diff --git a/postinstall b/postinstall index c20d1fd..1225ab6 100755 --- a/postinstall +++ b/postinstall @@ -181,7 +181,7 @@ select_subscription(){ } ask_locales(){ - locales=$(whiptail --title "SET LOCALES" --backtitle "$PROG" --inputbox "Please enter a space separated list of locales to generate." 9 76 "$(echo $(grep -vE '#|^$' /etc/locale.gen | cut -d ' ' -f1))" 3>&1 1>&2 2>&3) + if ! locales=$(whiptail --title "SET LOCALES" --backtitle "$PROG" --inputbox "Please enter a space separated list of locales to generate." 9 76 "$(echo $(grep -vE '#|^$' /etc/locale.gen | cut -d ' ' -f1))" 3>&1 1>&2 2>&3); then cancel_dialog ; fi } ask_ssh_hardening(){ @@ -379,16 +379,22 @@ harden_ssh(){ ask_mail_config(){ mailconfig=0 smtpauth=0 + senderaddress="" + displayname="" + recipientaddress="" + smtphost="" + smtpport=25 + username="" if whiptail --title "MAIL DELIVERY" \ --backtitle "$PROG" \ --yes-button "MAIL CONFIG" \ --no-button "SKIP" \ --yesno "Do you want to configure postfix with a smarthost?" 9 76 ; then mailconfig=1 - senderaddress=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter your sender email address." 9 76 3>&1 1>&2 2>&3) - displayname=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter your sender display name." 9 76 3>&1 1>&2 2>&3) - recipientaddress=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter the email address to receive notifications." 9 76 3>&1 1>&2 2>&3) - smtphost=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter the servername of your smarthost." 9 76 3>&1 1>&2 2>&3) + if ! senderaddress=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter your sender email address." 9 76 3>&1 1>&2 2>&3); then cancel_dialog; fi + if ! displayname=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter your sender display name." 9 76 3>&1 1>&2 2>&3); then cancel_dialog; fi + if !recipientaddress=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter the email address to receive notifications." 9 76 3>&1 1>&2 2>&3); then cancel_dialog; fi + if ! smtphost=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter the servername of your smarthost." 9 76 3>&1 1>&2 2>&3); then cancel_dialog; fi smtpport=$(inputbox_int 'MAIL DELIVERY' 'Please enter the port of your smarthost' 7 25) if whiptail --title "MAIL DELIVERY" \ --backtitle "$PROG" \ @@ -396,8 +402,8 @@ ask_mail_config(){ --no-button "SKIP" \ --yesno "Do you want to configure authentication against your smarthost?" 9 76 ; then smtpauth=1 - username=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter the username for authentication." 9 76 3>&1 1>&2 2>&3) - password=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --passwordbox "Please enter the passsword for authentication." 9 76 3>&1 1>&2 2>&3) + if ! username=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter the username for authentication." 9 76 3>&1 1>&2 2>&3); then cancel_dialog; fi + if ! password=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --passwordbox "Please enter the passsword for authentication." 9 76 3>&1 1>&2 2>&3); then cancel_dialog; fi fi fi } @@ -548,6 +554,14 @@ summary(){ suppress subscription warning: $suppress_warning\n\ auto-snapshot: $autosnap\n\ ssh-hardening: $ssh_hardening\n\ + mail delivery: $mailconfig + sender email: $senderaddress + sender display name: $displayname + notification address: $recipientaddress + smarthost: $smtphost + smarthost port: $smtpport + smarthost auth: $smtpauth + smarthost username: $username " 30 76 ; then installation_task else diff --git a/proxmox-zfs-postinstall.sh b/proxmox-zfs-postinstall.sh deleted file mode 100644 index 8ff9246..0000000 --- a/proxmox-zfs-postinstall.sh +++ /dev/null @@ -1,312 +0,0 @@ -#!/bin/bash - -###### CONFIG SECTION ###### - -# Define basic tools to install -TOOLS="sudo vim ifupdown2 libpve-network-perl net-tools dnsutils ethtool git curl unzip screen tmux iftop lshw smartmontools nvme-cli lsscsi sysstat zfs-auto-snapshot htop mc rpl lsb-release" - -#### PVE CONF BACKUP CONFIGURATION #### - -# Define target dataset for backup of /etc -# IMPORTANT NOTE: Don't type in the leading /, this will be set where needed -PVE_CONF_BACKUP_TARGET=rpool/pveconf - -# Define timer for your backup cronjob (default: every 15 minutes from 3 through 59) -PVE_CONF_BACKUP_CRON_TIMER="3,18,33,48 * * * *" - -# Get Debian version info -source /etc/os-release - -###### SYSTEM INFO AND INTERACTIVE CONFIGURATION SECTION ###### - -ROUND_FACTOR=512 - -roundup(){ - echo $(((($1 + $ROUND_FACTOR) / $ROUND_FACTOR) * $ROUND_FACTOR)) -} - -roundoff(){ - echo $((($1 / $ROUND_FACTOR) * $ROUND_FACTOR)) -} - -#### L1ARC SIZE CONFIGURATION #### - -# get total size of all zpools -ZPOOL_SIZE_SUM_BYTES=0 -for line in $(zpool list -o size -Hp); do ZPOOL_SIZE_SUM_BYTES=$(($ZPOOL_SIZE_SUM_BYTES+$line)); done - -# get information about available ram -MEM_TOTAL_BYTES=$(($(awk '/MemTotal/ {print $2}' /proc/meminfo) * 1024)) - -# get values if defaults are set -ARC_MAX_DEFAULT_BYTES=$(($MEM_TOTAL_BYTES / 2)) -ARC_MIN_DEFAULT_BYTES=$(($MEM_TOTAL_BYTES / 32)) - -# get current settings -ARC_MIN_CUR_BYTES=$(cat /sys/module/zfs/parameters/zfs_arc_min) -ARC_MAX_CUR_BYTES=$(cat /sys/module/zfs/parameters/zfs_arc_max) - -# calculate suggested l1arc sice -ZFS_ARC_MIN_MEGABYTES=$(roundoff $(($ZPOOL_SIZE_SUM_BYTES / 2048 / 1024 / 1024))) -ZFS_ARC_MAX_MEGABYTES=$(roundup $(($ZPOOL_SIZE_SUM_BYTES / 1024 / 1024 / 1024))) - -echo -e "######## CONFIGURE ZFS L1ARC SIZE ########\n" -echo "System Summary:" -echo -e "\tSystem Memory:\t\t$(($MEM_TOTAL_BYTES / 1024 / 1024))\tMB" -echo -e "\tZpool size (sum):\t$(($ZPOOL_SIZE_SUM_BYTES / 1024 / 1024))\tMB" -echo -e "Calculated l1arc if set to defaults:" -if [ $ARC_MIN_DEFAULT_BYTES -lt 33554432 ]; then - echo -e "\tDefault zfs_arc_min:\t32\tMB" -else - echo -e "\tDefault zfs_arc_min:\t$(($ARC_MIN_DEFAULT_BYTES / 1024 / 1024))\tMB" -fi -echo -e "\tDefault zfs_arc_max:\t$(($ARC_MAX_DEFAULT_BYTES / 1024 / 1024))\tMB" -echo -e "Current l1arc configuration:" -if [ $ARC_MIN_CUR_BYTES -gt 0 ]; then - echo -e "\tCurrent zfs_arc_min:\t$(($ARC_MIN_CUR_BYTES / 1024 / 1024))\tMB" -else - echo -e "\tCurrent zfs_arc_min:\t0" -fi -if [ $ARC_MAX_CUR_BYTES -gt 0 ]; then - echo -e "\tCurrent zfs_arc_max:\t$(($ARC_MAX_CUR_BYTES / 1024 / 1024))\tMB" -else - echo -e "\tCurrent zfs_arc_max:\t0" -fi -echo -e "Note: If your current values are 0, the calculated values above will apply." -echo "" -echo -e "The l1arc cache will be set relative to the size (sum) of your zpools by policy" -echo -e "zfs_arc_min:\t\t\t$(($ZFS_ARC_MIN_MEGABYTES))\tMB\t\t= 512 MB RAM per 1 TB ZFS storage (round off in 512 MB steps)" -echo -e "zfs_arc_max:\t\t\t$(($ZFS_ARC_MAX_MEGABYTES))\tMB\t\t= 1 GB RAM per 1 TB ZFS storage (round up in 512 MB steps)" -echo "" -RESULT=not_set -while [ "$(echo $RESULT | awk '{print tolower($0)}')" != "y" ] && [ "$(echo $RESULT | awk '{print tolower($0)}')" != "n" ] && [ "$(echo $RESULT | awk '{print tolower($0)}')" != "" ]; do - read -p "If you want to apply the values by script policy type 'y', type 'n' to adjust the values yourself [Y/n]? " - RESULT=${REPLY} -done -if [[ "$(echo $RESULT | awk '{print tolower($0)}')" == "n" ]]; then - read -p "Please type in the desired value in MB for 'zfs_arc_min' [$(($ZFS_ARC_MIN_MEGABYTES))]: " - if [[ ${REPLY} -gt 0 ]]; then - ZFS_ARC_MIN_MEGABYTES=$((${REPLY})) - fi - read -p "Please type in the desired value in MB for 'zfs_arc_max' [$(($ZFS_ARC_MAX_MEGABYTES))]: " - if [[ ${REPLY} -gt 0 ]]; then - ZFS_ARC_MAX_MEGABYTES=$((${REPLY})) - fi -fi - -#### SWAPPINESS #### - -echo -e "######## CONFIGURE SWAPPINESS ########\n" -SWAPPINESS=$(cat /proc/sys/vm/swappiness) -echo "The current swappiness is configured to '$SWAPPINESS %' of free memory until using swap." -read -p "If you want to change the swappiness, please type in the percentage as number (0 = disabled):" user_input -if echo "$user_input" | grep -qE '^[0-9]+$'; then - echo "Changing swappiness from '$SWAPPINESS %' to '$user_input %'" - SWAPPINESS=$user_input -else - echo "No input - swappiness unchanged at '$SWAPPINESS %'." -fi - -#### ZFS AUTO SNAPSHOT CONFIGURATION #### - -# get information about zfs-auto-snapshot and ask for snapshot retention -declare -A auto_snap_keep=( ["frequent"]="8" ["hourly"]="48" ["daily"]="31" ["weekly"]="8" ["monthly"]="3" ) -dpkg -l zfs-auto-snapshot > /dev/null - -if [ $? -eq 0 ]; then - echo "'zfs-auto-snapshot' already installed. Reading config..." - for interval in "${!auto_snap_keep[@]}"; do - if [[ "$interval" == "frequent" ]]; then - auto_snap_keep[$interval]=$(cat /etc/cron.d/zfs-auto-snapshot | grep keep | cut -d' ' -f19 | cut -d '=' -f2) - else - auto_snap_keep[$interval]=$(cat /etc/cron.$interval/zfs-auto-snapshot | grep keep | cut -d' ' -f6 | cut -d'=' -f2) - fi - done -else - echo "'zfs-auto-snapshot' not installed yet, using script defaults..." -fi -echo -e "######## CONFIGURE ZFS AUTO SNAPSHOT ########\n" -for interval in "${!auto_snap_keep[@]}"; do - read -p "Please set how many $interval snapshots to keep (current: keep=${auto_snap_keep[$interval]})" user_input - if echo "$user_input" | grep -qE '^[0-9]+$'; then - echo "Changing $interval from ${auto_snap_keep[$interval]} to $user_input" - auto_snap_keep[$interval]=$user_input - else - echo "No input - $interval unchanged at ${auto_snap_keep[$interval]}." - fi -done - -#### CHECKMK AGENT CONFIGURATION #### -read -p "Do you want to install checkmk agent on this machine? [y/N] " install_checkmk -if [[ "$install_checkmk" == "y" ]]; then - read -p "Please specify the base url to your checkmk server (e.g. https://check.zmb.rocks/bashclub): " cmk_agent_url - read -p "Enable agent encryption (requires setup of Agent Encryption on your checkmk instance). Do you want to activate agent encryption? [y/N] " cmk_encrypt - if [[ "$cmk_encrypt" == "y" ]]; then - read -p "Please enter the encryption passphrase: " cmk_enc_pass - fi - read -p "Register your machine on your checkmk server (requires preconfigured automation secret)? [y/N] " cmk_register - if [[ "$cmk_register" == "y" ]]; then - read -p "Please enter your automation secret: " cmk_secret - read -p "Please enter the folder where to store the host: " cmk_folder - cmk_site=$(echo $cmk_agent_url | cut -d'/' -f4) - read -p "Please enter the checkmk site name: [$cmk_site]" user_input - if [[ $(echo -n "$user_input") != "" ]]; then - cmk_site=$user_input - fi - echo "Please select which agent ip address to register:" - select ip in $(ip a | grep "inet " | cut -d ' ' -f6 | cut -d/ -f1); do - cmk_reg_ip=$ip - break - done - fi -fi - - -###### INSTALLER SECTION ###### - -# disable pve-enterprise repo and add pve-no-subscription repo - -#Not tested, yet! -read -p "Do you want to disable pve-enterprise repo and add pve-no-subscription repo (y/N)? " response - -if [ "${response,,}" == "y" ]; then - if [[ "$(uname -r)" == *"-pve" ]]; then - echo "Deactivating pve-enterprise repository" - mv /etc/apt/sources.list.d/pve-enterprise.list /etc/apt/sources.list.d/pve-enterprise.list.bak > /dev/null 2>&1 - echo "Activating pve-no-subscription repository" - q=$(cat /etc/apt/sources.list | grep "pve-no-subscription") - if [ $? -gt 0 ]; then - echo "deb http://download.proxmox.com/debian/pve $VERSION_CODENAME pve-no-subscription" >> /etc/apt/sources.list - fi - rm -f /etc/apt/sources.list.d/pve-no-subscription.list - fi -fi - -echo "Getting latest package lists" -apt update > /dev/null 2>&1 - -# include interfaces.d to enable SDN features -q=$(cat /etc/network/interfaces | grep "source /etc/network/interfaces.d/*") -if [ $? -gt 0 ]; then - echo "source /etc/network/interfaces.d/*" >> /etc/network/interfaces -fi - -# update system and install basic tools -echo "Upgrading system to latest version - Depending on your version this could take a while..." -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade > /dev/null 2>&1 -echo "Installing toolset - Depending on your version this could take a while..." -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install $TOOLS > /dev/null 2>&1 - -# configure zfs-auto-snapshot -for interval in "${!auto_snap_keep[@]}"; do - echo "Setting zfs-auto-snapshot retention: $interval = ${auto_snap_keep[$interval]}" - if [[ "$interval" == "frequent" ]]; then - CURRENT=$(cat /etc/cron.d/zfs-auto-snapshot | grep keep | cut -d' ' -f19 | cut -d '=' -f2) - if [[ "${auto_snap_keep[$interval]}" != "$CURRENT" ]]; then - rpl "keep=$CURRENT" "keep=${auto_snap_keep[$interval]}" /etc/cron.d/zfs-auto-snapshot > /dev/null 2>&1 - fi - else - CURRENT=$(cat /etc/cron.$interval/zfs-auto-snapshot | grep keep | cut -d' ' -f6 | cut -d'=' -f2) - if [[ "${auto_snap_keep[$interval]}" != "$CURRENT" ]]; then - rpl "keep=$CURRENT" "keep=${auto_snap_keep[$interval]}" /etc/cron.$interval/zfs-auto-snapshot > /dev/null 2>&1 - fi - fi -done - -echo "Configuring swappiness" -echo "vm.swappiness=$SWAPPINESS" > /etc/sysctl.d/swappiness.conf -sysctl -w vm.swappiness=$SWAPPINESS - -echo "Configuring pve-conf-backup" -# create backup jobs of /etc -zfs list $PVE_CONF_BACKUP_TARGET > /dev/null 2>&1 -if [ $? -ne 0 ]; then - zfs create $PVE_CONF_BACKUP_TARGET -fi - -if [[ "$(df -h -t zfs | grep /$ | cut -d ' ' -f1)" == "rpool/ROOT/pve-1" ]] ; then - echo "$PVE_CONF_BACKUP_CRON_TIMER root rsync -va --delete /etc /$PVE_CONF_BACKUP_TARGET > /$PVE_CONF_BACKUP_TARGET/pve-conf-backup.log" > /etc/cron.d/pve-conf-backup -fi - -ZFS_ARC_MIN_BYTES=$((ZFS_ARC_MIN_MEGABYTES * 1024 *1024)) -ZFS_ARC_MAX_BYTES=$((ZFS_ARC_MAX_MEGABYTES * 1024 *1024)) - -echo "Adjusting ZFS level 1 arc" -echo $ZFS_ARC_MIN_BYTES > /sys/module/zfs/parameters/zfs_arc_min -echo $ZFS_ARC_MAX_BYTES > /sys/module/zfs/parameters/zfs_arc_max - -cat << EOF > /etc/modprobe.d/zfs.conf -options zfs zfs_arc_max=$ZFS_ARC_MAX_BYTES -options zfs zfs_arc_min=$ZFS_ARC_MIN_BYTES -EOF - -if [[ "$install_checkmk" == "y" ]]; then - echo "Installing checkmk agent..." - if [[ $( echo -n "$(openssl s_client -connect $(echo $cmk_agent_url | cut -d'/' -f3):443 <<< "Q" 2>/dev/null | grep "Verify return code" | cut -d ' ' -f4)" ) -gt 0 ]]; then - wget_opts="--no-check-certificate" - curl_opts="--insecure" - fi - wget -q -O /usr/local/bin/check_mk_agent $wget_opts $cmk_agent_url/check_mk/agents/check_mk_agent.linux - wget -q -O /usr/local/bin/mk-job $wget_opts $cmk_agent_url/check_mk/agents/mk-job - wget -q -O /usr/local/bin/check_mk_caching_agent $wget_opts $cmk_agent_url/check_mk/agents/check_mk_caching_agent.linux - wget -q -O /usr/local/bin/waitmax $wget_opts $cmk_agent_url/check_mk/agents/waitmax - chmod +x /usr/local/bin/check_mk_agent - chmod +x /usr/local/bin/mk-job - chmod +x /usr/local/bin/check_mk_caching_agent - chmod +x /usr/local/bin/waitmax - /usr/local/bin/check_mk_agent > /dev/null - wget -q -O /etc/systemd/system/check_mk.socket $wget_opts $cmk_agent_url/check_mk/agents/cfg_examples/systemd/check_mk.socket - cat << EOF > /etc/systemd/system/check_mk@.service -# systemd service definition file -[Unit] -Description=Check_MK - -[Service] -# "-" path prefix makes systemd record the exit code, -# but the unit is not set to failed. -ExecStart=-/usr/local/bin/check_mk_agent -Type=forking - -User=root -Group=root - -StandardInput=socket -EOF - - mkdir -p /etc/check_mk - if [[ "$cmk_encrypt" == "y" ]]; then - mkdir -p /etc/check_mk - cat << EOF > /etc/check_mk/encryption.cfg -ENCRYPTED=yes -PASSPHRASE='$cmk_enc_pass' -EOF - chmod 600 /etc/check_mk/encryption.cfg - fi - - mkdir -p /var/lib/check_mk_agent - mkdir -p /var/lib/check_mk_agent/spool - mkdir -p /var/lib/check_mk_agent/job - mkdir -p /usr/lib/check_mk_agent/local - mkdir -p /usr/lib/check_mk_agent/plugins - wget -q -O /usr/lib/check_mk_agent/plugins/smart $wget_opts $cmk_agent_url/check_mk/agents/plugins/smart - chmod +x /usr/lib/check_mk_agent/plugins/smart - wget -q -O /usr/lib/check_mk_agent/plugins/mk_inventory $wget_opts $cmk_agent_url/check_mk/agents/plugins/mk_inventory.linux - chmod +x /usr/lib/check_mk_agent/plugins/mk_inventory - wget -q -O /usr/lib/check_mk_agent/plugins/mk_apt $wget_opts $cmk_agent_url/check_mk/agents/plugins/mk_apt - chmod +x /usr/lib/check_mk_agent/plugins/mk_apt - #LocalDirectory: /usr/lib/check_mk_agent/local - systemctl daemon-reload - systemctl enable check_mk.socket - systemctl restart sockets.target - - if [[ "$cmk_register" == "y" ]]; then - cmk_request="request={\"hostname\":\"$(echo -n $(hostname -f))\",\"folder\":\"$cmk_folder\",\"attributes\":{\"ipaddress\":\"$cmk_reg_ip\",\"site\":\"$cmk_site\",\"tag_agent\":\"cmk-agent\"},\"create_folders\":\"1\"}" - curl $curl_opts "$cmk_agent_url/check_mk/webapi.py?action=add_host&_secret=$cmk_secret&_username=automation" -d $cmk_request - curl $curl_opts "$cmk_agent_url/check_mk/webapi.py?action=activate_changes&_secret=$cmk_secret&_username=automation" -d "request={\"sites\":[\"$cmk_site\"],\"allow_foreign_changes\":\"0\"}" - fi -fi - -echo "Updating initramfs - This will take some time..." -update-initramfs -u -k all > /dev/null 2>&1 - -echo "Proxmox postinstallation finished!"