@sugoidogo
Last active April 2, 2024 14:33
customized install proxmox ve on debian - only tested on buster, bullseye
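#!/usr/bin/env bash
# Bootstrap script: prepares apt, fetches the install script and runs it in a
# detached screen session.
#
# Usage, as given by the author:
# wget -qO 0-pve.sh https://gist.github.com/sugoidogo/4684e4659431e17d15be20171160c1f9/raw/ && bash 0-pve.sh
#
# NOTE(review): the .../raw/ URL above tracks the gist's latest revision and
# the result is executed without any digest check. This script edits /etc/apt
# and installs packages, so in practice it runs as root: read the downloaded
# file before running it, or compare it with a checksum you recorded yourself.
set -e
export DEBIAN_FRONTEND=noninteractive
export APT_LISTCHANGES_FRONTEND=none

# download URL... - save each URL into the current directory (wget first,
# curl as fallback). "$@" passes every argument through as one word; the
# former unquoted $* re-split and glob-expanded the arguments first.
function download { wget "$@" || curl -fLO "$@"; }
# stream URL... - write each URL's body to stdout (wget first, curl as fallback).
function stream { wget -qO- "$@" || curl -fsSL "$@"; }
# package ARGS... - run the package manager with ARGS (apt first, dnf as fallback).
function package { apt "$@" || dnf "$@"; }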
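echo "This script will download and run the installation script in a screen session"
echo "The installation script will download post-installation scripts to $HOME and reboot the system upon successful installation"
# Pause so the operator can still abort; the reply itself is discarded.
read -r -p "Press enter to continue" _
echo "removing pve-enterprise repo"
# -f: a missing file is not an error, but a real failure (e.g. permissions)
# still stops the script, which the former `|| true` would have hidden.
rm -f -- /etc/apt/sources.list.d/pve-enterprise.list
echo "updating repos"
package update
echo "installing required packages"
package install gnupg sed screen curl -y
echo "downloading install script"
# Clear leftovers from an earlier run: wget would otherwise save the new copy
# as 1-install.sh.1 and the stale script would be the one executed, and a
# stale install.pid would name the wrong process below.
rm -f -- 1-install.sh install.log install.pid
# NOTE(review): this URL follows the gist's latest revision and the file is
# executed unverified. Pin a revision you have reviewed, or check the file
# against a known digest (<EXPECTED_SHA256 - placeholder>) before running it.
download https://gist.github.com/sugoidogo/4684e4659431e17d15be20171160c1f9/raw/1-install.sh
echo "executing install script in screen session"
# The installer runs inside a detached screen session; its combined output is
# mirrored into install.log so it can be followed from here.
screen -dm sh -c "bash 1-install.sh 2>&1 | tee install.log"
# 1-install.sh writes its PID to install.pid right after `set -e`; poll for it
# instead of assuming that one second is always enough.
for _ in {1..30}; do
  if [[ -s install.pid && -e install.log ]]; then
    break
  fi
  sleep 1
done
if [[ ! -s install.pid || ! -e install.log ]]; then
  echo "install script did not start (no install.pid/install.log)" >&2
  exit 1
fi
# The installer is a child of screen, not of this shell, so the `wait` builtin
# cannot wait on it (it fails for PIDs that are not children of the caller).
# GNU tail's --pid follows the log and exits once that process is gone.
tail --pid="$(cat install.pid)" -f install.log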
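#!/usr/bin/env bash
# Install script: upgrades the system, adds the Proxmox VE repository,
# installs proxmox-ve and firewalld, fetches the post-setup scripts and reboots.
set -e
# Record this script's PID in the current directory; the bootstrap script
# reads install.pid to find the running installer.
echo $$ > install.pid
export DEBIAN_FRONTEND=noninteractive
export APT_LISTCHANGES_FRONTEND=none

# download URL... - save each URL into the current directory (wget first,
# curl as fallback). "$@" passes every argument through as one word; the
# former unquoted $* re-split and glob-expanded the arguments first.
function download { wget "$@" || curl -fLO "$@"; }
# stream URL... - write each URL's body to stdout (wget first, curl as fallback).
function stream { wget -qO- "$@" || curl -fsSL "$@"; }
# package ARGS... - run the package manager with ARGS (apt first, dnf as fallback).
function package { apt "$@" || dnf "$@"; }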
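echo "upgrading system to stable+backports"
# Fetch the helper script into a file before running it. Piped straight into
# bash (without pipefail) a failed download went unnoticed, and a truncated
# one would have been executed as far as it got.
# NOTE(review): this URL follows a second gist's latest revision and its
# content is executed unverified; review it, or check it against a known
# digest (<EXPECTED_SHA256 - placeholder>) first.
upgrade_script=$(mktemp)
wget -qO "$upgrade_script" https://gist.github.com/sugoidogo/1df06591d9dc4a8852fcbe2dd9757985/raw/
bash "$upgrade_script"
rm -f -- "$upgrade_script"
# Provides VERSION_CODENAME, used for the key and repository names below.
source /etc/os-release
echo "installing proxmox GPG key"
# NOTE(review): the key is fetched over plain HTTP and `apt-key add` then
# trusts it for every apt source, so nothing here authenticates it. Compare
# the file's checksum or fingerprint with the value Proxmox publishes
# (<EXPECTED_KEY_SHA512 - placeholder>) before adding it. apt-key itself is
# deprecated in current apt releases.
# Written to a file first so that a failed download aborts the script instead
# of feeding apt-key an empty or partial stream.
key_file=$(mktemp)
stream "http://download.proxmox.com/debian/proxmox-release-$VERSION_CODENAME.gpg" > "$key_file"
apt-key add "$key_file"
rm -f -- "$key_file"
echo "installing proxmox repo"
# mkdir and cd are separate statements: in `mkdir && cd` a failing mkdir did
# not trip `set -e`, and the script carried on in the wrong directory.
mkdir -p /etc/apt/sources.list.d
cd /etc/apt/sources.list.d
echo "deb http://download.proxmox.com/debian/pve $VERSION_CODENAME pve-no-subscription" > pve-no-subscription.list
echo "installing preferences: proxmox 1500 (always prioritise proxmox packages, even downgrades)"
mkdir -p /etc/apt/preferences.d
cd /etc/apt/preferences.d
# Remove an older copy so wget does not save the new one as proxmox.pref.1.
rm -f -- proxmox.pref
download https://gist.github.com/sugoidogo/4684e4659431e17d15be20171160c1f9/raw/proxmox.pref
echo "updating repos"
package update
echo "changing hostname entry in /etc/hosts"
# Quoted, with the dots escaped, so only the literal 127.0.1.1 is rewritten.
sed -i 's/127\.0\.1\.1/0.0.0.0/g' /etc/hosts
echo "installing proxmox and firewalld"
echo "this step may cause temporary network loss"
# `a || b && c` groups as `(a || b) && c`: the old one-liner re-ran the
# install even after a clean first attempt, and its retry left out firewalld
# although firewall-cmd is used further down.
if ! package install proxmox-ve firewalld -y; then
  systemctl restart networking
  package install proxmox-ve firewalld -y
fi
echo "removing unused packages"
# Pattern quoted so this call site cannot expand it against files in the
# current directory; it is meant for the package manager.
package remove os-prober 'linux-image-amd64*' -y
echo "removing pve-enterprise repo"
rm -f -- /etc/apt/sources.list.d/pve-enterprise.list
echo "setting tuned profile"
tuned-adm profile virtual-host
echo "allowing services through firewalld"
# --permanent only changes the saved configuration; the rules take effect
# when firewalld next loads it (here: the reboot at the end).
# No --zone is given, so both rules land in the default zone. 8006/tcp is the
# Proxmox web interface; NOTE(review): on a host reachable from untrusted
# networks, limit it to a management source range instead.
firewall-cmd --add-service ssh --permanent
firewall-cmd --add-port=8006/tcp --permanent
echo "enabling mdns and tuned - change your default firewalld zone to home to allow mdns"
systemctl enable avahi-daemon
systemctl enable tuned
echo "downloading post-setup scripts - check your home folder after reboot"
cd ~
# NOTE(review): same unpinned gist URLs as above; read these files before
# running any of them after the reboot.
for post_script in 2-bridge.sh 2-nat.sh 3-user.sh 3-shared-mount.sh; do
  download "https://gist.github.com/sugoidogo/4684e4659431e17d15be20171160c1f9/raw/$post_script"
done
echo "Installation complete! rebooting"
reboot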
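#!/usr/bin/env bash
# Post-setup script: turns the DHCP-configured interfaces into ports of a
# bridge named vmbr0 that obtains its address over DHCP.
set -e
export DEBIAN_FRONTEND=noninteractive
export APT_LISTCHANGES_FRONTEND=none

# download URL... - save each URL into the current directory (wget first,
# curl as fallback). "$@" passes every argument through as one word; the
# former unquoted $* re-split and glob-expanded the arguments first.
function download { wget "$@" || curl -fLO "$@"; }
# stream URL... - write each URL's body to stdout (wget first, curl as fallback).
function stream { wget -qO- "$@" || curl -fsSL "$@"; }
# package ARGS... - run the package manager with ARGS (apt first, dnf as fallback).
function package { apt "$@" || dnf "$@"; }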
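interfaces_file=/etc/network/interfaces
# Refuse to run when vmbr0 is already defined: appending a second stanza
# would leave two conflicting definitions of the same bridge.
if grep -Eq '^[[:space:]]*iface[[:space:]]+vmbr0[[:space:]]' "$interfaces_file"; then
  echo "vmbr0 is already defined in $interfaces_file; not modifying it" >&2
  exit 1
fi
# Names of all interfaces declared as `iface NAME inet dhcp`, space-separated.
# Matching on fields avoids picking up comments that merely mention "dhcp".
interfaces=$(awk '$1 == "iface" && $3 == "inet" && $4 == "dhcp" { printf "%s%s", sep, $2; sep = " " }' "$interfaces_file")
if [[ -z "$interfaces" ]]; then
  # Without this check the file was still rewritten and a bridge with no
  # ports was brought up.
  echo "no 'iface ... inet dhcp' stanza found in $interfaces_file; nothing to bridge" >&2
  exit 1
fi
# Keep a copy to restore from if the new configuration cuts off the network.
cp -p -- "$interfaces_file" "$interfaces_file.pre-bridge"
# Switch only the matched stanzas from dhcp to manual; the bridge takes over
# address configuration for them.
sed -i -E 's/^([[:space:]]*iface[[:space:]]+[^[:space:]]+[[:space:]]+inet[[:space:]]+)dhcp([[:space:]]|$)/\1manual\2/' "$interfaces_file"
# NOTE(review): the `pre-up brctl addif vmbr0` line below names no port to
# add - confirm it is intended; the ports are already listed in bridge-ports.
echo "
auto vmbr0
iface vmbr0 inet dhcp
bridge-ports $interfaces
pre-up brctl addif vmbr0
# Bridge Guest Network
" >> "$interfaces_file"
# NOTE(review): this reconfigures the interface the current session may be
# using; presumably best run from a local console.
ifup vmbr0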
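#!/usr/bin/env bash
# Post-setup script: creates a NAT-ed guest network on bridge vmbr0 with
# dnsmasq providing DHCP and DNS, and opens the matching firewalld services.
set -e
export DEBIAN_FRONTEND=noninteractive
export APT_LISTCHANGES_FRONTEND=none

# download URL... - save each URL into the current directory (wget first,
# curl as fallback). "$@" passes every argument through as one word; the
# former unquoted $* re-split and glob-expanded the arguments first.
function download { wget "$@" || curl -fLO "$@"; }
# stream URL... - write each URL's body to stdout (wget first, curl as fallback).
function stream { wget -qO- "$@" || curl -fsSL "$@"; }
# package ARGS... - run the package manager with ARGS (apt first, dnf as fallback).
function package { apt "$@" || dnf "$@"; }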
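# Refuse to run when vmbr0 is already defined (an earlier run of this script
# or of the bridge variant): a second stanza with a different random subnet
# would conflict with the first, and the config files below would be replaced.
if grep -Eq '^[[:space:]]*iface[[:space:]]+vmbr0[[:space:]]' /etc/network/interfaces; then
  echo "vmbr0 is already defined in /etc/network/interfaces; not modifying it" >&2
  exit 1
fi
package install dnsmasq -y
# Two random numbers in the range 10-99 pick the guest subnet 10.X.Y.0/24.
X=$(( RANDOM % 9 + 1 ))$(( RANDOM % 10 ))
Y=$(( RANDOM % 9 + 1 ))$(( RANDOM % 10 ))
echo "
auto vmbr0
iface vmbr0 inet static
address 10.$X.$Y.10/24
pre-up brctl addbr vmbr0
# NAT Geust Network
" >> /etc/network/interfaces
cd /etc
# Keep any existing file as *.example, then install the template from the
# gist and fill in the subnet placeholders.
# NOTE(review): the templates come from unpinned gist URLs and become live
# resolver/DHCP configuration; review them before relying on this host.
if [[ -e resolvconf.conf ]]; then
  mv -- resolvconf.conf resolvconf.conf.example
fi
download https://gist.github.com/sugoidogo/4684e4659431e17d15be20171160c1f9/raw/resolvconf.conf
sed -i "s/{X}/$X/g;s/{Y}/$Y/g" resolvconf.conf
if [[ -e dnsmasq.conf ]]; then
  mv -- dnsmasq.conf dnsmasq.conf.example
fi
download https://gist.github.com/sugoidogo/4684e4659431e17d15be20171160c1f9/raw/dnsmasq.conf
sed -i "s/{X}/$X/g;s/{Y}/$Y/g" dnsmasq.conf
cd dnsmasq.d
for dns_conf in cloudflare-dns.conf google-dns.conf quad9-dns.conf domain.conf; do
  download "https://gist.github.com/sugoidogo/4684e4659431e17d15be20171160c1f9/raw/$dns_conf"
done
# Escape the characters that are special on the replacement side of sed's
# s command, so the host name is always inserted literally.
hostname_escaped=$(printf '%s' "$HOSTNAME" | sed 's|[\\/&]|\\&|g')
sed -i "s/{X}/$X/g;s/{Y}/$Y/g;s/{HOSTNAME}/$hostname_escaped/g" domain.conf
package install openresolv -y
ifup vmbr0
# No --zone here, so masquerading is enabled on the default zone.
firewall-cmd --add-masquerade
# The bridge goes into the `internal` zone, where guests may reach DHCP and DNS.
firewall-cmd --zone=internal --add-interface vmbr0
firewall-cmd --zone=internal --add-masquerade
firewall-cmd --zone=internal --add-service dhcp
firewall-cmd --zone=internal --add-service dns
# Saves the whole runtime configuration, not only the rules added above: any
# other temporary runtime rule present at this moment becomes permanent too.
firewall-cmd --runtime-to-permanent
systemctl restart dnsmasq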
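#!/usr/bin/env bash
# Post-setup script: creates a directory on the host and registers it as a
# bind mount in the common LXC configuration, so containers share it.
set -e
echo "This script adds a bind mount to be shared by all containers and host"
read -r -p "mount path: /" MOUNT
# Normalise the answer to a path relative to /: the prompt already supplies
# the leading slash, and a trailing one is only noise.
while [[ "$MOUNT" == /* ]]; do MOUNT=${MOUNT#/}; done
while [[ "$MOUNT" == */ ]]; do MOUNT=${MOUNT%/}; done
# An empty answer used to run `chmod 777 /` on the root directory itself.
if [[ -z "$MOUNT" ]]; then
  echo "refusing an empty mount path: it would make / itself world-writable" >&2
  exit 1
fi
# Whitespace would split the fields of the lxc.mount.entry line; . and ..
# components would point the mount (and the chmod) somewhere unexpected.
if [[ "$MOUNT" =~ [[:space:]] || "/$MOUNT/" == */../* || "/$MOUNT/" == */./* ]]; then
  echo "mount path must not contain whitespace, '.' or '..' components" >&2
  exit 1
fi
# An existing directory would have its mode changed in place; make the
# operator confirm that this is really the directory they mean.
if [[ -e "/$MOUNT" ]]; then
  read -r -p "/$MOUNT already exists and will be made world-writable. Type yes to continue: " confirm
  if [[ "$confirm" != yes ]]; then
    echo "aborted" >&2
    exit 1
  fi
fi
mkdir -p -- "/$MOUNT"
# NOTE(review): mode 777 has no sticky bit, so every account on the host and
# in every container can rename or delete anyone else's files here. Consider
# 1777, or a dedicated group, if that is not intended.
chmod 777 -- "/$MOUNT"
cd /usr/share/lxc/config/common.conf.d/
echo "lxc.mount.entry = /$MOUNT $MOUNT none bind,create=dir 0 0
" >> shared-mount.conf
echo "any containers started now will share the /$MOUNT directory with the host"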
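#!/usr/bin/env bash
# Post-setup script: creates a sudo-capable system user, grants it the
# Proxmox Administrator role through an "admin" group, then locks root's
# password.
set -e
export DEBIAN_FRONTEND=noninteractive
export APT_LISTCHANGES_FRONTEND=none
apt install sudo -y
read -r -p 'New Username: ' NEWUSER
if [[ -z "$NEWUSER" ]]; then
  echo "no username given" >&2
  exit 1
fi
# --ingroup makes `sudo` the new account's primary group.
adduser --ingroup sudo "$NEWUSER"
pveum group add admin -comment "System Administrators"
pveum acl modify / -group admin -role Administrator
pveum user add "$NEWUSER@pam"
pveum user modify "$NEWUSER@pam" -group admin
# Lock-out guard: only lock root once the replacement account has a usable
# password (second field of `passwd -S` is P). If the lookup fails the status
# is empty and root is left untouched.
account_status=$(passwd -S "$NEWUSER" | awk '{ print $2 }')
if [[ "$account_status" != P ]]; then
  echo "user $NEWUSER has no usable password (status: ${account_status:-unknown}); leaving root unlocked" >&2
  exit 1
fi
# passwd -l disables root's password only; other ways in, such as SSH keys
# already authorised for root, are not affected and need separate review.
passwd -l root
echo "The root account is now locked, user $NEWUSER may become root with sudo"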
server=1.1.1.1
server=1.0.0.1
server=2606:4700:4700::1111
server=2606:4700:4700::1001
# https://github.com/imp/dnsmasq/blob/master/dnsmasq.conf.example
# The following two options make you a better netizen, since they
# tell dnsmasq to filter out queries which the public DNS cannot
# answer, and which load the servers (especially the root servers)
# unnecessarily. If you have a dial-on-demand link they also stop
# these requests from bringing up the link unnecessarily.
# Never forward plain names (without a dot or domain part)
domain-needed
# Never forward addresses in the non-routed address spaces.
bogus-priv
# If you don't want dnsmasq to read /etc/resolv.conf or any other
# file, getting its servers from this file instead (see below), then
# uncomment this.
no-resolv
# Read configuration generated by openresolv
conf-file=/etc/dnsmasq-conf.conf
resolv-file=/etc/dnsmasq-resolv.conf
# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
interface=vmbr0
# Uncomment this to enable the integrated DHCP server, you need
# to supply the range of addresses available for lease and optionally
# a lease time. If you have more than one network, you will need to
# repeat this for each network on which you want to supply DHCP
# service.
dhcp-range=10.{X}.{Y}.11,10.{X}.{Y}.99
# Do Router Advertisements, BUT NOT DHCP for this subnet, also try and
# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack
# hosts. Use the DHCPv4 lease to derive the name, network segment and
# MAC address and assume that the host will also have an
# IPv6 address calculated using the SLAAC algorithm.
dhcp-range={X}{Y}::, ra-names
# Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave.
dhcp-option=252,"\n"
# Send microsoft-specific option to tell windows to release the DHCP lease
# when it shuts down. Note the "i" flag, to tell dnsmasq to send the
# value as a four-byte integer - that's what microsoft wants. See
# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true
dhcp-option=vendor:MSFT,2,1i
# Set the DHCP server to authoritative mode. In this mode it will barge in
# and take over the lease for any client which broadcasts on the network,
# whether it has a record of the lease or not. This avoids long timeouts
# when a machine wakes up on a new network. DO NOT enable this if there's
# the slightest chance that you might end up accidentally configuring a DHCP
# server for your campus/company accidentally. The ISC server uses
# the same option, and this URL provides more information:
# http://www.isc.org/files/auth.html
dhcp-authoritative
# Include all files in a directory which end in .conf
conf-dir=/etc/dnsmasq.d/,*.conf
# If a DHCP client claims that its name is "wpad", ignore that.
# This fixes a security hole; see CERT Vulnerability VU#598349.
dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore
# Set the domain for dnsmasq. This is optional, but if it is set, it
# does the following things.
# 1) Allows DHCP hosts to have fully qualified domain names, as long
# as the domain part matches this setting.
# 2) Sets the "domain" DHCP option thereby potentially setting the
# domain of all systems configured by DHCP
# 3) Provides the domain part for "expand-hosts"
domain={HOSTNAME}
address=/{HOSTNAME}/10.{X}.{Y}.10
server=8.8.8.8
server=8.8.4.4
server=2001:4860:4860::8888
server=2001:4860:4860::8844
Package: *
Pin: release o=Proxmox
Pin-Priority: 1500
server=9.9.9.10
server=149.112.112.10
server=2620:fe::10
server=2620:fe::fe:10
# Use the local name server
name_servers="10.{X}.{Y}.11"
resolv_conf_options="trust-ad"
# Write out dnsmasq extended configuration and resolv files
dnsmasq_conf=/etc/dnsmasq-conf.conf
dnsmasq_resolv=/etc/dnsmasq-resolv.conf