @@ -383,6 +383,21 @@ installation_task(){ } +summary(){ + whiptail --title "POSTINSTALL SUMMARY" \ + --backtitle $PROG \ + --yes-button "INSTALL" \ + --no-button "ABORT & EXIT" \ + --yesno "Summary: \n\ + zfs_arc_min: $ZFS_ARC_MIN_MEGABYTES MB\n\ + zfs_arc_max: $ZFS_ARC_MAX_MEGABYTES MB\n\ + swappiness: $SWAPPINESS %\n\ + locales: $locales\n\ + repository: $repo_selection \n\ + subscription: $(pvesubscription get | grep status | cut -d' ' -f2)\n\ + suppress subscription warning: $suppress_warning" 30 76 +} + source /etc/os-release # Calculate and suggest values for ZFS L1ARC cache 
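Review bot: set_pve_repo hard-codes `nodes/px1` in all three `pvesh set` calls, so the repository switch only works on a node literally named px1; use the local node name, typically `pvesh set nodes/$(hostname)/apt/repositories --handle ...`. The `sed -i "s/$nosub/# $nosub/g"` lines interpolate whole sources.list entries, whose URLs contain `/`, into a `/`-delimited s command, so sed fails on any real entry, and when the preceding grep matched nothing the empty pattern `s//# /g` errors as well; comment by address instead, e.g. `sed -i '/^deb .*pve-no-subscription/s/^/# /' /etc/apt/sources.list`. Adding a repository by handle is, as far as I recall, a POST on apt/repositories, which pvesh exposes as `create` rather than `set`; confirm with `pvesh usage nodes/$(hostname)/apt/repositories` before relying on this.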
@@ -403,4 +418,6 @@ select_pve_repos # subscription related actions select_subscription +summary + echo "Proxmox postinstallation finished!" From 00610cd19203f738de19232c943e748b797b6e4d Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Sun, 1 Oct 2023 23:06:48 +0200 Subject: [PATCH 09/57] Add ssh hardening question --- postinstall | 30 ++++++++++++++++++++++++++++-- 1 file changed, 28 insertions(+), 2 deletions(-) diff --git a/postinstall b/postinstall index 4a66a24..43166a8 100755 --- a/postinstall +++ b/postinstall @@ -183,6 +183,17 @@ ask_locales(){ locales=$(whiptail --title "SET LOCALES" --backtitle "$PROG" --inputbox "Please enter a space separated list of locales to generate." 9 76 "$(echo $(grep -vE '#|^$' /etc/locale.gen | cut -d ' ' -f1))" 3>&1 1>&2 2>&3) } +ask_ssh_hardening(){ + ssh_hardening=0 + if whiptail --title "HARDEN SSH SERVER" \ + --backtitle "$PROG" \ + --yes-button "HARDEN SSH SERVER" \ + --no-button "SKIP" \ + --yesno "Do you want to apply the SSH hardening profile?\nHost-Keys will be changed and root-Login with password will be disabled." 9 76 ; then + ssh_hardening=1 + fi +} + input_subscription(){ key="" cancel=0 @@ -384,7 +395,12 @@ installation_task(){ } summary(){ - whiptail --title "POSTINSTALL SUMMARY" \ + autosnap="" + for interval in "${!auto_snap_keep[@]}"; do + autosnap="${interval}=${auto_snap_keep[$interval]} ${autosnap}" + done + + if whiptail --title "POSTINSTALL SUMMARY" \ --backtitle $PROG \ --yes-button "INSTALL" \ --no-button "ABORT & EXIT" \ @@ -395,7 +411,14 @@ summary(){ locales: $locales\n\ repository: $repo_selection \n\ subscription: $(pvesubscription get | grep status | cut -d' ' -f2)\n\ - suppress subscription warning: $suppress_warning" 30 76 + suppress subscription warning: $suppress_warning\n\ + auto-snapshot: $autosnap\n\ + ssh-hardening: $ssh_hardening\n\ + " 30 76 ; then + installation_task + else + cancel_dialog + fi } source /etc/os-release 
@@ -409,6 +432,9 @@ vm_swappiness # Ask for additional locales ask_locales +# Ask for ssh hardening +ask_ssh_hardening + # Configure count per interval of zfs-auto-snapshot auto_snapshot From 7018cb4b78796ecf30f74bead8fa7c6d8db74443 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Sun, 1 Oct 2023 23:15:14 +0200 Subject: [PATCH 10/57] run ssh hardening --- postinstall | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/postinstall b/postinstall index 43166a8..4ec20bd 100755 --- a/postinstall +++ b/postinstall 
@@ -358,7 +358,19 @@ pve_conf_backup(){ } harden_ssh(){ - echo "" + rm /etc/ssh/ssh_host_* + ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N "" + ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N "" + awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe + mv /etc/ssh/moduli.safe /etc/ssh/moduli + + if [[ $VERSION_CODENAME == "bookworm" ]]; then + echo -e "\n# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nKexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\nHostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com" > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf + elif [[ $VERSION_CODENAME == "bullseye" ]]; then + sed -i 's/^\#HostKey \/etc\/ssh\/ssh_host_\(rsa\|ed25519\)_key$/HostKey \/etc\/ssh\/ssh_host_\1_key/g' /etc/ssh/sshd_config + echo -e echo -e "\n# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nKexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\nHostKeyAlgorithms 
ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com" > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf + fi + systemctl restart ssh.service } set_mail_delivery(){ From fcaa26422adbb73272f558c5e05758dc82e39be9 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Mon, 2 Oct 2023 00:18:34 +0200 Subject: [PATCH 11/57] Install checkzfs and zsync --- postinstall | 59 ++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 45 insertions(+), 14 deletions(-) diff --git a/postinstall b/postinstall index 4ec20bd..ecda6b0 100755 --- a/postinstall +++ b/postinstall 
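Review bot: In harden_ssh's bullseye branch the line begins `echo -e echo -e "\n# Restrict ..."`, so the literal words `echo -e` are written as the first token of ssh-audit_hardening.conf; sshd rejects the file as a bad configuration option and the unconditional `systemctl restart ssh.service` then leaves the host without a reachable SSH daemon. Drop the duplicated `echo -e` and validate before restarting: `sshd -t && systemctl restart ssh.service`. The function also never consults the `ssh_hardening` flag collected by ask_ssh_hardening, so host keys are deleted and regenerated even when the user chose SKIP; add `[ "${ssh_hardening:-0}" -eq 1 ] || return 0` as the first line. The prompt promises that root login with a password will be disabled, but nothing in this hunk sets `PermitRootLogin` or `PasswordAuthentication`.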
@@ -3,22 +3,23 @@ # This script configures basic settings and install standard tools on your Proxmox VE Server with ZFS storage # # Features: -# - Configure ZFS ARC Cache -# - Configure vm.swappiness -# - Install and configure zfs-auto-snapshot -# - Switch pve-enterprise/pve-no-subscription repo -# - Disable "No subscription message" in webinterface in no-subscription mode -# - Add pve-enterprise subscription key -# - Configure ceph repo -# - Update system to the latest version -# - Install common tools -# - Install Proxmox SDN Extensions -# - Configure automatic backup of /etc Folder -# - Configure locales -# - SSH server hardening +# + Configure ZFS ARC Cache +# + Configure vm.swappiness +# + Install and configure zfs-auto-snapshot +# + Switch pve-enterprise/pve-no-subscription/pvetest repo +# + Disable "No subscription message" in webinterface in no-subscription mode +# + Add pve-enterprise subscription key +# + Update system to the latest version +# + Install common tools +# + Install Proxmox SDN Extensions +# + Configure automatic backup of /etc Folder +# + Configure locales +# + SSH server hardening +# + Install checkzfs +# + Install bashclub-zsync +# - Create zfspool storage for swap disks if not exists # - Configure proxmox mail delivery with postfix # - Adjust default volblocksize for Proxmox zfspool storages -# - Create zfspool storage for swap disks if not exists # # # Author: (C) 2023 Thorsten Spille 
@@ -385,6 +386,34 @@ set_default_volblocksize(){ echo "" } +install_checkzfs(){ + wget -q --no-cache -O /usr/local/bin/checkzfs https://raw.githubusercontent.com/bashclub/check-zfs-replication/main/checkzfs.py + chmod +x /usr/local/bin/checkzfs + wget -q --no-cache -O /usr/local/bin/check-snapshot-age https://raw.githubusercontent.com/bashclub/check-zfs-replication/main/check-snapshot-age + chmod +x /usr/local/bin/check-snapshot-age +} + +install_zsync(){ + wget -q --no-cache -O /usr/bin/bashclub-zsync https://git.bashclub.org/bashclub/zsync/raw/branch/main/bashclub-zsync/usr/bin/bashclub-zsync + chmod +x /usr/bin/bashclub-zsync + bashclub-zsync + cat << EOF > /etc/logrotate.d/bashclub-zsync +/var/log/bashclub-zsync/*.log { + weekly + rotate 12 + compress + delaycompress + missingok + notifempty + create 644 root root +} +EOF + mkdir -p /var/log/bashclub-zsync-example + cat << EOF > /etc/cron.d/bashclub-zsync +#00 23 * * * root /usr/bin/bashclub-zsync -c /etc/bashclub/zsync.conf > /var/log/bashclub-zsync/zsync.log +EOF +} + installation_task(){ set_locales set_pve_repo @@ -397,6 +426,8 @@ installation_task(){ pve_conf_backup suppress_no_subscription_warning harden_ssh + install_checkzfs + install_zsync set_mail_delivery create_swap_pool set_default_volblocksize From ab0df81156e0977333522bdac9439c757bb20ac5 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Mon, 2 Oct 2023 00:51:46 +0200 Subject: [PATCH 12/57] Set blocksize, create swap storage --- postinstall | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/postinstall b/postinstall index ecda6b0..f99c41a 100755 --- a/postinstall +++ b/postinstall 
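Review bot: install_checkzfs and install_zsync mark whatever `wget -q -O` left behind as executable — and install_zsync runs it — without checking the download's exit status, so a failed or interrupted fetch leaves an empty or truncated file that is then chmod +x'ed and executed (the script's `set -uo pipefail`, as seen in the first commit, has no `-e` to stop it). Guard each fetch, e.g. `wget -q --no-cache -O /usr/bin/bashclub-zsync <url> || return 1`, and consider fetching from a tagged release or a fixed commit instead of `main` so the installed code is reproducible and reviewable. Separately, install_zsync creates `/var/log/bashclub-zsync-example` while the logrotate stanza and the cron template reference `/var/log/bashclub-zsync/`, so the directory the cron line writes into is apparently never created; `mkdir -p /var/log/bashclub-zsync` looks like what was intended.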
@@ -17,9 +17,10 @@ # + SSH server hardening # + Install checkzfs # + Install bashclub-zsync -# - Create zfspool storage for swap disks if not exists +# + Create zfspool storage for swap disks if not exists +# + Adjust default volblocksize for Proxmox zfspool storages +# - Configure swap file # - Configure proxmox mail delivery with postfix -# - Adjust default volblocksize for Proxmox zfspool storages # # # Author: (C) 2023 Thorsten Spille @@ -379,11 +380,20 @@ set_mail_delivery(){ } create_swap_pool(){ - echo "" + if ! pvesm status | grep swap; then + if ! zfs list rpool/swap > /dev/null 2>&1 ; then + zfs create -O com.sun:auto-snapshot=false rpool/swap + else + zfs set com.sun:auto-snapshot=false rpool/swap + fi + pvesm add zfspool swap --blocksize 16k --content images,rootdir --pool rpool/swap + fi } set_default_volblocksize(){ - echo "" + for storage in $(pvesm status | grep zfspool | cut -d' ' -f1); do + pvesm set $storage --blocksize 16k + done } install_checkzfs(){ From 834a8704120e060bbbc212d546b24a5572f21911 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Mon, 2 Oct 2023 17:08:16 +0200 Subject: [PATCH 13/57] Add smtp config --- postinstall | 79 ++++++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 66 insertions(+), 13 deletions(-) diff --git a/postinstall b/postinstall index f99c41a..58a5918 100755 --- a/postinstall +++ b/postinstall @@ -19,7 +19,6 @@ # + Install bashclub-zsync # + Create zfspool storage for swap disks if not exists # + Adjust default volblocksize for Proxmox zfspool storages -# - Configure swap file # - Configure proxmox mail delivery with postfix # # 
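Review bot: The `pvesm status | grep swap` guard in create_swap_pool is unanchored and not quiet, so any storage whose name or type merely contains "swap" suppresses the creation and the matching line leaks into the installer's output; `if ! pvesm status | grep -q '^swap[[:space:]]'; then` checks the Name column only. set_default_volblocksize has the same substring match in `grep zfspool` and expands `$storage` unquoted in `pvesm set $storage --blocksize 16k`. A comment above that loop should also say that `--blocksize` only applies to volumes created afterwards — existing zvols keep their volblocksize, which ZFS does not allow changing after creation — so the function does not retroactively change the layout of current disks.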
@@ -360,23 +359,77 @@ pve_conf_backup(){ } harden_ssh(){ - rm /etc/ssh/ssh_host_* - ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N "" - ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N "" - awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe - mv /etc/ssh/moduli.safe /etc/ssh/moduli + if [ $ssh_hardening -gt 0 ]; then + rm /etc/ssh/ssh_host_* + ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N "" + ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N "" + awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe + mv /etc/ssh/moduli.safe /etc/ssh/moduli - if [[ $VERSION_CODENAME == "bookworm" ]]; then - echo -e "\n# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nKexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\nHostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com" > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf - elif [[ $VERSION_CODENAME == "bullseye" ]]; then - sed -i 's/^\#HostKey \/etc\/ssh\/ssh_host_\(rsa\|ed25519\)_key$/HostKey \/etc\/ssh\/ssh_host_\1_key/g' /etc/ssh/sshd_config - echo -e echo -e "\n# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nKexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\nCiphers 
chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\nHostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com" > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf + if [[ $VERSION_CODENAME == "bookworm" ]]; then + echo -e "\n# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nKexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\nHostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com" > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf + elif [[ $VERSION_CODENAME == "bullseye" ]]; then + sed -i 's/^\#HostKey \/etc\/ssh\/ssh_host_\(rsa\|ed25519\)_key$/HostKey \/etc\/ssh\/ssh_host_\1_key/g' /etc/ssh/sshd_config + echo -e echo -e "\n# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nKexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\nMACs 
hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\nHostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com" > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf + fi + systemctl restart ssh.service fi - systemctl restart ssh.service } set_mail_delivery(){ - echo "" + cat << EOF > /etc/postfix/main.cf +myhostname=$(hostname -f) +smtpd_banner = \$myhostname ESMTP \$mail_name (Debian/GNU) +biff = no +append_dot_mydomain = no +alias_maps = hash:/etc/aliases +alias_database = hash:/etc/aliases +mydestination = \$myhostname, localhost.\$mydomain, localhost +mynetworks = 127.0.0.0/8 +inet_interfaces = loopback-only +recipient_delimiter = + +compatibility_level = 2 + +#### sasl extension +relayhost = [$smtphost]:$smtpport +smtp_tls_CAfile = /etc/postfix/cacert.pem +smtp_use_tls = yes +sender_canonical_classes = envelope_sender, header_sender +sender_canonical_maps = regexp:/etc/postfix/sender_canonical_maps +smtp_header_checks = regexp:/etc/postfix/header_check +EOF + + cat << EOF > /etc/postfix/header_check +/From:.*/ REPLACE 
From: $displayname <$senderaddress> +EOF + + cat << EOF > /etc/postfix/sender_canonical_maps +/.+/ $displayname <$senderaddress> +EOF + + if [ $smtpauth -gt 0 ]; then + cat << EOF > /etc/postfix/sasl_passwd +[$smtphost]:$smtpport $username:$password +EOF + postmap /etc/postfix/sasl_passwd + postmap /etc/aliases + chown root:root /etc/postfix/sasl_passwd + chown root:root /etc/postfix/sasl_passwd.db + chmod 0600 /etc/postfix/sasl_passwd + chmod 0600 /etc/postfix/sasl_passwd.db + + cat << EOF >> /etc/postfix/main.cf +smtp_sasl_auth_enable = yes +smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd +smtp_sasl_security_options = noanonymous +EOF + fi + + ln -sf /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/postfix/cacert.pem + + systemctl restart postfix.service + + pvesh set access/users/root@pam -email $recipientaddress } create_swap_pool(){ From 800259bb433eb1e4b607b15da141b9a65808eecf Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Mon, 2 Oct 2023 18:11:32 +0200 Subject: [PATCH 14/57] Add mail config dialogs --- postinstall | 67 +++++++++++++++++++++++++++++++++++++++-------------- 1 file changed, 49 insertions(+), 18 deletions(-) diff --git a/postinstall b/postinstall index 58a5918..c20d1fd 100755 --- a/postinstall +++ b/postinstall 
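Review bot: The bullseye branch of harden_ssh still carries `echo -e echo -e "..."`, so the first line written to /etc/ssh/sshd_config.d/ssh-audit_hardening.conf is the literal text `echo -e `, which sshd rejects as a bad configuration option; the `systemctl restart ssh.service` that follows then fails and the host can be left without a working SSH daemon. Drop the duplicated `echo -e` and gate the restart on a syntax check, `sshd -t && systemctl restart ssh.service`, so a broken drop-in never takes sshd down. In set_mail_delivery, /etc/postfix/sasl_passwd is created with the process umask and only chmod'ed to 0600 afterwards; create it restricted first with `install -m 0600 /dev/null /etc/postfix/sasl_passwd` and run `postmap` under `umask 077` so the relay credentials are never world-readable even briefly. The TLS settings also need attention: `smtp_tls_CAfile` points at the snakeoil self-signed certificate, which cannot validate any smarthost, and `smtp_use_tls` is the deprecated spelling of `smtp_tls_security_level`; `smtp_tls_security_level = encrypt` (or `secure` to also verify the relay certificate) together with `smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt` is the current way to express this. Lastly `postmap /etc/aliases` should be `postalias /etc/aliases` (or `newaliases`), because alias databases use a different key format from ordinary lookup tables.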
@@ -376,8 +376,35 @@ harden_ssh(){ fi } +ask_mail_config(){ + mailconfig=0 + smtpauth=0 + if whiptail --title "MAIL DELIVERY" \ + --backtitle "$PROG" \ + --yes-button "MAIL CONFIG" \ + --no-button "SKIP" \ + --yesno "Do you want to configure postfix with a smarthost?" 9 76 ; then + mailconfig=1 + senderaddress=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter your sender email address." 9 76 3>&1 1>&2 2>&3) + displayname=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter your sender display name." 9 76 3>&1 1>&2 2>&3) + recipientaddress=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter the email address to receive notifications." 9 76 3>&1 1>&2 2>&3) + smtphost=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter the servername of your smarthost." 9 76 3>&1 1>&2 2>&3) + smtpport=$(inputbox_int 'MAIL DELIVERY' 'Please enter the port of your smarthost' 7 25) + if whiptail --title "MAIL DELIVERY" \ + --backtitle "$PROG" \ + --yes-button "CONFIGURE AUTH" \ + --no-button "SKIP" \ + --yesno "Do you want to configure authentication against your smarthost?" 9 76 ; then + smtpauth=1 + username=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter the username for authentication." 9 76 3>&1 1>&2 2>&3) + password=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --passwordbox "Please enter the passsword for authentication." 9 76 3>&1 1>&2 2>&3) + fi + fi +} + set_mail_delivery(){ - cat << EOF > /etc/postfix/main.cf + if [ $mailconfig -gt 0 ]; then + cat << EOF > /etc/postfix/main.cf myhostname=$(hostname -f) smtpd_banner = \$myhostname ESMTP \$mail_name (Debian/GNU) biff = no @@ -399,37 +426,38 @@ sender_canonical_maps = regexp:/etc/postfix/sender_canonical_maps smtp_header_checks = regexp:/etc/postfix/header_check EOF - cat << EOF > /etc/postfix/header_check + cat << EOF > /etc/postfix/header_check /From:.*/ REPLACE 
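Review bot: ask_mail_config writes nine globals (mailconfig, smtpauth, senderaddress, displayname, recipientaddress, smtphost, smtpport, username, password) that set_mail_delivery later reads, but nothing documents that contract; a header in the file's comment style, e.g. `# Globals: mailconfig smtpauth senderaddress displayname recipientaddress smtphost smtpport username password (written), PROG (read)`, would make the coupling visible. The smarthost password then stays in a plain shell variable for the remainder of the run; clearing it with `unset password` once set_mail_delivery has written sasl_passwd limits its lifetime, and it should never be echoed into the summary dialog. The prompt string `"Please enter the passsword for authentication."` also has a typo (`password`).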
From: $displayname <$senderaddress> EOF - cat << EOF > /etc/postfix/sender_canonical_maps + cat << EOF > /etc/postfix/sender_canonical_maps /.+/ $displayname <$senderaddress> EOF - if [ $smtpauth -gt 0 ]; then - cat << EOF > /etc/postfix/sasl_passwd + if [ $smtpauth -gt 0 ]; then + cat << EOF > /etc/postfix/sasl_passwd [$smtphost]:$smtpport $username:$password EOF - postmap /etc/postfix/sasl_passwd - postmap /etc/aliases - chown root:root /etc/postfix/sasl_passwd - chown root:root /etc/postfix/sasl_passwd.db - chmod 0600 /etc/postfix/sasl_passwd - chmod 0600 /etc/postfix/sasl_passwd.db + postmap /etc/postfix/sasl_passwd + postmap /etc/aliases + chown root:root /etc/postfix/sasl_passwd + chown root:root /etc/postfix/sasl_passwd.db + chmod 0600 /etc/postfix/sasl_passwd + chmod 0600 /etc/postfix/sasl_passwd.db - cat << EOF >> /etc/postfix/main.cf + cat << EOF >> /etc/postfix/main.cf smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd smtp_sasl_security_options = noanonymous EOF + fi + + ln -sf /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/postfix/cacert.pem + + systemctl restart postfix.service + + pvesh set access/users/root@pam -email $recipientaddress fi - - ln -sf /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/postfix/cacert.pem - - systemctl restart postfix.service - - pvesh set access/users/root@pam -email $recipientaddress } create_swap_pool(){ @@ -550,6 +578,9 @@ select_pve_repos # subscription related actions select_subscription +# mail delivery config +ask_mail_config + summary echo "Proxmox postinstallation finished!" From cb3b5e40194d0ad5015a4c14fbd084e3579d6740 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Mon, 2 Oct 2023 18:16:03 +0200 Subject: [PATCH 15/57] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 8619c70..67e2fda 100644 --- a/README.md +++ b/README.md 
@@ -18,8 +18,8 @@ Following settings are made: Just download and execute the script, all settings are made interactively. ``` -wget https://github.com/bashclub/proxmox-zfs-postinstall/raw/main/proxmox-zfs-postinstall.sh -bash ./proxmox-zfs-postinstall.sh +wget https://github.com/bashclub/proxmox-zfs-postinstall/raw/dev/postinstall +./postinstall ``` # Author From 616773b0e9bf251c3e92d49db63e0a68c481f974 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Mon, 2 Oct 2023 19:40:38 +0200 Subject: [PATCH 16/57] Fix dialogs, summary --- postinstall | 28 +++- proxmox-zfs-postinstall.sh | 312 ------------------------------------- 2 files changed, 21 insertions(+), 319 deletions(-) delete mode 100644 proxmox-zfs-postinstall.sh diff --git a/postinstall b/postinstall index c20d1fd..1225ab6 100755 --- a/postinstall +++ b/postinstall @@ -181,7 +181,7 @@ select_subscription(){ } ask_locales(){ - locales=$(whiptail --title "SET LOCALES" --backtitle "$PROG" --inputbox "Please enter a space separated list of locales to generate." 9 76 "$(echo $(grep -vE '#|^$' /etc/locale.gen | cut -d ' ' -f1))" 3>&1 1>&2 2>&3) + if ! locales=$(whiptail --title "SET LOCALES" --backtitle "$PROG" --inputbox "Please enter a space separated list of locales to generate." 9 76 "$(echo $(grep -vE '#|^$' /etc/locale.gen | cut -d ' ' -f1))" 3>&1 1>&2 2>&3); then cancel_dialog ; fi } ask_ssh_hardening(){ 
@@ -379,16 +379,22 @@ harden_ssh(){ ask_mail_config(){ mailconfig=0 smtpauth=0 + senderaddress="" + displayname="" + recipientaddress="" + smtphost="" + smtpport=25 + username="" if whiptail --title "MAIL DELIVERY" \ --backtitle "$PROG" \ --yes-button "MAIL CONFIG" \ --no-button "SKIP" \ --yesno "Do you want to configure postfix with a smarthost?" 9 76 ; then mailconfig=1 - senderaddress=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter your sender email address." 9 76 3>&1 1>&2 2>&3) - displayname=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter your sender display name." 9 76 3>&1 1>&2 2>&3) - recipientaddress=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter the email address to receive notifications." 9 76 3>&1 1>&2 2>&3) - smtphost=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter the servername of your smarthost." 9 76 3>&1 1>&2 2>&3) + if ! senderaddress=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter your sender email address." 9 76 3>&1 1>&2 2>&3); then cancel_dialog; fi + if ! displayname=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter your sender display name." 9 76 3>&1 1>&2 2>&3); then cancel_dialog; fi + if !recipientaddress=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter the email address to receive notifications." 9 76 3>&1 1>&2 2>&3); then cancel_dialog; fi + if ! smtphost=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter the servername of your smarthost." 9 76 3>&1 1>&2 2>&3); then cancel_dialog; fi smtpport=$(inputbox_int 'MAIL DELIVERY' 'Please enter the port of your smarthost' 7 25) if whiptail --title "MAIL DELIVERY" \ --backtitle "$PROG" \ 
@@ -396,8 +402,8 @@ ask_mail_config(){ --no-button "SKIP" \ --yesno "Do you want to configure authentication against your smarthost?" 9 76 ; then smtpauth=1 - username=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter the username for authentication." 9 76 3>&1 1>&2 2>&3) - password=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --passwordbox "Please enter the passsword for authentication." 9 76 3>&1 1>&2 2>&3) + if ! username=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter the username for authentication." 9 76 3>&1 1>&2 2>&3); then cancel_dialog; fi + if ! password=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --passwordbox "Please enter the passsword for authentication." 9 76 3>&1 1>&2 2>&3); then cancel_dialog; fi fi fi } @@ -548,6 +554,14 @@ summary(){ suppress subscription warning: $suppress_warning\n\ auto-snapshot: $autosnap\n\ ssh-hardening: $ssh_hardening\n\ + mail delivery: $mailconfig + sender email: $senderaddress + sender display name: $displayname + notification address: $recipientaddress + smarthost: $smtphost + smarthost port: $smtpport + smarthost auth: $smtpauth + smarthost username: $username " 30 76 ; then installation_task else diff --git a/proxmox-zfs-postinstall.sh b/proxmox-zfs-postinstall.sh deleted file mode 100644 index 8ff9246..0000000 --- a/proxmox-zfs-postinstall.sh +++ /dev/null 
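Review bot: The eight lines added to the summary dialog (`mail delivery: $mailconfig` through `smarthost username: $username`) drop the `\n\` line continuation that the preceding lines use, so the quoted message now mixes escaped and literal newlines; the dialog still breaks per line, but ending each added line with `\n\` like `ssh-hardening: $ssh_hardening\n\` keeps the block uniform. Showing the username but not the password is the right call and should stay that way.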
@@ -1,312 +0,0 @@ -#!/bin/bash - -###### CONFIG SECTION ###### - -# Define basic tools to install -TOOLS="sudo vim ifupdown2 libpve-network-perl net-tools dnsutils ethtool git curl unzip screen tmux iftop lshw smartmontools nvme-cli lsscsi sysstat zfs-auto-snapshot htop mc rpl lsb-release" - -#### PVE CONF BACKUP CONFIGURATION #### - -# Define target dataset for backup of /etc -# IMPORTANT NOTE: Don't type in the leading /, this will be set where needed -PVE_CONF_BACKUP_TARGET=rpool/pveconf - -# Define timer for your backup cronjob (default: every 15 minutes from 3 through 59) -PVE_CONF_BACKUP_CRON_TIMER="3,18,33,48 * * * *" - -# Get Debian version info -source /etc/os-release - -###### SYSTEM INFO AND INTERACTIVE CONFIGURATION SECTION ###### - -ROUND_FACTOR=512 - -roundup(){ - echo $(((($1 + $ROUND_FACTOR) / $ROUND_FACTOR) * $ROUND_FACTOR)) -} - -roundoff(){ - echo $((($1 / $ROUND_FACTOR) * $ROUND_FACTOR)) -} - -#### L1ARC SIZE CONFIGURATION #### - -# get total size of all zpools -ZPOOL_SIZE_SUM_BYTES=0 -for line in $(zpool list -o size -Hp); do ZPOOL_SIZE_SUM_BYTES=$(($ZPOOL_SIZE_SUM_BYTES+$line)); done - -# get information about available ram -MEM_TOTAL_BYTES=$(($(awk '/MemTotal/ {print $2}' /proc/meminfo) * 1024)) - -# get values if defaults are set -ARC_MAX_DEFAULT_BYTES=$(($MEM_TOTAL_BYTES / 2)) -ARC_MIN_DEFAULT_BYTES=$(($MEM_TOTAL_BYTES / 32)) - -# get current settings -ARC_MIN_CUR_BYTES=$(cat /sys/module/zfs/parameters/zfs_arc_min) -ARC_MAX_CUR_BYTES=$(cat /sys/module/zfs/parameters/zfs_arc_max) - -# calculate suggested l1arc sice -ZFS_ARC_MIN_MEGABYTES=$(roundoff $(($ZPOOL_SIZE_SUM_BYTES / 2048 / 1024 / 1024))) -ZFS_ARC_MAX_MEGABYTES=$(roundup $(($ZPOOL_SIZE_SUM_BYTES / 1024 / 1024 / 1024))) - -echo -e "######## CONFIGURE ZFS L1ARC SIZE ########\n" -echo "System Summary:" -echo -e "\tSystem Memory:\t\t$(($MEM_TOTAL_BYTES / 1024 / 1024))\tMB" -echo -e "\tZpool size (sum):\t$(($ZPOOL_SIZE_SUM_BYTES / 1024 / 1024))\tMB" -echo -e "Calculated l1arc if set to 
defaults:" -if [ $ARC_MIN_DEFAULT_BYTES -lt 33554432 ]; then - echo -e "\tDefault zfs_arc_min:\t32\tMB" -else - echo -e "\tDefault zfs_arc_min:\t$(($ARC_MIN_DEFAULT_BYTES / 1024 / 1024))\tMB" -fi -echo -e "\tDefault zfs_arc_max:\t$(($ARC_MAX_DEFAULT_BYTES / 1024 / 1024))\tMB" -echo -e "Current l1arc configuration:" -if [ $ARC_MIN_CUR_BYTES -gt 0 ]; then - echo -e "\tCurrent zfs_arc_min:\t$(($ARC_MIN_CUR_BYTES / 1024 / 1024))\tMB" -else - echo -e "\tCurrent zfs_arc_min:\t0" -fi -if [ $ARC_MAX_CUR_BYTES -gt 0 ]; then - echo -e "\tCurrent zfs_arc_max:\t$(($ARC_MAX_CUR_BYTES / 1024 / 1024))\tMB" -else - echo -e "\tCurrent zfs_arc_max:\t0" -fi -echo -e "Note: If your current values are 0, the calculated values above will apply." -echo "" -echo -e "The l1arc cache will be set relative to the size (sum) of your zpools by policy" -echo -e "zfs_arc_min:\t\t\t$(($ZFS_ARC_MIN_MEGABYTES))\tMB\t\t= 512 MB RAM per 1 TB ZFS storage (round off in 512 MB steps)" -echo -e "zfs_arc_max:\t\t\t$(($ZFS_ARC_MAX_MEGABYTES))\tMB\t\t= 1 GB RAM per 1 TB ZFS storage (round up in 512 MB steps)" -echo "" -RESULT=not_set -while [ "$(echo $RESULT | awk '{print tolower($0)}')" != "y" ] && [ "$(echo $RESULT | awk '{print tolower($0)}')" != "n" ] && [ "$(echo $RESULT | awk '{print tolower($0)}')" != "" ]; do - read -p "If you want to apply the values by script policy type 'y', type 'n' to adjust the values yourself [Y/n]? 
" - RESULT=${REPLY} -done -if [[ "$(echo $RESULT | awk '{print tolower($0)}')" == "n" ]]; then - read -p "Please type in the desired value in MB for 'zfs_arc_min' [$(($ZFS_ARC_MIN_MEGABYTES))]: " - if [[ ${REPLY} -gt 0 ]]; then - ZFS_ARC_MIN_MEGABYTES=$((${REPLY})) - fi - read -p "Please type in the desired value in MB for 'zfs_arc_max' [$(($ZFS_ARC_MAX_MEGABYTES))]: " - if [[ ${REPLY} -gt 0 ]]; then - ZFS_ARC_MAX_MEGABYTES=$((${REPLY})) - fi -fi - -#### SWAPPINESS #### - -echo -e "######## CONFIGURE SWAPPINESS ########\n" -SWAPPINESS=$(cat /proc/sys/vm/swappiness) -echo "The current swappiness is configured to '$SWAPPINESS %' of free memory until using swap." -read -p "If you want to change the swappiness, please type in the percentage as number (0 = disabled):" user_input -if echo "$user_input" | grep -qE '^[0-9]+$'; then - echo "Changing swappiness from '$SWAPPINESS %' to '$user_input %'" - SWAPPINESS=$user_input -else - echo "No input - swappiness unchanged at '$SWAPPINESS %'." -fi - -#### ZFS AUTO SNAPSHOT CONFIGURATION #### - -# get information about zfs-auto-snapshot and ask for snapshot retention -declare -A auto_snap_keep=( ["frequent"]="8" ["hourly"]="48" ["daily"]="31" ["weekly"]="8" ["monthly"]="3" ) -dpkg -l zfs-auto-snapshot > /dev/null - -if [ $? -eq 0 ]; then - echo "'zfs-auto-snapshot' already installed. Reading config..." - for interval in "${!auto_snap_keep[@]}"; do - if [[ "$interval" == "frequent" ]]; then - auto_snap_keep[$interval]=$(cat /etc/cron.d/zfs-auto-snapshot | grep keep | cut -d' ' -f19 | cut -d '=' -f2) - else - auto_snap_keep[$interval]=$(cat /etc/cron.$interval/zfs-auto-snapshot | grep keep | cut -d' ' -f6 | cut -d'=' -f2) - fi - done -else - echo "'zfs-auto-snapshot' not installed yet, using script defaults..." 
-fi -echo -e "######## CONFIGURE ZFS AUTO SNAPSHOT ########\n" -for interval in "${!auto_snap_keep[@]}"; do - read -p "Please set how many $interval snapshots to keep (current: keep=${auto_snap_keep[$interval]})" user_input - if echo "$user_input" | grep -qE '^[0-9]+$'; then - echo "Changing $interval from ${auto_snap_keep[$interval]} to $user_input" - auto_snap_keep[$interval]=$user_input - else - echo "No input - $interval unchanged at ${auto_snap_keep[$interval]}." - fi -done - -#### CHECKMK AGENT CONFIGURATION #### -read -p "Do you want to install checkmk agent on this machine? [y/N] " install_checkmk -if [[ "$install_checkmk" == "y" ]]; then - read -p "Please specify the base url to your checkmk server (e.g. https://check.zmb.rocks/bashclub): " cmk_agent_url - read -p "Enable agent encryption (requires setup of Agent Encryption on your checkmk instance). Do you want to activate agent encryption? [y/N] " cmk_encrypt - if [[ "$cmk_encrypt" == "y" ]]; then - read -p "Please enter the encryption passphrase: " cmk_enc_pass - fi - read -p "Register your machine on your checkmk server (requires preconfigured automation secret)? [y/N] " cmk_register - if [[ "$cmk_register" == "y" ]]; then - read -p "Please enter your automation secret: " cmk_secret - read -p "Please enter the folder where to store the host: " cmk_folder - cmk_site=$(echo $cmk_agent_url | cut -d'/' -f4) - read -p "Please enter the checkmk site name: [$cmk_site]" user_input - if [[ $(echo -n "$user_input") != "" ]]; then - cmk_site=$user_input - fi - echo "Please select which agent ip address to register:" - select ip in $(ip a | grep "inet " | cut -d ' ' -f6 | cut -d/ -f1); do - cmk_reg_ip=$ip - break - done - fi -fi - - -###### INSTALLER SECTION ###### - -# disable pve-enterprise repo and add pve-no-subscription repo - -#Not tested, yet! -read -p "Do you want to disable pve-enterprise repo and add pve-no-subscription repo (y/N)? 
" response - -if [ "${response,,}" == "y" ]; then - if [[ "$(uname -r)" == *"-pve" ]]; then - echo "Deactivating pve-enterprise repository" - mv /etc/apt/sources.list.d/pve-enterprise.list /etc/apt/sources.list.d/pve-enterprise.list.bak > /dev/null 2>&1 - echo "Activating pve-no-subscription repository" - q=$(cat /etc/apt/sources.list | grep "pve-no-subscription") - if [ $? -gt 0 ]; then - echo "deb http://download.proxmox.com/debian/pve $VERSION_CODENAME pve-no-subscription" >> /etc/apt/sources.list - fi - rm -f /etc/apt/sources.list.d/pve-no-subscription.list - fi -fi - -echo "Getting latest package lists" -apt update > /dev/null 2>&1 - -# include interfaces.d to enable SDN features -q=$(cat /etc/network/interfaces | grep "source /etc/network/interfaces.d/*") -if [ $? -gt 0 ]; then - echo "source /etc/network/interfaces.d/*" >> /etc/network/interfaces -fi - -# update system and install basic tools -echo "Upgrading system to latest version - Depending on your version this could take a while..." -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade > /dev/null 2>&1 -echo "Installing toolset - Depending on your version this could take a while..." 
-DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install $TOOLS > /dev/null 2>&1 - -# configure zfs-auto-snapshot -for interval in "${!auto_snap_keep[@]}"; do - echo "Setting zfs-auto-snapshot retention: $interval = ${auto_snap_keep[$interval]}" - if [[ "$interval" == "frequent" ]]; then - CURRENT=$(cat /etc/cron.d/zfs-auto-snapshot | grep keep | cut -d' ' -f19 | cut -d '=' -f2) - if [[ "${auto_snap_keep[$interval]}" != "$CURRENT" ]]; then - rpl "keep=$CURRENT" "keep=${auto_snap_keep[$interval]}" /etc/cron.d/zfs-auto-snapshot > /dev/null 2>&1 - fi - else - CURRENT=$(cat /etc/cron.$interval/zfs-auto-snapshot | grep keep | cut -d' ' -f6 | cut -d'=' -f2) - if [[ "${auto_snap_keep[$interval]}" != "$CURRENT" ]]; then - rpl "keep=$CURRENT" "keep=${auto_snap_keep[$interval]}" /etc/cron.$interval/zfs-auto-snapshot > /dev/null 2>&1 - fi - fi -done - -echo "Configuring swappiness" -echo "vm.swappiness=$SWAPPINESS" > /etc/sysctl.d/swappiness.conf -sysctl -w vm.swappiness=$SWAPPINESS - -echo "Configuring pve-conf-backup" -# create backup jobs of /etc -zfs list $PVE_CONF_BACKUP_TARGET > /dev/null 2>&1 -if [ $? -ne 0 ]; then - zfs create $PVE_CONF_BACKUP_TARGET -fi - -if [[ "$(df -h -t zfs | grep /$ | cut -d ' ' -f1)" == "rpool/ROOT/pve-1" ]] ; then - echo "$PVE_CONF_BACKUP_CRON_TIMER root rsync -va --delete /etc /$PVE_CONF_BACKUP_TARGET > /$PVE_CONF_BACKUP_TARGET/pve-conf-backup.log" > /etc/cron.d/pve-conf-backup -fi - -ZFS_ARC_MIN_BYTES=$((ZFS_ARC_MIN_MEGABYTES * 1024 *1024)) -ZFS_ARC_MAX_BYTES=$((ZFS_ARC_MAX_MEGABYTES * 1024 *1024)) - -echo "Adjusting ZFS level 1 arc" -echo $ZFS_ARC_MIN_BYTES > /sys/module/zfs/parameters/zfs_arc_min -echo $ZFS_ARC_MAX_BYTES > /sys/module/zfs/parameters/zfs_arc_max - -cat << EOF > /etc/modprobe.d/zfs.conf -options zfs zfs_arc_max=$ZFS_ARC_MAX_BYTES -options zfs zfs_arc_min=$ZFS_ARC_MIN_BYTES -EOF - -if [[ "$install_checkmk" == "y" ]]; then - echo "Installing checkmk agent..." 
- if [[ $( echo -n "$(openssl s_client -connect $(echo $cmk_agent_url | cut -d'/' -f3):443 <<< "Q" 2>/dev/null | grep "Verify return code" | cut -d ' ' -f4)" ) -gt 0 ]]; then - wget_opts="--no-check-certificate" - curl_opts="--insecure" - fi - wget -q -O /usr/local/bin/check_mk_agent $wget_opts $cmk_agent_url/check_mk/agents/check_mk_agent.linux - wget -q -O /usr/local/bin/mk-job $wget_opts $cmk_agent_url/check_mk/agents/mk-job - wget -q -O /usr/local/bin/check_mk_caching_agent $wget_opts $cmk_agent_url/check_mk/agents/check_mk_caching_agent.linux - wget -q -O /usr/local/bin/waitmax $wget_opts $cmk_agent_url/check_mk/agents/waitmax - chmod +x /usr/local/bin/check_mk_agent - chmod +x /usr/local/bin/mk-job - chmod +x /usr/local/bin/check_mk_caching_agent - chmod +x /usr/local/bin/waitmax - /usr/local/bin/check_mk_agent > /dev/null - wget -q -O /etc/systemd/system/check_mk.socket $wget_opts $cmk_agent_url/check_mk/agents/cfg_examples/systemd/check_mk.socket - cat << EOF > /etc/systemd/system/check_mk@.service -# systemd service definition file -[Unit] -Description=Check_MK - -[Service] -# "-" path prefix makes systemd record the exit code, -# but the unit is not set to failed. 
-ExecStart=-/usr/local/bin/check_mk_agent -Type=forking - -User=root -Group=root - -StandardInput=socket -EOF - - mkdir -p /etc/check_mk - if [[ "$cmk_encrypt" == "y" ]]; then - mkdir -p /etc/check_mk - cat << EOF > /etc/check_mk/encryption.cfg -ENCRYPTED=yes -PASSPHRASE='$cmk_enc_pass' -EOF - chmod 600 /etc/check_mk/encryption.cfg - fi - - mkdir -p /var/lib/check_mk_agent - mkdir -p /var/lib/check_mk_agent/spool - mkdir -p /var/lib/check_mk_agent/job - mkdir -p /usr/lib/check_mk_agent/local - mkdir -p /usr/lib/check_mk_agent/plugins - wget -q -O /usr/lib/check_mk_agent/plugins/smart $wget_opts $cmk_agent_url/check_mk/agents/plugins/smart - chmod +x /usr/lib/check_mk_agent/plugins/smart - wget -q -O /usr/lib/check_mk_agent/plugins/mk_inventory $wget_opts $cmk_agent_url/check_mk/agents/plugins/mk_inventory.linux - chmod +x /usr/lib/check_mk_agent/plugins/mk_inventory - wget -q -O /usr/lib/check_mk_agent/plugins/mk_apt $wget_opts $cmk_agent_url/check_mk/agents/plugins/mk_apt - chmod +x /usr/lib/check_mk_agent/plugins/mk_apt - #LocalDirectory: /usr/lib/check_mk_agent/local - systemctl daemon-reload - systemctl enable check_mk.socket - systemctl restart sockets.target - - if [[ "$cmk_register" == "y" ]]; then - cmk_request="request={\"hostname\":\"$(echo -n $(hostname -f))\",\"folder\":\"$cmk_folder\",\"attributes\":{\"ipaddress\":\"$cmk_reg_ip\",\"site\":\"$cmk_site\",\"tag_agent\":\"cmk-agent\"},\"create_folders\":\"1\"}" - curl $curl_opts "$cmk_agent_url/check_mk/webapi.py?action=add_host&_secret=$cmk_secret&_username=automation" -d $cmk_request - curl $curl_opts "$cmk_agent_url/check_mk/webapi.py?action=activate_changes&_secret=$cmk_secret&_username=automation" -d "request={\"sites\":[\"$cmk_site\"],\"allow_foreign_changes\":\"0\"}" - fi -fi - -echo "Updating initramfs - This will take some time..." -update-initramfs -u -k all > /dev/null 2>&1 - -echo "Proxmox postinstallation finished!" From c71244bf28374ab55d2913c238e3f90c80d1becb Mon Sep 17 00:00:00 2001 
From: thorstenspille Date: Mon, 2 Oct 2023 20:14:35 +0200 Subject: [PATCH 17/57] Set default values in mailconfig --- postinstall | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/postinstall b/postinstall index 1225ab6..2522b1f 100755 --- a/postinstall +++ b/postinstall @@ -382,7 +382,7 @@ ask_mail_config(){ senderaddress="" displayname="" recipientaddress="" - smtphost="" + smtphost=$(grep relayhost /etc/postfix/main.cf | cut -d : -f1 | cut -d ' ' -f3 | cut -d ']' -f1 | cut -d '[' -f2) smtpport=25 username="" if whiptail --title "MAIL DELIVERY" \ 
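Review bot: The relayhost pre-fill added here and in the next hunk (`@@ -392,10 +392,10 @@`) greps /etc/postfix/main.cf unanchored, so a commented `#relayhost` line or any other line containing the word also matches, and when the file has no relayhost with a port the `cut -d':' -f2` in the smtpport call yields an empty string that silently replaces the `smtpport=25` default set a few lines above. Anchor the match and keep the fallback: `smtphost=$(grep -E '^relayhost' /etc/postfix/main.cf 2>/dev/null | ...)`, and store the port lookup in a variable first so the call can read `smtpport=$(inputbox_int 'MAIL DELIVERY' 'Please enter the port of your smarthost' 7 "${port_default:-25}")` (name constructed here). The defaults handed to whiptail — `$(hostname -f)`, `$smtphost` and the pvesh email lookup — are unquoted, so a value with whitespace shifts whiptail's argument list; quote them as `"$smtphost"`. If main.cf is absent the grep error also reaches the terminal, hence the `2>/dev/null` above.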
@@ -392,10 +392,10 @@ ask_mail_config(){ --yesno "Do you want to configure postfix with a smarthost?" 9 76 ; then mailconfig=1 if ! senderaddress=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter your sender email address." 9 76 3>&1 1>&2 2>&3); then cancel_dialog; fi - if ! displayname=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter your sender display name." 9 76 3>&1 1>&2 2>&3); then cancel_dialog; fi - if !recipientaddress=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter the email address to receive notifications." 9 76 3>&1 1>&2 2>&3); then cancel_dialog; fi - if ! smtphost=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter the servername of your smarthost." 9 76 3>&1 1>&2 2>&3); then cancel_dialog; fi - smtpport=$(inputbox_int 'MAIL DELIVERY' 'Please enter the port of your smarthost' 7 25) + if ! displayname=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter your sender display name." 9 76 $(hostname -f) 3>&1 1>&2 2>&3); then cancel_dialog; fi + if ! recipientaddress=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter the email address to receive notifications." 9 76 $(pvesh get access/users/root@pam --output-format yaml| grep email | cut -d' ' -f2) 3>&1 1>&2 2>&3); then cancel_dialog; fi + if ! smtphost=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter the servername of your smarthost." 9 76 $smtphost 3>&1 1>&2 2>&3); then cancel_dialog; fi + smtpport=$(inputbox_int 'MAIL DELIVERY' 'Please enter the port of your smarthost' 7 $(grep relayhost /etc/postfix/main.cf | cut -d':' -f2)) if whiptail --title "MAIL DELIVERY" \ --backtitle "$PROG" \ --yes-button "CONFIGURE AUTH" \ From fdde5ae6f9ba1807c7b96a95cf7363daad027c80 Mon Sep 17 00:00:00 2001 
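Review bot: The default handed to inputbox_int on the new smtpport line is wrong whenever the relayhost has no port: `cut -d':' -f2` prints the whole line when there is no `:` in it, so the unquoted `$(...)` expands to `relayhost = host` and is word-split into several extra positional arguments. Derive the port only from a trailing `:digits` and fall back to 25, e.g. `smtpport=$(grep -s '^relayhost' /etc/postfix/main.cf | grep -oE ':[0-9]+$' | tr -d :)` followed by `[[ -n $smtpport ]] || smtpport=25`, and quote the defaults (`"$smtphost"`, `"$smtpport"`) so an embedded space cannot shift whiptail's arguments. The `$(pvesh ... | grep email | cut -d' ' -f2)` default two lines earlier parses YAML with grep and will match any key that contains `email`, not just the `email:` field. ask_mail_config continues past the end of the hunk.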
From: Thorsten Spille Date: Mon, 2 Oct 2023 20:49:40 +0200 Subject: [PATCH 18/57] Update README.md --- README.md | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 67e2fda..7e7a99c 100644 --- a/README.md +++ b/README.md @@ -2,17 +2,21 @@ This script installs and configures basic tools for running a Proxmox Server. Following settings are made: -- Disable `pve-enterprise` repo -- Add `pve-no-subscription` repo -- Upgrade system to latest version -- Install basic tools: `sudo vim ifupdown2 net-tools dnsutils ethtool git curl unzip screen iftop lshw smartmontools nvme-cli lsscsi sysstat zfs-auto-snapshot htop mc rpl` -- Configure snapshot retention for `zfs-auto-snapshot` interactively -- `zfs_arc_[min|max]` will be calculated by size sum of all zpools in 512 MB steps -- Configure backup of `/etc` folder to new zfs dataset on `rpool/pveconf` -- Configure `vm.swappiness` interactively -- Install checkmk Agent with optional encryption and registration -- Added Support for Proxmox VE 7.0 -- Added Proxmox SDN features +- Install and configure zfs-auto-snapshot +- Switch pve-enterprise/pve-no-subscription/pvetest repo +- Disable "No subscription message" in webinterface in no-subscription mode +- Add pve-enterprise subscription key +- Update system to the latest version +- Install common tools +- Install Proxmox SDN Extensions +- Configure automatic backup of /etc Folder +- Configure locales +- SSH server hardening +- Install checkzfs +- Install bashclub-zsync +- Create zfspool storage for swap disks if not exists +- Adjust default volblocksize for Proxmox zfspool storage +- Configure proxmox mail delivery with postfix # Usage From e34a9ccdb5ed6bcddd305e251a254b953848d5f1 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Mon, 2 Oct 2023 21:21:22 +0200 Subject: [PATCH 19/57] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/README.md b/README.md index 7e7a99c..3d980f1 100644 --- a/README.md +++ b/README.md @@ -22,7 +22,7 @@ Following settings are made: Just download and execute the script, all settings are made interactively. ``` -wget https://github.com/bashclub/proxmox-zfs-postinstall/raw/dev/postinstall +wget -O ./postinstall --no-cache https://github.com/bashclub/proxmox-zfs-postinstall/raw/dev/postinstall ./postinstall ``` From 1544b50340f8b226cf1e4b60c3675f4c073e1805 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Mon, 2 Oct 2023 21:21:46 +0200 Subject: [PATCH 20/57] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3d980f1..3743e27 100644 --- a/README.md +++ b/README.md @@ -23,7 +23,7 @@ Following settings are made: Just download and execute the script, all settings are made interactively. ``` wget -O ./postinstall --no-cache https://github.com/bashclub/proxmox-zfs-postinstall/raw/dev/postinstall -./postinstall +bash ./postinstall ``` # Author From 23c20522b18567758c40456b6d3af660ce677a3d Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Mon, 2 Oct 2023 21:27:05 +0200 Subject: [PATCH 21/57] Fix zsync install --- postinstall | 1 - 1 file changed, 1 deletion(-) diff --git a/postinstall b/postinstall index 2522b1f..31ce909 100755 --- a/postinstall +++ b/postinstall @@ -493,7 +493,6 @@ install_checkzfs(){ install_zsync(){ wget -q --no-cache -O /usr/bin/bashclub-zsync https://git.bashclub.org/bashclub/zsync/raw/branch/main/bashclub-zsync/usr/bin/bashclub-zsync chmod +x /usr/bin/bashclub-zsync - bashclub-zsync cat << EOF > /etc/logrotate.d/bashclub-zsync /var/log/bashclub-zsync/*.log { weekly From 75cbd7d9dfcff1959e6d9b57fb09d4d7c04a3cbc Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Mon, 2 Oct 2023 21:30:11 +0200 Subject: [PATCH 22/57] Fix repo edit --- postinstall | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
diff --git a/postinstall b/postinstall index 31ce909..8f9a7ec 100755 --- a/postinstall +++ b/postinstall @@ -276,16 +276,16 @@ set_pve_repo(){ test=$(grep pvetest /etc/apt/sources.list) if [[ $repo_selection == "pve-enterprise" ]]; then pvesh set nodes/px1/apt/repositories --handle enterprise - sed -i "s/$nosub/# $nosub/g" /etc/apt/sources.list - sed -i "s/$test/# $test/g" /etc/apt/sources.list + sed -i "s|$nosub|# $nosub|g" /etc/apt/sources.list + sed -i "s|$test|# $test|g" /etc/apt/sources.list elif [[ $repo_selection == "pve-no-subscription" ]]; then pvesh set nodes/px1/apt/repositories --handle no-subscription - sed -i "s/$enterprise/# $enterprise/g" /etc/apt/sources.list.d/pve-enterprise.list - sed -i "s/$test/# $test/g" /etc/apt/sources.list + sed -i "s|$enterprise|# $enterprise|g" /etc/apt/sources.list.d/pve-enterprise.list + sed -i "s|$test|# $test|g" /etc/apt/sources.list elif [[ $repo_selection == "pvetest" ]]; then pvesh set nodes/px1/apt/repositories --handle test - sed -i "s/$nosub/# $nosub/g" /etc/apt/sources.list - sed -i "s/$enterprise/# $enterprise/g" /etc/apt/sources.list.d/pve-enterprise.list + sed -i "s|$nosub|# $nosub|g" /etc/apt/sources.list + sed -i "s|$enterprise|# $enterprise|g" /etc/apt/sources.list.d/pve-enterprise.list fi } From 858e1419dd246af779f559b81cdc37c4614e422d Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Tue, 3 Oct 2023 13:38:05 +0200 Subject: [PATCH 23/57] Fix manual arc setting --- postinstall | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/postinstall b/postinstall index 8f9a7ec..3d88c6f 100755 --- a/postinstall +++ b/postinstall 
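Review bot: `pvesh set nodes/px1/apt/repositories` hard-codes the node name `px1` in all three branches of set_pve_repo, so on any host not named px1 the call fails and only the sed edits run; address the local node instead, `pvesh set "nodes/$(hostname)/apt/repositories" --handle ...`. Switching the delimiter to `|` fixes the slashes in the URLs, but `$nosub`, `$enterprise` and `$test` are still raw grep output interpolated into a regex: when the grep matched nothing the expression becomes `s||# |g` and sed aborts, and when it matched two lines the embedded newline makes the expression unterminated. A sed address that comments only an uncommented matching line avoids both without any variable, e.g. `sed -i '/pve-no-subscription/s/^[^#]/# &/' /etc/apt/sources.list`.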
@@ -131,8 +131,8 @@ Suggested values: \n \ } arc_set_manual() { - if [ $ARC_MIN_CURRENT_MB -gt 0 ]; then MIN_VALUE=$ARC_MIN_CURRENT_MB; else $ZFS_ARC_MIN_MEGABYTES; fi - if [ $ARC_MAX_CURRENT_MB -gt 0 ]; then MAX_VALUE=$ARC_MAX_CURRENT_MB; else $ZFS_ARC_MAX_MEGABYTES; fi + if [ $ARC_MIN_CURRENT_MB -gt 0 ]; then MIN_VALUE=$ARC_MIN_CURRENT_MB; else MIN_VALUE=$ZFS_ARC_MIN_MEGABYTES; fi + if [ $ARC_MAX_CURRENT_MB -gt 0 ]; then MAX_VALUE=$ARC_MAX_CURRENT_MB; else MAX_VALUE=$ZFS_ARC_MAX_MEGABYTES; fi if ! ZFS_ARC_MIN_MEGABYTES=$(inputbox_int 'CONFIGURE ZFS L1ARC MIN SIZE' 'Please enter zfs_arc_min in MB' 7 $MIN_VALUE) ; then cancel_dialog ; fi if ! ZFS_ARC_MAX_MEGABYTES=$(inputbox_int 'CONFIGURE ZFS L1ARC MAX SIZE' 'Please enter zfs_arc_max in MB' 7 $MAX_VALUE) ; then cancel_dialog ; fi From eb4bc95c9aafbce005f95b28cab38ff1a7f14ec4 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Tue, 3 Oct 2023 14:01:58 +0200 Subject: [PATCH 24/57] Fix repo edit --- postinstall | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/postinstall b/postinstall index 3d88c6f..1dc5c06 100755 --- a/postinstall +++ b/postinstall @@ -264,7 +264,7 @@ set_locales(){ for locale in $locales; do line=$(grep $locale /etc/locale.gen) if echo $line | grep "#" ; then - sed -i "s/$line/$(echo $line | cut -d' ' -f2-)" /etc/locale.gen + sed -i "s/$line/$(echo $line | cut -d' ' -f2-)/" /etc/locale.gen fi done locale-gen 
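Review bot: `line=$(grep $locale /etc/locale.gen)` in set_locales can return several lines when `$locale` is a prefix of more than one entry (`en_US` matches `en_US ISO-8859-1`, `en_US.UTF-8 UTF-8`, ...), and a multi-line `$line` inside the `s/.../.../` that this hunk repairs is again an unterminated s command; `if echo $line | grep "#"` additionally prints the match to stdout. Let sed do the matching rather than round-tripping grep output through a regex: `sed -i "/^# *${locale}/s/^# *//" /etc/locale.gen` replaces the grep, the test and the sed in one line. What `$locales` holds is assigned outside this hunk, so whether the prefix case occurs in practice cannot be confirmed from here.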
@@ -276,16 +276,28 @@ set_pve_repo(){ test=$(grep pvetest /etc/apt/sources.list) if [[ $repo_selection == "pve-enterprise" ]]; then pvesh set nodes/px1/apt/repositories --handle enterprise - sed -i "s|$nosub|# $nosub|g" /etc/apt/sources.list - sed -i "s|$test|# $test|g" /etc/apt/sources.list + if [[ $nosub != "" ]]; then + sed -i "s|$nosub|# $nosub|g" /etc/apt/sources.list + fi + if [[ $test != "" ]]; then + sed -i "s|$test|# $test|g" /etc/apt/sources.list + fi elif [[ $repo_selection == "pve-no-subscription" ]]; then pvesh set nodes/px1/apt/repositories --handle no-subscription - sed -i "s|$enterprise|# $enterprise|g" /etc/apt/sources.list.d/pve-enterprise.list - sed -i "s|$test|# $test|g" /etc/apt/sources.list + if [[ $enterprise != "" ]]; then + sed -i "s|$enterprise|# $enterprise|g" /etc/apt/sources.list.d/pve-enterprise.list + fi + if [[ $test != "" ]]; then + sed -i "s|$test|# $test|g" /etc/apt/sources.list + fi elif [[ $repo_selection == "pvetest" ]]; then pvesh set nodes/px1/apt/repositories --handle test - sed -i "s|$nosub|# $nosub|g" /etc/apt/sources.list - sed -i "s|$enterprise|# $enterprise|g" /etc/apt/sources.list.d/pve-enterprise.list + if [[ $nosub != "" ]]; then + sed -i "s|$nosub|# $nosub|g" /etc/apt/sources.list + fi + if [[ $enterprise != "" ]]; then + sed -i "s|$enterprise|# $enterprise|g" /etc/apt/sources.list.d/pve-enterprise.list + fi fi } From 9f5c44029bb67e6e367add592f517a0835a12ca9 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Tue, 3 Oct 2023 15:05:53 +0200 Subject: [PATCH 25/57] Fix apt repo --- postinstall | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/postinstall b/postinstall index 1dc5c06..bb5338a 100755 --- a/postinstall +++ b/postinstall 
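Review bot: A second run of the script now turns an already-commented repo entry into `# # deb ...`, because `$nosub`, `$test` and `$enterprise` are substituted whether or not the matched line already starts with `#`, and a grep that hits two lines (one commented, one not) still yields a multi-line pattern that sed rejects even with the new empty-string guards. Commenting only uncommented matches with a sed address removes the variables and the guards altogether, e.g. `sed -i '/pvetest/s/^[^#]/# &/' /etc/apt/sources.list`. The node name in `pvesh set nodes/px1/apt/repositories` is still hard-coded and will not resolve on any host that is not named px1.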
@@ -275,27 +275,35 @@ set_pve_repo(){ enterprise=$(grep pve-enterprise /etc/apt/sources.list.d/pve-enterprise.list) test=$(grep pvetest /etc/apt/sources.list) if [[ $repo_selection == "pve-enterprise" ]]; then - pvesh set nodes/px1/apt/repositories --handle enterprise - if [[ $nosub != "" ]]; then + echo "deb https://enterprise.proxmox.com/debian/pve $VERSION_CODENAME pve-enterprise" > /etc/apt/sources.list.d/pve-enterprise.list + if [[ $nosub != "" ]] && [[ $nosub != *"#"* ]]; then sed -i "s|$nosub|# $nosub|g" /etc/apt/sources.list fi - if [[ $test != "" ]]; then + if [[ $test != "" ]] && [[ $test != *"#"* ]]; then sed -i "s|$test|# $test|g" /etc/apt/sources.list fi elif [[ $repo_selection == "pve-no-subscription" ]]; then - pvesh set nodes/px1/apt/repositories --handle no-subscription - if [[ $enterprise != "" ]]; then - sed -i "s|$enterprise|# $enterprise|g" /etc/apt/sources.list.d/pve-enterprise.list + if [[ $nosub == "" ]]; then + echo -e "\ndeb http://download.proxmox.com/debian/pve $VERSION_CODENAME pve-no-subscription\n" >> /etc/apt/sources.list + elif [[ $nosub == *"#"* ]]; then + sed -i "s|$nosub|$(echo $nosub | cut -d' ' -f2-)|" /etc/apt/sources.list fi - if [[ $test != "" ]]; then + if [[ $enterprise != "" ]] && [[ $enterprise != *"#"* ]]; then + sed -i "s|$enterprise|# $enterprise|g" /etc/apt/sources.list.d/pve-enterprise.list + fi + if [[ $test != "" ]] && [[ $test != *"#"* ]]; then sed -i "s|$test|# $test|g" /etc/apt/sources.list fi elif [[ $repo_selection == "pvetest" ]]; then - pvesh set nodes/px1/apt/repositories --handle test - if [[ $nosub != "" ]]; then + if [[ $test == "" ]]; then + echo -e "\ndeb http://download.proxmox.com/debian/pve $VERSION_CODENAME pvetest\n" >> /etc/apt/sources.list + elif [[ $test == *"#"* ]]; then + sed -i "s|$test|$(echo $test | cut -d' ' -f2-)|" /etc/apt/sources.list + fi + if [[ $nosub != "" ]] && [[ $nosub != *"#"* ]]; then sed -i "s|$nosub|# $nosub|g" /etc/apt/sources.list fi - if [[ $enterprise != "" ]]; then + 
if [[ $enterprise != "" ]] && [[ $enterprise != *"#"* ]]; then sed -i "s|$enterprise|# $enterprise|g" /etc/apt/sources.list.d/pve-enterprise.list fi fi From 601eb5c7e4af25679dcd6c729c36ce1be108f985 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Tue, 3 Oct 2023 15:16:25 +0200 Subject: [PATCH 26/57] Fix swap creation --- postinstall | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/postinstall b/postinstall index bb5338a..c230f85 100755 --- a/postinstall +++ b/postinstall @@ -489,7 +489,7 @@ EOF create_swap_pool(){ if ! pvesm status | grep swap; then if ! zfs list rpool/swap > /dev/null 2>&1 ; then - zfs create -O com.sun:auto-snapshot=false rpool/swap + zfs create -o com.sun:auto-snapshot=false rpool/swap else zfs set com.sun:auto-snapshot=false rpool/swap fi From 8fee5bcb2fe26f4644b624ccabab09e6fb4b05cb Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Tue, 3 Oct 2023 15:38:37 +0200 Subject: [PATCH 27/57] wget no-sub-hack quiet --- postinstall | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/postinstall b/postinstall index c230f85..0751cdd 100755 --- a/postinstall +++ b/postinstall @@ -224,7 +224,7 @@ suppress_no_subscription_warning(){ if [ -f /opt/bashclub/no-sub-hack.sh ] ; then rm -r /opt/bashclub ; fi if [ -f /etc/apt/apt.conf.d/80bashclubapthook ] ; then rm /etc/apt/apt.conf.d/80bashclubapthook ; fi - wget --no-cache -O /usr/local/bin/suppress_no_subscription_warning https://github.com/bashclub/no-sub-hack/raw/main/no-sub-hack.sh + wget -q --no-cache -O /usr/local/bin/suppress_no_subscription_warning https://github.com/bashclub/no-sub-hack/raw/main/no-sub-hack.sh chmod +x /usr/local/bin/suppress_no_subscription_warning /usr/local/bin/suppress_no_subscription_warning cat << EOF > /etc/apt/apt.conf.d/80-suppress_no_subscription_warning From a2272055f18c15eba034e5fb322aaf419e6b7873 Mon Sep 17 00:00:00 2001 
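Review bot: The new `echo "deb https://enterprise.proxmox.com/debian/pve $VERSION_CODENAME pve-enterprise" > /etc/apt/sources.list.d/pve-enterprise.list` and the two `>> /etc/apt/sources.list` appends depend on `VERSION_CODENAME`, which is not assigned anywhere in this hunk; the script runs under `set -u`, so unless it is sourced from /etc/os-release earlier in the file the enterprise branch aborts with an unbound-variable error. If it is meant to come from os-release, an explicit `. /etc/os-release` or `: "${VERSION_CODENAME:?}"` at the top of set_pve_repo makes that dependency visible and fails with a readable message. The `>` also discards whatever an admin had in pve-enterprise.list, including `[signed-by=...]` options. The function's closing brace follows the hunk.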
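Review bot: Adding `-q` removes the only signal that the download of no-sub-hack.sh failed: wget's exit status is not checked, so a DNS or TLS error leaves an empty or truncated `/usr/local/bin/suppress_no_subscription_warning`, which the next two lines mark executable and run as root, and which the apt hook written below presumably re-runs after every apt operation. The script is fetched from the unpinned `main` branch with no checksum, so whatever that branch serves at run time becomes root-executed code on every node this is run on. At minimum download to a `mktemp` path and fail on error, `wget -q --no-cache -O "$tmp" "$url" || { log "download of no-sub-hack failed"; return 1; }`, verify a pinned `sha256sum -c` before moving it into place, and pin the URL to a commit hash instead of `main`.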
From: thorstenspille Date: Tue, 3 Oct 2023 15:50:32 +0200 Subject: [PATCH 28/57] Remove printing of swap status --- postinstall | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/postinstall b/postinstall index 0751cdd..d50be63 100755 --- a/postinstall +++ b/postinstall @@ -487,7 +487,7 @@ EOF } create_swap_pool(){ - if ! pvesm status | grep swap; then + if ! pvesm status | grep swap > /dev/null; then if ! zfs list rpool/swap > /dev/null 2>&1 ; then zfs create -o com.sun:auto-snapshot=false rpool/swap else From 640c946d5bfb9a88204b5c9ab8192e9b23d87f45 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Wed, 4 Oct 2023 06:25:39 +0200 Subject: [PATCH 29/57] Rewrite log messages --- postinstall | 37 ++++++++++++++++++++++++++----------- 1 file changed, 26 insertions(+), 11 deletions(-) diff --git a/postinstall b/postinstall index d50be63..69f178f 100755 --- a/postinstall +++ b/postinstall @@ -69,6 +69,10 @@ sub_status=$(pvesubscription get | grep status | cut -d' ' -f2) #### FUNCTIONS #### +log(){ + echo "$(date) $1" +} + roundup(){ echo $(((($1 + $ROUND_FACTOR) / $ROUND_FACTOR) * $ROUND_FACTOR)) } @@ -211,6 +215,7 @@ input_subscription(){ } set_subscription(){ + log "Setting subscription key $1" if ! pvesubscription set $1; then input_subscription elif [[ $(pvesubscription get | grep status | cut -d' ' -f2) == "invalid" ]]; then @@ -261,6 +266,7 @@ select_pve_repos(){ } set_locales(){ + log "Setting locales" for locale in $locales; do line=$(grep $locale /etc/locale.gen) if echo $line | grep "#" ; then @@ -271,6 +277,7 @@ set_locales(){ } set_pve_repo(){ + log "Setting Proxmox package repositories to $repo_selection" nosub=$(grep pve-no-subscription /etc/apt/sources.list) enterprise=$(grep pve-enterprise /etc/apt/sources.list.d/pve-enterprise.list) test=$(grep pvetest /etc/apt/sources.list) 
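Review bot: `log "Setting subscription key $1"` in set_subscription prints the Proxmox subscription key in clear to stdout, so it ends up in terminal scrollback and in any file or `script`/tmux log the run is captured to; the key is a licence credential and should be handled like a password. Log the action without the value, or at most a masked form such as `log "Setting subscription key ${1:0:4}...${1: -4}"`. The new `log()` helper prints with `echo "$(date) $1"`; `printf '%s %s\n' "$(date)" "$*"` would not misinterpret a message that happens to start with `-n` or `-e`.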
@@ -310,19 +317,19 @@ set_pve_repo(){ } update_system(){ - echo "Getting latest package lists" + log "Downloading latest package lists" apt update > /dev/null 2>&1 - echo "Upgrading system to latest version - Depending on your version this could take a while..." + log "Upgrading system to latest version - Depending on your version this could take a while..." DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade > /dev/null 2>&1 } install_tools(){ - echo "Installing toolset - Depending on your version this could take a while..." + log "Installing toolset - Depending on your version this could take a while..." DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install $REQUIRED_TOOLS $OPTIONAL_TOOLS > /dev/null 2>&1 } enable_sdn(){ - # include interfaces.d to enable SDN features + log "Enabling SDN features" q=$(cat /etc/network/interfaces | grep "source /etc/network/interfaces.d/*") if [ $? -gt 0 ]; then echo "source /etc/network/interfaces.d/*" >> /etc/network/interfaces @@ -330,9 +337,9 @@ enable_sdn(){ } set_arc_cache(){ + log "Adjusting ZFS level 1 arc (Min: $ZFS_ARC_MIN_MEGABYTES, Max: $ZFS_ARC_MAX_MEGABYTES)" ZFS_ARC_MIN_BYTES=$((ZFS_ARC_MIN_MEGABYTES * 1024 *1024)) ZFS_ARC_MAX_BYTES=$((ZFS_ARC_MAX_MEGABYTES * 1024 *1024)) - echo "Adjusting ZFS level 1 arc" echo $ZFS_ARC_MIN_BYTES > /sys/module/zfs/parameters/zfs_arc_min echo $ZFS_ARC_MAX_BYTES > /sys/module/zfs/parameters/zfs_arc_max cat << EOF > /etc/modprobe.d/zfs.conf @@ -344,7 +351,7 @@ EOF set_auto_snapshot(){ # configure zfs-auto-snapshot for interval in "${!auto_snap_keep[@]}"; do - echo "Setting zfs-auto-snapshot retention: $interval = ${auto_snap_keep[$interval]}" + log "Setting zfs-auto-snapshot retention: $interval = ${auto_snap_keep[$interval]}" if [[ "$interval" == "frequent" ]]; then CURRENT=$(cat /etc/cron.d/zfs-auto-snapshot | grep keep | cut -d' ' -f19 | cut -d '=' -f2) if [[ "${auto_snap_keep[$interval]}" != "$CURRENT" ]]; then 
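Review bot: In update_system both `apt update > /dev/null 2>&1` and the `dist-upgrade` line discard stdout, stderr and the exit status, and the script runs with `set -uo pipefail` but not `-e`, so a failed repository fetch (for instance the enterprise repo selected without a valid key) is logged as "Upgrading system" and the run carries on installing tools against stale package lists. Keep the quiet output but react to failure: `apt-get update -qq >/dev/null || { log "apt update failed"; return 1; }` and the same guard on dist-upgrade, with installation_task checking the return value. install_tools in this hunk has the same pattern, and `apt-get` rather than `apt` is the interface intended for scripts.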
@@ -360,14 +367,13 @@ set_auto_snapshot(){ } set_swappiness(){ - echo "Configuring swappiness" + log "Setting swappiness to $SWAPPINESS %" echo "vm.swappiness=$SWAPPINESS" > /etc/sysctl.d/swappiness.conf - sysctl -w vm.swappiness=$SWAPPINESS + sysctl -w vm.swappiness=$SWAPPINESS > /dev/null } pve_conf_backup(){ - echo "Configuring pve-conf-backup" - # create backup jobs of /etc + log "Configuring pve-conf-backup" zfs list $PVE_CONF_BACKUP_TARGET > /dev/null 2>&1 if [ $? -ne 0 ]; then zfs create $PVE_CONF_BACKUP_TARGET @@ -380,6 +386,7 @@ pve_conf_backup(){ harden_ssh(){ if [ $ssh_hardening -gt 0 ]; then + log "Hardening ssh server" rm /etc/ssh/ssh_host_* ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N "" ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N "" @@ -430,6 +437,7 @@ ask_mail_config(){ set_mail_delivery(){ if [ $mailconfig -gt 0 ]; then + log "Configuring mail delivery" cat << EOF > /etc/postfix/main.cf myhostname=$(hostname -f) smtpd_banner = \$myhostname ESMTP \$mail_name (Debian/GNU) @@ -487,6 +495,7 @@ EOF } create_swap_pool(){ + log "Configuring swap storage" if ! pvesm status | grep swap > /dev/null; then if ! zfs list rpool/swap > /dev/null 2>&1 ; then zfs create -o com.sun:auto-snapshot=false rpool/swap 
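Review bot: In harden_ssh (the hunk beginning `@@ -380,6 +386,7 @@`) `rm /etc/ssh/ssh_host_*` deletes every host key before the new ones exist, and neither `ssh-keygen` call is checked; if either fails the node has no usable host key after the next sshd restart, which on a remote Proxmox host means lockout. Regenerating keys also invalidates the fingerprint every client and, if the node is clustered, every peer holds in known_hosts (Proxmox keeps a shared one under /etc/pve/priv as far as I know), so the new keys need re-distributing, e.g. `pvecm updatecerts` on cluster members, which this function does not do. Generate into a temp dir and only replace on success: `ssh-keygen -q -N "" -t ed25519 -f "$tmp/ssh_host_ed25519_key" || return 1`, then move into /etc/ssh and log that host-key fingerprints have changed. The rest of harden_ssh is outside this hunk.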
@@ -498,19 +507,23 @@ create_swap_pool(){ } set_default_volblocksize(){ + log "Setting default volblocksize=16k to all zfspool storages" for storage in $(pvesm status | grep zfspool | cut -d' ' -f1); do pvesm set $storage --blocksize 16k done } install_checkzfs(){ + log "Installing checkzfs to /usr/local/bin/checkzfs" wget -q --no-cache -O /usr/local/bin/checkzfs https://raw.githubusercontent.com/bashclub/check-zfs-replication/main/checkzfs.py chmod +x /usr/local/bin/checkzfs + log "Installing check-snapshot-age to /usr/local/bin/check-snapshot-age" wget -q --no-cache -O /usr/local/bin/check-snapshot-age https://raw.githubusercontent.com/bashclub/check-zfs-replication/main/check-snapshot-age chmod +x /usr/local/bin/check-snapshot-age } install_zsync(){ + log "Installing bashclub-zsync" wget -q --no-cache -O /usr/bin/bashclub-zsync https://git.bashclub.org/bashclub/zsync/raw/branch/main/bashclub-zsync/usr/bin/bashclub-zsync chmod +x /usr/bin/bashclub-zsync cat << EOF > /etc/logrotate.d/bashclub-zsync @@ -531,6 +544,8 @@ EOF } installation_task(){ + log "Starting Installation" + set_locales set_pve_repo update_system @@ -548,7 +563,7 @@ installation_task(){ create_swap_pool set_default_volblocksize - echo "Updating initramfs - This will take some time..." + log "Updating initramfs - This will take some time..." update-initramfs -u -k all > /dev/null 2>&1 } From ac93aca125836ed541711787ec22003d89f7391b Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Wed, 4 Oct 2023 06:33:50 +0200 Subject: [PATCH 30/57] Fix ZFS_ARC_MIN calculation --- postinstall | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/postinstall b/postinstall index 69f178f..6a9f512 100755 --- a/postinstall +++ b/postinstall 
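Review bot: install_checkzfs and install_zsync fetch executables straight into /usr/local/bin and /usr/bin from a mutable `main` branch with `wget -q` and `chmod +x` them without checking wget's exit status or any checksum, so a transient download failure leaves a zero-length "tool" marked executable and a changed or compromised upstream branch becomes root-run code on this host. Download to a `mktemp` path and fail on non-zero status, `wget -q --no-cache -O "$tmp" "$url" || { log "download of checkzfs failed"; return 1; }`, compare against a pinned `sha256sum`, and only then `install -m 0755 "$tmp" /usr/local/bin/checkzfs`; pinning the URL to a tag or commit instead of `main` makes the run reproducible. As written, the new `log "Installing checkzfs ..."` line reports success before an unchecked download.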
@@ -110,8 +110,14 @@ cancel_dialog() { } arc_suggestion(){ - ZFS_ARC_MIN_MEGABYTES=$(roundoff $(($ZPOOL_SIZE_SUM_BYTES / 2048 / 1024 / 1024))) ZFS_ARC_MAX_MEGABYTES=$(roundup $(($ZPOOL_SIZE_SUM_BYTES / 1024 / 1024 / 1024))) + ZFS_ARC_MIN_MEGABYTES=$(roundoff $(($ZPOOL_SIZE_SUM_BYTES / 2048 / 1024 / 1024))) + if [ $ZFS_ARC_MIN_MEGABYTES -eq 0 ]; then + ZFS_ARC_MIN_MEGABYTES=$(($ZFS_ARC_MAX_MEGABYTES / 2)) + if [ $ARC_MIN_DEFAULT_MB -gt $ZFS_ARC_MAX_MEGABYTES ]; then + ZFS_ARC_MIN_MEGABYTES=$ARC_MIN_DEFAULT_MB + fi + fi if [ $ARC_MIN_DEFAULT_BYTES -lt 33554432 ]; then ARC_MIN_DEFAULT_MB="32" ; else ARC_MIN_DEFAULT_MB="$(($ARC_MIN_DEFAULT_BYTES / 1024 / 1024))" ; fi if [ $ARC_MIN_CUR_BYTES -gt 0 ]; then ARC_MIN_CURRENT_MB="$(($ARC_MIN_CUR_BYTES / 1024 / 1024))" ; else ARC_MIN_CURRENT_MB="0" ; fi From 77477348f51fd0f1bcb651cb26256cc017324412 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Wed, 4 Oct 2023 06:34:52 +0200 Subject: [PATCH 31/57] Fix calculation --- postinstall | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/postinstall b/postinstall index 6a9f512..6529f01 100755 --- a/postinstall +++ b/postinstall @@ -110,6 +110,8 @@ cancel_dialog() { } arc_suggestion(){ + if [ $ARC_MIN_DEFAULT_BYTES -lt 33554432 ]; then ARC_MIN_DEFAULT_MB="32" ; else ARC_MIN_DEFAULT_MB="$(($ARC_MIN_DEFAULT_BYTES / 1024 / 1024))" ; fi + ZFS_ARC_MAX_MEGABYTES=$(roundup $(($ZPOOL_SIZE_SUM_BYTES / 1024 / 1024 / 1024))) ZFS_ARC_MIN_MEGABYTES=$(roundoff $(($ZPOOL_SIZE_SUM_BYTES / 2048 / 1024 / 1024))) if [ $ZFS_ARC_MIN_MEGABYTES -eq 0 ]; then 
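Review bot: The new `if [ $ARC_MIN_DEFAULT_MB -gt $ZFS_ARC_MAX_MEGABYTES ]` reads `ARC_MIN_DEFAULT_MB` before the line that assigns it (the `if [ $ARC_MIN_DEFAULT_BYTES -lt 33554432 ] ...` line still sits below the new block), so unless the variable is set earlier in the file the script, running under `set -u`, aborts with "unbound variable" the first time that branch is taken; the assignment has to move above the calculation. That branch also sets the suggested minimum above the suggested maximum whenever the default minimum exceeds it, a pair OpenZFS will not apply as far as I know — raising `ZFS_ARC_MAX_MEGABYTES` to at least `ARC_MIN_DEFAULT_MB` in the same branch, or leaving min at half of max, is probably the intent. Whether `roundoff` is defined cannot be seen here; only `roundup` is visible in the series.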
@@ -119,7 +121,6 @@ arc_suggestion(){ fi fi - if [ $ARC_MIN_DEFAULT_BYTES -lt 33554432 ]; then ARC_MIN_DEFAULT_MB="32" ; else ARC_MIN_DEFAULT_MB="$(($ARC_MIN_DEFAULT_BYTES / 1024 / 1024))" ; fi if [ $ARC_MIN_CUR_BYTES -gt 0 ]; then ARC_MIN_CURRENT_MB="$(($ARC_MIN_CUR_BYTES / 1024 / 1024))" ; else ARC_MIN_CURRENT_MB="0" ; fi if [ $ARC_MAX_CUR_BYTES -gt 0 ]; then ARC_MAX_CURRENT_MB="$(($ARC_MAX_CUR_BYTES / 1024 / 1024))" ; else ARC_MAX_CURRENT_MB="0" ; fi From 99438a44a469d15eea318c335e6b0bfe38baa110 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Wed, 4 Oct 2023 06:45:19 +0200 Subject: [PATCH 32/57] Suppress postmap output --- postinstall | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/postinstall b/postinstall index 6529f01..df1e84f 100755 --- a/postinstall +++ b/postinstall @@ -111,7 +111,7 @@ cancel_dialog() { arc_suggestion(){ if [ $ARC_MIN_DEFAULT_BYTES -lt 33554432 ]; then ARC_MIN_DEFAULT_MB="32" ; else ARC_MIN_DEFAULT_MB="$(($ARC_MIN_DEFAULT_BYTES / 1024 / 1024))" ; fi - + ZFS_ARC_MAX_MEGABYTES=$(roundup $(($ZPOOL_SIZE_SUM_BYTES / 1024 / 1024 / 1024))) ZFS_ARC_MIN_MEGABYTES=$(roundoff $(($ZPOOL_SIZE_SUM_BYTES / 2048 / 1024 / 1024))) if [ $ZFS_ARC_MIN_MEGABYTES -eq 0 ]; then @@ -479,8 +479,8 @@ EOF cat << EOF > /etc/postfix/sasl_passwd [$smtphost]:$smtpport $username:$password EOF - postmap /etc/postfix/sasl_passwd - postmap /etc/aliases + postmap /etc/postfix/sasl_passwd > /dev/null 2>&1 + postmap /etc/aliases > /dev/null 2>&1 chown root:root /etc/postfix/sasl_passwd chown root:root /etc/postfix/sasl_passwd.db chmod 0600 /etc/postfix/sasl_passwd From 583443d2fcd5d71443e89969a8a103dc0740df4b Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Wed, 4 Oct 2023 06:50:44 +0200 Subject: [PATCH 33/57] Fix logging of SSH hardening --- postinstall | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/postinstall b/postinstall index df1e84f..e189c6a 100755 --- a/postinstall +++ b/postinstall 
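Review bot: Suppressing postmap's output hides the one failure that matters in set_mail_delivery: if `postmap /etc/postfix/sasl_passwd` fails, no `sasl_passwd.db` is written, the `chown`/`chmod` on the `.db` that follow fail too, and postfix later tries to authenticate with nothing. Separately, `cat << EOF > /etc/postfix/sasl_passwd` creates the file under the running umask (0644 by default) and only afterwards tightens it to 0600, so the smarthost password is briefly world-readable, and `postmap` creates the `.db` the same way. Create the file with a restrictive mode before writing, `install -m 0600 /dev/null /etc/postfix/sasl_passwd`, run postmap under `umask 077`, and check it: `(umask 077; postmap /etc/postfix/sasl_passwd) 2>&1 >/dev/null || { log "postmap sasl_passwd failed"; return 1; }`. set_mail_delivery begins before this hunk.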
@@ -395,11 +395,14 @@ harden_ssh(){ if [ $ssh_hardening -gt 0 ]; then log "Hardening ssh server" rm /etc/ssh/ssh_host_* - ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N "" - ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N "" + log "Creating new SSH host keys" + ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N "" > /dev/null 2>&1 + ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N "" > /dev/null 2>&1 + log "Creating new SSH moduli" awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe mv /etc/ssh/moduli.safe /etc/ssh/moduli + log "Writing hardened SSH config" if [[ $VERSION_CODENAME == "bookworm" ]]; then echo -e "\n# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nKexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\nHostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com" > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf elif [[ $VERSION_CODENAME == "bullseye" ]]; then From 8c1cf0c4b6ecd8c5b2a2aed621c5dfd407d38fc7 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Wed, 4 Oct 2023 06:55:09 +0200 Subject: [PATCH 34/57] Fix logging --- postinstall | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/postinstall b/postinstall index e189c6a..3f65394 100755 --- a/postinstall +++ b/postinstall 
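Review bot: Redirecting both `ssh-keygen` calls to /dev/null now also hides a generation failure, and the preceding `rm /etc/ssh/ssh_host_*` has already removed the old keys, so on failure the run continues, writes the hardening config, and the node is left with no host key — unreachable over SSH after whatever restarts sshd later. Use `ssh-keygen -q` and check the status for each key, `ssh-keygen -q -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N "" || { log "host key generation failed"; return 1; }`, and run `sshd -t` before any restart so a bad line in the generated sshd_config.d file cannot lock the host out either. The new `HostKeyAlgorithms` list names only ed25519 and rsa, so the deleted ECDSA key is apparently not meant to come back; a one-line comment above the `rm` saying so would spare the next reader the question. The bullseye branch and whatever follows it are beyond the hunk.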
@@ -280,7 +280,7 @@ set_locales(){ sed -i "s/$line/$(echo $line | cut -d' ' -f2-)/" /etc/locale.gen fi done - locale-gen + locale-gen > /dev/null 2>&1 } set_pve_repo(){ @@ -641,4 +641,4 @@ ask_mail_config summary -echo "Proxmox postinstallation finished!" +log "Proxmox postinstallation finished!" From 44c79b86ca0f5d5a5d586e2070906008f2aa8b76 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Wed, 4 Oct 2023 07:17:21 +0200 Subject: [PATCH 35/57] Autofill mailconfig --- postinstall | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/postinstall b/postinstall index 3f65394..6a3b3c5 100755 --- a/postinstall +++ b/postinstall 
@@ -418,29 +418,40 @@ ask_mail_config(){ smtpauth=0 senderaddress="" displayname="" + if [ -f /etc/postfix/sender_canonical_maps ]; then + senderaddress=$(grep "@" -m1 /etc/postfix/sender_canonical_maps | cut -d '<' -f2 | cut -d '>' -f1) + displayname=$(grep "@" -m1 /etc/postfix/sender_canonical_maps | cut -d' ' -f5) + fi recipientaddress="" smtphost=$(grep relayhost /etc/postfix/main.cf | cut -d : -f1 | cut -d ' ' -f3 | cut -d ']' -f1 | cut -d '[' -f2) smtpport=25 username="" + password="" + if [ -f /etc/postfix/sasl_passwd ]; then + username=$(cat /etc/postfix/sasl_passwd | cut -d ' ' -f2- | cut -d':' -f1) + password=$(cat /etc/postfix/sasl_passwd | cut -d ' ' -f2- | cut -d':' -f2-) + else + username=$senderaddress + fi if whiptail --title "MAIL DELIVERY" \ --backtitle "$PROG" \ --yes-button "MAIL CONFIG" \ --no-button "SKIP" \ --yesno "Do you want to configure postfix with a smarthost?" 9 76 ; then mailconfig=1 - if ! senderaddress=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter your sender email address." 9 76 3>&1 1>&2 2>&3); then cancel_dialog; fi if ! displayname=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter your sender display name." 9 76 $(hostname -f) 3>&1 1>&2 2>&3); then cancel_dialog; fi if ! recipientaddress=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter the email address to receive notifications." 9 76 $(pvesh get access/users/root@pam --output-format yaml| grep email | cut -d' ' -f2) 3>&1 1>&2 2>&3); then cancel_dialog; fi if ! smtphost=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter the servername of your smarthost." 9 76 $smtphost 3>&1 1>&2 2>&3); then cancel_dialog; fi smtpport=$(inputbox_int 'MAIL DELIVERY' 'Please enter the port of your smarthost' 7 $(grep relayhost /etc/postfix/main.cf | cut -d':' -f2)) + if ! 
senderaddress=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter your sender email address." 9 76 3>&1 1>&2 2>&3); then cancel_dialog; fi if whiptail --title "MAIL DELIVERY" \ --backtitle "$PROG" \ --yes-button "CONFIGURE AUTH" \ --no-button "SKIP" \ --yesno "Do you want to configure authentication against your smarthost?" 9 76 ; then smtpauth=1 - if ! username=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter the username for authentication." 9 76 3>&1 1>&2 2>&3); then cancel_dialog; fi - if ! password=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --passwordbox "Please enter the passsword for authentication." 9 76 3>&1 1>&2 2>&3); then cancel_dialog; fi + if ! username=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter the username for authentication." 9 76 $username 3>&1 1>&2 2>&3); then cancel_dialog; fi + if ! password=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --passwordbox "Please enter the passsword for authentication." 9 76 $password 3>&1 1>&2 2>&3); then cancel_dialog; fi fi fi } From bff05d5784f1512ce13b077b6825a4db59de4654 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Wed, 4 Oct 2023 07:21:31 +0200 Subject: [PATCH 36/57] Fix mailconfig --- postinstall | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/postinstall b/postinstall index 6a3b3c5..e5b11ac 100755 --- a/postinstall +++ b/postinstall @@ -424,7 +424,10 @@ ask_mail_config(){ fi recipientaddress="" smtphost=$(grep relayhost /etc/postfix/main.cf | cut -d : -f1 | cut -d ' ' -f3 | cut -d ']' -f1 | cut -d '[' -f2) - smtpport=25 + smtpport=$(grep relayhost /etc/postfix/main.cf | cut -d':' -f2) + if [[ $smtpport == "" ]] || [[ $smtpport == "relayhost" ]]; then + smtpport=25 + fi username="" password="" if [ -f /etc/postfix/sasl_passwd ]; then 
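Review bot: Prefilling `--passwordbox "..." 9 76 $password` puts the existing smarthost password, just read from /etc/postfix/sasl_passwd, on whiptail's command line, where it is visible in `ps` and `/proc/*/cmdline` to every local user for as long as the dialog is open; the unquoted expansion also word-splits a password that contains a space or glob character. Do not prefill the secret: ask without a default and keep the stored value when the user enters nothing, `if ! newpw=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --passwordbox "Please enter the password for authentication (empty keeps the stored one)." 9 76 3>&1 1>&2 2>&3); then cancel_dialog; fi` followed by `[[ -n $newpw ]] && password=$newpw`. The `cut -d ' ' -f2- | cut -d':' -f1` parse of sasl_passwd also assumes a single line and a user name without a colon. ask_mail_config starts before this hunk.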
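Review bot: The guard `[[ $smtpport == "relayhost" ]]` does not catch the case it is aimed at: for a `relayhost = [host]` line without a port, `cut -d':' -f2` prints the entire line, so `$smtpport` becomes `relayhost = [host]`, never the bare word `relayhost`, and that string is later passed as the default to inputbox_int. Extract only a trailing port and validate it: `smtpport=$(grep -s '^relayhost' /etc/postfix/main.cf | grep -oE ':[0-9]+$' | tr -d :)` then `[[ $smtpport =~ ^[0-9]+$ ]] || smtpport=25`. The `smtphost` line two lines above likewise picks up a commented `#relayhost` entry; anchoring both greps with `^relayhost` fixes that.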
@@ -442,8 +445,8 @@ ask_mail_config(){ if ! displayname=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter your sender display name." 9 76 $(hostname -f) 3>&1 1>&2 2>&3); then cancel_dialog; fi if ! recipientaddress=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter the email address to receive notifications." 9 76 $(pvesh get access/users/root@pam --output-format yaml| grep email | cut -d' ' -f2) 3>&1 1>&2 2>&3); then cancel_dialog; fi if ! smtphost=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter the servername of your smarthost." 9 76 $smtphost 3>&1 1>&2 2>&3); then cancel_dialog; fi - smtpport=$(inputbox_int 'MAIL DELIVERY' 'Please enter the port of your smarthost' 7 $(grep relayhost /etc/postfix/main.cf | cut -d':' -f2)) - if ! senderaddress=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter your sender email address." 9 76 3>&1 1>&2 2>&3); then cancel_dialog; fi + smtpport=$(inputbox_int 'MAIL DELIVERY' 'Please enter the port of your smarthost' 7 $smtpport) + if ! senderaddress=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter your sender email address." 9 76 $senderaddress 3>&1 1>&2 2>&3); then cancel_dialog; fi if whiptail --title "MAIL DELIVERY" \ --backtitle "$PROG" \ --yes-button "CONFIGURE AUTH" \ From 9b6183ad183506770f753f902cb7ac0e1b7d5beb Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Wed, 4 Oct 2023 07:26:42 +0200 Subject: [PATCH 37/57] Fix mailconfig --- postinstall | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/postinstall b/postinstall index e5b11ac..2def98a 100755 --- a/postinstall +++ b/postinstall 
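Review bot: The display-name dialog still passes `$(hostname -f)` as its default, so the `displayname` value read from /etc/postfix/sender_canonical_maps earlier in ask_mail_config is never shown and a re-run silently proposes the host name instead of the configured sender name; the `$senderaddress` and `$smtpport` defaults in this hunk are wired up, this one was missed. Use the stored value with the host name as fallback: `"${displayname:-$(hostname -f)}"`. Quoting the other defaults (`"$smtphost"`, `"$senderaddress"`) also keeps a value containing a space from being split into extra whiptail arguments.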
@@ -67,6 +67,9 @@ declare -A auto_snap_keep=( ["frequent"]="12" ["hourly"]="96" ["daily"]="14" ["w serverid=$(pvesubscription get | grep serverid | cut -d' ' -f2) sub_status=$(pvesubscription get | grep status | cut -d' ' -f2) +# get notification address +recipientaddress=$(pvesh get access/users/root@pam --output-format yaml| grep email | cut -d' ' -f2) + #### FUNCTIONS #### log(){ @@ -422,7 +425,6 @@ ask_mail_config(){ senderaddress=$(grep "@" -m1 /etc/postfix/sender_canonical_maps | cut -d '<' -f2 | cut -d '>' -f1) displayname=$(grep "@" -m1 /etc/postfix/sender_canonical_maps | cut -d' ' -f5) fi - recipientaddress="" smtphost=$(grep relayhost /etc/postfix/main.cf | cut -d : -f1 | cut -d ' ' -f3 | cut -d ']' -f1 | cut -d '[' -f2) smtpport=$(grep relayhost /etc/postfix/main.cf | cut -d':' -f2) if [[ $smtpport == "" ]] || [[ $smtpport == "relayhost" ]]; then 
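Review bot: The new global `recipientaddress=$(pvesh ... | grep email | cut -d' ' -f2)` matches any line containing `email`, so a root@pam comment that happens to mention an e-mail address would yield two lines and a multi-line value that the later `--inputbox ... $recipientaddress` call splits into several arguments. Anchor the match to the key, `grep -m1 '^email:' | cut -d' ' -f2`, so only the email field is read. The second hunk only drops the old per-call reset, which is consistent with moving the lookup to the top of the script.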
@@ -443,7 +445,7 @@ ask_mail_config(){ --yesno "Do you want to configure postfix with a smarthost?" 9 76 ; then mailconfig=1 if ! displayname=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter your sender display name." 9 76 $(hostname -f) 3>&1 1>&2 2>&3); then cancel_dialog; fi - if ! recipientaddress=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter the email address to receive notifications." 9 76 $(pvesh get access/users/root@pam --output-format yaml| grep email | cut -d' ' -f2) 3>&1 1>&2 2>&3); then cancel_dialog; fi + if ! recipientaddress=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter the email address to receive notifications." 9 76 $recipientaddress 3>&1 1>&2 2>&3); then cancel_dialog; fi if ! smtphost=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter the servername of your smarthost." 9 76 $smtphost 3>&1 1>&2 2>&3); then cancel_dialog; fi smtpport=$(inputbox_int 'MAIL DELIVERY' 'Please enter the port of your smarthost' 7 $smtpport) if ! senderaddress=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter your sender email address." 9 76 $senderaddress 3>&1 1>&2 2>&3); then cancel_dialog; fi From fe32ca48d3f85ce20496decf62253581bc183d00 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Sat, 7 Oct 2023 13:52:20 +0200 Subject: [PATCH 38/57] Add volblocksize question --- postinstall | 33 +++++++++++++++++++++++++++------ 1 file changed, 27 insertions(+), 6 deletions(-) diff --git a/postinstall b/postinstall index 2def98a..4baf43a 100755 --- a/postinstall +++ b/postinstall @@ -19,7 +19,7 @@ # + Install bashclub-zsync # + Create zfspool storage for swap disks if not exists # + Adjust default volblocksize for Proxmox zfspool storages -# - Configure proxmox mail delivery with postfix +# + Configure proxmox mail delivery with postfix # # # Author: (C) 2023 Thorsten Spille 
@@ -63,6 +63,9 @@ SWAPPINESS=$(cat /proc/sys/vm/swappiness) # zfs-auto-snapshot default values declare -A auto_snap_keep=( ["frequent"]="12" ["hourly"]="96" ["daily"]="14" ["weekly"]="6" ["monthly"]="3" ) +setblocksize=0 +volblocksize=16k + # gather proxmox subscription info serverid=$(pvesubscription get | grep serverid | cut -d' ' -f2) sub_status=$(pvesubscription get | grep status | cut -d' ' -f2) @@ -528,15 +531,28 @@ create_swap_pool(){ else zfs set com.sun:auto-snapshot=false rpool/swap fi - pvesm add zfspool swap --blocksize 16k --content images,rootdir --pool rpool/swap + pvesm add zfspool swap --content images,rootdir --pool rpool/swap + fi +} + +ask_volblocksize(){ + if whiptail --title "SET DEFAULT BLOCKSIZE" \ + --backtitle "$PROG" \ + --yes-button "SET BLOCKSIZE" \ + --no-button "SKIP" \ + --yesno "Do you want to adjust the default blocksize on all zfspool storages?" 9 76 ; then + setblocksize=1 + if ! volblocksize=$(whiptail --title "SET DEFAULT BLOCKSIZE" --backtitle "$PROG" --inputbox "Please enter the desired blocksize for your zfspool storages." 9 76 $volblocksize 3>&1 1>&2 2>&3); then cancel_dialog; fi fi } set_default_volblocksize(){ - log "Setting default volblocksize=16k to all zfspool storages" - for storage in $(pvesm status | grep zfspool | cut -d' ' -f1); do - pvesm set $storage --blocksize 16k - done + if [ $setblocksize -gt 0 ]; then + log "Setting default volblocksize=16k to all zfspool storages" + for storage in $(pvesm status | grep zfspool | cut -d' ' -f1); do + pvesm set $storage --blocksize $volblocksize + done + fi } install_checkzfs(){ @@ -622,6 +638,8 @@ summary(){ smarthost port: $smtpport smarthost auth: $smtpauth smarthost username: $username + set blocksize: $setblocksize + volblocksize: $volblocksize " 30 76 ; then installation_task else @@ -655,6 +673,9 @@ select_subscription # mail delivery config ask_mail_config +# set volblocksize +ask_volblocksize + summary log "Proxmox postinstallation finished!" 
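Review bot: set_default_volblocksize still logs the fixed text `volblocksize=16k` while it now applies `$volblocksize`, and ask_volblocksize accepts any free text that then reaches `pvesm set $storage --blocksize $volblocksize` unquoted and unvalidated. Change the message to `log "Setting default volblocksize=$volblocksize to all zfspool storages"` and validate the answer right after the dialog, e.g. `[[ "$volblocksize" =~ ^[0-9]+[kKmM]?$ ]] || cancel_dialog` (or re-prompt), quoting `"$volblocksize"` at the call site. Note that create_swap_pool drops `--blocksize 16k` from `pvesm add`, so the swap storage now keeps Proxmox's default unless the user answers SET BLOCKSIZE; presumably intended, but a short comment there would make that explicit.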
From ca14233bcdab44b0e61c9a278df9e4c01349c907 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Thu, 12 Oct 2023 11:34:52 +0200 Subject: [PATCH 39/57] Add virtio-win-updater --- postinstall | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/postinstall b/postinstall index 4baf43a..267fbfd 100755 --- a/postinstall +++ b/postinstall @@ -585,6 +585,41 @@ EOF EOF } +virtiowin_updater() { + log "Installing virtio-win-updater" + cat << EOF > /usr/local/bin/virtio-win-updater +#!/bin/bash +# +# This script updates the virtio-win iso in Proxmox local storage +content=\$(wget -q -O - https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/) +server=https://fedorapeople.org +path=\$(echo -e "\$content" | grep -m1 title | cut -d "<" -f2 | cut -d " " -f3) +file=\$(echo -e "\$content" | grep -Eo "virtio-win-0.1.[0-9]+.iso" | grep -m1 virtio) +url=\$server\$path/\$file +if ! find /var/lib/vz/template/iso/\$file > /dev/null 2>&1 ; then + echo "\$(date) New version available. Downloading \$file." + wget -q -O /var/lib/vz/template/iso/\$file \$url + old_virtio=\$(find /var/lib/vz/template/iso/ -name virtio-win* | grep -v \$file) + if [ \$? -eq 0 ]; then + for line in \$old_virtio; do + if ! grep \$(echo \$line | cut -d'/' -f7) /etc/pve/qemu-server/* ; then + echo "\$(date) Deleting \$line." + rm -f \$line + else + echo "\$(date) Keeping \$line - Still in use by VMs." + fi + done + fi +else + echo "\$(date) Already on the current stable version: \$file." +fi +EOF + chmod +x /usr/local/bin/virtio-win-updater + ln -sf /usr/local/bin/virtio-win-updater /etc/cron.daily/virtio-win-updater + log "Running virtio-win-updater" + virtio-win-updater +} + installation_task(){ log "Starting Installation" @@ -604,6 +639,7 @@ installation_task(){ set_mail_delivery create_swap_pool set_default_volblocksize + virtiowin_updater log "Updating initramfs - This will take some time..." update-initramfs -u -k all > /dev/null 2>&1 
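Review bot: In the generated /usr/local/bin/virtio-win-updater a failed or interrupted `wget -q -O /var/lib/vz/template/iso/\$file \$url` leaves a truncated ISO in place; the existence check treats it as the current version on every later run and the script then proceeds to delete the older, working images. Download to a temporary file in the same directory and move it into place only after wget succeeds, aborting otherwise; if the mirror publishes a checksum for the ISO, verifying it before the move is the natural next step. Also quote the find pattern, `-name 'virtio-win*'`, so the shell cannot expand it against cron's working directory. The heredoc is unquoted, so the `\$` escapes below are required in the file.
```shell
if ! find /var/lib/vz/template/iso/\$file > /dev/null 2>&1 ; then
  echo "\$(date) New version available. Downloading \$file."
  tmpfile=\$(mktemp /var/lib/vz/template/iso/.\$file.XXXXXX) || exit 1
  if ! wget -q -O "\$tmpfile" "\$url"; then
    echo "\$(date) Download of \$file failed - keeping existing images."
    rm -f "\$tmpfile"
    exit 1
  fi
  mv -f "\$tmpfile" "/var/lib/vz/template/iso/\$file"
  # … unchanged: pruning of old virtio-win images …
```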
From 4d38ffd140b4c1deaa595f5bc280ee15387035a5 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Thu, 12 Oct 2023 16:39:26 +0200 Subject: [PATCH 40/57] Add documentation --- README.md | 1 + postinstall | 1 + 2 files changed, 2 insertions(+) diff --git a/README.md b/README.md index 3743e27..8939309 100644 --- a/README.md +++ b/README.md @@ -17,6 +17,7 @@ Following settings are made: - Create zfspool storage for swap disks if not exists - Adjust default volblocksize for Proxmox zfspool storage - Configure proxmox mail delivery with postfix +- Daily check (and download) for new stable virtio-win iso and prune old (unused) versions # Usage diff --git a/postinstall b/postinstall index 267fbfd..3ce5a37 100755 --- a/postinstall +++ b/postinstall @@ -20,6 +20,7 @@ # + Create zfspool storage for swap disks if not exists # + Adjust default volblocksize for Proxmox zfspool storages # + Configure proxmox mail delivery with postfix +# + Daily check (and download) for new stable virtio-win iso and prune old (unused) versions # # # Author: (C) 2023 Thorsten Spille From 8c59f490f02b08e9e81fa2006a6ef787dca3ce2f Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Thu, 16 Nov 2023 19:22:06 +0100 Subject: [PATCH 41/57] Update postinstall add ipmitool --- postinstall | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/postinstall b/postinstall index 3ce5a37..aebe676 100755 --- a/postinstall +++ b/postinstall @@ -31,7 +31,7 @@ set -uo pipefail PROG=$(basename "$0") # Required tools for usage in postinstall -REQUIRED_TOOLS="curl ifupdown2 git gron libsasl2-modules lsb-release libpve-network-perl postfix ssl-cert zfs-auto-snapshot" +REQUIRED_TOOLS="curl ifupdown2 git gron ipmitool libsasl2-modules lsb-release libpve-network-perl postfix ssl-cert zfs-auto-snapshot" # Optional tools to install OPTIONAL_TOOLS="dnsutils ethtool htop iftop jq lshw lsscsi mc net-tools nvme-cli rpl screen smartmontools sudo sysstat tmux unzip vim" 
From 8cd25f9342e3833c19b8a05d8441984792d87f6f Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Tue, 21 Nov 2023 14:14:22 +0100 Subject: [PATCH 42/57] Update postinstall swap: disable auto-snapshot per label, not globally zsync: fix log path virtio-win-updater: rework cronjob --- postinstall | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/postinstall b/postinstall index aebe676..fc7c37a 100755 --- a/postinstall +++ b/postinstall @@ -528,9 +528,10 @@ create_swap_pool(){ log "Configuring swap storage" if ! pvesm status | grep swap > /dev/null; then if ! zfs list rpool/swap > /dev/null 2>&1 ; then - zfs create -o com.sun:auto-snapshot=false rpool/swap + zfs create -o com.sun:auto-snapshot:frequent=false -o com.sun:auto-snapshot:hourly=false -o com.sun:auto-snapshot:daily=false -o com.sun:auto-snapshot:weekly=false -o com.sun:auto-snapshot:monthly=false rpool/swap else - zfs set com.sun:auto-snapshot=false rpool/swap + zfs set com.sun:auto-snapshot:frequent=false com.sun:auto-snapshot:hourly=false com.sun:auto-snapshot:daily=false com.sun:auto-snapshot:weekly=false com.sun:auto-snapshot:monthly=false rpool/swap + zfs inherit com.sun:auto-snapshot rpool/swap fi pvesm add zfspool swap --content images,rootdir --pool rpool/swap fi @@ -580,7 +581,7 @@ install_zsync(){ create 644 root root } EOF - mkdir -p /var/log/bashclub-zsync-example + mkdir -p /var/log/bashclub-zsync cat << EOF > /etc/cron.d/bashclub-zsync #00 23 * * * root /usr/bin/bashclub-zsync -c /etc/bashclub/zsync.conf > /var/log/bashclub-zsync/zsync.log EOF @@ -616,7 +617,10 @@ else fi EOF chmod +x /usr/local/bin/virtio-win-updater - ln -sf /usr/local/bin/virtio-win-updater /etc/cron.daily/virtio-win-updater + cat << EOF > /etc/cron.daily/virtio-win-updater +#!/bin/bash +/usr/local/bin/virtio-win-updater >> /var/log/virtio-win-updater.log 2>&1 +EOF log "Running virtio-win-updater" virtio-win-updater } From e28be8415fe6015d55e7e71dd903db07123254a5 Mon Sep 17 00:00:00 2001 
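Review bot: The cron wrapper in the third hunk is written with `cat << EOF > /etc/cron.daily/virtio-win-updater` but never made executable, and run-parts skips non-executable files, so on a fresh host the daily check never runs; add `chmod +x /etc/cron.daily/virtio-win-updater` after the heredoc. On hosts set up by the previous version that path is a symlink to /usr/local/bin/virtio-win-updater, and the redirection follows it, replacing the updater itself with a wrapper that calls itself; a later commit in this series adds the `rm -f` that prevents this. The swap-pool hunk looks correct provided the installed `zfs set` accepts several properties in one invocation, which current OpenZFS does.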
From: Thorsten Spille Date: Tue, 21 Nov 2023 14:16:46 +0100 Subject: [PATCH 43/57] Update postinstall virtio-win-updater: add logrotation --- postinstall | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/postinstall b/postinstall index fc7c37a..8812999 100755 --- a/postinstall +++ b/postinstall @@ -620,6 +620,17 @@ EOF cat << EOF > /etc/cron.daily/virtio-win-updater #!/bin/bash /usr/local/bin/virtio-win-updater >> /var/log/virtio-win-updater.log 2>&1 +EOF + cat << EOF > /etc/logrotate.d/virtio-win-updater +/var/log/virtio-win-updater.log { + weekly + rotate 12 + compress + delaycompress + missingok + notifempty + create 644 root root +} EOF log "Running virtio-win-updater" virtio-win-updater From 069e54844df2a6ea23c9439908e209ddf86f2627 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Tue, 21 Nov 2023 14:22:49 +0100 Subject: [PATCH 44/57] Update postinstall --- postinstall | 1 + 1 file changed, 1 insertion(+) diff --git a/postinstall b/postinstall index 8812999..6d7f1c6 100755 --- a/postinstall +++ b/postinstall @@ -617,6 +617,7 @@ else fi EOF chmod +x /usr/local/bin/virtio-win-updater + rm -f /etc/cron.daily/virtio-win-updater cat << EOF > /etc/cron.daily/virtio-win-updater #!/bin/bash /usr/local/bin/virtio-win-updater >> /var/log/virtio-win-updater.log 2>&1 From 72f2c83c377dd04ce04781edde72cb42ab7f0d2f Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Tue, 21 Nov 2023 14:56:58 +0100 Subject: [PATCH 45/57] Update postinstall Add Ceph repo selector --- postinstall | 44 ++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 42 insertions(+), 2 deletions(-) diff --git a/postinstall b/postinstall index 6d7f1c6..ffc7014 100755 --- a/postinstall +++ b/postinstall @@ -252,7 +252,7 @@ EOF fi } -select_pve_repos(){ +select_pve_repo(){ pveenterprise=OFF pvenosubscription=OFF pvetest=OFF 
@@ -279,6 +279,43 @@ select_pve_repos(){ } +select_ceph_repo(){ + none=OFF + quincyenterprise=OFF + quincynosubscription=OFF + quincytest=OFF + reefenterprise=OFF + reefnosubscription=OFF + reeftest=OFF + if [ -f /etc/apt/sources.list.d/ceph.list ]; then + if grep -v '#' /etc/apt/sources.list.d/ceph.list | grep "quincy" | grep "enterprise" > /dev/null ; then + quincyenterprise=ON + elif grep -v '#' /etc/apt/sources.list.d/ceph.list | grep "reef" | grep "enterprise" > /dev/null ; then + reefenterprise=ON + elif grep -v '#' /etc/apt/sources.list.d/ceph.list | grep "quincy" | grep "no-subscription" > /dev/null ; then + quincynosubscription=ON + elif grep -v '#' /etc/apt/sources.list.d/ceph.list | grep "reef" | grep "no-subscription" > /dev/null ; then + reefnosubscription=ON + elif grep -v '#' /etc/apt/sources.list.d/ceph.list | grep "quincy" | grep "test" > /dev/null ; then + quincytest=ON + elif grep -v '#' /etc/apt/sources.list.d/ceph.list | grep "reef" | grep "test" > /dev/null ; then + reeftest=ON + else + none=ON + fi + else + none=ON + fi + repo_selection=$(whiptail --title "SELECT PVE REPOSITORY" --backtitle "$PROG" \ + --radiolist "Choose Ceph repository" 20 76 4 \ + "quincyenterprise" "Ceph Quincy Enterprise repository" "$quincyenterprise" \ + "quincynosubscription" "Ceph Quincy No Subscription repository" "$quincynosubscription" \ + "quincytest" "Ceph Quincy Testing repository" "$quincytest" \ + "reefenterprise" "Ceph Reef Enterprise repository" "$reefenterprise" \ + "reefnosubscription" "Ceph Reef No Subscription repository" "$reefnosubscription" \ + "reeftest" "Ceph Reef Testing repository" "$reeftest" 3>&1 1>&2 2>&3) +} + set_locales(){ log "Setting locales" for locale in $locales; do @@ -718,7 +755,10 @@ ask_ssh_hardening auto_snapshot # Select proxmox repository -select_pve_repos +select_pve_repo + +# Select Ceoh repository +select_ceph_repo # subscription related actions select_subscription 
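Review bot: The radiolist result in select_ceph_repo is assigned without checking whiptail's exit status, unlike the `if ! ...; then cancel_dialog; fi` pattern the other dialogs use, so pressing Cancel leaves the variable empty and the later repository step runs on that; worse, the value is stored in `repo_selection`, the variable set_pve_repo reads, so a Ceph choice here overrides the PVE repository selection made just before. Wrap it as `if ! repo_selection=$(whiptail ... 3>&1 1>&2 2>&3); then cancel_dialog; fi` (the rename in the following commit removes the clobbering but not the missing check). The dialog title still reads `SELECT PVE REPOSITORY`, the list height 4 is smaller than the six entries, and the comment in the second hunk has a typo (`Ceoh`).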
From daccbc8209b99fb27060baf29a5137736ccbf99a Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Tue, 21 Nov 2023 15:17:18 +0100 Subject: [PATCH 46/57] Update postinstall Add Ceph repo setting --- postinstall | 27 ++++++++++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/postinstall b/postinstall index ffc7014..cf7a3d3 100755 --- a/postinstall +++ b/postinstall @@ -306,7 +306,7 @@ select_ceph_repo(){ else none=ON fi - repo_selection=$(whiptail --title "SELECT PVE REPOSITORY" --backtitle "$PROG" \ + ceph_repo_selection=$(whiptail --title "SELECT PVE REPOSITORY" --backtitle "$PROG" \ --radiolist "Choose Ceph repository" 20 76 4 \ "quincyenterprise" "Ceph Quincy Enterprise repository" "$quincyenterprise" \ "quincynosubscription" "Ceph Quincy No Subscription repository" "$quincynosubscription" \ @@ -327,6 +327,30 @@ set_locales(){ locale-gen > /dev/null 2>&1 } +set_ceph_repo(){ + log "Setting Proxmox package repositories to $ceph_repo_selection" + if [[ "$ceph_repo_selection" != "none" ]]; then + if [[ "$ceph_repo_selection" == *"quincy"* ]]; then + generation=quincy + elif [[ "$ceph_repo_selection" == *"reef"* ]]; then + generation=reef + fi + if [[ "$ceph_repo_selection" == *"enterprise"* ]]; then + selection=enterprise + server=https://enterprise.proxmox.com + elif [[ "$ceph_repo_selection" == *"nosubscription"* ]]; then + selection=no-subscription + server=http://download.proxmox.com + elif [[ "$ceph_repo_selection" == *"test"* ]]; then + selection=test + server=http://download.proxmox.com + fi + echo "deb ${server}/debian/ceph-${generation} $(lsb_release -cs 2>/dev/null) ${selection}" > /etc/apt/sources.list.d/ceph.list + else + rm -f /etc/apt/sources.list.d/ceph.list + fi +} + set_pve_repo(){ log "Setting Proxmox package repositories to $repo_selection" nosub=$(grep pve-no-subscription /etc/apt/sources.list) @@ -679,6 +703,7 @@ installation_task(){ set_locales set_pve_repo + set_ceph_repo update_system install_tools enable_sdn 
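Review bot: set_ceph_repo assigns `generation`, `selection` and `server` only inside the matching branches, so an empty or unexpected `$ceph_repo_selection` (the cancelled-radiolist case select_ceph_repo does not detect) reaches the `echo ... > /etc/apt/sources.list.d/ceph.list` line with unset variables, and under the script's `set -u` that expansion aborts installation_task midway, after the PVE repository has already been rewritten. Guard the function up front, `[[ -n "$ceph_repo_selection" ]] || { log "No Ceph repository selected - skipping"; return; }`, or add a final `else` that logs and returns before the file is written. The `none` branch that removes ceph.list deserves a log line as well, since the function otherwise only logs what it sets.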
From d4fda4f0a94765ee8d70cb43a90854803530ae85 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Tue, 21 Nov 2023 15:20:11 +0100 Subject: [PATCH 47/57] Update postinstall Add option for no ceph repo --- postinstall | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/postinstall b/postinstall index cf7a3d3..3b10195 100755 --- a/postinstall +++ b/postinstall @@ -307,7 +307,8 @@ select_ceph_repo(){ none=ON fi ceph_repo_selection=$(whiptail --title "SELECT PVE REPOSITORY" --backtitle "$PROG" \ - --radiolist "Choose Ceph repository" 20 76 4 \ + --radiolist "Choose Ceph repository" 20 76 7 \ + "none" "No Ceph repository" "$none" \ "quincyenterprise" "Ceph Quincy Enterprise repository" "$quincyenterprise" \ "quincynosubscription" "Ceph Quincy No Subscription repository" "$quincynosubscription" \ "quincytest" "Ceph Quincy Testing repository" "$quincytest" \ From dc7fa5c76293fe481e9833cf0bfdb8f3ce3110e0 Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Tue, 21 Nov 2023 15:24:56 +0100 Subject: [PATCH 48/57] Update postinstall Fix log message --- postinstall | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/postinstall b/postinstall index 3b10195..9d9ab85 100755 --- a/postinstall +++ b/postinstall @@ -329,7 +329,7 @@ set_locales(){ } set_ceph_repo(){ - log "Setting Proxmox package repositories to $ceph_repo_selection" + log "Setting Ceph package repositories to $ceph_repo_selection" if [[ "$ceph_repo_selection" != "none" ]]; then if [[ "$ceph_repo_selection" == *"quincy"* ]]; then generation=quincy From bf40b5e641a65d18e601bbc6d826e1a003e8806d Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Tue, 21 Nov 2023 15:28:14 +0100 Subject: [PATCH 49/57] Update postinstall Fix documentation --- postinstall | 1 + 1 file changed, 1 insertion(+) diff --git a/postinstall b/postinstall index 9d9ab85..00a4d66 100755 --- a/postinstall +++ b/postinstall 
@@ -7,6 +7,7 @@ # + Configure vm.swappiness # + Install and configure zfs-auto-snapshot # + Switch pve-enterprise/pve-no-subscription/pvetest repo +# + Switch ceph repo between quincy/reef and enterprise/no-subscription/test or remove # + Disable "No subscription message" in webinterface in no-subscription mode # + Add pve-enterprise subscription key # + Update system to the latest version From a55271c868c1a19572f1da56efd03ba0b63f0bbc Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Tue, 21 Nov 2023 15:29:16 +0100 Subject: [PATCH 50/57] Update README.md Add Ceph repo selection --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 8939309..5cb6ab4 100644 --- a/README.md +++ b/README.md @@ -4,6 +4,7 @@ This script installs and configures basic tools for running a Proxmox Server. Following settings are made: - Install and configure zfs-auto-snapshot - Switch pve-enterprise/pve-no-subscription/pvetest repo +- Switch ceph repo between quincy/reef and enterprise/no-subscription/test or remove it - Disable "No subscription message" in webinterface in no-subscription mode - Add pve-enterprise subscription key - Update system to the latest version From 35be4b2c0f3a3f4ea42a0652a39bbb9a2547d72c Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Sun, 23 Jun 2024 15:01:28 +0200 Subject: [PATCH 51/57] zfs-auto-snapshot optional, zsync install via repo --- postinstall | 133 ++++++++++++++++++++++++++++++---------------------- 1 file changed, 76 insertions(+), 57 deletions(-) diff --git a/postinstall b/postinstall index 00a4d66..cfd8ffe 100755 --- a/postinstall +++ b/postinstall 
@@ -32,7 +32,7 @@ set -uo pipefail PROG=$(basename "$0") # Required tools for usage in postinstall -REQUIRED_TOOLS="curl ifupdown2 git gron ipmitool libsasl2-modules lsb-release libpve-network-perl postfix ssl-cert zfs-auto-snapshot" +REQUIRED_TOOLS="curl ifupdown2 git gron ipmitool libsasl2-modules lsb-release libpve-network-perl postfix ssl-cert" # Optional tools to install OPTIONAL_TOOLS="dnsutils ethtool htop iftop jq lshw lsscsi mc net-tools nvme-cli rpl screen smartmontools sudo sysstat tmux unzip vim" 
@@ -162,18 +162,28 @@ vm_swappiness () { } auto_snapshot(){ - if dpkg -l zfs-auto-snapshot > /dev/null 2>&1 ; then + install_zas=0 + if whiptail --title "INSTALL ZFS-AUTO-SNAPSHOT" \ + --backtitle "$PROG" \ + --yes-button "INSTALL" \ + --no-button "SKIP" \ + --yesno "Do you want to install and configure zfs-auto-snapshot?" 9 76 ; then + install_zas=1 + + if dpkg -l zfs-auto-snapshot > /dev/null 2>&1 ; then + for interval in "${!auto_snap_keep[@]}"; do + if [[ "$interval" == "frequent" ]]; then + auto_snap_keep[$interval]=$(cat /etc/cron.d/zfs-auto-snapshot | grep keep | cut -d' ' -f19 | cut -d '=' -f2) + else + auto_snap_keep[$interval]=$(cat /etc/cron.$interval/zfs-auto-snapshot | grep keep | cut -d' ' -f6 | cut -d'=' -f2) + fi + done + fi for interval in "${!auto_snap_keep[@]}"; do - if [[ "$interval" == "frequent" ]]; then - auto_snap_keep[$interval]=$(cat /etc/cron.d/zfs-auto-snapshot | grep keep | cut -d' ' -f19 | cut -d '=' -f2) - else - auto_snap_keep[$interval]=$(cat /etc/cron.$interval/zfs-auto-snapshot | grep keep | cut -d' ' -f6 | cut -d'=' -f2) - fi + if ! auto_snap_keep[$interval]=$(inputbox_int "CONFIGURE ZFS-AUTO-SNAPSHOT" "Please set number of $interval snapshots to keep" 7 ${auto_snap_keep[$interval]}) ; then cancel_dialog ; fi done + fi - for interval in "${!auto_snap_keep[@]}"; do - if ! auto_snap_keep[$interval]=$(inputbox_int "CONFIGURE ZFS-AUTO-SNAPSHOT" "Please set number of $interval snapshots to keep" 7 ${auto_snap_keep[$interval]}) ; then cancel_dialog ; fi - done } select_subscription(){ 
@@ -280,6 +290,26 @@ select_pve_repo(){ } +ask_bashclub_repo(){ + + bashclub_repo=0 + install_zsync=0 + if whiptail --title "INSTALL BASHCLUB REPOSITORY" \ + --backtitle "$PROG" \ + --yes-button "INSTALL" \ + --no-button "SKIP" \ + --yesno "Do you want to install the bashclub apt repository?" 9 76 ; then + bashclub_repo=1 + if whiptail --title "INSTALL CHECKZFS AND ZSYNC" \ + --backtitle "$PROG" \ + --yes-button "INSTALL" \ + --no-button "SKIP" \ + --yesno "Do you want to install checkzfs and bashclub-zsync?" 9 76 ; then + install_zsync=1 + fi + fi +} + select_ceph_repo(){ none=OFF quincyenterprise=OFF @@ -393,6 +423,14 @@ set_pve_repo(){ fi } +set_bashclub_repo (){ + if [ $bashclub_repo -gt 0 ]; then + log "Configuring bashclub apt repositories" + echo "deb [signed-by=/usr/share/keyrings/bashclub-archive-keyring.gpg] https://apt.bashclub.org/release bookworm main" > /etc/apt/sources.list.d/bashclub.list + wget -O- https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-archive-keyring.gpg + fi +} + update_system(){ log "Downloading latest package lists" apt update > /dev/null 2>&1 @@ -402,6 +440,12 @@ update_system(){ install_tools(){ log "Installing toolset - Depending on your version this could take a while..." + if [ $install_zas -gt 0 ]; then + OPTIONAL_TOOLS="zfs-auto-snapshot $OPTIONAL_TOOLS" + fi + if [ $install_zsync -gt 0 ]; then + OPTIONAL_TOOLS="bashclub-zsync $OPTIONAL_TOOLS" + fi DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install $REQUIRED_TOOLS $OPTIONAL_TOOLS > /dev/null 2>&1 } 
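Review bot: set_bashclub_repo writes the sources entry before the signing key exists and ignores the result of `wget ... | gpg --dearmor`, so a failed download leaves an empty keyring next to an active `signed-by` entry; the subsequent `apt update` (whose output update_system discards) then fails for every repository and install_tools silently installs nothing, REQUIRED_TOOLS included. Fetch the key first, create the list file only once the keyring is non-empty, and compare the key's fingerprint with a published value rather than trusting whatever the package host serves at that moment; `bookworm` is also hard-coded while set_ceph_repo derives the release from `lsb_release -cs`, which may be intentional if the repository only publishes bookworm. On failure the function below also resets the install flags so install_tools does not request a package from a repository that was never added.
```shell
set_bashclub_repo (){
  if [ $bashclub_repo -gt 0 ]; then
    log "Configuring bashclub apt repositories"
    keyring=/usr/share/keyrings/bashclub-archive-keyring.gpg
    if wget -q -O- https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > "$keyring.tmp" && [ -s "$keyring.tmp" ]; then
      # TODO(review): compare `gpg --show-keys --with-colons "$keyring.tmp" | awk -F: '/^fpr:/{print $10}'`
      # against the fingerprint published by the repository (<EXPECTED_FINGERPRINT>) before trusting it.
      mv -f "$keyring.tmp" "$keyring"
      echo "deb [signed-by=$keyring] https://apt.bashclub.org/release bookworm main" > /etc/apt/sources.list.d/bashclub.list
    else
      rm -f "$keyring.tmp"
      log "Fetching the bashclub repository key failed - repository not configured"
      bashclub_repo=0
      install_zsync=0
    fi
  fi
}
```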
@@ -426,21 +470,24 @@ EOF } set_auto_snapshot(){ - # configure zfs-auto-snapshot - for interval in "${!auto_snap_keep[@]}"; do - log "Setting zfs-auto-snapshot retention: $interval = ${auto_snap_keep[$interval]}" - if [[ "$interval" == "frequent" ]]; then - CURRENT=$(cat /etc/cron.d/zfs-auto-snapshot | grep keep | cut -d' ' -f19 | cut -d '=' -f2) - if [[ "${auto_snap_keep[$interval]}" != "$CURRENT" ]]; then - rpl "keep=$CURRENT" "keep=${auto_snap_keep[$interval]}" /etc/cron.d/zfs-auto-snapshot > /dev/null 2>&1 + + if [ $install_zas -gt 0 ]; then + # configure zfs-auto-snapshot + for interval in "${!auto_snap_keep[@]}"; do + log "Setting zfs-auto-snapshot retention: $interval = ${auto_snap_keep[$interval]}" + if [[ "$interval" == "frequent" ]]; then + CURRENT=$(cat /etc/cron.d/zfs-auto-snapshot | grep keep | cut -d' ' -f19 | cut -d '=' -f2) + if [[ "${auto_snap_keep[$interval]}" != "$CURRENT" ]]; then + rpl "keep=$CURRENT" "keep=${auto_snap_keep[$interval]}" /etc/cron.d/zfs-auto-snapshot > /dev/null 2>&1 + fi + else + CURRENT=$(cat /etc/cron.$interval/zfs-auto-snapshot | grep keep | cut -d' ' -f6 | cut -d'=' -f2) + if [[ "${auto_snap_keep[$interval]}" != "$CURRENT" ]]; then + rpl "keep=$CURRENT" "keep=${auto_snap_keep[$interval]}" /etc/cron.$interval/zfs-auto-snapshot > /dev/null 2>&1 + fi fi - else - CURRENT=$(cat /etc/cron.$interval/zfs-auto-snapshot | grep keep | cut -d' ' -f6 | cut -d'=' -f2) - if [[ "${auto_snap_keep[$interval]}" != "$CURRENT" ]]; then - rpl "keep=$CURRENT" "keep=${auto_snap_keep[$interval]}" /etc/cron.$interval/zfs-auto-snapshot > /dev/null 2>&1 - fi - fi - done + done + fi } set_swappiness(){ 
@@ -620,36 +667,6 @@ set_default_volblocksize(){ fi } -install_checkzfs(){ - log "Installing checkzfs to /usr/local/bin/checkzfs" - wget -q --no-cache -O /usr/local/bin/checkzfs https://raw.githubusercontent.com/bashclub/check-zfs-replication/main/checkzfs.py - chmod +x /usr/local/bin/checkzfs - log "Installing check-snapshot-age to /usr/local/bin/check-snapshot-age" - wget -q --no-cache -O /usr/local/bin/check-snapshot-age https://raw.githubusercontent.com/bashclub/check-zfs-replication/main/check-snapshot-age - chmod +x /usr/local/bin/check-snapshot-age -} - -install_zsync(){ - log "Installing bashclub-zsync" - wget -q --no-cache -O /usr/bin/bashclub-zsync https://git.bashclub.org/bashclub/zsync/raw/branch/main/bashclub-zsync/usr/bin/bashclub-zsync - chmod +x /usr/bin/bashclub-zsync - cat << EOF > /etc/logrotate.d/bashclub-zsync -/var/log/bashclub-zsync/*.log { - weekly - rotate 12 - compress - delaycompress - missingok - notifempty - create 644 root root -} -EOF - mkdir -p /var/log/bashclub-zsync - cat << EOF > /etc/cron.d/bashclub-zsync -#00 23 * * * root /usr/bin/bashclub-zsync -c /etc/bashclub/zsync.conf > /var/log/bashclub-zsync/zsync.log -EOF -} - virtiowin_updater() { log "Installing virtio-win-updater" cat << EOF > /usr/local/bin/virtio-win-updater @@ -706,6 +723,7 @@ installation_task(){ set_locales set_pve_repo set_ceph_repo + set_bashclub_repo update_system install_tools enable_sdn @@ -715,8 +733,6 @@ installation_task(){ pve_conf_backup suppress_no_subscription_warning harden_ssh - install_checkzfs - install_zsync set_mail_delivery create_swap_pool set_default_volblocksize @@ -745,7 +761,7 @@ summary(){ repository: $repo_selection \n\ subscription: $(pvesubscription get | grep status | cut -d' ' -f2)\n\ suppress subscription warning: $suppress_warning\n\ - auto-snapshot: $autosnap\n\ + install auto-snapshot: $install_zas ($autosnap)\n\ ssh-hardening: $ssh_hardening\n\ mail delivery: $mailconfig sender email: $senderaddress 
@@ -787,6 +803,9 @@ select_pve_repo # Select Ceoh repository select_ceph_repo +# Ask for adding bashclub repo +ask_bashclub_repo + # subscription related actions select_subscription From 1e0d350de6b8efe58088e6df4591cad96f08d16e Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Sun, 23 Jun 2024 15:25:23 +0200 Subject: [PATCH 52/57] Cosmetic fixes --- postinstall | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/postinstall b/postinstall index cfd8ffe..3520399 100755 --- a/postinstall +++ b/postinstall @@ -352,7 +352,7 @@ set_locales(){ log "Setting locales" for locale in $locales; do line=$(grep $locale /etc/locale.gen) - if echo $line | grep "#" ; then + if echo $line | grep "#" > /dev/null 2>&1 ; then sed -i "s/$line/$(echo $line | cut -d' ' -f2-)/" /etc/locale.gen fi done @@ -427,7 +427,7 @@ set_bashclub_repo (){ if [ $bashclub_repo -gt 0 ]; then log "Configuring bashclub apt repositories" echo "deb [signed-by=/usr/share/keyrings/bashclub-archive-keyring.gpg] https://apt.bashclub.org/release bookworm main" > /etc/apt/sources.list.d/bashclub.list - wget -O- https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-archive-keyring.gpg + wget -q -O- https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-archive-keyring.gpg fi } From 81b6b17fd0dcec04ac1e68a375c6a8c8e5b2ba38 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Sun, 23 Jun 2024 16:36:35 +0200 Subject: [PATCH 53/57] Configure mail delivery via notification feature --- postinstall | 106 ++++++++++++++-------------------------------------- 1 file changed, 29 insertions(+), 77 deletions(-) diff --git a/postinstall b/postinstall index 3520399..b54e57b 100755 --- a/postinstall +++ b/postinstall 
@@ -531,106 +531,58 @@ harden_ssh(){ } ask_mail_config(){ - mailconfig=0 - smtpauth=0 - senderaddress="" - displayname="" - if [ -f /etc/postfix/sender_canonical_maps ]; then - senderaddress=$(grep "@" -m1 /etc/postfix/sender_canonical_maps | cut -d '<' -f2 | cut -d '>' -f1) - displayname=$(grep "@" -m1 /etc/postfix/sender_canonical_maps | cut -d' ' -f5) - fi - smtphost=$(grep relayhost /etc/postfix/main.cf | cut -d : -f1 | cut -d ' ' -f3 | cut -d ']' -f1 | cut -d '[' -f2) - smtpport=$(grep relayhost /etc/postfix/main.cf | cut -d':' -f2) - if [[ $smtpport == "" ]] || [[ $smtpport == "relayhost" ]]; then - smtpport=25 - fi - username="" - password="" - if [ -f /etc/postfix/sasl_passwd ]; then - username=$(cat /etc/postfix/sasl_passwd | cut -d ' ' -f2- | cut -d':' -f1) - password=$(cat /etc/postfix/sasl_passwd | cut -d ' ' -f2- | cut -d':' -f2-) - else - username=$senderaddress - fi if whiptail --title "MAIL DELIVERY" \ --backtitle "$PROG" \ --yes-button "MAIL CONFIG" \ --no-button "SKIP" \ - --yesno "Do you want to configure postfix with a smarthost?" 9 76 ; then + --yesno "Do you want to configure notifications for root@pam(OVERWRITES CURRENT CONFIG)?" 9 76 ; then mailconfig=1 if ! displayname=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter your sender display name." 9 76 $(hostname -f) 3>&1 1>&2 2>&3); then cancel_dialog; fi if ! recipientaddress=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter the email address to receive notifications." 9 76 $recipientaddress 3>&1 1>&2 2>&3); then cancel_dialog; fi - if ! smtphost=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter the servername of your smarthost." 9 76 $smtphost 3>&1 1>&2 2>&3); then cancel_dialog; fi - smtpport=$(inputbox_int 'MAIL DELIVERY' 'Please enter the port of your smarthost' 7 $smtpport) - if ! 
senderaddress=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter your sender email address." 9 76 $senderaddress 3>&1 1>&2 2>&3); then cancel_dialog; fi + if ! smtphost=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter the servername of your smarthost." 9 76 "" 3>&1 1>&2 2>&3); then cancel_dialog; fi + smtpmode=$(whiptail --title "SELECT SMTP MODE" --backtitle "$PROG" \ + --radiolist "Choose SMTP mode" 20 76 7 \ + "insecure" "insecure (tcp/25)" "OFF" \ + "tls" "TLS (tcp/465)" "OFF" \ + "starttls" "StartTLS (tcp/587)" "ON" 3>&1 1>&2 2>&3) + if ! senderaddress=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter your sender email address." 9 76 "root@$(hostname -f)" 3>&1 1>&2 2>&3); then cancel_dialog; fi if whiptail --title "MAIL DELIVERY" \ --backtitle "$PROG" \ --yes-button "CONFIGURE AUTH" \ --no-button "SKIP" \ --yesno "Do you want to configure authentication against your smarthost?" 9 76 ; then smtpauth=1 - if ! username=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter the username for authentication." 9 76 $username 3>&1 1>&2 2>&3); then cancel_dialog; fi - if ! password=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --passwordbox "Please enter the passsword for authentication." 9 76 $password 3>&1 1>&2 2>&3); then cancel_dialog; fi + if ! username=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter the username for authentication." 9 76 "" 3>&1 1>&2 2>&3); then cancel_dialog; fi + if ! password=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --passwordbox "Please enter the passsword for authentication." 
9 76 "" 3>&1 1>&2 2>&3); then cancel_dialog; fi fi fi } -set_mail_delivery(){ +set_notification() { if [ $mailconfig -gt 0 ]; then - log "Configuring mail delivery" - cat << EOF > /etc/postfix/main.cf -myhostname=$(hostname -f) -smtpd_banner = \$myhostname ESMTP \$mail_name (Debian/GNU) -biff = no -append_dot_mydomain = no -alias_maps = hash:/etc/aliases -alias_database = hash:/etc/aliases -mydestination = \$myhostname, localhost.\$mydomain, localhost -mynetworks = 127.0.0.0/8 -inet_interfaces = loopback-only -recipient_delimiter = + -compatibility_level = 2 + cat << EOF > /etc/pve/notifications.cfg +smtp: $smtphost + mailto-user root@pam + mailto $recipientaddress + author $displayname + from-address $senderaddress + server $smtphost + mode $smtpmode +EOF + if [ $smtpauth -gt 0 ];then + cat << EOF >> /etc/pve/notifications.cfg + username $username -#### sasl extension -relayhost = [$smtphost]:$smtpport -smtp_tls_CAfile = /etc/postfix/cacert.pem -smtp_use_tls = yes -sender_canonical_classes = envelope_sender, header_sender -sender_canonical_maps = regexp:/etc/postfix/sender_canonical_maps -smtp_header_checks = regexp:/etc/postfix/header_check EOF - cat << EOF > /etc/postfix/header_check -/From:.*/ REPLACE 
From: $displayname <$senderaddress> -EOF - - cat << EOF > /etc/postfix/sender_canonical_maps -/.+/ $displayname <$senderaddress> -EOF - - if [ $smtpauth -gt 0 ]; then - cat << EOF > /etc/postfix/sasl_passwd -[$smtphost]:$smtpport $username:$password -EOF - postmap /etc/postfix/sasl_passwd > /dev/null 2>&1 - postmap /etc/aliases > /dev/null 2>&1 - chown root:root /etc/postfix/sasl_passwd - chown root:root /etc/postfix/sasl_passwd.db - chmod 0600 /etc/postfix/sasl_passwd - chmod 0600 /etc/postfix/sasl_passwd.db - - cat << EOF >> /etc/postfix/main.cf -smtp_sasl_auth_enable = yes -smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd -smtp_sasl_security_options = noanonymous + cat << EOF > /etc/pve/priv/notifications.cfg +smtp: $smtphost + password $password EOF fi - ln -sf /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/postfix/cacert.pem - - systemctl restart postfix.service - pvesh set access/users/root@pam -email $recipientaddress + fi } @@ -733,7 +685,7 @@ installation_task(){ pve_conf_backup suppress_no_subscription_warning harden_ssh - set_mail_delivery + set_notification create_swap_pool set_default_volblocksize virtiowin_updater @@ -768,7 +720,7 @@ summary(){ sender display name: $displayname notification address: $recipientaddress smarthost: $smtphost - smarthost port: $smtpport + smarthost mode: $smtpmode smarthost auth: $smtpauth smarthost username: $username set blocksize: $setblocksize From 6a4672bb371f538debd6157b22e0ac79f548653a Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Sun, 23 Jun 2024 17:04:19 +0200 Subject: [PATCH 54/57] Fix notifications --- postinstall | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/postinstall b/postinstall index b54e57b..ab2289d 100755 --- a/postinstall +++ b/postinstall 
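Review bot: The new `smtpmode` radiolist has no cancel handling, unlike every other dialog in ask_mail_config: if the user presses Cancel, whiptail returns non-zero, `smtpmode` becomes an empty string, and set_notification then writes a `mode` line with no value into /etc/pve/notifications.cfg. Wrap it like the inputboxes — `if ! smtpmode=$(whiptail --title "SELECT SMTP MODE" --backtitle "$PROG" --radiolist … 3>&1 1>&2 2>&3); then cancel_dialog; fi`. A second point for set_notification: when `smtpauth` is 1 and `smtpmode` is `insecure`, the username and the password stored in /etc/pve/priv/notifications.cfg will be sent over an unencrypted tcp/25 session, so the auth prompt should at least state that this combination exposes the credentials, or the mode prompt should not offer `insecure` once auth is chosen. Both functions are complete within this hunk.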
@@ -561,7 +561,12 @@ ask_mail_config(){ set_notification() { if [ $mailconfig -gt 0 ]; then cat << EOF > /etc/pve/notifications.cfg -smtp: $smtphost +matcher: default-matcher + comment Route all notifications to mail-to-root + mode all + target smtp-notification + +smtp: smtp-notification mailto-user root@pam mailto $recipientaddress author $displayname @@ -576,7 +581,7 @@ EOF EOF cat << EOF > /etc/pve/priv/notifications.cfg -smtp: $smtphost +smtp: smtp-notification password $password EOF fi From d75402198f09e845c6db54d1fdbb9c612149c6fb Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Sun, 23 Jun 2024 18:14:05 +0200 Subject: [PATCH 55/57] fix skipping notifications --- postinstall | 1 + 1 file changed, 1 insertion(+) diff --git a/postinstall b/postinstall index ab2289d..f9767e4 100755 --- a/postinstall +++ b/postinstall @@ -531,6 +531,7 @@ harden_ssh(){ } ask_mail_config(){ + mailconfig=0 if whiptail --title "MAIL DELIVERY" \ --backtitle "$PROG" \ --yes-button "MAIL CONFIG" \ From 7546e8834e1db9334d6b0618f4bb613aebd763ab Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Sun, 23 Jun 2024 18:48:00 +0200 Subject: [PATCH 56/57] Fix empty vars --- postinstall | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/postinstall b/postinstall index f9767e4..6d2b591 100755 --- a/postinstall +++ b/postinstall @@ -532,6 +532,15 @@ harden_ssh(){ ask_mail_config(){ mailconfig=0 + smtpauth=0 + displayname="" + recipientaddress="" + smtpmode="" + recipientaddress="" + senderaddress="" + username="" + password="" + smtphost="" if whiptail --title "MAIL DELIVERY" \ --backtitle "$PROG" \ --yes-button "MAIL CONFIG" \ From f69bd1d9ac6b7147337ffc675bc64fcda6aa4b94 Mon Sep 17 00:00:00 2001 From: thorstenspille Date: Sun, 23 Jun 2024 21:20:17 +0200 Subject: [PATCH 57/57] remove virtio-win updater and use deb from repo --- postinstall | 67 +++++++++++++++-------------------------------------- 1 file changed, 19 insertions(+), 48 deletions(-) 
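Review bot: The literal target name `smtp-notification` now appears three times — in the matcher's `target` line, the `smtp:` section here, and the `smtp:` section of the priv file in the next hunk — and all three must stay identical for the stored password to belong to the configured target. Assign it once, e.g. `notify_target=smtp-notification` at the top of set_notification, and use `$notify_target` in the three places so a later rename cannot silently split the public and private halves. set_notification's closing lines are outside this hunk.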
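Review bot: `recipientaddress=""` is assigned twice in the new initialisation block of ask_mail_config; the second occurrence is a harmless duplicate and should be dropped. Initialising these variables up front is otherwise the right fix, since on the SKIP path none of the dialogs run and set_notification and summary read them anyway. The function body continues below the hunk.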
diff --git a/postinstall b/postinstall index 6d2b591..bc7e854 100755 --- a/postinstall +++ b/postinstall @@ -294,6 +294,7 @@ ask_bashclub_repo(){ bashclub_repo=0 install_zsync=0 + install_virtio=0 if whiptail --title "INSTALL BASHCLUB REPOSITORY" \ --backtitle "$PROG" \ --yes-button "INSTALL" \ @@ -307,6 +308,13 @@ ask_bashclub_repo(){ --yesno "Do you want to install checkzfs and bashclub-zsync?" 9 76 ; then install_zsync=1 fi + if whiptail --title "INSTALL VIRTIO-WIN-ISO" \ + --backtitle "$PROG" \ + --yes-button "INSTALL" \ + --no-button "SKIP" \ + --yesno "Do you want to install current stable virtio-win iso?" 9 76 ; then + install_virtio=1 + fi fi } @@ -446,6 +454,9 @@ install_tools(){ if [ $install_zsync -gt 0 ]; then OPTIONAL_TOOLS="bashclub-zsync $OPTIONAL_TOOLS" fi + if [ $install_virtio -gt 0 ]; then + OPTIONAL_TOOLS="virtio-win-iso $OPTIONAL_TOOLS" + fi DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install $REQUIRED_TOOLS $OPTIONAL_TOOLS > /dev/null 2>&1 } 
@@ -634,54 +645,14 @@ set_default_volblocksize(){ fi } -virtiowin_updater() { - log "Installing virtio-win-updater" - cat << EOF > /usr/local/bin/virtio-win-updater -#!/bin/bash -# -# This script updates the virtio-win iso in Proxmox local storage -content=\$(wget -q -O - https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/) -server=https://fedorapeople.org -path=\$(echo -e "\$content" | grep -m1 title | cut -d "<" -f2 | cut -d " " -f3) -file=\$(echo -e "\$content" | grep -Eo "virtio-win-0.1.[0-9]+.iso" | grep -m1 virtio) -url=\$server\$path/\$file -if ! find /var/lib/vz/template/iso/\$file > /dev/null 2>&1 ; then - echo "\$(date) New version available. Downloading \$file." - wget -q -O /var/lib/vz/template/iso/\$file \$url - old_virtio=\$(find /var/lib/vz/template/iso/ -name virtio-win* | grep -v \$file) - if [ \$? -eq 0 ]; then - for line in \$old_virtio; do - if ! grep \$(echo \$line | cut -d'/' -f7) /etc/pve/qemu-server/* ; then - echo "\$(date) Deleting \$line." - rm -f \$line - else - echo "\$(date) Keeping \$line - Still in use by VMs." - fi - done +remove_virtiowin_updater() { + log "Removing virtio-win updater if exists" + if [ -f /usr/local/bin/virtio-win-updater ]; then + rm -f /usr/local/bin/virtio-win-updater + fi + if [ -f /etc/cron.daily/virtio-win-updater]; then + rm -f /etc/cron.daily/virtio-win-updater fi -else - echo "\$(date) Already on the current stable version: \$file." -fi -EOF - chmod +x /usr/local/bin/virtio-win-updater - rm -f /etc/cron.daily/virtio-win-updater - cat << EOF > /etc/cron.daily/virtio-win-updater -#!/bin/bash -/usr/local/bin/virtio-win-updater >> /var/log/virtio-win-updater.log 2>&1 -EOF - cat << EOF > /etc/logrotate.d/virtio-win-updater -/var/log/virtio-win-updater.log { - weekly - rotate 12 - compress - delaycompress - missingok - notifempty - create 644 root root -} -EOF - log "Running virtio-win-updater" - virtio-win-updater } installation_task(){ 
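Review bot: `if [ -f /etc/cron.daily/virtio-win-updater]; then` is missing the space before `]`, so the test aborts with "missing ]" and the stale daily cron entry is never removed even though the script it invokes has just been deleted, leaving a cron job that fails every day. `rm -f` already tolerates a missing file, so both guards can be replaced by one line: `rm -f -- /usr/local/bin/virtio-win-updater /etc/cron.daily/virtio-win-updater /etc/logrotate.d/virtio-win-updater`. The logrotate snippet and /var/log/virtio-win-updater.log created by the removed function are otherwise left behind as well.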
@@ -703,7 +674,7 @@ installation_task(){ set_notification create_swap_pool set_default_volblocksize - virtiowin_updater + remove_virtiowin_updater log "Updating initramfs - This will take some time..." update-initramfs -u -k all > /dev/null 2>&1