@albertmoravec
Last active April 29, 2022 22:35
Proxmox Hetzner setup
default-lease-time 600;
max-lease-time 7200;

subnet 10.50.0.0 netmask 255.255.255.0 {
  range 10.50.0.10 10.50.0.240;
  option routers 10.50.0.1;
}
apt-get update
apt-get install ca-certificates curl gnupg lsb-release
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
apt-get update
apt-get install docker-ce docker-ce-cli containerd.io
curl -L "https://github.com/docker/compose/releases/download/v1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
docker plugin install grafana/loki-docker-driver:latest --alias loki --grant-all-permissions

Configure /etc/docker/daemon.json and restart Docker service

{
    "userland-proxy": false,
    "log-driver": "loki",
    "log-opts": {
        "loki-url": "http://localhost:3500/loki/api/v1/push"
    }
}

Create /srv/docker and set permissions

usermod -aG docker root
mkdir /srv/docker
chown root:docker /srv/docker
chmod 775 /srv/docker

Don't forget to add Promtail container

# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

iface lo inet6 loopback

auto enp7s0
iface enp7s0 inet static
        address 136.243.151.3/26
        gateway 136.243.151.1
        up route add -net 136.243.151.0 netmask 255.255.255.192 gw 136.243.151.1 dev enp7s0
# route 136.243.151.0/26 via 136.243.151.1

iface enp7s0 inet6 static
        address 2a01:4f8:171:19b0:14a5:69be:7e23:89/128
        gateway fe80::1

auto vmbr0
iface vmbr0 inet static
        address 176.9.160.209/28
        bridge-ports none
        bridge-stp off
        bridge-fd 0
#public interfaces

iface vmbr0 inet6 static
        address 2a01:4f8:171:19b0::3/64
        up ip -6 route add 2a01:4f8:171:19b0::/64 dev vmbr0

auto vmbr1
iface vmbr1 inet static
        address 10.40.0.1/16
        bridge-ports none
        bridge-stp off
        bridge-fd 0
#isolated private bridge

auto vmbr2
iface vmbr2 inet static
        address 10.50.0.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
#NATed bridge
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '10.50.0.0/24' -o enp7s0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.50.0.0/24' -o enp7s0 -j MASQUERADE
        post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
        post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1

  • Start with Rocky Linux 8
  • dnf -y update
  • dnf -y install epel-release
  • dnf -y install vim nano mc htop wget curl git zsh
  • Install oh-my-zsh:
    • sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"
    • Enable auto update
    • Use following plugins: git z sudo systemd
    • source .zshrc
  • Set full hostname in /etc/hostname: ipa.km8.vm
  • TODO: Install firewalld?
  • Add -x flag to /etc/sysconfig/chronyd when in LXC container
  • dnf -y install ipa-server ipa-server-dns bind-dyndb-ldap
  • Install FreeIPA server and sit back
ipa-server-install -v --hostname ipa.km8.vm --unattended --setup-dns --auto-reverse --forwarder 185.12.64.1 --forwarder 185.12.64.2 --domain=km8.vm --realm=KM8.VM --no-host-dns --idstart=500000 --idmax=600000 --setup-kra --reverse-zone=40.10.in-addr.arpa --ds-password pass --admin-password pass --mkhomedir

Since DNS forwarding does not work, configure it as follows:

Add the following lines to /etc/named/ipa-ext.conf:

acl "trusted_networks" {
  localhost;
  localnets;
  10.19.49.0/24;
  10.19.48.0/24;
  10.40.0.0/16;
};

Add the following lines to /etc/named/ipa-options-ext.conf:

allow-recursion { trusted_networks; };

forwarders {
  185.12.64.1;
  185.12.64.2;
  1.1.1.1;
};
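The two include files above do two separate jobs: the acl plus allow-recursion keep named from acting as an open resolver for anyone who can reach it, and the forwarders block hands recursion to upstream resolvers. Both are easy to get subtly wrong (an unterminated forwarder entry is a syntax error that stops named from loading; an over-broad acl makes the server recurse for the public internet). The following is an added example, not part of the gist, that reads constructed copies of both files, flags forwarder entries missing their ';', and answers "would this client be allowed to recurse?" by expanding the acl. The built-in 'localnets' depends on the host's interfaces, so it is passed in by the caller; negated entries ('!') are not handled.

```python
import ipaddress
import re

# Constructed copies of the two BIND include files from these notes. The
# forwarders block is reproduced with the two missing semicolons so the lint
# below has something to catch; named itself refuses to start on such a file.
IPA_EXT = """\
acl "trusted_networks" {
  localhost;
  localnets;
  10.19.49.0/24;
  10.19.48.0/24;
  10.40.0.0/16;
};
"""

OPTIONS_EXT = """\
allow-recursion { trusted_networks; };

forwarders {
  185.12.64.1
  185.12.64.2
  1.1.1.1;
};
"""

# Built-in BIND address match lists that need no acl statement. 'localnets'
# depends on the host's interfaces, so the caller supplies it.
BUILTIN = {"localhost": ["127.0.0.0/8", "::1/128"], "any": ["0.0.0.0/0", "::/0"], "none": []}


def parse_acls(text):
    """Map each 'acl "name" { ... };' statement to its list of entries."""
    acls = {}
    for name, body in re.findall(r'acl\s+"?([\w-]+)"?\s*\{(.*?)\};', text, re.S):
        acls[name] = [e.strip() for e in body.split(";") if e.strip()]
    return acls


def lint_forwarders(text):
    """Return forwarder entries not terminated by ';' (a syntax error for named)."""
    block = re.search(r"forwarders\s*\{(.*?)\};", text, re.S)
    if block is None:
        return []
    lines = [l.strip() for l in block.group(1).splitlines() if l.strip()]
    return [l for l in lines if not l.endswith(";")]


def expand(entry, acls, localnets):
    """Resolve one address-match-list entry into concrete networks."""
    if entry in acls:
        return [n for e in acls[entry] for n in expand(e, acls, localnets)]
    if entry == "localnets":
        return [ipaddress.ip_network(n) for n in localnets]
    if entry in BUILTIN:
        return [ipaddress.ip_network(n) for n in BUILTIN[entry]]
    return [ipaddress.ip_network(entry)]


def recursion_allowed(client, options_text, acls, localnets=()):
    """True if `client` matches the allow-recursion list, i.e. this server would
    recurse on its behalf. A public address matching here means the server is
    an open resolver."""
    clause = re.search(r"allow-recursion\s*\{(.*?)\};", options_text, re.S)
    if clause is None:
        raise ValueError("no allow-recursion clause; named would apply its built-in default")
    entries = [e.strip() for e in clause.group(1).split(";") if e.strip()]
    ip = ipaddress.ip_address(client)
    nets = [n for e in entries for n in expand(e, acls, localnets)]
    return any(n.version == ip.version and ip in n for n in nets)


if __name__ == "__main__":
    print("unterminated forwarders:", lint_forwarders(OPTIONS_EXT))
    acls = parse_acls(IPA_EXT)
    for who in ("10.40.0.7", "127.0.0.1", "8.8.8.8"):
        print(who, "may recurse:", recursion_allowed(who, OPTIONS_EXT, acls))
```

On the real host, `named-checkconf` is the authoritative syntax check and should be run before every restart; the script above is only a way to reason about the acl offline, for instance to confirm that a guest on the NATed 10.50.0.0/24 bridge is refused recursion unless that network is added to the acl.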

Install client by using

ipa-client-install -v --unattended --mkhomedir --no-ntp --password pass
  • installimage
  • other -> proxmox on buster
  • set hostname to omega.keenmate.com
  • use partitioning from the conf file
  • leave the rest on default (different partitioning might be desirable)
  • passwd
  • optionally upgrade to bullseye
    • apt update
    • apt dist-upgrade
    • sed -i 's/buster\/updates/bullseye-security/g;s/buster/bullseye/g' /etc/apt/sources.list
    • sed -i -e 's/buster/bullseye/g' /etc/apt/sources.list.d/proxmox.list
    • apt update
    • apt dist-upgrade
    • I did not update ssh_config and sshd_config when asked
    • reboot
    • Reconnect
    • apt autoremove
  • apt-get install ifupdown2 wireguard
  • configure /etc/network/interfaces according to the configuration here
  • add sysctl options to enable routing
    • net.ipv4.ip_forward=1
    • net.ipv6.conf.all.forwarding=1
  • create space for VMs
    • lvcreate -L 3T -n data pve
    • lvextend --poolmetadatasize 1G pve/data
    • lvconvert --type thin-pool pve/data
  • add LVM-Thin as data storage
    • Proxmox -> Datacenter -> Storage -> Add -> LVM-Thin
    • ID: local-lvm
    • Volume Group: pve
    • Thin pool: data
    • Content: Disk image, Container
  • download LXC container templates in Proxmox -> Storage -> local -> CT Templates
  • configure hetzner backup storage
    • type: CIFS
    • ID: hetzner-backup
    • server: <userid>.your-storagebox.de
    • share: backup
    • content: VZDump backup file
  • configure private network for VMs
    • Proxmox -> node -> Network -> New Linux Bridge
    • Name: vmbr1
    • IP Address: 10.40.0.1/24
    • Create new network interfaces on VMs with IP from range: 10.0.0.0/24
  • On wireguard add 10.40.0.0/16 to AllowedIPs
  • DHCP server for NATed bridge
    • apt install isc-dhcp-server
    • Add content to /etc/dhcp/dhcpd.conf
    • Enable IPv4 DHCP on vmbr2 in /etc/default/isc-dhcp-server
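The NATed bridge only works when three files agree: the vmbr2 address in /etc/network/interfaces, the source network in the MASQUERADE rule, and the subnet, pool and router in /etc/dhcp/dhcpd.conf. The MASQUERADE rule is also the thing that keeps vmbr1 "isolated": if its source were widened (say to 10.0.0.0/8), guests on the private bridge would quietly gain internet egress too. The following is an added example, not part of the gist, that parses constructed copies of the vmbr2 stanza and dhcpd.conf and reports any disagreement between them, so the check can be re-run whenever the subnet is changed.

```python
import ipaddress
import re

# Constructed copies of two files from these notes (the vmbr2 stanza of
# /etc/network/interfaces and /etc/dhcp/dhcpd.conf); adjust for your host.
INTERFACES = """\
auto vmbr2
iface vmbr2 inet static
    address 10.50.0.1/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '10.50.0.0/24' -o enp7s0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.50.0.0/24' -o enp7s0 -j MASQUERADE
"""

DHCPD = """\
default-lease-time 600;
max-lease-time 7200;
subnet 10.50.0.0 netmask 255.255.255.0 {
  range 10.50.0.10 10.50.0.240;
  option routers 10.50.0.1;
}
"""


def parse_bridge(text, name):
    """Return (bridge address, MASQUERADE source networks, ip_forward enabled)
    from one 'iface <name> inet static' stanza of an ifupdown interfaces file."""
    stanza = re.search(rf"^iface {name} inet static\n((?:[ \t]+.*\n)*)", text, re.M)
    if stanza is None:
        raise ValueError(f"no stanza for {name}")
    body = stanza.group(1)
    addr = ipaddress.ip_interface(re.search(r"^\s*address (\S+)", body, re.M).group(1))
    masq = [ipaddress.ip_network(s.strip("'\""))
            for s in re.findall(r"POSTROUTING -s (\S+) -o \S+ -j MASQUERADE", body)]
    forward = bool(re.search(r"echo 1 > /proc/sys/net/ipv4/ip_forward", body))
    return addr, masq, forward


def parse_dhcp(text):
    """Return (subnet, pool start, pool end, router) from the first subnet block."""
    block = re.search(r"subnet (\S+) netmask (\S+) \{(.*?)\}", text, re.S)
    net = ipaddress.ip_network(f"{block.group(1)}/{block.group(2)}")
    body = block.group(3)
    lo, hi = re.search(r"range (\S+) (\S+);", body).groups()
    router = re.search(r"option routers (\S+);", body).group(1)
    return (net, ipaddress.ip_address(lo), ipaddress.ip_address(hi),
            ipaddress.ip_address(router))


def check(interfaces=INTERFACES, dhcpd=DHCPD, bridge="vmbr2"):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    addr, masq, forward = parse_bridge(interfaces, bridge)
    net, lo, hi, router = parse_dhcp(dhcpd)

    if not forward:
        findings.append(f"{bridge}: ip_forward is never enabled, guests cannot reach upstream")
    if addr.network != net:
        findings.append(f"bridge network {addr.network} differs from DHCP subnet {net}")
    if router != addr.ip:
        findings.append(f"DHCP router {router} is not the bridge address {addr.ip}")
    if not (lo in net and hi in net and lo < hi):
        findings.append(f"DHCP pool {lo}-{hi} is not inside {net}")
    if lo <= router <= hi:
        findings.append(f"router {router} lies inside the DHCP pool and may be leased out")

    # The NAT rule must be scoped to exactly this bridge: a wider source (say
    # 10.0.0.0/8) would also give the "isolated" vmbr1 guests egress.
    wider = [m for m in masq if m != addr.network and addr.network.subnet_of(m)]
    if wider:
        findings.append(f"MASQUERADE source {wider[0]} is wider than {addr.network}: "
                        "other bridges would be NATed too")
    elif addr.network not in masq:
        findings.append(f"no MASQUERADE rule for {addr.network}, guests will have no egress")
    return findings


if __name__ == "__main__":
    for finding in check() or ["ok: interfaces and dhcpd.conf agree"]:
        print(finding)
```

Point the two constants at the real files (or read them with open()) and run it after editing either file; the page's own values produce no findings.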
PART /boot ext4 512M
PART lvm pve all
LV pve swap swap swap 16G
LV pve root / ext4 250G
LV pve storage /srv/storage ext4 2T

Configuring PowerDNS server

  • Create new zone for VMs: pdnsutil create-zone keenmate.vm ns1.keenmate.vm
  • Create new A record for web-04.keenmate.vm: pdnsutil add-record keenmate.vm web-04 A 10.0.0.3
  • Add wildcard for web-04.keenmate.vm: pdnsutil add-record keenmate.vm *.web-04 A 10.40.0.3

Baremetal Promtail setup

PROMTAIL_VERSION=2.4.0
sudo mkdir -p /opt/promtail
# the release asset is a zip archive (not gzip), so it must be unzipped, not gunzipped
sudo wget -qO /opt/promtail/promtail.zip "https://github.com/grafana/loki/releases/download/v${PROMTAIL_VERSION}/promtail-linux-amd64.zip"
sudo unzip -o /opt/promtail/promtail.zip -d /opt/promtail
sudo mv /opt/promtail/promtail-linux-amd64 /opt/promtail/promtail
sudo chmod a+x /opt/promtail/promtail
sudo ln -s /opt/promtail/promtail /usr/local/bin/promtail

Create promtail service file /etc/systemd/system/promtail.service:

[Unit]
Description=Promtail client for sending logs to Loki
After=network.target

[Service]
ExecStart=/opt/promtail/promtail -config.file=/opt/promtail/promtail-local-config.yaml
Restart=always
TimeoutStopSec=3

[Install]
WantedBy=multi-user.target

Add promtail configuration to /opt/promtail/promtail-local-config.yaml

server:
  http_listen_port: 9080
  grpc_listen_port: 0

positions:
  filename: /tmp/positions.yaml

clients:
  - url: http://web-02.km8.vm:3100/loki/api/v1/push
    external_labels:
      host: db-02

scrape_configs:
  - job_name: local
    static_configs:
      - targets:
        - localhost
        labels:
          job: varlogs
          __path__: /var/log/*log
  - job_name: journal
    journal:
      json: false
      max_age: 12h
      path: /var/log/journal
      labels:
        job: systemd-journal
    relabel_configs:
      - source_labels: ['__journal__systemd_unit']
        target_label: 'unit'