| # copy and paste oneliner below to run | |
| # curl -s https://gist.githubusercontent.com/ilude/32aec45964bc1207810f7e6e49544064/raw/%21proxmox_setup.sh?$(date +%s) | /bin/bash -s | |
| # Disable Commercial Repo | |
| sed -i "s/^deb/\#deb/" /etc/apt/sources.list.d/pve-enterprise.list | |
| # Add PVE Community Repo | |
| echo "deb http://download.proxmox.com/debian/pve $(grep "VERSION=" /etc/os-release | sed -n 's/.*(\(.*\)).*/\1/p') pve-no-subscription" > /etc/apt/sources.list.d/pve-no-enterprise.list | |
| # setup no nag script to run on upgrade | |
| echo "DPkg::Post-Invoke { \"dpkg -V proxmox-widget-toolkit | grep -q '/proxmoxlib\.js$'; if [ \$? -eq 1 ]; then { echo 'Removing subscription nag from UI...'; sed -i '/data.status/{s/\!//;s/Active/NoMoreNagging/}' /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js; }; fi\"; };" > /etc/apt/apt.conf.d/99-proxmox-no-nag-script | |
| # setup dark-theme to reinstall on upgrade | |
| THEME_APT_SCRIPT_FILE=/etc/apt/apt.conf.d/99-proxmox-dark-theme | |
| if [ ! -f "$THEME_APT_SCRIPT_FILE" ]; then | |
| tee -a "$THEME_APT_SCRIPT_FILE" >/dev/null <<'EOF' | |
| DPkg::Post-Invoke { "wget https://raw.githubusercontent.com/Weilbyte/PVEDiscordDark/master/PVEDiscordDark.sh && bash PVEDiscordDark.sh install || true"; }; | |
| EOF | |
| fi | |
| apt-get update | |
| apt-get dist-upgrade -y | |
| # disable kerbose authentication for sshd, this will speed up logins | |
| sed -i 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/g' /etc/ssh/sshd_config | |
| systemctl restart ssh | |
| # force post-invoke scripts to run | |
| apt --reinstall install proxmox-widget-toolkit | |
| # keep a record of when the system was setup | |
| if ! [[ -f /etc/birth_certificate ]]; then | |
| echo "Creating /etc/birth_certificate" | |
| date > /etc/birth_certificate | |
| fi | |
| # check if reboot is required | |
| if [ -f /var/run/reboot-required ]; then | |
| sudo reboot | |
| fi |
| # offer to fetch and store github public keys in authorized_keys file | |
| fetch_github_key() | |
| { | |
| mkdir -p ~/.ssh | |
| if ! [[ -f ~/.ssh/authorized_keys ]]; then | |
| touch ~/.ssh/authorized_keys | |
| fi | |
| chmod 700 ~/.ssh | |
| chmod 600 ~/.ssh/* | |
| read -p "Enter Github Username: " github_username | |
| curl -s https://github.com/${github_username}.keys >> ~/.ssh/authorized_keys | |
| } | |
| read -t 10 -p "Download github public key for ssh? (Y/n): " REPLY | |
| if [ $? -gt 128 ]; then | |
| echo "Timed out waiting for input. Defaulting to N!" | |
| break | |
| fi | |
| case $REPLY in | |
| [yY]*) | |
| fetch_github_key | |
| ;; | |
| *) | |
| ;; | |
| esac | |
| # offer to setup gmail for outgoing smtp messages | |
| # https://geekistheway.com/2021/03/07/configuring-e-mail-alerts-on-your-proxmox/ | |
| setup_smtp_to_gmail() | |
| { | |
| apt update | |
| apt install -y libsasl2-modules | |
| echo "You will need to go to https://security.google.com/settings/security/apppasswords to generate an app password!" | |
| echo "" | |
| read -p 'Gmail username (without @gmail.com): ' YOUR_GMAIL_USERNAME | |
| read -sp 'Gmail App Password: ' YOUR_GMAIL_APP_PASSWORD | |
| echo "smtp.gmail.com $YOUR_GMAIL_USERNAME@gmail.com:$YOUR_GMAIL_APP_PASSWORD" > /etc/postfix/sasl_passwd | |
| postmap hash:/etc/postfix/sasl_passwd | |
| chmod 600 /etc/postfix/sasl_passwd | |
| sed -i 's/relayhost\ =/relayhost\ =\ smtp.gmail.com:587/g' /etc/postfix/main.cf | |
| tee -a /etc/postfix/main.cf >/dev/null <<'EOF' | |
| smtp_use_tls = yes | |
| smtp_sasl_auth_enable = yes | |
| smtp_sasl_security_options = | |
| smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd | |
| smtp_tls_CAfile = /etc/ssl/certs/Entrust_Root_Certification_Authority.pem | |
| smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache | |
| smtp_tls_session_cache_timeout = 3600s | |
| EOF | |
| postfix reload | |
| echo "Proxmox test message $(date)" | mail -s "Proxmox Test from $(hostname)" $YOUR_GMAIL_USERNAME@gmail.com | |
| } | |
| read -t 10 -p "Setup gmail for outgoing smtp mail messages? (Y/n): " REPLY | |
| if [ $? -gt 128 ]; then | |
| echo "Timed out waiting for input. Defaulting to N!" | |
| break | |
| fi | |
| case $REPLY in | |
| [yY]*) | |
| setup_smtp_to_gmail | |
| ;; | |
| *) | |
| ;; | |
| esac |
| ############################################################## | |
| # zfs samba file sharing | |
| # https://forum.level1techs.com/t/how-to-create-a-nas-using-zfs-and-proxmox-with-pictures/117375 | |
| # On the root proxmox server: | |
| apt-get update | |
| apt-get install samba | |
| # add root as a samba user and create a password | |
| smbpasswd | |
| # It would also be nice to not have to connect as root to the server every time. | |
| # Lets create a new user and give them samba permissions. | |
| # To create a new Unix user: | |
| useradd -m mike | |
| passwd mike | |
| # This adds the new user to Samba. | |
| smbpasswd -a mike | |
| nano /etc/samba/smb.conf | |
| service smbd stop | |
| service smbd start | |
| # Test for errors. | |
| testparm |
| # https://blog.tim.kent.id.au/2018/11/hardening-samba.html | |
| # | |
| # https://wiki.archlinux.org/title/samba#Restrict_protocols_for_better_security | |
| [global] | |
| server role = standalone server | |
| obey pam restrictions = yes | |
| create mask = 0766 | |
| directory mask = 0777 | |
| server string = Samba | |
| disable netbios = Yes | |
| server min protocol = SMB3_00 | |
| smb ports = 445 | |
| server signing = required | |
| restrict anonymous = 2 | |
| server smb encrypt = desired | |
| use sendfile = yes | |
| load printers = no | |
| printing = bsd | |
| printcap name = /dev/null | |
| disable spoolss = yes | |
| show add printer wizard = no | |
| [pool] | |
| comment = Pool Share | |
| browseable = yes | |
| path = /pool/share | |
| guest ok = no | |
| read only = no | |
| [homes] | |
| comment = Home Directories | |
| browseable = no |
| zfs set atime=off <pool_name> | |
| zfs set compression=lz4 <pool_name> | |
| zpool add <pool_name> cache <device_name_from_lsblk> | |
| zpool add <pool_name> log mirror c4t1d0 c4t2d0 | |
| zfs create pool/share | |
| zfs create pool/share/apps | |
| zfs create pool/share/iso | |
| zfs create pool/share/media | |
| zfs create pool/vmstorage | |
| zfs list | |
| NAME USED AVAIL REFER MOUNTPOINT | |
| pool 24.4G 8.19T 192K /pool | |
| pool/share 24.4G 8.19T 224K /pool/share | |
| pool/share/apps 23.0G 8.19T 23.0G /pool/share/apps | |
| pool/share/iso 1.37G 8.19T 1.37G /pool/share/iso | |
| pool/share/media 192K 8.19T 192K /pool/share/media | |
| pool/vmstorage 304K 8.19T 192K /pool/vmstorage | |
| Back in GUI land… | |
| Click on “Datacenter” | |
| “Storage” | |
| “Add” | |
| “Directory” | |
| ID: iso | |
| Directory: /storage/share/iso | |
| Content: make sure only “ISO image” and “Container template” are selected. | |
| “Add” | |
| And again… | |
| “Add” | |
| “ZFS” | |
| ID: vmstorage | |
| ZFS Pool: /storage/vmstorage | |
https://forum.proxmox.com/threads/mount-host-directory-into-lxc-container.66555/
pct set 103 -mp0 /host/dir,mp=/container/mount/point
sudo apt-get install -y nfs-common nfs-kernel-server
sudo echo "/pool/share 192.168.16.0/24(rw,fsid=0,insecure,no_subtree_check,async)" > /etc/export
systemctl start nfs-kernel-server.service
https://wiki.debian.org/UnattendedUpgrades
https://geekistheway.com/2021/03/07/configuring-e-mail-alerts-on-your-proxmox/
| # barrowed from https://github.com/DeadlockState/Proxmox-prepare/blob/master/proxmox_prepare.sh | |
| apt-get install -y fail2ban > /dev/null 2>&1 | |
| cd /etc/fail2ban/ | |
| touch jail.local | |
| echo "[proxmox] | |
| enabled = true | |
| port = http,https,8006 | |
| filter = proxmox | |
| logpath = /var/log/daemon.log | |
| maxretry = 4 | |
| bantime = 43200" > jail.local | |
| cd filter.d/ | |
| touch proxmox.conf | |
| echo "[Definition] | |
| failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.* | |
| ignoreregex =" > proxmox.conf | |
| service fail2ban restart |