bashclub/proxmox-zfs-postinstall
1
0
Fork 0
mirror of https://github.com/bashclub/proxmox-zfs-postinstall.git synced 2025-09-22 06:20:12 +02:00
Code Issues Projects Releases Wiki Activity

Merge pull request #31 from bashclub/dev

Browse Source 
Dev
This commit is contained in:
Thorsten Spille
2025-09-15 19:14:40 +02:00
committed by GitHub
parent 305987a6f9 7af710cfd4
commit a11c458eb2
1 changed files with 181 additions and 78 deletions
Download Patch File Download Diff File Expand all files Collapse all files

259
postinstall
View File

@@ -130,8 +130,12 @@ arc_suggestion(){
ZFS_ARC_MAX_MEGABYTES=$(roundup $(($ZPOOL_SIZE_SUM_BYTES / 1024 / 1024 / 1024)))
ZFS_ARC_MIN_MEGABYTES=$(roundoff $(($ZPOOL_SIZE_SUM_BYTES / 2048 / 1024 / 1024)))
if [ $ZFS_ARC_MIN_MEGABYTES -eq 0 ]; then
# Setze Min als Fallback auf die Hälfte von Max.
ZFS_ARC_MIN_MEGABYTES=$(($ZFS_ARC_MAX_MEGABYTES / 2))
if [ $ARC_MIN_DEFAULT_MB -gt $ZFS_ARC_MAX_MEGABYTES ]; then
# Prüfe, ob der RAM-basierte Default-Min-Wert eine bessere Option ist,
# ABER nur, wenn dieser Wert auch kleiner als der Max-Wert ist.
if [[ $ARC_MIN_DEFAULT_MB -gt $ZFS_ARC_MIN_MEGABYTES && $ARC_MIN_DEFAULT_MB -lt $ZFS_ARC_MAX_MEGABYTES ]]; then
ZFS_ARC_MIN_MEGABYTES=$ARC_MIN_DEFAULT_MB
fi
fi
@@ -307,18 +311,38 @@ select_pve_repo(){
pveenterprise=OFF
pvenosubscription=OFF
pvetest=OFF
if [ -f /etc/apt/sources.list.d/pve-enterprise.list ]; then
if grep -v '#' /etc/apt/sources.list.d/pve-enterprise.list | grep "pve-enterprise" > /dev/null ; then
if [[ $VERSION_CODENAME == "bookworm" ]]; then
if [ -f /etc/apt/sources.list.d/pve-enterprise.list ]; then
if grep -v '#' /etc/apt/sources.list.d/pve-enterprise.list | grep "pve-enterprise" > /dev/null ; then
pveenterprise=ON
else
if [ -f /etc/apt/sources.list ]; then
if grep -v '#' /etc/apt/sources.list | grep "pve-no-subscription" > /dev/null ; then
pvenosubscription=ON
elif grep -v '#' /etc/apt/sources.list | grep "pvetest" > /dev/null ; then
pvetest=ON
else
pveenterprise=ON
fi
fi
fi
fi
elif [[ $VERSION_CODENAME == "trixie" ]]; then
echo "Ensuring all apt sources are modernized"
apt -y modernize-sources
if [ -f /etc/apt/sources.list.d/pve-enterprise.sources ] && ( [[ $(grep Enabled /etc/apt/sources.list.d/pve-enterprise.sources) == *"Yes"* ]] || ! grep Enabled /etc/apt/sources.list.d/pve-enterprise.sources > /dev/null ) ; then
pveenterprise=ON
else
if [ -f /etc/apt/sources.list ]; then
if grep -v '#' /etc/apt/sources.list | grep "pve-no-subscription" > /dev/null ; then
pvenosubscription=ON
elif grep -v '#' /etc/apt/sources.list | grep "pvetest" > /dev/null ; then
pvetest=ON
else
pveenterprise=ON
fi
if [ -f /etc/apt/sources.list.d/proxmox.sources ]; then
if [[ $(grep Enabled /etc/apt/sources.list.d/proxmox.sources) == "Yes" ]] || ! grep Enabled /etc/apt/sources.list.d/proxmox.sources > /dev/null ; then
if grep "pve-no-subscription" /etc/apt/sources.list.d/proxmox.sources > /dev/null ; then
pvenosubscription=ON
elif grep "pvetest" /etc/apt/sources.list.d/proxmox.sources > /dev/null ; then
pvetest=ON
else
pveenterprise=ON
fi
fi
fi
fi
fi
@@ -363,37 +387,68 @@ select_ceph_repo(){
quincyenterprise=OFF
quincynosubscription=OFF
quincytest=OFF
squidenterprise=OFF
squidnosubscription=OFF
squidtest=OFF
reefenterprise=OFF
reefnosubscription=OFF
reeftest=OFF
if [ -f /etc/apt/sources.list.d/ceph.list ]; then
if grep -v '#' /etc/apt/sources.list.d/ceph.list | grep "quincy" | grep "enterprise" > /dev/null ; then
quincyenterprise=ON
elif grep -v '#' /etc/apt/sources.list.d/ceph.list | grep "reef" | grep "enterprise" > /dev/null ; then
reefenterprise=ON
elif grep -v '#' /etc/apt/sources.list.d/ceph.list | grep "quincy" | grep "no-subscription" > /dev/null ; then
quincynosubscription=ON
elif grep -v '#' /etc/apt/sources.list.d/ceph.list | grep "reef" | grep "no-subscription" > /dev/null ; then
reefnosubscription=ON
elif grep -v '#' /etc/apt/sources.list.d/ceph.list | grep "quincy" | grep "test" > /dev/null ; then
quincytest=ON
elif grep -v '#' /etc/apt/sources.list.d/ceph.list | grep "reef" | grep "test" > /dev/null ; then
reeftest=ON
if [[ "$VERSION_CODENAME" == "bookworm" ]]; then
if [ -f /etc/apt/sources.list.d/ceph.list ]; then
if grep -v '#' /etc/apt/sources.list.d/ceph.list | grep "quincy" | grep "enterprise" > /dev/null ; then
quincyenterprise=ON
elif grep -v '#' /etc/apt/sources.list.d/ceph.list | grep "reef" | grep "enterprise" > /dev/null ; then
reefenterprise=ON
elif grep -v '#' /etc/apt/sources.list.d/ceph.list | grep "quincy" | grep "no-subscription" > /dev/null ; then
quincynosubscription=ON
elif grep -v '#' /etc/apt/sources.list.d/ceph.list | grep "reef" | grep "no-subscription" > /dev/null ; then
reefnosubscription=ON
elif grep -v '#' /etc/apt/sources.list.d/ceph.list | grep "quincy" | grep "test" > /dev/null ; then
quincytest=ON
elif grep -v '#' /etc/apt/sources.list.d/ceph.list | grep "reef" | grep "test" > /dev/null ; then
reeftest=ON
else
none=ON
fi
else
none=ON
fi
fi
ceph_repo_selection=$(whiptail --title "SELECT PVE REPOSITORY" --backtitle "$PROG" \
--radiolist "Choose Ceph repository" 20 76 7 \
"none" "No Ceph repository" "$none" \
"quincyenterprise" "Ceph Quincy Enterprise repository" "$quincyenterprise" \
"quincynosubscription" "Ceph Quincy No Subscription repository" "$quincynosubscription" \
"quincytest" "Ceph Quincy Testing repository" "$quincytest" \
"reefenterprise" "Ceph Reef Enterprise repository" "$reefenterprise" \
"reefnosubscription" "Ceph Reef No Subscription repository" "$reefnosubscription" \
"reeftest" "Ceph Reef Testing repository" "$reeftest" 3>&1 1>&2 2>&3)
else
none=ON
if [ -f /etc/apt/sources.list.d/ceph.sources ]; then
if [[ $(grep Enabled /etc/apt/sources.list.d/ceph.sources) == "Yes" ]] || ! grep Enabled /etc/apt/sources.list.d/ceph.sources > /dev/null ; then
if grep "enterprise" /etc/apt/sources.list.d/ceph.sources > /dev/null ; then
squidenterprise=ON
elif grep "no-subscription" /etc/apt/sources.list.d/ceph.sources > /dev/null ; then
squidnosubscription=ON
elif grep "test" /etc/apt/sources.list.d/ceph.sources > /dev/null ; then
squidtest=ON
else
none=ON
fi
else
none=ON
fi
else
none=ON
fi
ceph_repo_selection=$(whiptail --title "SELECT PVE REPOSITORY" --backtitle "$PROG" \
--radiolist "Choose Ceph repository" 20 76 4 \
"none" "No Ceph repository" "$none" \
"squidenterprise" "Ceph Squid Enterprise repository" "$squidenterprise" \
"squidnosubscription" "Ceph Squid No Subscription repository" "$squidnosubscription" \
"squidtest" "Ceph Squid Testing repository" "$squidtest" 3>&1 1>&2 2>&3)
fi
ceph_repo_selection=$(whiptail --title "SELECT PVE REPOSITORY" --backtitle "$PROG" \
--radiolist "Choose Ceph repository" 20 76 7 \
"none" "No Ceph repository" "$none" \
"quincyenterprise" "Ceph Quincy Enterprise repository" "$quincyenterprise" \
"quincynosubscription" "Ceph Quincy No Subscription repository" "$quincynosubscription" \
"quincytest" "Ceph Quincy Testing repository" "$quincytest" \
"reefenterprise" "Ceph Reef Enterprise repository" "$reefenterprise" \
"reefnosubscription" "Ceph Reef No Subscription repository" "$reefnosubscription" \
"reeftest" "Ceph Reef Testing repository" "$reeftest" 3>&1 1>&2 2>&3)
}
set_locales(){
@@ -410,7 +465,9 @@ set_locales(){
set_ceph_repo(){
log "Setting Ceph package repositories to $ceph_repo_selection"
if [[ "$ceph_repo_selection" != "none" ]]; then
if [[ "$ceph_repo_selection" == *"quincy"* ]]; then
if [[ "$ceph_repo_selection" == *"squid"* ]]; then
generation=squid
elif [[ "$ceph_repo_selection" == *"quincy"* ]]; then
generation=quincy
elif [[ "$ceph_repo_selection" == *"reef"* ]]; then
generation=reef
@@ -425,48 +482,84 @@ set_ceph_repo(){
selection=test
server=http://download.proxmox.com
fi
echo "deb ${server}/debian/ceph-${generation} $(lsb_release -cs 2>/dev/null) ${selection}" > /etc/apt/sources.list.d/ceph.list
if [[ "$VERSION_CODENAME" == "bookworm" ]] ; then
echo "deb ${server}/debian/ceph-${generation} $(lsb_release -cs 2>/dev/null) ${selection}" > /etc/apt/sources.list.d/ceph.list
else
cat << EOF > /etc/apt/sources.list.d/ceph.sources
Types: deb
URIs: http://download.proxmox.com/debian/ceph-${generation}
Suites: $VERSION_CODENAME
Components: ${selection}
Signed-By: /usr/share/keyrings/proxmox-archive-keyring.gpg
EOF
fi
else
rm -f /etc/apt/sources.list.d/ceph.list
if [[ "$VERSION_CODENAME" == "bookworm" ]] ; then
rm -f /etc/apt/sources.list.d/ceph.list
else
rm -f /etc/apt/sources.list.d/ceph.sources
fi
fi
}
set_pve_repo(){
log "Setting Proxmox package repositories to $repo_selection"
nosub=$(grep pve-no-subscription /etc/apt/sources.list)
enterprise=$(grep pve-enterprise /etc/apt/sources.list.d/pve-enterprise.list)
test=$(grep pvetest /etc/apt/sources.list)
if [[ $repo_selection == "pve-enterprise" ]]; then
echo "deb https://enterprise.proxmox.com/debian/pve $VERSION_CODENAME pve-enterprise" > /etc/apt/sources.list.d/pve-enterprise.list
if [[ $nosub != "" ]] && [[ $nosub != *"#"* ]]; then
sed -i "s|$nosub|# $nosub|g" /etc/apt/sources.list
if [[ "$VERSION_CODENAME" == "bookworm" ]]; then
nosub=$(grep pve-no-subscription /etc/apt/sources.list)
enterprise=$(grep pve-enterprise /etc/apt/sources.list.d/pve-enterprise.list)
test=$(grep pvetest /etc/apt/sources.list)
if [[ $repo_selection == "pve-enterprise" ]]; then
echo "deb https://enterprise.proxmox.com/debian/pve $VERSION_CODENAME pve-enterprise" > /etc/apt/sources.list.d/pve-enterprise.list
if [[ $nosub != "" ]] && [[ $nosub != *"#"* ]]; then
sed -i "s|$nosub|# $nosub|g" /etc/apt/sources.list
fi
if [[ $test != "" ]] && [[ $test != *"#"* ]]; then
sed -i "s|$test|# $test|g" /etc/apt/sources.list
fi
elif [[ $repo_selection == "pve-no-subscription" ]]; then
if [[ $nosub == "" ]]; then
echo -e "\ndeb http://download.proxmox.com/debian/pve $VERSION_CODENAME pve-no-subscription\n" >> /etc/apt/sources.list
elif [[ $nosub == *"#"* ]]; then
sed -i "s|$nosub|$(echo $nosub | cut -d' ' -f2-)|" /etc/apt/sources.list
fi
if [[ $enterprise != "" ]] && [[ $enterprise != *"#"* ]]; then
sed -i "s|$enterprise|# $enterprise|g" /etc/apt/sources.list.d/pve-enterprise.list
fi
if [[ $test != "" ]] && [[ $test != *"#"* ]]; then
sed -i "s|$test|# $test|g" /etc/apt/sources.list
fi
elif [[ $repo_selection == "pvetest" ]]; then
if [[ $test == "" ]]; then
echo -e "\ndeb http://download.proxmox.com/debian/pve $VERSION_CODENAME pvetest\n" >> /etc/apt/sources.list
elif [[ $test == *"#"* ]]; then
sed -i "s|$test|$(echo $test | cut -d' ' -f2-)|" /etc/apt/sources.list
fi
if [[ $nosub != "" ]] && [[ $nosub != *"#"* ]]; then
sed -i "s|$nosub|# $nosub|g" /etc/apt/sources.list
fi
if [[ $enterprise != "" ]] && [[ $enterprise != *"#"* ]]; then
sed -i "s|$enterprise|# $enterprise|g" /etc/apt/sources.list.d/pve-enterprise.list
fi
fi
if [[ $test != "" ]] && [[ $test != *"#"* ]]; then
sed -i "s|$test|# $test|g" /etc/apt/sources.list
fi
elif [[ $repo_selection == "pve-no-subscription" ]]; then
if [[ $nosub == "" ]]; then
echo -e "\ndeb http://download.proxmox.com/debian/pve $VERSION_CODENAME pve-no-subscription\n" >> /etc/apt/sources.list
elif [[ $nosub == *"#"* ]]; then
sed -i "s|$nosub|$(echo $nosub | cut -d' ' -f2-)|" /etc/apt/sources.list
fi
if [[ $enterprise != "" ]] && [[ $enterprise != *"#"* ]]; then
sed -i "s|$enterprise|# $enterprise|g" /etc/apt/sources.list.d/pve-enterprise.list
fi
if [[ $test != "" ]] && [[ $test != *"#"* ]]; then
sed -i "s|$test|# $test|g" /etc/apt/sources.list
fi
elif [[ $repo_selection == "pvetest" ]]; then
if [[ $test == "" ]]; then
echo -e "\ndeb http://download.proxmox.com/debian/pve $VERSION_CODENAME pvetest\n" >> /etc/apt/sources.list
elif [[ $test == *"#"* ]]; then
sed -i "s|$test|$(echo $test | cut -d' ' -f2-)|" /etc/apt/sources.list
fi
if [[ $nosub != "" ]] && [[ $nosub != *"#"* ]]; then
sed -i "s|$nosub|# $nosub|g" /etc/apt/sources.list
fi
if [[ $enterprise != "" ]] && [[ $enterprise != *"#"* ]]; then
sed -i "s|$enterprise|# $enterprise|g" /etc/apt/sources.list.d/pve-enterprise.list
else
if [[ $repo_selection == "pve-enterprise" ]]; then
rm -f /etc/apt/sources.list.d/proxmox.sources
cat << EOF > /etc/apt/sources.list.d/pve-enterprise.sources
Types: deb
URIs: https://enterprise.proxmox.com/debian/pve
Suites: $VERSION_CODENAME
Components: pve-enterprise
Signed-By: /usr/share/keyrings/proxmox-archive-keyring.gpg
EOF
elif [[ $repo_selection == "pve-no-subscription" ]] || [[ $repo_selection == "pvetest" ]]; then
rm -f /etc/apt/sources.list.d/pve-enterprise.sources
cat << EOF > /etc/apt/sources.list.d/proxmox.sources
Types: deb
URIs: http://download.proxmox.com/debian/pve/
Suites: $VERSION_CODENAME
Components: $repo_selection
Signed-By: /usr/share/keyrings/proxmox-archive-keyring.gpg
EOF
fi
fi
}
@@ -474,8 +567,18 @@ set_pve_repo(){
set_bashclub_repo (){
if [ $bashclub_repo -gt 0 ]; then
log "Configuring bashclub apt repositories"
echo "deb [signed-by=/usr/share/keyrings/bashclub-archive-keyring.gpg] https://apt.bashclub.org/release bookworm main" > /etc/apt/sources.list.d/bashclub.list
wget -q -O- https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-archive-keyring.gpg
if [[ "$VERSION_CODENAME" == "bookworm" ]]; then
echo "deb [signed-by=/usr/share/keyrings/bashclub-archive-keyring.gpg] https://apt.bashclub.org/release $VERSION_CODENAME main" > /etc/apt/sources.list.d/bashclub.list
else
cat << EOF > /etc/apt/sources.list.d/bashclub.sources
Types: deb
URIs: https://apt.bashclub.org/release/
Suites: $VERSION_CODENAME
Components: main
Signed-By: /usr/share/keyrings/bashclub-archive-keyring.gpg
EOF
fi
fi
}
@@ -571,12 +674,7 @@ harden_ssh(){
mv /etc/ssh/moduli.safe /etc/ssh/moduli
log "Writing hardened SSH config"
if [[ $VERSION_CODENAME == "bookworm" ]]; then
echo -e "\n# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nKexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\nHostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com" > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf
elif [[ $VERSION_CODENAME == "bullseye" ]]; then
sed -i 's/^\#HostKey \/etc\/ssh\/ssh_host_\(rsa\|ed25519\)_key$/HostKey \/etc\/ssh\/ssh_host_\1_key/g' /etc/ssh/sshd_config
echo -e echo -e "\n# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nKexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\nHostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com" > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf
fi
echo -e "\n# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nKexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\nHostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com" > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf
systemctl restart ssh.service
fi
}
@@ -800,6 +898,11 @@ summary(){
source /etc/os-release
if [[ "bookworm trixie" != *"$VERSION_CODENAME"* ]]; then
echo "Your Proxmox VE version $VERSION_CONDENAME is unsuported. Please use Proxmox 8 (bookworm) or Proxmox 9 (trixie). Exiting"
exit 1
fi
# Calculate and suggest values for ZFS L1ARC cache
arc_suggestion