Post proxmox install
#!/usr/bin/env bash
################################################################################
# This is property of eXtremeSHOK.com
# You are free to use, modify and distribute, however you may not remove this notice.
# Copyright (c) Adrian Jon Kriel :: admin@extremeshok.com
################################################################################
#
# Script updates can be found at: https://github.com/extremeshok/xshok-proxmox
#
# post-installation script for Proxmox
#
# License: BSD (Berkeley Software Distribution)
#
################################################################################
#
# Assumptions: Proxmox VE is installed and this script is run as root (it rewrites files under /etc, /bin and /boot, replaces /bin/gzip and restarts services)
#
# Notes:
# to disable the MOTD banner, set the env NO_MOTD_BANNER to true (export NO_MOTD_BANNER=true)
# (note: nothing in this copy of the script reads NO_MOTD_BANNER, so the setting has no effect here)
#
################################################################################
#
# THERE ARE NO USER CONFIGURABLE OPTIONS IN THIS SCRIPT
# (the trailing SSH/CSF/logwatch section hard-codes site-specific values: SSH port 7850, the
#  Europe/Madrid timezone and tecneca.com alert addresses - review them before running elsewhere)
#
################################################################################
# Set the locale for the duration of the script.
# LC_ALL takes precedence over LANG, so the tools below effectively run in the "C" locale;
# LANG=es_ES.UTF-8 only matters to anything that inspects LANG directly.
export LANG="es_ES.UTF-8"
export LC_ALL="C"
## Force APT to use IPv4
printf 'Acquire::ForceIPv4 "true";\n\n' > /etc/apt/apt.conf.d/99force-ipv4
## disable enterprise proxmox repo (the deb line is commented out, the file itself is kept)
PVE_ENTERPRISE_LIST=/etc/apt/sources.list.d/pve-enterprise.list
if [ -f "$PVE_ENTERPRISE_LIST" ]; then
  printf '#deb https://enterprise.proxmox.com/debian stretch pve-enterprise\n\n' > "$PVE_ENTERPRISE_LIST"
fi
## enable public proxmox repo, unless any of the known repo files is already present
PVE_REPO_PRESENT=0
for repo_file in /etc/apt/sources.list.d/proxmox.list /etc/apt/sources.list.d/pve-public-repo.list /etc/apt/sources.list.d/pve-install-repo.list ; do
  if [ -f "$repo_file" ]; then
    PVE_REPO_PRESENT=1
  fi
done
if [ "$PVE_REPO_PRESENT" -eq 0 ]; then
  printf 'deb http://download.proxmox.com/debian stretch pve-no-subscription\n\n' > /etc/apt/sources.list.d/pve-public-repo.list
fi
## Add non-free to sources (idempotent: a second run no longer finds "main contrib")
sed -i "s/main contrib/main non-free contrib/g" /etc/apt/sources.list
## Add the latest ceph provided by proxmox
# NOTE: the release codename "stretch" (Debian 9 / PVE 5) and the ceph "luminous" repo are hard-coded;
# the repos are fetched over plain http, so integrity rests on apt's Release signature check.
printf '%s\n' "deb http://download.proxmox.com/debian/ceph-luminous stretch main" > /etc/apt/sources.list.d/ceph.list
## Refresh the package lists (stdout silenced, errors still reach stderr)
apt-get update > /dev/null
## Non-interactive apt wrapper used in this section: never prompt, keep existing conffiles on conflict.
xshok_apt() {
  /usr/bin/env DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::='--force-confdef' "$@"
}
## Remove conflicting utilities (time is later handled by systemd-timesyncd, KSM by ksmtuned)
xshok_apt purge ntp openntpd chrony ksm-control-daemon
## Fix no public key error for debian repo
xshok_apt install debian-archive-keyring
## Update proxmox and install various system utils
xshok_apt dist-upgrade
## Refresh the Proxmox appliance/template index
pveam update
## Fix no public key error for debian repo (repeated after the dist-upgrade, as in the original)
xshok_apt install debian-archive-keyring
## Install openvswitch for a virtual internal network
xshok_apt install openvswitch-switch
## Install zfs support, appears to be missing on some Proxmox installs.
# NOTE(review): the package name "zfsutils" is kept as-is - confirm it resolves on the target release.
xshok_apt install zfsutils
## Install zfs-auto-snapshot
xshok_apt install zfs-auto-snapshot
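## Tune zfs-auto-snapshot retention.
# The original comments promised 12 frequent / 24 hourly / 4 weekly / 3 monthly snapshots while
# the code set 5 / 12 / 1 / 1; the comments below now describe what is actually configured.
# Rewrites every "--keep=N" in a zfs-auto-snapshot cron file to the given count; does nothing
# when the file is absent (the package does not necessarily install every cron entry).
# Arguments: $1 - cron file, $2 - number of snapshots to keep (digits only, it is spliced into sed)
xshok_zfs_snapshot_keep() {
  local cron_file="$1" keep="$2"
  if [ -f "$cron_file" ] ; then
    sed -i "s|--keep=[0-9]*|--keep=$keep|g" "$cron_file"
  fi
}
# frequent: run every 5 minutes, keep 5 of them (leading '*' is literal in a BRE, so this matches "*/N")
if [ -f "/etc/cron.d/zfs-auto-snapshot" ] ; then
  sed -i 's|*/[0-9]*|*/5|g' /etc/cron.d/zfs-auto-snapshot
fi
xshok_zfs_snapshot_keep /etc/cron.d/zfs-auto-snapshot 5
# keep 12 hourly snapshots
xshok_zfs_snapshot_keep /etc/cron.hourly/zfs-auto-snapshot 12
# keep 7 daily snapshots
xshok_zfs_snapshot_keep /etc/cron.daily/zfs-auto-snapshot 7
# keep 1 weekly snapshot
xshok_zfs_snapshot_keep /etc/cron.weekly/zfs-auto-snapshot 1
# keep 1 monthly snapshot
xshok_zfs_snapshot_keep /etc/cron.monthly/zfs-auto-snapshot 1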
## Install missing ksmtuned (replaces the ksm-control-daemon purged above) and enable both KSM units
/usr/bin/env DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::='--force-confdef' install ksmtuned
for ksm_unit in ksmtuned ksm ; do
  systemctl enable "$ksm_unit"
done
## Install ceph support; pveceph asks for confirmation, so answer it non-interactively
echo "Y" | pveceph install
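## Install common system utilities (pigz, whois, curl, ipset are relied on by later sections)
/usr/bin/env DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::='--force-confdef' install whois omping tmux sshpass wget axel nano pigz net-tools htop iptraf iotop iftop iperf vim vim-nox unzip zip software-properties-common aptitude curl dos2unix dialog mlocate build-essential git ipset
#snmpd snmp-mibs-downloader
## Install kexec, allows for quick reboots into the latest updated kernel set as primary in the boot-loader.
# use command 'reboot-quick'
# Preseed the package's load_kexec question to "false" so the install does not prompt; only the
# explicit kexec-pve unit below (triggered by 'systemctl kexec') loads a kernel.
echo "kexec-tools kexec-tools/load_kexec boolean false" | debconf-set-selections
/usr/bin/env DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::='--force-confdef' install kexec-tools
# Stage the kernel/initrd at /boot/pve/* right before shutdown so 'systemctl kexec' boots into them.
cat <<'EOF' > /etc/systemd/system/kexec-pve.service
[Unit]
Description=boot into into the latest pve kernel set as primary in the boot-loader
Documentation=man:kexec(8)
DefaultDependencies=no
Before=shutdown.target umount.target final.target
[Service]
Type=oneshot
ExecStart=/sbin/kexec -l /boot/pve/vmlinuz --initrd=/boot/pve/initrd.img --reuse-cmdline
[Install]
WantedBy=kexec.target
EOF
systemctl enable kexec-pve.service
# Append the alias only once: the original appended unconditionally, so every re-run added a copy.
if ! grep -qF "alias reboot-quick=" /root/.bash_profile 2>/dev/null ; then
  echo "alias reboot-quick='systemctl kexec'" >> /root/.bash_profile
fi
## Remove no longer required packages and purge old cached updates
/usr/bin/env DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::='--force-confdef' autoremove
/usr/bin/env DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::='--force-confdef' autoclean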
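## Disable portmapper / rpcbind (security)
systemctl disable rpcbind
systemctl stop rpcbind
# If the distribution ships an rpcbind.socket unit, leaving it enabled lets systemd socket-activate
# rpcbind again on the first incoming portmapper connection, undoing the two lines above.
systemctl disable rpcbind.socket 2>/dev/null
systemctl stop rpcbind.socket 2>/dev/null
## Set Timezone to UTC and enable NTP (the local additions at the end of this script later switch
## the timezone to Europe/Madrid; the NTP setup stays in effect)
timedatectl set-timezone UTC
cat <<EOF > /etc/systemd/timesyncd.conf
[Time]
NTP=0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org
FallbackNTP=0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org
RootDistanceMaxSec=5
PollIntervalMinSec=32
PollIntervalMaxSec=2048
EOF
service systemd-timesyncd start
timedatectl set-ntp true
## Set pigz to replace gzip, 2x faster gzip compression
# NOTE: /bin/gzip is a dpkg-managed file. The next gzip package upgrade puts the real binary back,
# and 'dpkg --verify gzip' reports the modified file until then.
# GZIP="-1" is kept from the original wrapper, but it is assigned without export, so the exec'd pigz
# never sees it and runs at its default level. It is left as-is rather than exported, because that
# would change the output of every gzip caller on the host.
cat <<'EOF' > /bin/pigzwrapper
#!/bin/sh
PATH=/bin:$PATH
GZIP="-1"
exec /usr/bin/pigz "$@"
EOF
# Preserve the stock gzip only the first time: a second run of the original unconditionally moved the
# wrapper over gzip.original and the real binary was lost for good.
if [ ! -e /bin/gzip.original ] ; then
  mv -f /bin/gzip /bin/gzip.original
fi
cp -f /bin/pigzwrapper /bin/gzip
chmod +x /bin/pigzwrapper
chmod +x /bin/gzip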
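## Detect if this is an OVH server by getting the global IP and checking the ASN
# Best-effort: if the public-IP lookup fails, the ASN lookup is skipped and nothing is installed.
PUBLIC_IP="$(curl -fsS https://ipinfo.io/ip 2> /dev/null)"
if [ -n "$PUBLIC_IP" ] && whois -h v4.whois.cymru.com " -t $PUBLIC_IP" | tail -n 1 | cut -d'|' -f3 | grep -qi "ovh" ; then
  echo "Detected OVH Server, installing OVH RTM (real time monitoring)"
  #http://help.ovh.co.uk/RealTimeMonitoring
  # SECURITY: this fetches a vendor script over plain FTP (no transport authentication, no checksum or
  # signature to verify against) and runs it as root. Review the script, or pin a vetted copy, before
  # trusting it on anything sensitive. Downloading into a private temp dir (instead of the current
  # directory) and running it only when the download succeeded means a failed fetch can never fall
  # through to executing a file somebody else placed there.
  RTM_TMP="$(mktemp -d)"
  if [ -n "$RTM_TMP" ] && wget -c -O "$RTM_TMP/install_rtm.sh" ftp://ftp.ovh.net/made-in-ovh/rtm/install_rtm.sh ; then
    bash "$RTM_TMP/install_rtm.sh"
  else
    echo "WARNING: could not download the OVH RTM installer; skipping" >&2
  fi
  if [ -n "$RTM_TMP" ] ; then
    rm -rf -- "$RTM_TMP"
  fi
fi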
## Protect the web interface with fail2ban
/usr/bin/env DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::='--force-confdef' install fail2ban
F2B_DIR=/etc/fail2ban
# Filter: match pvedaemon's "authentication failure" lines; <HOST> is fail2ban's client-address placeholder.
# The heredoc delimiter is quoted so the backslash and <HOST> are written literally (this also makes the
# shellcheck SC1117 exception of the original unnecessary).
cat <<'EOF' > "$F2B_DIR/filter.d/proxmox.conf"
[Definition]
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
ignoreregex =
EOF
# Jail: three failures ban the source for one hour on the web ports (8006 is the Proxmox UI).
cat <<'EOF' > "$F2B_DIR/jail.d/proxmox.conf"
[proxmox]
enabled = true
port = https,http,8006
filter = proxmox
logpath = /var/log/daemon.log
maxretry = 3
# 1 hour
bantime = 3600
EOF
# Bans go through iptables + ipset (the ipset package is installed with the utilities above).
cat <<'EOF' > "$F2B_DIR/jail.local"
[DEFAULT]
banaction = iptables-ipset-proto4
EOF
systemctl enable fail2ban
# NOTE(review): the jail reads /var/log/daemon.log; if pvedaemon only logs to the journal on the
# target release, that file is missing and the jail never fires - run the test below to confirm.
##testing
#fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox.conf
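## Increase vzdump backup speed, enable pigz and fix ionice
# These only replace the commented-out defaults, so a re-run finds no "#bwlimit:" etc. and changes nothing.
sed -i "s/#bwlimit:.*/bwlimit: 0/" /etc/vzdump.conf
sed -i "s/#pigz:.*/pigz: 1/" /etc/vzdump.conf
sed -i "s/#ionice:.*/ionice: 5/" /etc/vzdump.conf
## Bugfix: pve 5.1 high swap usage with low memory usage  -> vm.swappiness=10
## Bugfix: reserve 512MB memory for system                -> vm.min_free_kbytes=524288
# Append each setting only if that exact line is not already present: the original appended
# unconditionally, so every run of the script added another copy to /etc/sysctl.conf.
for sysctl_kv in "vm.swappiness=10" "vm.min_free_kbytes = 524288" ; do
  if ! grep -qxF -- "$sysctl_kv" /etc/sysctl.conf 2>/dev/null ; then
    printf '%s\n' "$sysctl_kv" >> /etc/sysctl.conf
  fi
done
# One reload covers both settings (the original reloaded after each append).
sysctl -p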
## Remove subscription banner
# Patches the widget toolkit so the subscription-status condition is always false.
# NOTE: this edits a package-managed file; a toolkit upgrade presumably restores it, which is why a
# daily cron re-applies the same patch. The sed is idempotent (a second run finds nothing to replace).
PVE_TOOLKIT_JS=/usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js
if [ -f "$PVE_TOOLKIT_JS" ] ; then
  sed -i "s/data.status !== 'Active'/false/g" "$PVE_TOOLKIT_JS"
  # create a daily cron to make sure the banner does not re-appear
  cat <<'EOF' > /etc/cron.daily/proxmox-nosub
#!/bin/sh
sed -i "s/data.status !== 'Active'/false/g" /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js
EOF
  chmod 755 /etc/cron.daily/proxmox-nosub
fi
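## Increase max user watches
# BUG FIX : No space left on device
# Appends a line to a config file only if that exact line is not already present, so re-running
# this script does not keep accumulating duplicates (the original appended unconditionally).
# Arguments: $1 - target file (created if missing), $2 - exact line to ensure
xshok_append_once() {
  local target="$1" line="$2"
  if ! grep -qxF -- "$line" "$target" 2>/dev/null ; then
    printf '%s\n' "$line" >> "$target"
  fi
}
echo 1048576 > /proc/sys/fs/inotify/max_user_watches
xshok_append_once /etc/sysctl.conf "fs.inotify.max_user_watches=1048576"
sysctl -p /etc/sysctl.conf
## Increase max FD limit / ulimit
# SECURITY NOTE: the '*' nproc entries raise the per-user process ceiling for every account, which
# removes most of the protection pam_limits gives against a runaway or fork-bombing unprivileged
# user. Acceptable when only trusted admins have shell access to the hypervisor; otherwise drop the
# '*' nproc lines and keep the root/nofile ones.
if ! grep -qF "eXtremeSHOK.com Increase max FD limit / ulimit" /etc/security/limits.conf 2>/dev/null ; then
  cat <<EOF >> /etc/security/limits.conf
# eXtremeSHOK.com Increase max FD limit / ulimit
* soft nproc 256000
* hard nproc 256000
* soft nofile 256000
* hard nofile 256000
root soft nproc 256000
root hard nproc 256000
root soft nofile 256000
root hard nofile 256000
EOF
fi
## Enable TCP BBR congestion control (whole file is rewritten, so this is idempotent as-is)
cat <<EOF > /etc/sysctl.d/10-kernel-bbr.conf
# eXtremeSHOK.com
# TCP BBR congestion control
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
EOF
## Increase kernel max Key limit
cat <<EOF > /etc/sysctl.d/60-maxkeys.conf
# eXtremeSHOK.com
# Increase kernel max Key limit
kernel.keys.root_maxkeys=1000000
kernel.keys.maxkeys=1000000
EOF
## Set systemd ulimits
xshok_append_once /etc/systemd/system.conf "DefaultLimitNOFILE=256000"
xshok_append_once /etc/systemd/user.conf "DefaultLimitNOFILE=256000"
# NOTE(review): like the original 'tee -a', this creates /etc/pam.d/runuser-l if it does not exist;
# confirm the file is shipped on the target release, since a PAM service file holding only a
# session line is not a complete configuration.
for pam_file in common-session-noninteractive common-session runuser-l ; do
  xshok_append_once "/etc/pam.d/$pam_file" 'session required pam_limits.so'
done
## Set ulimit for the shell user (root's home, since this script runs as root)
# The original did 'cd ~ && echo >> .bashrc ; echo >> .profile', so a failed cd wrote .profile into
# whatever the current directory was; absolute paths avoid that and avoid changing the script's cwd.
for shell_rc in "$HOME/.bashrc" "$HOME/.profile" ; do
  xshok_append_once "$shell_rc" "ulimit -n 256000"
done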
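## Optimise ZFS arc size
# Prints "<arc_min> <arc_max>" in bytes for a host with the given amount of RAM in GB:
# below 16 GB both bounds are pinned to 1 GiB, otherwise arc_min = RAM/16 and arc_max = RAM/8,
# and neither is ever allowed below 1 GiB (guards against a bogus or missing vmstat reading).
# Arguments: $1 - RAM in GB (integer; empty/unset is treated as 0)
xshok_zfs_arc_bounds() {
  local ram_gb="${1:-0}"
  local gib=1073741824
  local arc_min arc_max
  if (( ram_gb < 16 )); then
    arc_min=$gib
    arc_max=$gib
  else
    arc_min=$(( ram_gb * gib / 16 ))
    arc_max=$(( ram_gb * gib / 8 ))
  fi
  if (( arc_min < gib )); then
    arc_min=$gib
  fi
  if (( arc_max < gib )); then
    arc_max=$gib
  fi
  printf '%s %s\n' "$arc_min" "$arc_max"
}
if [ "$(command -v zfs)" != "" ] ; then
  # vmstat reports "total memory" in KiB; the original divides by 1024*1000, giving a rough GB figure.
  # An empty reading (vmstat missing or unexpected output) now yields 0 instead of an arithmetic error.
  RAM_SIZE_KB=$(vmstat -s 2>/dev/null | grep -i "total memory" | xargs | cut -d" " -f 1)
  RAM_SIZE_GB=$(( ${RAM_SIZE_KB:-0} / 1024 / 1000 ))
  read -r MY_ZFS_ARC_MIN MY_ZFS_ARC_MAX <<< "$(xshok_zfs_arc_bounds "$RAM_SIZE_GB")"
  cat <<EOF > /etc/modprobe.d/zfs.conf
# arc_min = 1/16 of RAM, arc_max = 1/8 of RAM, each at least 1GB
# (the original comment had the two fractions swapped relative to the values it wrote)
options zfs zfs_arc_min=$MY_ZFS_ARC_MIN
options zfs zfs_arc_max=$MY_ZFS_ARC_MAX
# use the prefetch method
options zfs l2arc_noprefetch=0
# max write speed to l2arc
# tradeoff between write/read and durability of ssd (?)
# default : 8 * 1024 * 1024
# setting here : 500 * 1024 * 1024
options zfs l2arc_write_max=524288000
EOF
fi
# propagate the setting into the kernel (runs even without zfs, as in the original)
update-initramfs -u -k all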
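## Local site setting: override the UTC timezone chosen earlier in this script
timedatectl set-timezone Europe/Madrid
## Harden SSH: move sshd to port 7850 and disable password logins ("Securizando el SSH" in the original)
SSHD_CONFIG=/etc/ssh/sshd_config
sed -i 's/#Port 22/Port 7850/g' "$SSHD_CONFIG"
sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' "$SSHD_CONFIG"
sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/g' "$SSHD_CONFIG"
# Lockout checks. The CSF rules applied later in this script stop allowing port 22, so if the
# "#Port 22" line was not present to rewrite, sshd stays on 22 and becomes unreachable after the
# firewall goes live. Likewise, with password logins off, root needs a key in authorized_keys.
if ! grep -q '^Port 7850' "$SSHD_CONFIG" ; then
  echo "WARNING: '#Port 22' not found in $SSHD_CONFIG - sshd is still on port 22, which the CSF TCP_IN list set below no longer allows" >&2
fi
if [ ! -s /root/.ssh/authorized_keys ] ; then
  echo "WARNING: /root/.ssh/authorized_keys is missing or empty - with PasswordAuthentication disabled root cannot log in over SSH" >&2
fi
# Validate the edited config before restarting, so a syntax error cannot leave the host without sshd.
if /usr/sbin/sshd -t ; then
  systemctl restart ssh
else
  echo "ERROR: $SSHD_CONFIG failed validation (sshd -t); ssh was NOT restarted" >&2
fi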
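#Firewall CSF
# Site-specific alert addresses; override through the environment when this script is reused elsewhere.
CSF_ALERT_TO="${CSF_ALERT_TO:-csf@tecneca.com}"
LOGWATCH_MAILTO="${LOGWATCH_MAILTO:-sysadmin@tecneca.com}"
# Same non-interactive apt form as the rest of the script (the original had no -y here and could prompt).
/usr/bin/env DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::='--force-confdef' install unzip > /dev/null
# SECURITY: the CSF tarball is downloaded from the vendor and its installer runs as root. Fetch it over
# TLS, fail closed on every step, and work in a private temp dir: the original chained
# 'cd /tmp; wget; tar; cd csf; sh install.sh' with no error checks, so a failed download or extraction
# fell through to running whatever /tmp/install.sh some other user had left there. No vendor
# signature/checksum is verified here - do that out of band if your threat model requires it.
CSF_TMP="$(mktemp -d)"
if [ -n "$CSF_TMP" ] \
  && wget -q -O "$CSF_TMP/csf.tgz" https://download.configserver.com/csf.tgz \
  && tar xzf "$CSF_TMP/csf.tgz" -C "$CSF_TMP" \
  && ( cd "$CSF_TMP/csf" && sh install.sh ) ; then
  CSF_CONF=/etc/csf/csf.conf
  sed -i 's/TESTING = "1"/TESTING = "0"/g' "$CSF_CONF"
  # The search string already contains 7850, presumably because the CSF installer adds the sshd port it
  # finds to TCP_IN; this swaps port 22 out and lets 5666 and the Proxmox web UI (8006) in. If the stock
  # list ever differs, the sed silently does nothing - hence the 8006 check further down.
  sed -i 's/"20,21,22,25,53,80,110,143,443,465,587,993,995,7850"/"20,21,25,53,80,110,143,443,465,587,993,995,5666,7850,8006"/g' "$CSF_CONF"
  # (The original also ran two seds replacing the TCP_OUT/UDP_IN lists with identical text; those no-ops are dropped.)
  # Values come from the operator's own environment; '|' is used as the sed delimiter so an address cannot break the expression.
  sed -i "s|LF_ALERT_TO = \"\"|LF_ALERT_TO = \"$CSF_ALERT_TO\"|g" "$CSF_CONF"
  sed -i 's/RESTRICT_SYSLOG = "0"/RESTRICT_SYSLOG = "3"/g' "$CSF_CONF"
  # Disable the per-user process tracking alerts (noisy on a hypervisor with many VM/CT processes).
  sed -i 's/PT_USERPROC = "10"/PT_USERPROC = "0"/g' "$CSF_CONF"
  sed -i 's/PT_USERMEM = "512"/PT_USERMEM = "0"/g' "$CSF_CONF"
  sed -i 's/PT_USERRSS = "256"/PT_USERRSS = "0"/g' "$CSF_CONF"
  sed -i 's/PT_USERTIME = "1800"/PT_USERTIME = "0"/g' "$CSF_CONF"
  if ! grep -q '^TCP_IN = ".*8006' "$CSF_CONF" ; then
    echo "WARNING: TCP_IN in $CSF_CONF does not include 8006 - the Proxmox web UI will be firewalled once csf is enabled; fix TCP_IN before rebooting" >&2
  fi
  # disable, then (re-)enable so the edited configuration is what goes live
  csf -x
  csf -e
else
  echo "ERROR: CSF download or install failed; the firewall was NOT installed" >&2
fi
if [ -n "$CSF_TMP" ] ; then
  rm -rf -- "$CSF_TMP"
fi
/usr/bin/env DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::='--force-confdef' install htop vim > /dev/null
/usr/bin/env DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::='--force-confdef' install logwatch > /dev/null
# Mail the daily logwatch report at high detail; only rewrite the cron once so re-runs do not stack options.
LOGWATCH_CRON=/etc/cron.daily/00logwatch
if ! grep -q -- "--mailto" "$LOGWATCH_CRON" 2>/dev/null ; then
  sed -i "s|--output mail|--output mail --mailto $LOGWATCH_MAILTO --detail high|g" "$LOGWATCH_CRON"
fi
## Script Finish
printf '\033[1;33m Finished....please restart the system \033[0m\n'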