bashclub/proxmox-zfs-postinstall
1
0
Fork 0
mirror of https://github.com/bashclub/proxmox-zfs-postinstall.git synced 2025-09-22 14:29:59 +02:00
Code Issues Projects Releases Wiki Activity

update for pve9 support

Browse Source
This commit is contained in:
Thorsten Spille
2025-09-06 16:31:43 +02:00
committed by GitHub
parent e5a2e024a7
commit b8a5a1c309
1 changed files with 279 additions and 84 deletions
Download Patch File Download Diff File Expand all files Collapse all files

359
postinstall
View File

@@ -24,7 +24,7 @@
# + Daily check (and download) for new stable virtio-win iso and prune old (unused) versions # + Daily check (and download) for new stable virtio-win iso and prune old (unused) versions
# #
# #
# Author: (C) 2023 Thorsten Spille <thorsten@bashclub.org> # Author: (C) 2025 Thorsten Spille <thorsten@bashclub.org>
set -uo pipefail set -uo pipefail
@@ -75,6 +75,13 @@ sub_status=$(pvesubscription get | grep status | cut -d' ' -f2)
# get notification address # get notification address
recipientaddress=$(pvesh get access/users/root@pam --output-format yaml| grep email | cut -d' ' -f2) recipientaddress=$(pvesh get access/users/root@pam --output-format yaml| grep email | cut -d' ' -f2)
# Default content for local storage
content="vztmpl,import,iso"
ask_local_content(){
if ! content=$(whiptail --title "SET LOCAL STORAGE CONTENT" --backtitle "$PROG" --inputbox "Please enter the content types for local storage (comma separated, allowed values: images,rootdir,vztmpl,backup,iso,import,snippets):" 9 76 "$content" 3>&1 1>&2 2>&3); then cancel_dialog ; fi
}
#### FUNCTIONS #### #### FUNCTIONS ####
log(){ log(){
@@ -123,8 +130,12 @@ arc_suggestion(){
ZFS_ARC_MAX_MEGABYTES=$(roundup $(($ZPOOL_SIZE_SUM_BYTES / 1024 / 1024 / 1024))) ZFS_ARC_MAX_MEGABYTES=$(roundup $(($ZPOOL_SIZE_SUM_BYTES / 1024 / 1024 / 1024)))
ZFS_ARC_MIN_MEGABYTES=$(roundoff $(($ZPOOL_SIZE_SUM_BYTES / 2048 / 1024 / 1024))) ZFS_ARC_MIN_MEGABYTES=$(roundoff $(($ZPOOL_SIZE_SUM_BYTES / 2048 / 1024 / 1024)))
if [ $ZFS_ARC_MIN_MEGABYTES -eq 0 ]; then if [ $ZFS_ARC_MIN_MEGABYTES -eq 0 ]; then
# Setze Min als Fallback auf die Hälfte von Max.
ZFS_ARC_MIN_MEGABYTES=$(($ZFS_ARC_MAX_MEGABYTES / 2)) ZFS_ARC_MIN_MEGABYTES=$(($ZFS_ARC_MAX_MEGABYTES / 2))
if [ $ARC_MIN_DEFAULT_MB -gt $ZFS_ARC_MAX_MEGABYTES ]; then
# Prüfe, ob der RAM-basierte Default-Min-Wert eine bessere Option ist,
# ABER nur, wenn dieser Wert auch kleiner als der Max-Wert ist.
if [[ $ARC_MIN_DEFAULT_MB -gt $ZFS_ARC_MIN_MEGABYTES && $ARC_MIN_DEFAULT_MB -lt $ZFS_ARC_MAX_MEGABYTES ]]; then
ZFS_ARC_MIN_MEGABYTES=$ARC_MIN_DEFAULT_MB ZFS_ARC_MIN_MEGABYTES=$ARC_MIN_DEFAULT_MB
fi fi
fi fi
@@ -201,8 +212,8 @@ select_subscription(){
if whiptail --title "NO PROXMOX SUBSCRIPTION FOUND" \ if whiptail --title "NO PROXMOX SUBSCRIPTION FOUND" \
--backtitle $PROG \ --backtitle $PROG \
--yes-button "SUPPRESS WARNING" \ --yes-button "SUPPRESS WARNING" \
--no-button "SKIP" \ --no-button "REMOVE HACK" \
--yesno "Do you want to suppress the no subscription warning in WebGUI?" 9 76 ; then --yesno "Do you want to suppress the no subscription warning in WebUI?" 9 76 ; then
suppress_warning=1 suppress_warning=1
fi fi
fi fi
@@ -249,35 +260,88 @@ set_subscription(){
} }
suppress_no_subscription_warning(){ suppress_no_subscription_warning(){
# remove old no-sub-hack
if [ -f /opt/bashclub/no-sub-hack.sh ] ; then rm -r /opt/bashclub ; fi
if [ -f /etc/apt/apt.conf.d/80bashclubapthook ] ; then rm /etc/apt/apt.conf.d/80bashclubapthook ; fi
if [ $suppress_warning -gt 0 ]; then if [ $suppress_warning -gt 0 ]; then
# remove old no-sub-hack cat << EOF > /usr/local/bin/suppress_no_subscription_warning
if [ -f /opt/bashclub/no-sub-hack.sh ] ; then rm -r /opt/bashclub ; fi #!/bin/bash
if [ -f /etc/apt/apt.conf.d/80bashclubapthook ] ; then rm /etc/apt/apt.conf.d/80bashclubapthook ; fi # Proxmox no-subscription hack
wget -q --no-cache -O /usr/local/bin/suppress_no_subscription_warning https://github.com/bashclub/no-sub-hack/raw/main/no-sub-hack.sh filename=/usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js
# Prüfe, ob checked_command bereits im gewünschten Zustand ist
if grep -q 'checked_command: function(orig_cmd) { orig_cmd(); },' "\$filename"; then
echo "checked_command bereits gepatcht, keine Änderung notwendig."
exit 0
fi
# Finde die erste Zeile mit checked_command
first_line=\$(grep -n -m1 'checked_command' "\$filename" | cut -d':' -f1)
# Hole die Einrückung der Startzeile
indent=\$(sed -n "\${first_line}p" "\$filename" | grep -o '^[[:space:]]*')
# Suche ab first_line die erste Zeile, die mit identischer Einrückung und '},' endet
last_line=\$(( \$(tail -n "+\${first_line}" "\$filename" | grep -nxm1 "^\${indent}},\$" | cut -d':' -f1) + first_line - 1 ))
# Entferne den Block
sed -i "\${first_line},\${last_line}d" "\$filename"
# Füge die neue checked_command-Funktion an der richtigen Stelle ein
insert_line=\$(( first_line - 1 ))
ex "\$filename" <<eof
\${insert_line} insert
\${indent}checked_command: function(orig_cmd) { orig_cmd(); },
.
xit
eof
systemctl restart pveproxy.service
EOF
chmod +x /usr/local/bin/suppress_no_subscription_warning chmod +x /usr/local/bin/suppress_no_subscription_warning
/usr/local/bin/suppress_no_subscription_warning
cat << EOF > /etc/apt/apt.conf.d/80-suppress_no_subscription_warning cat << EOF > /etc/apt/apt.conf.d/80-suppress_no_subscription_warning
DPkg::Post-Invoke {"/usr/local/bin/suppress_no_subscription_warning";}; DPkg::Post-Invoke {"/usr/local/bin/suppress_no_subscription_warning";};
EOF EOF
else
if [ -f /usr/local/bin/suppress_no_subscription_warning ] ; then rm /usr/local/bin/suppress_no_subscription_warning ; fi
if [ -f /etc/apt/apt.conf.d/80-suppress_no_subscription_warning ] ; then rm /etc/apt/apt.conf.d/80-suppress_no_subscription_warning ; fi
fi fi
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install --reinstall -y -qq proxmox-widget-toolkit > /dev/null 2>&1
} }
select_pve_repo(){ select_pve_repo(){
pveenterprise=OFF pveenterprise=OFF
pvenosubscription=OFF pvenosubscription=OFF
pvetest=OFF pvetest=OFF
if [ -f /etc/apt/sources.list.d/pve-enterprise.list ]; then if [[ $VERSION_CODENAME == "bookworm" ]]; then
if grep -v '#' /etc/apt/sources.list.d/pve-enterprise.list | grep "pve-enterprise" > /dev/null ; then if [ -f /etc/apt/sources.list.d/pve-enterprise.list ]; then
if grep -v '#' /etc/apt/sources.list.d/pve-enterprise.list | grep "pve-enterprise" > /dev/null ; then
pveenterprise=ON
else
if [ -f /etc/apt/sources.list ]; then
if grep -v '#' /etc/apt/sources.list | grep "pve-no-subscription" > /dev/null ; then
pvenosubscription=ON
elif grep -v '#' /etc/apt/sources.list | grep "pvetest" > /dev/null ; then
pvetest=ON
else
pveenterprise=ON
fi
fi
fi
fi
elif [[ $VERSION_CODENAME == "trixie" ]]; then
echo "Ensuring all apt sources are modernized"
apt -y modernize-sources
if [ -f /etc/apt/sources.list.d/pve-enterprise.sources ] && ( [[ $(grep Enabled /etc/apt/sources.list.d/pve-enterprise.sources) == *"Yes"* ]] || ! grep Enabled /etc/apt/sources.list.d/pve-enterprise.sources > /dev/null ) ; then
pveenterprise=ON pveenterprise=ON
else else
if [ -f /etc/apt/sources.list ]; then if [ -f /etc/apt/sources.list.d/proxmox.sources ]; then
if grep -v '#' /etc/apt/sources.list | grep "pve-no-subscription" > /dev/null ; then if [[ $(grep Enabled /etc/apt/sources.list.d/proxmox.sources) == "Yes" ]] || ! grep Enabled /etc/apt/sources.list.d/proxmox.sources > /dev/null ; then
pvenosubscription=ON if grep "pve-no-subscription" /etc/apt/sources.list.d/proxmox.sources > /dev/null ; then
elif grep -v '#' /etc/apt/sources.list | grep "pvetest" > /dev/null ; then pvenosubscription=ON
pvetest=ON elif grep "pvetest" /etc/apt/sources.list.d/proxmox.sources > /dev/null ; then
else pvetest=ON
pveenterprise=ON else
pveenterprise=ON
fi
fi fi
fi fi
fi fi
@@ -323,37 +387,68 @@ select_ceph_repo(){
quincyenterprise=OFF quincyenterprise=OFF
quincynosubscription=OFF quincynosubscription=OFF
quincytest=OFF quincytest=OFF
squidenterprise=OFF
squidnosubscription=OFF
squidtest=OFF
reefenterprise=OFF reefenterprise=OFF
reefnosubscription=OFF reefnosubscription=OFF
reeftest=OFF reeftest=OFF
if [ -f /etc/apt/sources.list.d/ceph.list ]; then if [[ "$VERSION_CODENAME" == "bookworm" ]]; then
if grep -v '#' /etc/apt/sources.list.d/ceph.list | grep "quincy" | grep "enterprise" > /dev/null ; then if [ -f /etc/apt/sources.list.d/ceph.list ]; then
quincyenterprise=ON if grep -v '#' /etc/apt/sources.list.d/ceph.list | grep "quincy" | grep "enterprise" > /dev/null ; then
elif grep -v '#' /etc/apt/sources.list.d/ceph.list | grep "reef" | grep "enterprise" > /dev/null ; then quincyenterprise=ON
reefenterprise=ON elif grep -v '#' /etc/apt/sources.list.d/ceph.list | grep "reef" | grep "enterprise" > /dev/null ; then
elif grep -v '#' /etc/apt/sources.list.d/ceph.list | grep "quincy" | grep "no-subscription" > /dev/null ; then reefenterprise=ON
quincynosubscription=ON elif grep -v '#' /etc/apt/sources.list.d/ceph.list | grep "quincy" | grep "no-subscription" > /dev/null ; then
elif grep -v '#' /etc/apt/sources.list.d/ceph.list | grep "reef" | grep "no-subscription" > /dev/null ; then quincynosubscription=ON
reefnosubscription=ON elif grep -v '#' /etc/apt/sources.list.d/ceph.list | grep "reef" | grep "no-subscription" > /dev/null ; then
elif grep -v '#' /etc/apt/sources.list.d/ceph.list | grep "quincy" | grep "test" > /dev/null ; then reefnosubscription=ON
quincytest=ON elif grep -v '#' /etc/apt/sources.list.d/ceph.list | grep "quincy" | grep "test" > /dev/null ; then
elif grep -v '#' /etc/apt/sources.list.d/ceph.list | grep "reef" | grep "test" > /dev/null ; then quincytest=ON
reeftest=ON elif grep -v '#' /etc/apt/sources.list.d/ceph.list | grep "reef" | grep "test" > /dev/null ; then
reeftest=ON
else
none=ON
fi
else else
none=ON none=ON
fi fi
ceph_repo_selection=$(whiptail --title "SELECT PVE REPOSITORY" --backtitle "$PROG" \
--radiolist "Choose Ceph repository" 20 76 7 \
"none" "No Ceph repository" "$none" \
"quincyenterprise" "Ceph Quincy Enterprise repository" "$quincyenterprise" \
"quincynosubscription" "Ceph Quincy No Subscription repository" "$quincynosubscription" \
"quincytest" "Ceph Quincy Testing repository" "$quincytest" \
"reefenterprise" "Ceph Reef Enterprise repository" "$reefenterprise" \
"reefnosubscription" "Ceph Reef No Subscription repository" "$reefnosubscription" \
"reeftest" "Ceph Reef Testing repository" "$reeftest" 3>&1 1>&2 2>&3)
else else
none=ON if [ -f /etc/apt/sources.list.d/ceph.sources ]; then
if [[ $(grep Enabled /etc/apt/sources.list.d/ceph.sources) == "Yes" ]] || ! grep Enabled /etc/apt/sources.list.d/ceph.sources > /dev/null ; then
if grep "enterprise" /etc/apt/sources.list.d/ceph.sources > /dev/null ; then
squidenterprise=ON
elif grep "no-subscription" /etc/apt/sources.list.d/ceph.sources > /dev/null ; then
squidnosubscription=ON
elif grep "test" /etc/apt/sources.list.d/ceph.sources > /dev/null ; then
squidtest=ON
else
none=ON
fi
else
none=ON
fi
else
none=ON
fi
ceph_repo_selection=$(whiptail --title "SELECT PVE REPOSITORY" --backtitle "$PROG" \
--radiolist "Choose Ceph repository" 20 76 4 \
"none" "No Ceph repository" "$none" \
"squidenterprise" "Ceph Squid Enterprise repository" "$squidenterprise" \
"squidnosubscription" "Ceph Squid No Subscription repository" "$squidnosubscription" \
"squidtest" "Ceph Squid Testing repository" "$squidtest" 3>&1 1>&2 2>&3)
fi fi
ceph_repo_selection=$(whiptail --title "SELECT PVE REPOSITORY" --backtitle "$PROG" \
--radiolist "Choose Ceph repository" 20 76 7 \
"none" "No Ceph repository" "$none" \
"quincyenterprise" "Ceph Quincy Enterprise repository" "$quincyenterprise" \
"quincynosubscription" "Ceph Quincy No Subscription repository" "$quincynosubscription" \
"quincytest" "Ceph Quincy Testing repository" "$quincytest" \
"reefenterprise" "Ceph Reef Enterprise repository" "$reefenterprise" \
"reefnosubscription" "Ceph Reef No Subscription repository" "$reefnosubscription" \
"reeftest" "Ceph Reef Testing repository" "$reeftest" 3>&1 1>&2 2>&3)
} }
set_locales(){ set_locales(){
@@ -370,7 +465,9 @@ set_locales(){
set_ceph_repo(){ set_ceph_repo(){
log "Setting Ceph package repositories to $ceph_repo_selection" log "Setting Ceph package repositories to $ceph_repo_selection"
if [[ "$ceph_repo_selection" != "none" ]]; then if [[ "$ceph_repo_selection" != "none" ]]; then
if [[ "$ceph_repo_selection" == *"quincy"* ]]; then if [[ "$ceph_repo_selection" == *"squid"* ]]; then
generation=squid
elif [[ "$ceph_repo_selection" == *"quincy"* ]]; then
generation=quincy generation=quincy
elif [[ "$ceph_repo_selection" == *"reef"* ]]; then elif [[ "$ceph_repo_selection" == *"reef"* ]]; then
generation=reef generation=reef
@@ -385,48 +482,84 @@ set_ceph_repo(){
selection=test selection=test
server=http://download.proxmox.com server=http://download.proxmox.com
fi fi
echo "deb ${server}/debian/ceph-${generation} $(lsb_release -cs 2>/dev/null) ${selection}" > /etc/apt/sources.list.d/ceph.list if [[ "$VERSION_CODENAME" == "bookworm" ]] ; then
echo "deb ${server}/debian/ceph-${generation} $(lsb_release -cs 2>/dev/null) ${selection}" > /etc/apt/sources.list.d/ceph.list
else
cat << EOF > /etc/apt/sources.list.d/ceph.sources
Types: deb
URIs: http://download.proxmox.com/debian/ceph-${generation}
Suites: $VERSION_CODENAME
Components: ${selection}
Signed-By: /usr/share/keyrings/proxmox-archive-keyring.gpg
EOF
fi
else else
rm -f /etc/apt/sources.list.d/ceph.list if [[ "$VERSION_CODENAME" == "bookworm" ]] ; then
rm -f /etc/apt/sources.list.d/ceph.list
else
rm -f /etc/apt/sources.list.d/ceph.sources
fi
fi fi
} }
set_pve_repo(){ set_pve_repo(){
log "Setting Proxmox package repositories to $repo_selection" log "Setting Proxmox package repositories to $repo_selection"
nosub=$(grep pve-no-subscription /etc/apt/sources.list) if [[ "$VERSION_CODENAME" == "bookworm" ]]; then
enterprise=$(grep pve-enterprise /etc/apt/sources.list.d/pve-enterprise.list) nosub=$(grep pve-no-subscription /etc/apt/sources.list)
test=$(grep pvetest /etc/apt/sources.list) enterprise=$(grep pve-enterprise /etc/apt/sources.list.d/pve-enterprise.list)
if [[ $repo_selection == "pve-enterprise" ]]; then test=$(grep pvetest /etc/apt/sources.list)
echo "deb https://enterprise.proxmox.com/debian/pve $VERSION_CODENAME pve-enterprise" > /etc/apt/sources.list.d/pve-enterprise.list if [[ $repo_selection == "pve-enterprise" ]]; then
if [[ $nosub != "" ]] && [[ $nosub != *"#"* ]]; then echo "deb https://enterprise.proxmox.com/debian/pve $VERSION_CODENAME pve-enterprise" > /etc/apt/sources.list.d/pve-enterprise.list
sed -i "s|$nosub|# $nosub|g" /etc/apt/sources.list if [[ $nosub != "" ]] && [[ $nosub != *"#"* ]]; then
sed -i "s|$nosub|# $nosub|g" /etc/apt/sources.list
fi
if [[ $test != "" ]] && [[ $test != *"#"* ]]; then
sed -i "s|$test|# $test|g" /etc/apt/sources.list
fi
elif [[ $repo_selection == "pve-no-subscription" ]]; then
if [[ $nosub == "" ]]; then
echo -e "\ndeb http://download.proxmox.com/debian/pve $VERSION_CODENAME pve-no-subscription\n" >> /etc/apt/sources.list
elif [[ $nosub == *"#"* ]]; then
sed -i "s|$nosub|$(echo $nosub | cut -d' ' -f2-)|" /etc/apt/sources.list
fi
if [[ $enterprise != "" ]] && [[ $enterprise != *"#"* ]]; then
sed -i "s|$enterprise|# $enterprise|g" /etc/apt/sources.list.d/pve-enterprise.list
fi
if [[ $test != "" ]] && [[ $test != *"#"* ]]; then
sed -i "s|$test|# $test|g" /etc/apt/sources.list
fi
elif [[ $repo_selection == "pvetest" ]]; then
if [[ $test == "" ]]; then
echo -e "\ndeb http://download.proxmox.com/debian/pve $VERSION_CODENAME pvetest\n" >> /etc/apt/sources.list
elif [[ $test == *"#"* ]]; then
sed -i "s|$test|$(echo $test | cut -d' ' -f2-)|" /etc/apt/sources.list
fi
if [[ $nosub != "" ]] && [[ $nosub != *"#"* ]]; then
sed -i "s|$nosub|# $nosub|g" /etc/apt/sources.list
fi
if [[ $enterprise != "" ]] && [[ $enterprise != *"#"* ]]; then
sed -i "s|$enterprise|# $enterprise|g" /etc/apt/sources.list.d/pve-enterprise.list
fi
fi fi
if [[ $test != "" ]] && [[ $test != *"#"* ]]; then else
sed -i "s|$test|# $test|g" /etc/apt/sources.list if [[ $repo_selection == "pve-enterprise" ]]; then
fi rm -f /etc/apt/sources.list.d/proxmox.sources
elif [[ $repo_selection == "pve-no-subscription" ]]; then cat << EOF > /etc/apt/sources.list.d/pve-enterprise.sources
if [[ $nosub == "" ]]; then Types: deb
echo -e "\ndeb http://download.proxmox.com/debian/pve $VERSION_CODENAME pve-no-subscription\n" >> /etc/apt/sources.list URIs: https://enterprise.proxmox.com/debian/pve
elif [[ $nosub == *"#"* ]]; then Suites: $VERSION_CODENAME
sed -i "s|$nosub|$(echo $nosub | cut -d' ' -f2-)|" /etc/apt/sources.list Components: pve-enterprise
fi Signed-By: /usr/share/keyrings/proxmox-archive-keyring.gpg
if [[ $enterprise != "" ]] && [[ $enterprise != *"#"* ]]; then EOF
sed -i "s|$enterprise|# $enterprise|g" /etc/apt/sources.list.d/pve-enterprise.list elif [[ $repo_selection == "pve-no-subscription" ]] || [[ $repo_selection == "pvetest" ]]; then
fi rm -f /etc/apt/sources.list.d/pve-enterprise.sources
if [[ $test != "" ]] && [[ $test != *"#"* ]]; then cat << EOF > /etc/apt/sources.list.d/proxmox.sources
sed -i "s|$test|# $test|g" /etc/apt/sources.list Types: deb
fi URIs: http://download.proxmox.com/debian/pve/
elif [[ $repo_selection == "pvetest" ]]; then Suites: $VERSION_CODENAME
if [[ $test == "" ]]; then Components: $repo_selection
echo -e "\ndeb http://download.proxmox.com/debian/pve $VERSION_CODENAME pvetest\n" >> /etc/apt/sources.list Signed-By: /usr/share/keyrings/proxmox-archive-keyring.gpg
elif [[ $test == *"#"* ]]; then EOF
sed -i "s|$test|$(echo $test | cut -d' ' -f2-)|" /etc/apt/sources.list
fi
if [[ $nosub != "" ]] && [[ $nosub != *"#"* ]]; then
sed -i "s|$nosub|# $nosub|g" /etc/apt/sources.list
fi
if [[ $enterprise != "" ]] && [[ $enterprise != *"#"* ]]; then
sed -i "s|$enterprise|# $enterprise|g" /etc/apt/sources.list.d/pve-enterprise.list
fi fi
fi fi
} }
@@ -434,8 +567,18 @@ set_pve_repo(){
set_bashclub_repo (){ set_bashclub_repo (){
if [ $bashclub_repo -gt 0 ]; then if [ $bashclub_repo -gt 0 ]; then
log "Configuring bashclub apt repositories" log "Configuring bashclub apt repositories"
echo "deb [signed-by=/usr/share/keyrings/bashclub-archive-keyring.gpg] https://apt.bashclub.org/release bookworm main" > /etc/apt/sources.list.d/bashclub.list
wget -q -O- https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-archive-keyring.gpg wget -q -O- https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-archive-keyring.gpg
if [[ "$VERSION_CODENAME" == "bookworm" ]]; then
echo "deb [signed-by=/usr/share/keyrings/bashclub-archive-keyring.gpg] https://apt.bashclub.org/release $VERSION_CODENAME main" > /etc/apt/sources.list.d/bashclub.list
else
cat << EOF > /etc/apt/sources.list.d/bashclub.sources
Types: deb
URIs: https://apt.bashclub.org/release/
Suites: $VERSION_CODENAME
Components: main
Signed-By: /usr/share/keyrings/bashclub-archive-keyring.gpg
EOF
fi
fi fi
} }
@@ -531,7 +674,7 @@ harden_ssh(){
mv /etc/ssh/moduli.safe /etc/ssh/moduli mv /etc/ssh/moduli.safe /etc/ssh/moduli
log "Writing hardened SSH config" log "Writing hardened SSH config"
if [[ $VERSION_CODENAME == "bookworm" ]]; then if [[ $VERSION_CODENAME == "$CODENAME" ]]; then
echo -e "\n# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nKexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\nHostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com" > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf echo -e "\n# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nKexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\nHostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com" > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf
elif [[ $VERSION_CODENAME == "bullseye" ]]; then elif [[ $VERSION_CODENAME == "bullseye" ]]; then
sed -i 's/^\#HostKey \/etc\/ssh\/ssh_host_\(rsa\|ed25519\)_key$/HostKey \/etc\/ssh\/ssh_host_\1_key/g' /etc/ssh/sshd_config sed -i 's/^\#HostKey \/etc\/ssh\/ssh_host_\(rsa\|ed25519\)_key$/HostKey \/etc\/ssh\/ssh_host_\1_key/g' /etc/ssh/sshd_config
@@ -655,6 +798,21 @@ remove_virtiowin_updater() {
fi fi
} }
set_autotrim=0
set_autoexpand=0
ask_autotrim(){
if whiptail --title "ENABLE AUTOTRIM" --backtitle "$PROG" --yes-button "ENABLE" --no-button "SKIP" --yesno "Enable autotrim on all supported zpools?" 9 76 ; then
set_autotrim=1
fi
}
ask_autoexpand(){
if whiptail --title "ENABLE AUTOEXPAND" --backtitle "$PROG" --yes-button "ENABLE" --no-button "SKIP" --yesno "Enable autoexpand on all zpools?" 9 76 ; then
set_autoexpand=1
fi
}
installation_task(){ installation_task(){
log "Starting Installation" log "Starting Installation"
@@ -676,9 +834,26 @@ installation_task(){
set_default_volblocksize set_default_volblocksize
remove_virtiowin_updater remove_virtiowin_updater
if [ $set_autotrim -gt 0 ]; then
log "Enabling autotrim on all supported zpools"
for p in $(zpool list -H -o name); do
if ! zpool status -t $p | grep -q "trim unsupported"; then
zpool set autotrim=on $p
fi
done
fi
if [ $set_autoexpand -gt 0 ]; then
log "Enabling autoexpand on all zpools"
for p in $(zpool list -H -o name); do
zpool set autoexpand=on $p
done
fi
log "Setting local storage content to: $content"
pvesm set local --content ${content}
log "Updating initramfs - This will take some time..." log "Updating initramfs - This will take some time..."
update-initramfs -u -k all > /dev/null 2>&1 update-initramfs -u -k all > /dev/null 2>&1
} }
summary(){ summary(){
@@ -709,8 +884,16 @@ summary(){
smarthost mode: $smtpmode smarthost mode: $smtpmode
smarthost auth: $smtpauth smarthost auth: $smtpauth
smarthost username: $username smarthost username: $username
set blocksize: $setblocksize set blocksize: $setblocksize\n\
volblocksize: $volblocksize volblocksize: $volblocksize\n\
local storage content: $content\n\
ceph repository: $ceph_repo_selection\n\
bashclub repository: $bashclub_repo\n\
virtio-win iso: $install_virtio\n\
zsync: $install_zsync\n\
autotrim: $set_autotrim\n\
autoexpand: $set_autoexpand\n\
Do you want to continue?
" 30 76 ; then " 30 76 ; then
installation_task installation_task
else else
@@ -720,6 +903,11 @@ summary(){
source /etc/os-release source /etc/os-release
if [[ "bookworm trixie" != *"$VERSION_CODENAME"* ]]; then
echo "Your Proxmox VE version $VERSION_CONDENAME is unsuported. Please use Proxmox 8 (bookworm) or Proxmox 9 (trixie). Exiting"
exit 1
fi
# Calculate and suggest values for ZFS L1ARC cache # Calculate and suggest values for ZFS L1ARC cache
arc_suggestion arc_suggestion
@@ -753,6 +941,13 @@ ask_mail_config
# set volblocksize # set volblocksize
ask_volblocksize ask_volblocksize
# ask for local storage content
ask_local_content
# ask for autotrim/autoexpand
ask_autotrim
ask_autoexpand
summary summary
log "Proxmox postinstallation finished!" log "Proxmox postinstallation finished!"