├── .gitignore
├── README.md
└── postinstall
/.gitignore:
--------------------------------------------------------------------------------
1 | ZPOOL_SIZE_SUM_BYTES
2 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # proxmox-zfs-postinstall
2 |
3 | This script installs and configures basic tools for running a new Proxmox Server (Version 8+).
4 | Following settings are made:
5 | - Install and configure zfs-auto-snapshot
6 | - Switch pve-enterprise/pve-no-subscription/pvetest repo
7 | - Switch ceph repo between quincy/reef and enterprise/no-subscription/test or remove it
8 | - Disable "No subscription message" in webinterface in no-subscription mode
9 | - Add pve-enterprise subscription key
10 | - Update system to the latest version
11 | - Install common tools
12 | - Install Proxmox SDN Extensions
13 | - Configure automatic backup of /etc Folder
14 | - Configure locales
15 | - SSH server hardening
16 | - Install checkzfs
17 | - Install bashclub-zsync
18 | - Install virtio-win ISO
19 | - Create zfspool storage for swap disks if not exists
20 | - Adjust default volblocksize for Proxmox zfspool storage
21 | - Configure proxmox mail delivery proxmox notifications (pve8)
22 |
23 | # Usage
24 |
25 | Just download and execute the script, all settings are made interactively.
26 | ```
27 | wget -O ./postinstall --no-cache https://github.com/bashclub/proxmox-zfs-postinstall/raw/main/postinstall
28 | bash ./postinstall
29 | ```
30 |
31 | # Author
32 | ### Thorsten Spille
33 | [
](https://ko-fi.com/thorakel)
34 |
--------------------------------------------------------------------------------
/postinstall:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | #
3 | # This script configures basic settings and install standard tools on your Proxmox VE Server with ZFS storage
4 | #
5 | # Features:
6 | # + Configure ZFS ARC Cache
7 | # + Configure vm.swappiness
8 | # + Install and configure zfs-auto-snapshot
9 | # + Switch pve-enterprise/pve-no-subscription/pvetest repo
10 | # + Switch ceph repo between quincy/reef and enterprise/no-subscription/test or remove
11 | # + Disable "No subscription message" in webinterface in no-subscription mode
12 | # + Add pve-enterprise subscription key
13 | # + Update system to the latest version
14 | # + Install common tools
15 | # + Install Proxmox SDN Extensions
16 | # + Configure automatic backup of /etc Folder
17 | # + Configure locales
18 | # + SSH server hardening
19 | # + Install checkzfs
20 | # + Install bashclub-zsync
21 | # + Create zfspool storage for swap disks if not exists
22 | # + Adjust default volblocksize for Proxmox zfspool storages
23 | # + Configure proxmox mail delivery with postfix
24 | # + Daily check (and download) for new stable virtio-win iso and prune old (unused) versions
25 | #
26 | #
27 | # Author: (C) 2023 Thorsten Spille
28 |
29 | set -uo pipefail
30 |
31 | #### INITIAL VARIABLES ####
32 | PROG=$(basename "$0")
33 |
34 | # Required tools for usage in postinstall
35 | REQUIRED_TOOLS="curl ifupdown2 git gron ipmitool libsasl2-modules lsb-release libpve-network-perl postfix ssl-cert systemd-boot"
36 |
37 | # Optional tools to install
38 | OPTIONAL_TOOLS="dnsutils ethtool htop iftop jq lshw lsscsi mc net-tools nvme-cli rpl screen smartmontools sudo sysstat tmux unzip vim"
39 |
40 | # Settings for Backup of /etc folder
41 | PVE_CONF_BACKUP_TARGET=rpool/pveconf
42 | PVE_CONF_BACKUP_CRON_TIMER="3,18,33,48 * * * *"
43 |
44 | # Round factor to set L1ARC cache (Megabytes)
45 | ROUND_FACTOR=512
46 |
47 | # get total size of all zpools
48 | ZPOOL_SIZE_SUM_BYTES=0
49 | for line in $(zpool list -o size -Hp); do ZPOOL_SIZE_SUM_BYTES=$(($ZPOOL_SIZE_SUM_BYTES+$line)); done
50 |
51 | # get information about available ram
52 | MEM_TOTAL_BYTES=$(($(awk '/MemTotal/ {print $2}' /proc/meminfo) * 1024))
53 |
54 | # get values if defaults are set
55 | ARC_MAX_DEFAULT_BYTES=$(($MEM_TOTAL_BYTES / 2))
56 | ARC_MIN_DEFAULT_BYTES=$(($MEM_TOTAL_BYTES / 32))
57 |
58 | # get current settings
59 | ARC_MIN_CUR_BYTES=$(cat /sys/module/zfs/parameters/zfs_arc_min)
60 | ARC_MAX_CUR_BYTES=$(cat /sys/module/zfs/parameters/zfs_arc_max)
61 |
62 | # get vm.swappiness
63 | SWAPPINESS=$(cat /proc/sys/vm/swappiness)
64 |
65 | # zfs-auto-snapshot default values
66 | declare -A auto_snap_keep=( ["frequent"]="12" ["hourly"]="96" ["daily"]="14" ["weekly"]="6" ["monthly"]="3" )
67 |
68 | setblocksize=0
69 | volblocksize=16k
70 |
71 | # gather proxmox subscription info
72 | serverid=$(pvesubscription get | grep serverid | cut -d' ' -f2)
73 | sub_status=$(pvesubscription get | grep status | cut -d' ' -f2)
74 |
75 | # get notification address
76 | recipientaddress=$(pvesh get access/users/root@pam --output-format yaml| grep email | cut -d' ' -f2)
77 |
78 | #### FUNCTIONS ####
79 |
80 | log(){
81 | echo "$(date) $1"
82 | }
83 |
84 | roundup(){
85 | echo $(((($1 + $ROUND_FACTOR) / $ROUND_FACTOR) * $ROUND_FACTOR))
86 | }
87 |
88 | roundoff(){
89 | echo $((($1 / $ROUND_FACTOR) * $ROUND_FACTOR))
90 | }
91 |
92 | isnumber(){
93 | re='^[0-9]+$'
94 | if ! [[ $1 =~ $re ]] ; then
95 | return 1
96 | else
97 | return 0
98 | fi
99 | }
100 |
101 | inputbox_int(){
102 | cancel=0
103 | while true; do
104 | if ! out=$(whiptail --title "$1" --backtitle "$PROG" --inputbox "$2" $3 76 $4 3>&1 1>&2 2>&3) ; then
105 | cancel=1 ; break
106 | fi
107 | if isnumber $out; then
108 | break
109 | fi
110 | done
111 | echo $out
112 | return $cancel
113 | }
114 |
115 | cancel_dialog() {
116 | whiptail --title "CANCEL POSTINSTALL" --backtitle $PROG --msgbox "Postinstall was cancelled by user interaction" 8 76 3>&1 1>&2 2>&3
117 | exit 127
118 | }
119 |
120 | arc_suggestion(){
121 | if [ $ARC_MIN_DEFAULT_BYTES -lt 33554432 ]; then ARC_MIN_DEFAULT_MB="32" ; else ARC_MIN_DEFAULT_MB="$(($ARC_MIN_DEFAULT_BYTES / 1024 / 1024))" ; fi
122 |
123 | ZFS_ARC_MAX_MEGABYTES=$(roundup $(($ZPOOL_SIZE_SUM_BYTES / 1024 / 1024 / 1024)))
124 | ZFS_ARC_MIN_MEGABYTES=$(roundoff $(($ZPOOL_SIZE_SUM_BYTES / 2048 / 1024 / 1024)))
125 | if [ $ZFS_ARC_MIN_MEGABYTES -eq 0 ]; then
126 | ZFS_ARC_MIN_MEGABYTES=$(($ZFS_ARC_MAX_MEGABYTES / 2))
127 | if [ $ARC_MIN_DEFAULT_MB -gt $ZFS_ARC_MAX_MEGABYTES ]; then
128 | ZFS_ARC_MIN_MEGABYTES=$ARC_MIN_DEFAULT_MB
129 | fi
130 | fi
131 |
132 | if [ $ARC_MIN_CUR_BYTES -gt 0 ]; then ARC_MIN_CURRENT_MB="$(($ARC_MIN_CUR_BYTES / 1024 / 1024))" ; else ARC_MIN_CURRENT_MB="0" ; fi
133 | if [ $ARC_MAX_CUR_BYTES -gt 0 ]; then ARC_MAX_CURRENT_MB="$(($ARC_MAX_CUR_BYTES / 1024 / 1024))" ; else ARC_MAX_CURRENT_MB="0" ; fi
134 |
135 | if ! whiptail --title "CONFIGURE ZFS L1ARC SIZE" \
136 | --backtitle $PROG \
137 | --yes-button "Accept" \
138 | --no-button "Edit" \
139 | --yesno " Summary: \n \
140 | System Memory: $(($MEM_TOTAL_BYTES / 1024 / 1024)) MB\n \
141 | Zpool size (sum): $(($ZPOOL_SIZE_SUM_BYTES / 1024 / 1024)) MB\n \
142 | \n \
143 | Note: zfs_arc_min must always be lower than zfs_arc_max! \n\n \
144 | The L1ARC cache suggestion is calculated by size of all zpools \n\n \
145 | Suggested values: \n \
146 | zfs_arc_min: $(($ZFS_ARC_MIN_MEGABYTES)) MB (default: $ARC_MIN_DEFAULT_MB MB, current: $ARC_MIN_CURRENT_MB MB)\n \
147 | zfs_arc_max: $(($ZFS_ARC_MAX_MEGABYTES)) MB (default: $(($ARC_MAX_DEFAULT_BYTES / 1024 / 1024)) MB, current: $ARC_MAX_CURRENT_MB MB)\n" 17 76; then
148 | arc_set_manual
149 | fi
150 | }
151 |
152 | arc_set_manual() {
153 | if [ $ARC_MIN_CURRENT_MB -gt 0 ]; then MIN_VALUE=$ARC_MIN_CURRENT_MB; else MIN_VALUE=$ZFS_ARC_MIN_MEGABYTES; fi
154 | if [ $ARC_MAX_CURRENT_MB -gt 0 ]; then MAX_VALUE=$ARC_MAX_CURRENT_MB; else MAX_VALUE=$ZFS_ARC_MAX_MEGABYTES; fi
155 |
156 | if ! ZFS_ARC_MIN_MEGABYTES=$(inputbox_int 'CONFIGURE ZFS L1ARC MIN SIZE' 'Please enter zfs_arc_min in MB' 7 $MIN_VALUE) ; then cancel_dialog ; fi
157 | if ! ZFS_ARC_MAX_MEGABYTES=$(inputbox_int 'CONFIGURE ZFS L1ARC MAX SIZE' 'Please enter zfs_arc_max in MB' 7 $MAX_VALUE) ; then cancel_dialog ; fi
158 | }
159 |
160 | vm_swappiness () {
161 | if ! SWAPPINESS=$(inputbox_int "CONFIGURE SWAPPINESS" "Please enter percentage of free RAM to start swapping" 8 $SWAPPINESS) ; then cancel_dialog ; fi
162 | }
163 |
164 | auto_snapshot(){
165 | install_zas=0
166 | if whiptail --title "INSTALL ZFS-AUTO-SNAPSHOT" \
167 | --backtitle "$PROG" \
168 | --yes-button "INSTALL" \
169 | --no-button "SKIP" \
170 | --yesno "Do you want to install and configure zfs-auto-snapshot?" 9 76 ; then
171 | install_zas=1
172 |
173 | if dpkg -l zfs-auto-snapshot > /dev/null 2>&1 ; then
174 | for interval in "${!auto_snap_keep[@]}"; do
175 | if [[ "$interval" == "frequent" ]]; then
176 | auto_snap_keep[$interval]=$(cat /etc/cron.d/zfs-auto-snapshot | grep keep | cut -d' ' -f19 | cut -d '=' -f2)
177 | else
178 | auto_snap_keep[$interval]=$(cat /etc/cron.$interval/zfs-auto-snapshot | grep keep | cut -d' ' -f6 | cut -d'=' -f2)
179 | fi
180 | done
181 | fi
182 | for interval in "${!auto_snap_keep[@]}"; do
183 | if ! auto_snap_keep[$interval]=$(inputbox_int "CONFIGURE ZFS-AUTO-SNAPSHOT" "Please set number of $interval snapshots to keep" 7 ${auto_snap_keep[$interval]}) ; then cancel_dialog ; fi
184 | done
185 |
186 | fi
187 | }
188 |
189 | select_subscription(){
190 | suppress_warning=0
191 | if [[ $sub_status == "notfound" ]] || [[ $sub_status == "invalid" ]]; then
192 | if [[ $repo_selection == "pve-enterprise" ]]; then
193 | if whiptail --title "NO PROXMOX SUBSCRIPTION FOUND" \
194 | --backtitle $PROG \
195 | --yes-button "ADD" \
196 | --no-button "SKIP" \
197 | --yesno "Server ID: $serverid\n\nDo you want to add a subscription key?" 9 76 ; then
198 | input_subscription
199 | fi
200 | else
201 | if whiptail --title "NO PROXMOX SUBSCRIPTION FOUND" \
202 | --backtitle $PROG \
203 | --yes-button "SUPPRESS WARNING" \
204 | --no-button "SKIP" \
205 | --yesno "Do you want to suppress the no subscription warning in WebGUI?" 9 76 ; then
206 | suppress_warning=1
207 | fi
208 | fi
209 | fi
210 | }
211 |
212 | ask_locales(){
213 | if ! locales=$(whiptail --title "SET LOCALES" --backtitle "$PROG" --inputbox "Please enter a space separated list of locales to generate." 9 76 "$(echo $(grep -vE '#|^$' /etc/locale.gen | cut -d ' ' -f1))" 3>&1 1>&2 2>&3); then cancel_dialog ; fi
214 | }
215 |
216 | ask_ssh_hardening(){
217 | ssh_hardening=0
218 | if whiptail --title "HARDEN SSH SERVER" \
219 | --backtitle "$PROG" \
220 | --yes-button "HARDEN SSH SERVER" \
221 | --no-button "SKIP" \
222 | --yesno "Do you want to apply the SSH hardening profile?\nHost-Keys will be changed and root-Login with password will be disabled." 9 76 ; then
223 | ssh_hardening=1
224 | fi
225 | }
226 |
227 | input_subscription(){
228 | key=""
229 | cancel=0
230 | while [[ $key == "" ]]; do
231 | if ! key=$(whiptail --title "ADD PROXMOX SUBSCRIPTION KEY" --backtitle "$PROG" \
232 | --inputbox "Server ID: $serverid\n\nAdd your subscription key" 9 76 3>&1 1>&2 2>&3) ; then
233 | cancel=1 ; break
234 | fi
235 | done
236 | if [ $cancel -eq 0 ]; then
237 | set_subscription $key
238 | fi
239 | return $cancel
240 | }
241 |
242 | set_subscription(){
243 | log "Setting subscription key $1"
244 | if ! pvesubscription set $1; then
245 | input_subscription
246 | elif [[ $(pvesubscription get | grep status | cut -d' ' -f2) == "invalid" ]]; then
247 | input_subscription
248 | fi
249 | }
250 |
251 | suppress_no_subscription_warning(){
252 | if [ $suppress_warning -gt 0 ]; then
253 | # remove old no-sub-hack
254 | if [ -f /opt/bashclub/no-sub-hack.sh ] ; then rm -r /opt/bashclub ; fi
255 | if [ -f /etc/apt/apt.conf.d/80bashclubapthook ] ; then rm /etc/apt/apt.conf.d/80bashclubapthook ; fi
256 |
257 | wget -q --no-cache -O /usr/local/bin/suppress_no_subscription_warning https://github.com/bashclub/no-sub-hack/raw/main/no-sub-hack.sh
258 | chmod +x /usr/local/bin/suppress_no_subscription_warning
259 | /usr/local/bin/suppress_no_subscription_warning
260 | cat << EOF > /etc/apt/apt.conf.d/80-suppress_no_subscription_warning
261 | DPkg::Post-Invoke {"/usr/local/bin/suppress_no_subscription_warning";};
262 | EOF
263 | fi
264 | }
265 |
266 | select_pve_repo(){
267 | pveenterprise=OFF
268 | pvenosubscription=OFF
269 | pvetest=OFF
270 | if [ -f /etc/apt/sources.list.d/pve-enterprise.list ]; then
271 | if grep -v '#' /etc/apt/sources.list.d/pve-enterprise.list | grep "pve-enterprise" > /dev/null ; then
272 | pveenterprise=ON
273 | else
274 | if [ -f /etc/apt/sources.list ]; then
275 | if grep -v '#' /etc/apt/sources.list | grep "pve-no-subscription" > /dev/null ; then
276 | pvenosubscription=ON
277 | elif grep -v '#' /etc/apt/sources.list | grep "pvetest" > /dev/null ; then
278 | pvetest=ON
279 | else
280 | pveenterprise=ON
281 | fi
282 | fi
283 | fi
284 | fi
285 | repo_selection=$(whiptail --title "SELECT PVE REPOSITORY" --backtitle "$PROG" \
286 | --radiolist "Choose Proxmox VE repository" 20 76 4 \
287 | "pve-enterprise" "Proxmox VE Enterprise repository" "$pveenterprise" \
288 | "pve-no-subscription" "Proxmox VE No Subscription repository" "$pvenosubscription" \
289 | "pvetest" "Proxmox VE Testing repository" "$pvetest" 3>&1 1>&2 2>&3)
290 |
291 | }
292 |
293 | ask_bashclub_repo(){
294 |
295 | bashclub_repo=0
296 | install_zsync=0
297 | install_virtio=0
298 | if whiptail --title "INSTALL BASHCLUB REPOSITORY" \
299 | --backtitle "$PROG" \
300 | --yes-button "INSTALL" \
301 | --no-button "SKIP" \
302 | --yesno "Do you want to install the bashclub apt repository?" 9 76 ; then
303 | bashclub_repo=1
304 | if whiptail --title "INSTALL CHECKZFS AND ZSYNC" \
305 | --backtitle "$PROG" \
306 | --yes-button "INSTALL" \
307 | --no-button "SKIP" \
308 | --yesno "Do you want to install checkzfs and bashclub-zsync?" 9 76 ; then
309 | install_zsync=1
310 | fi
311 | if whiptail --title "INSTALL VIRTIO-WIN-ISO" \
312 | --backtitle "$PROG" \
313 | --yes-button "INSTALL" \
314 | --no-button "SKIP" \
315 | --yesno "Do you want to install current stable virtio-win iso?" 9 76 ; then
316 | install_virtio=1
317 | fi
318 | fi
319 | }
320 |
321 | select_ceph_repo(){
322 | none=OFF
323 | quincyenterprise=OFF
324 | quincynosubscription=OFF
325 | quincytest=OFF
326 | reefenterprise=OFF
327 | reefnosubscription=OFF
328 | reeftest=OFF
329 | if [ -f /etc/apt/sources.list.d/ceph.list ]; then
330 | if grep -v '#' /etc/apt/sources.list.d/ceph.list | grep "quincy" | grep "enterprise" > /dev/null ; then
331 | quincyenterprise=ON
332 | elif grep -v '#' /etc/apt/sources.list.d/ceph.list | grep "reef" | grep "enterprise" > /dev/null ; then
333 | reefenterprise=ON
334 | elif grep -v '#' /etc/apt/sources.list.d/ceph.list | grep "quincy" | grep "no-subscription" > /dev/null ; then
335 | quincynosubscription=ON
336 | elif grep -v '#' /etc/apt/sources.list.d/ceph.list | grep "reef" | grep "no-subscription" > /dev/null ; then
337 | reefnosubscription=ON
338 | elif grep -v '#' /etc/apt/sources.list.d/ceph.list | grep "quincy" | grep "test" > /dev/null ; then
339 | quincytest=ON
340 | elif grep -v '#' /etc/apt/sources.list.d/ceph.list | grep "reef" | grep "test" > /dev/null ; then
341 | reeftest=ON
342 | else
343 | none=ON
344 | fi
345 | else
346 | none=ON
347 | fi
348 | ceph_repo_selection=$(whiptail --title "SELECT PVE REPOSITORY" --backtitle "$PROG" \
349 | --radiolist "Choose Ceph repository" 20 76 7 \
350 | "none" "No Ceph repository" "$none" \
351 | "quincyenterprise" "Ceph Quincy Enterprise repository" "$quincyenterprise" \
352 | "quincynosubscription" "Ceph Quincy No Subscription repository" "$quincynosubscription" \
353 | "quincytest" "Ceph Quincy Testing repository" "$quincytest" \
354 | "reefenterprise" "Ceph Reef Enterprise repository" "$reefenterprise" \
355 | "reefnosubscription" "Ceph Reef No Subscription repository" "$reefnosubscription" \
356 | "reeftest" "Ceph Reef Testing repository" "$reeftest" 3>&1 1>&2 2>&3)
357 | }
358 |
359 | set_locales(){
360 | log "Setting locales"
361 | for locale in $locales; do
362 | line=$(grep $locale /etc/locale.gen)
363 | if echo $line | grep "#" > /dev/null 2>&1 ; then
364 | sed -i "s/$line/$(echo $line | cut -d' ' -f2-)/" /etc/locale.gen
365 | fi
366 | done
367 | locale-gen > /dev/null 2>&1
368 | }
369 |
370 | set_ceph_repo(){
371 | log "Setting Ceph package repositories to $ceph_repo_selection"
372 | if [[ "$ceph_repo_selection" != "none" ]]; then
373 | if [[ "$ceph_repo_selection" == *"quincy"* ]]; then
374 | generation=quincy
375 | elif [[ "$ceph_repo_selection" == *"reef"* ]]; then
376 | generation=reef
377 | fi
378 | if [[ "$ceph_repo_selection" == *"enterprise"* ]]; then
379 | selection=enterprise
380 | server=https://enterprise.proxmox.com
381 | elif [[ "$ceph_repo_selection" == *"nosubscription"* ]]; then
382 | selection=no-subscription
383 | server=http://download.proxmox.com
384 | elif [[ "$ceph_repo_selection" == *"test"* ]]; then
385 | selection=test
386 | server=http://download.proxmox.com
387 | fi
388 | echo "deb ${server}/debian/ceph-${generation} $(lsb_release -cs 2>/dev/null) ${selection}" > /etc/apt/sources.list.d/ceph.list
389 | else
390 | rm -f /etc/apt/sources.list.d/ceph.list
391 | fi
392 | }
393 |
394 | set_pve_repo(){
395 | log "Setting Proxmox package repositories to $repo_selection"
396 | nosub=$(grep pve-no-subscription /etc/apt/sources.list)
397 | enterprise=$(grep pve-enterprise /etc/apt/sources.list.d/pve-enterprise.list)
398 | test=$(grep pvetest /etc/apt/sources.list)
399 | if [[ $repo_selection == "pve-enterprise" ]]; then
400 | echo "deb https://enterprise.proxmox.com/debian/pve $VERSION_CODENAME pve-enterprise" > /etc/apt/sources.list.d/pve-enterprise.list
401 | if [[ $nosub != "" ]] && [[ $nosub != *"#"* ]]; then
402 | sed -i "s|$nosub|# $nosub|g" /etc/apt/sources.list
403 | fi
404 | if [[ $test != "" ]] && [[ $test != *"#"* ]]; then
405 | sed -i "s|$test|# $test|g" /etc/apt/sources.list
406 | fi
407 | elif [[ $repo_selection == "pve-no-subscription" ]]; then
408 | if [[ $nosub == "" ]]; then
409 | echo -e "\ndeb http://download.proxmox.com/debian/pve $VERSION_CODENAME pve-no-subscription\n" >> /etc/apt/sources.list
410 | elif [[ $nosub == *"#"* ]]; then
411 | sed -i "s|$nosub|$(echo $nosub | cut -d' ' -f2-)|" /etc/apt/sources.list
412 | fi
413 | if [[ $enterprise != "" ]] && [[ $enterprise != *"#"* ]]; then
414 | sed -i "s|$enterprise|# $enterprise|g" /etc/apt/sources.list.d/pve-enterprise.list
415 | fi
416 | if [[ $test != "" ]] && [[ $test != *"#"* ]]; then
417 | sed -i "s|$test|# $test|g" /etc/apt/sources.list
418 | fi
419 | elif [[ $repo_selection == "pvetest" ]]; then
420 | if [[ $test == "" ]]; then
421 | echo -e "\ndeb http://download.proxmox.com/debian/pve $VERSION_CODENAME pvetest\n" >> /etc/apt/sources.list
422 | elif [[ $test == *"#"* ]]; then
423 | sed -i "s|$test|$(echo $test | cut -d' ' -f2-)|" /etc/apt/sources.list
424 | fi
425 | if [[ $nosub != "" ]] && [[ $nosub != *"#"* ]]; then
426 | sed -i "s|$nosub|# $nosub|g" /etc/apt/sources.list
427 | fi
428 | if [[ $enterprise != "" ]] && [[ $enterprise != *"#"* ]]; then
429 | sed -i "s|$enterprise|# $enterprise|g" /etc/apt/sources.list.d/pve-enterprise.list
430 | fi
431 | fi
432 | }
433 |
434 | set_bashclub_repo (){
435 | if [ $bashclub_repo -gt 0 ]; then
436 | log "Configuring bashclub apt repositories"
437 | echo "deb [signed-by=/usr/share/keyrings/bashclub-archive-keyring.gpg] https://apt.bashclub.org/release bookworm main" > /etc/apt/sources.list.d/bashclub.list
438 | wget -q -O- https://apt.bashclub.org/gpg/bashclub.pub | gpg --dearmor > /usr/share/keyrings/bashclub-archive-keyring.gpg
439 | fi
440 | }
441 |
442 | update_system(){
443 | log "Downloading latest package lists"
444 | apt update > /dev/null 2>&1
445 | log "Upgrading system to latest version - Depending on your version this could take a while..."
446 | DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade > /dev/null 2>&1
447 | }
448 |
449 | install_tools(){
450 | log "Installing toolset - Depending on your version this could take a while..."
451 | if [ $install_zas -gt 0 ]; then
452 | OPTIONAL_TOOLS="zfs-auto-snapshot $OPTIONAL_TOOLS"
453 | fi
454 | if [ $install_zsync -gt 0 ]; then
455 | OPTIONAL_TOOLS="bashclub-zsync $OPTIONAL_TOOLS"
456 | fi
457 | if [ $install_virtio -gt 0 ]; then
458 | OPTIONAL_TOOLS="virtio-win-iso $OPTIONAL_TOOLS"
459 | fi
460 | DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install $REQUIRED_TOOLS $OPTIONAL_TOOLS > /dev/null 2>&1
461 | }
462 |
463 | enable_sdn(){
464 | log "Enabling SDN features"
465 | q=$(cat /etc/network/interfaces | grep "source /etc/network/interfaces.d/*")
466 | if [ $? -gt 0 ]; then
467 | echo "source /etc/network/interfaces.d/*" >> /etc/network/interfaces
468 | fi
469 | }
470 |
471 | set_arc_cache(){
472 | log "Adjusting ZFS level 1 arc (Min: $ZFS_ARC_MIN_MEGABYTES, Max: $ZFS_ARC_MAX_MEGABYTES)"
473 | ZFS_ARC_MIN_BYTES=$((ZFS_ARC_MIN_MEGABYTES * 1024 *1024))
474 | ZFS_ARC_MAX_BYTES=$((ZFS_ARC_MAX_MEGABYTES * 1024 *1024))
475 | echo $ZFS_ARC_MIN_BYTES > /sys/module/zfs/parameters/zfs_arc_min
476 | echo $ZFS_ARC_MAX_BYTES > /sys/module/zfs/parameters/zfs_arc_max
477 | cat << EOF > /etc/modprobe.d/zfs.conf
478 | options zfs zfs_arc_max=$ZFS_ARC_MAX_BYTES
479 | options zfs zfs_arc_min=$ZFS_ARC_MIN_BYTES
480 | EOF
481 | }
482 |
483 | set_auto_snapshot(){
484 |
485 | if [ $install_zas -gt 0 ]; then
486 | # configure zfs-auto-snapshot
487 | for interval in "${!auto_snap_keep[@]}"; do
488 | log "Setting zfs-auto-snapshot retention: $interval = ${auto_snap_keep[$interval]}"
489 | if [[ "$interval" == "frequent" ]]; then
490 | CURRENT=$(cat /etc/cron.d/zfs-auto-snapshot | grep keep | cut -d' ' -f19 | cut -d '=' -f2)
491 | if [[ "${auto_snap_keep[$interval]}" != "$CURRENT" ]]; then
492 | rpl "keep=$CURRENT" "keep=${auto_snap_keep[$interval]}" /etc/cron.d/zfs-auto-snapshot > /dev/null 2>&1
493 | fi
494 | else
495 | CURRENT=$(cat /etc/cron.$interval/zfs-auto-snapshot | grep keep | cut -d' ' -f6 | cut -d'=' -f2)
496 | if [[ "${auto_snap_keep[$interval]}" != "$CURRENT" ]]; then
497 | rpl "keep=$CURRENT" "keep=${auto_snap_keep[$interval]}" /etc/cron.$interval/zfs-auto-snapshot > /dev/null 2>&1
498 | fi
499 | fi
500 | done
501 | fi
502 | }
503 |
504 | set_swappiness(){
505 | log "Setting swappiness to $SWAPPINESS %"
506 | echo "vm.swappiness=$SWAPPINESS" > /etc/sysctl.d/swappiness.conf
507 | sysctl -w vm.swappiness=$SWAPPINESS > /dev/null
508 | }
509 |
510 | pve_conf_backup(){
511 | log "Configuring pve-conf-backup"
512 | zfs list $PVE_CONF_BACKUP_TARGET > /dev/null 2>&1
513 | if [ $? -ne 0 ]; then
514 | zfs create $PVE_CONF_BACKUP_TARGET
515 | fi
516 |
517 | if [[ "$(df -h -t zfs | grep /$ | cut -d ' ' -f1)" == "rpool/ROOT/pve-1" ]] ; then
518 | echo "$PVE_CONF_BACKUP_CRON_TIMER root rsync -va --delete /etc /$PVE_CONF_BACKUP_TARGET > /$PVE_CONF_BACKUP_TARGET/pve-conf-backup.log" > /etc/cron.d/pve-conf-backup
519 | fi
520 | }
521 |
522 | harden_ssh(){
523 | if [ $ssh_hardening -gt 0 ]; then
524 | log "Hardening ssh server"
525 | rm /etc/ssh/ssh_host_*
526 | log "Creating new SSH host keys"
527 | ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N "" > /dev/null 2>&1
528 | ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N "" > /dev/null 2>&1
529 | log "Creating new SSH moduli"
530 | awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
531 | mv /etc/ssh/moduli.safe /etc/ssh/moduli
532 |
533 | log "Writing hardened SSH config"
534 | if [[ $VERSION_CODENAME == "bookworm" ]]; then
535 | echo -e "\n# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nKexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\nHostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com" > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf
536 | elif [[ $VERSION_CODENAME == "bullseye" ]]; then
537 | sed -i 's/^\#HostKey \/etc\/ssh\/ssh_host_\(rsa\|ed25519\)_key$/HostKey \/etc\/ssh\/ssh_host_\1_key/g' /etc/ssh/sshd_config
538 | echo -e echo -e "\n# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nKexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\nHostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com" > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf
539 | fi
540 | systemctl restart ssh.service
541 | fi
542 | }
543 |
544 | ask_mail_config(){
545 | mailconfig=0
546 | smtpauth=0
547 | displayname=""
548 | recipientaddress=""
549 | smtpmode=""
550 | recipientaddress=""
551 | senderaddress=""
552 | username=""
553 | password=""
554 | smtphost=""
555 | if whiptail --title "MAIL DELIVERY" \
556 | --backtitle "$PROG" \
557 | --yes-button "MAIL CONFIG" \
558 | --no-button "SKIP" \
559 | --yesno "Do you want to configure notifications for root@pam(OVERWRITES CURRENT CONFIG)?" 9 76 ; then
560 | mailconfig=1
561 | if ! displayname=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter your sender display name." 9 76 $(hostname -f) 3>&1 1>&2 2>&3); then cancel_dialog; fi
562 | if ! recipientaddress=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter the email address to receive notifications." 9 76 $recipientaddress 3>&1 1>&2 2>&3); then cancel_dialog; fi
563 | if ! smtphost=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter the servername of your smarthost." 9 76 "" 3>&1 1>&2 2>&3); then cancel_dialog; fi
564 | smtpmode=$(whiptail --title "SELECT SMTP MODE" --backtitle "$PROG" \
565 | --radiolist "Choose SMTP mode" 20 76 7 \
566 | "insecure" "insecure (tcp/25)" "OFF" \
567 | "tls" "TLS (tcp/465)" "OFF" \
568 | "starttls" "StartTLS (tcp/587)" "ON" 3>&1 1>&2 2>&3)
569 | if ! senderaddress=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter your sender email address." 9 76 "root@$(hostname -f)" 3>&1 1>&2 2>&3); then cancel_dialog; fi
570 | if whiptail --title "MAIL DELIVERY" \
571 | --backtitle "$PROG" \
572 | --yes-button "CONFIGURE AUTH" \
573 | --no-button "SKIP" \
574 | --yesno "Do you want to configure authentication against your smarthost?" 9 76 ; then
575 | smtpauth=1
576 | if ! username=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --inputbox "Please enter the username for authentication." 9 76 "" 3>&1 1>&2 2>&3); then cancel_dialog; fi
577 | if ! password=$(whiptail --title "MAIL DELIVERY" --backtitle "$PROG" --passwordbox "Please enter the passsword for authentication." 9 76 "" 3>&1 1>&2 2>&3); then cancel_dialog; fi
578 | fi
579 | fi
580 | }
581 |
582 | set_notification() {
583 | if [ $mailconfig -gt 0 ]; then
584 | cat << EOF > /etc/pve/notifications.cfg
585 | matcher: default-matcher
586 | comment Route all notifications to mail-to-root
587 | mode all
588 | target smtp-notification
589 |
590 | smtp: smtp-notification
591 | mailto-user root@pam
592 | mailto $recipientaddress
593 | author $displayname
594 | from-address $senderaddress
595 | server $smtphost
596 | mode $smtpmode
597 | EOF
598 | if [ $smtpauth -gt 0 ];then
599 | cat << EOF >> /etc/pve/notifications.cfg
600 | username $username
601 |
602 | EOF
603 |
604 | cat << EOF > /etc/pve/priv/notifications.cfg
605 | smtp: smtp-notification
606 | password $password
607 | EOF
608 | fi
609 |
610 | pvesh set access/users/root@pam -email $recipientaddress
611 |
612 | fi
613 | }
614 |
615 | create_swap_pool(){
616 | log "Configuring swap storage"
617 | if ! pvesm status | grep swap > /dev/null; then
618 | if ! zfs list rpool/swap > /dev/null 2>&1 ; then
619 | zfs create -o com.sun:auto-snapshot:frequent=false -o com.sun:auto-snapshot:hourly=false -o com.sun:auto-snapshot:daily=false -o com.sun:auto-snapshot:weekly=false -o com.sun:auto-snapshot:monthly=false rpool/swap
620 | else
621 | zfs set com.sun:auto-snapshot:frequent=false com.sun:auto-snapshot:hourly=false com.sun:auto-snapshot:daily=false com.sun:auto-snapshot:weekly=false com.sun:auto-snapshot:monthly=false rpool/swap
622 | zfs inherit com.sun:auto-snapshot rpool/swap
623 | fi
624 | pvesm add zfspool swap --content images,rootdir --pool rpool/swap
625 | fi
626 | }
627 |
628 | ask_volblocksize(){
629 | if whiptail --title "SET DEFAULT BLOCKSIZE" \
630 | --backtitle "$PROG" \
631 | --yes-button "SET BLOCKSIZE" \
632 | --no-button "SKIP" \
633 | --yesno "Do you want to adjust the default blocksize on all zfspool storages?" 9 76 ; then
634 | setblocksize=1
635 | if ! volblocksize=$(whiptail --title "SET DEFAULT BLOCKSIZE" --backtitle "$PROG" --inputbox "Please enter the desired blocksize for your zfspool storages." 9 76 $volblocksize 3>&1 1>&2 2>&3); then cancel_dialog; fi
636 | fi
637 | }
638 |
639 | set_default_volblocksize(){
640 | if [ $setblocksize -gt 0 ]; then
641 | log "Setting default volblocksize=16k to all zfspool storages"
642 | for storage in $(pvesm status | grep zfspool | cut -d' ' -f1); do
643 | pvesm set $storage --blocksize $volblocksize
644 | done
645 | fi
646 | }
647 |
648 | remove_virtiowin_updater() {
649 | log "Removing virtio-win updater if exists"
650 | if [ -f /usr/local/bin/virtio-win-updater ]; then
651 | rm -f /usr/local/bin/virtio-win-updater
652 | fi
653 | if [ -f /etc/cron.daily/virtio-win-updater ]; then
654 | rm -f /etc/cron.daily/virtio-win-updater
655 | fi
656 | }
657 |
658 | installation_task(){
659 | log "Starting Installation"
660 |
661 | set_locales
662 | set_pve_repo
663 | set_ceph_repo
664 | set_bashclub_repo
665 | update_system
666 | install_tools
667 | enable_sdn
668 | set_arc_cache
669 | set_swappiness
670 | set_auto_snapshot
671 | pve_conf_backup
672 | suppress_no_subscription_warning
673 | harden_ssh
674 | set_notification
675 | create_swap_pool
676 | set_default_volblocksize
677 | remove_virtiowin_updater
678 |
679 | log "Updating initramfs - This will take some time..."
680 | update-initramfs -u -k all > /dev/null 2>&1
681 |
682 | }
683 |
684 | summary(){
685 | autosnap=""
686 | for interval in "${!auto_snap_keep[@]}"; do
687 | autosnap="${interval}=${auto_snap_keep[$interval]} ${autosnap}"
688 | done
689 |
690 | if whiptail --title "POSTINSTALL SUMMARY" \
691 | --backtitle $PROG \
692 | --yes-button "INSTALL" \
693 | --no-button "ABORT & EXIT" \
694 | --yesno "Summary: \n\
695 | zfs_arc_min: $ZFS_ARC_MIN_MEGABYTES MB\n\
696 | zfs_arc_max: $ZFS_ARC_MAX_MEGABYTES MB\n\
697 | swappiness: $SWAPPINESS %\n\
698 | locales: $locales\n\
699 | repository: $repo_selection \n\
700 | subscription: $(pvesubscription get | grep status | cut -d' ' -f2)\n\
701 | suppress subscription warning: $suppress_warning\n\
702 | install auto-snapshot: $install_zas ($autosnap)\n\
703 | ssh-hardening: $ssh_hardening\n\
704 | mail delivery: $mailconfig
705 | sender email: $senderaddress
706 | sender display name: $displayname
707 | notification address: $recipientaddress
708 | smarthost: $smtphost
709 | smarthost mode: $smtpmode
710 | smarthost auth: $smtpauth
711 | smarthost username: $username
712 | set blocksize: $setblocksize
713 | volblocksize: $volblocksize
714 | " 30 76 ; then
715 | installation_task
716 | else
717 | cancel_dialog
718 | fi
719 | }
720 |
721 | source /etc/os-release
722 |
723 | # Calculate and suggest values for ZFS L1ARC cache
724 | arc_suggestion
725 |
726 | # Set swapping behaviour
727 | vm_swappiness
728 |
729 | # Ask for additional locales
730 | ask_locales
731 |
732 | # Ask for ssh hardening
733 | ask_ssh_hardening
734 |
735 | # Configure count per interval of zfs-auto-snapshot
736 | auto_snapshot
737 |
738 | # Select proxmox repository
739 | select_pve_repo
740 |
741 | # Select Ceoh repository
742 | select_ceph_repo
743 |
744 | # Ask for adding bashclub repo
745 | ask_bashclub_repo
746 |
747 | # subscription related actions
748 | select_subscription
749 |
750 | # mail delivery config
751 | ask_mail_config
752 |
753 | # set volblocksize
754 | ask_volblocksize
755 |
756 | summary
757 |
758 | log "Proxmox postinstallation finished!"
759 |
--------------------------------------------------------------------------------