diff --git a/Docker/docker-compose Update.sh b/Docker/docker-compose Update.sh new file mode 100644 index 0000000..58923af --- /dev/null +++ b/Docker/docker-compose Update.sh @@ -0,0 +1,22 @@ +#!/bin/sh +# +# Check if user is root +# +if [ $(id -u) != "0" ]; then + echo "Error: You must be root to run this script, please use the root user to install the software." + exit 1 +fi + +if [ ! -f /etc/debian_version ]; then + echo "Unsupported Linux Distribution. Prepared for Debian" + exit 1 +fi +################################################################################ +# +# docker-compose Update +# +################################################################################ +# +apt install -y curl +curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose +chmod +x /usr/local/bin/docker-compose diff --git a/LXC-Debian/LXC_Debian_secure_SSH-Server.sh b/LXC-Debian/LXC_Debian_secure_SSH-Server.sh new file mode 100644 index 0000000..94c1368 --- /dev/null +++ b/LXC-Debian/LXC_Debian_secure_SSH-Server.sh 
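Review bot: The download line `curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose` has no `-f` and no exit-status check (the script does not use `set -e`), so an HTTP error body from GitHub is written over the live binary and the following `chmod +x` makes it executable; write `curl -fL "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose || exit 1`. The file is also installed without any integrity check; download to a temporary path, compare its sha256 with the checksum published alongside the release, and only then move it into `/usr/local/bin`. Resolving `latest` at run time makes reruns non-reproducible, so keeping the release tag in a variable at the top of the script is worth considering.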
@@ -0,0 +1,152 @@ +#!/bin/sh +# +# Check if user is root +# +if [ $(id -u) != "0" ]; then + echo "Error: You must be root to run this script, please use the root user to install the software." + exit 1 +fi + +if [ ! -f /etc/debian_version ]; then + echo "Unsupported Linux Distribution. Prepared for Debian" + exit 1 +fi + +# + + +# Sicherheitskopie der SSH-Serverkonfiguration erstellen +mv /etc/ssh/{sshd_config,sshd_config.orig} + + +# SSH-Key erstellen +ssh-keygen -o -a 100 -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key -C "$(whoami)@$(hostname)-$(date -I)" + +cat > /etc/ssh/sshd_config <<"EOF" +#----------------------------------------------------------- +# General - /etc/ssh/sshd_config +#----------------------------------------------------------- +Port 22 # Custom SSH Port +Protocol 2 # The one and only Protocol + +AddressFamily any # IPv4 and IPv6 Net. Use inet for only IPv4 + +#----------------------------------------------------------- +# HostKey - Only the curvy one +#----------------------------------------------------------- +HostKey /etc/ssh/ssh_host_ed25519_key # Allow only the vely vely secure ECDSA Pub-Key Authentication + +#----------------------------------------------------------- +# Ciphers - Only the ultramodern ones +#----------------------------------------------------------- +KexAlgorithms curve25519-sha256@libssh.org # Key exchange methods to generate per-connection keys +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512 # Message authentication codes used to detect traffic modification +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com # Allow only sexy Encrypt-Ciphers. 
For Android-Connection add aes256-ctr +HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519 # Accepted Pub-Key algorithms for the SSH-Server to authenticate to a SSH-Client + +#----------------------------------------------------------- +# Logging +#----------------------------------------------------------- +LogLevel INFO # VERBOSE for more like key fingerprint logging +SyslogFacility AUTHPRIV # Logging Authentication Commands + +#----------------------------------------------------------- +# Authentication: +#----------------------------------------------------------- +MaxSessions 2 # Maximum allowed User Sessions +MaxAuthTries 3 # Maximum allowed Auth Attempts + +StrictModes yes # Prevents Configuration Errors +LoginGraceTime 60 # Login Period Time to authenticate +PermitRootLogin yes # Disable direct root Login + +PubkeyAuthentication yes # Allow Pub-Key Authentication +PasswordAuthentication no # Allow Password Authentication. Disable if no need + +IgnoreRhosts yes # Disable User Rhost Files +PermitEmptyPasswords no # Disable Empty Passwords +HostbasedAuthentication no # Disable Host-based Authentication +ChallengeResponseAuthentication no + +TCPKeepAlive yes # Prevent from dropping the Connection +ClientAliveCountMax 2 # Sends 2 times ClientAlive Message till drop +ClientAliveInterval 1800 # Kills Connection after 30 Min inactivity + +#----------------------------------------------------------- +# Security +#----------------------------------------------------------- +UsePAM yes # Allow PAM Authentication +Compression no # Disable Compression for better Security + +AllowUsers manager root # Allow special Users. +# AllowGroups sshuser # Allow special Group. 
+ +# RekeyLimit 1G 1H # Limiting amount of data transmitted with a single session key + +Banner none # Disable Banner +DebianBanner no # Disable Banner for Debian-based Systems +VersionAddendum none # Disable SSH Protocol Banner + +PrintMotd no # Disable Message of the Day +PrintLastLog yes # Enable Date and Time of the last user login + +PermitTunnel no # Disable tun Device forwarding. Only SSH Connections! +PermitUserRC no # Disable User RC Files +PermitUserEnvironment no # Disable User Environment Files + +# Disable Forwarding +GatewayPorts no # Disable Remote Port Forwarding +X11Forwarding no # Disable X11 Forwarding/Tunneling (GUI) +AllowTcpForwarding no # Disable TCP Forwarding/Tunneling +AllowAgentForwarding no # Disable Agent Forwarding/Tunneling + +# Disable Kerberos Authentication # Disable Kerberos Authentication +KerberosOrLocalPasswd no +KerberosAuthentication no +KerberosTicketCleanup yes +GSSAPIAuthentication no +GSSAPICleanupCredentials yes + +AuthorizedKeysFile %h/.ssh/authorized_keys # Set AuthorizedKeysFile in a controlled manner + +#----------------------------------------------------------- +# Misc +#----------------------------------------------------------- +UseDNS no # Disables DSN-Lookup for the Love of Speed +AcceptEnv LANG LC_* # Allow locale environment variables for Clients + +#----------------------------------------------------------- +# SFTP +#----------------------------------------------------------- +# SFTP - Enable if need +Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO + +# Set special stuff to special SFTP-Users - Enable if you use SFTP +# Match Group sftp-pimps +# ChrootDirectory /home/%u +# PermitTunnel no +# X11Forwarding no +# AllowTcpForwarding no +# AllowAgentForwarding no +# ForceCommand internal-sftp + +#----------------------------------------------------------- +# Set special SSH-User/Group options +#----------------------------------------------------------- + +# Match User manager +# 
PasswordAuthentication yes +# AllowTcpForwarding yes + +# Match Group sshuser +# PasswordAuthentication yes +# AllowTcpForwarding yes + +#----------------------------------------------------------- +# Documentation +#----------------------------------------------------------- +# https://man7.org/linux/man-pages/man1/ssh-keygen.1.html +# https://man7.org/linux/man-pages/man5/sshd_config.5.html +EOF + +apt autoremove && apt autoclean && apt clean diff --git a/LXC-Debian/PVE01_LXC_Debian_Apt-Cache.sh b/LXC-Debian/PVE01_LXC_Debian_Apt-Cache.sh index 385c942..862ecc4 100644 --- a/LXC-Debian/PVE01_LXC_Debian_Apt-Cache.sh +++ b/LXC-Debian/PVE01_LXC_Debian_Apt-Cache.sh @@ -27,11 +27,6 @@ fi # ################################################################################ # -# root pass: master_user@apt-cacher#01 -# admin pass: admin_user@apt-cacer#01 -# -################################################################################ - apt install -y \ avahi-daemon \ apt-cacher-ng \ diff --git a/LXC-Debian/PVE01_LXC_Debian_Fileserver01.sh b/LXC-Debian/PVE01_LXC_Debian_Fileserver01.sh index cf5f158..8225a92 100644 --- a/LXC-Debian/PVE01_LXC_Debian_Fileserver01.sh +++ b/LXC-Debian/PVE01_LXC_Debian_Fileserver01.sh @@ -25,10 +25,6 @@ fi # ################################################################################ # -# root pass: master_user@apt-cacher#01 -# -################################################################################ -# # echo 'mp0: /storage01/fileserver,mp=/mnt/storage01' >> /etc/pve/nodes/pve01/lxc/119.conf # echo 'mp1: /storage02/fileserver,mp=/mnt/storage02' >> /etc/pve/nodes/pve01/lxc/119.conf # diff --git a/LXC-Debian/PVE01_LXC_Debian_Freshrss.sh b/LXC-Debian/PVE01_LXC_Debian_Freshrss.sh index cab64bc..dfb3ea0 100644 --- a/LXC-Debian/PVE01_LXC_Debian_Freshrss.sh +++ b/LXC-Debian/PVE01_LXC_Debian_Freshrss.sh 
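Review bot: `mv /etc/ssh/{sshd_config,sshd_config.orig}` relies on brace expansion, which the `#!/bin/sh` interpreter (dash on Debian) does not perform, so mv receives the single literal argument, fails, and no backup exists before the heredoc overwrites `/etc/ssh/sshd_config`; use `cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.orig || exit 1`. On a standard Debian install `/etc/ssh/ssh_host_ed25519_key` already exists, so the `ssh-keygen` call prompts to overwrite it and, if answered yes, changes the host fingerprint every client has pinned; skip generation when the file exists or make that choice explicit. In the generated config `PermitRootLogin yes # Disable direct root Login` contradicts its own comment; `PermitRootLogin prohibit-password` matches the stated intent and the `PasswordAuthentication no` line below it (the HostKey comment likewise says ECDSA for an Ed25519 key). The script neither validates nor reloads the new configuration, so a parse error — trailing `# ...` comments after option values are rejected as garbage at end of line by older sshd releases — only surfaces on the next restart, possibly during an unrelated reboot. Add `sshd -t && systemctl restart ssh` as the final step, after confirming that at least one `AllowUsers` account has an `authorized_keys` entry, since password logins are being disabled.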
@@ -28,12 +28,6 @@ fi # Node: PVE01 # ################################################################################ -# -# root pass: master_user#01@vmnets.de -# -# Admin pass: admin_user#01@vmnets.de -# -################################################################################ # # systemctl [start | stop | reload | restart | status] nginx # diff --git a/LXC-Debian/PVE01_LXC_Debian_Gitea.sh b/LXC-Debian/PVE01_LXC_Debian_Gitea.sh index 16ddd46..8c31268 100644 --- a/LXC-Debian/PVE01_LXC_Debian_Gitea.sh +++ b/LXC-Debian/PVE01_LXC_Debian_Gitea.sh @@ -26,10 +26,6 @@ fi # Node: PVE01 # ################################################################################ -# -# root pass: master_user@vm-net#01 -# -################################################################################ # # systemctl [start | stop | reload | restart | status] gitea.service # diff --git a/LXC-Debian/PVE01_LXC_Debian_Jellyfin.sh b/LXC-Debian/PVE01_LXC_Debian_Jellyfin.sh index 3ee1764..cb51f91 100644 --- a/LXC-Debian/PVE01_LXC_Debian_Jellyfin.sh +++ b/LXC-Debian/PVE01_LXC_Debian_Jellyfin.sh @@ -29,11 +29,8 @@ fi # ################################################################################ # -# root pass: master_user#01@vm-net -# # Admin pass: master_user@jellyfin#01 # -# ################################################################################ # # systemctl [start | stop | reload | restart | status] jellyfin diff --git a/LXC-Debian/PVE01_LXC_Debian_MariaDB.sh b/LXC-Debian/PVE01_LXC_Debian_MariaDB.sh index f4d7f37..8793a54 100644 --- a/LXC-Debian/PVE01_LXC_Debian_MariaDB.sh +++ b/LXC-Debian/PVE01_LXC_Debian_MariaDB.sh @@ -25,10 +25,6 @@ fi # ################################################################################ # -# -# -################################################################################ - apt install -y mariadb-server systemctl stop mysql 
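Review bot: The new side still carries `# Admin pass: master_user@jellyfin#01` while the root password comment just above it is removed, so a credential remains committed in this file. Deleting the other `root pass` comments in this commit (Apt-Cache, Fileserver01, Freshrss, Gitea, MariaDB, Seedbox, jDownloader) does not remove them from the repository history, so every password that appeared in these comments should be treated as exposed and rotated. Keep credentials out of the scripts altogether, for example by reading them from an environment variable or a root-only file at run time.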
@@ -102,8 +98,7 @@ systemctl restart mysql.service echo -e '\033[33m------Secure MariaDB installation-----\033[33m' echo -e "\033[0m" -# master_user@mariaDB#01 mysql_secure_installation -apt autoremove && apt autoclean && apt clean \ No newline at end of file +apt autoremove && apt autoclean && apt clean diff --git a/LXC-Debian/PVE01_LXC_Debian_Seedbox.sh b/LXC-Debian/PVE01_LXC_Debian_Seedbox.sh index 152ace0..fecc31a 100644 --- a/LXC-Debian/PVE01_LXC_Debian_Seedbox.sh +++ b/LXC-Debian/PVE01_LXC_Debian_Seedbox.sh @@ -34,8 +34,6 @@ fi # qbittorrent Username is admin. Default password is “adminadmin” # Config: /home/qbittorrent-nox/.config/qBittorrent/qBittorrent.conf # -# root pass: master_user#01@vmnets.de -# ################################################################################ # # @@ -63,7 +61,7 @@ echo "03.Install Jackett" echo "" echo " x. Exit" echo "" -echo -n " Please enter option [01 - 04]" +echo -n " Please enter option [01 - 03]" read opt case $opt in ################################################################################## diff --git a/LXC-Debian/PVE01_LXC_Debian_Syncthing.sh b/LXC-Debian/PVE01_LXC_Debian_Syncthing.sh index 506ed22..4bdc468 100644 --- a/LXC-Debian/PVE01_LXC_Debian_Syncthing.sh +++ b/LXC-Debian/PVE01_LXC_Debian_Syncthing.sh @@ -29,10 +29,6 @@ fi # ################################################################################ # -# -# -################################################################################ -# # echo 'mp0: /storage01/fileserver/syncthing,mp=/srv/syncthing' >> /etc/pve/nodes/pve01/lxc/105.conf # ################################################################################ @@ -103,4 +99,4 @@ cp /home/syncthing/.config/syncthing/config.xml /home/syncthing/.config/syncthin systemctl start syncthing@syncthing.service -apt autoremove && apt autoclean && apt clean \ No newline at end of file +apt autoremove && apt autoclean && apt clean 
diff --git a/LXC-Debian/PVE01_LXC_Debian_jDownloader.sh b/LXC-Debian/PVE01_LXC_Debian_jDownloader.sh index 0d03ee7..494f76c 100644 --- a/LXC-Debian/PVE01_LXC_Debian_jDownloader.sh +++ b/LXC-Debian/PVE01_LXC_Debian_jDownloader.sh @@ -25,10 +25,6 @@ fi # ################################################################################ # -# root pass: master_user#01@vmnets.de -# -################################################################################ -# # echo 'mp0: /srv/fileserver_data/downloads/jdownloader,mp=/opt/jdownloader/Downloads' >> /etc/pve/nodes/pve01/lxc/116.conf # ################################################################################ diff --git a/Proxmox/Proxmox_PVE01.sh b/Proxmox/Proxmox_PVE01.sh new file mode 100644 index 0000000..b724155 --- /dev/null +++ b/Proxmox/Proxmox_PVE01.sh 
@@ -0,0 +1,576 @@ +#!/bin/sh +# +# Check if user is root +# +if [ $(id -u) != "0" ]; then + echo "Error: You must be root to run this script, please use the root user to install the software." + exit 1 +fi + +if [ ! -f /etc/debian_version ]; then + echo "Unsupported Linux Distribution. Prepared for Debian" + exit 1 +fi +################################################################################ +# +# post-installation script for Proxmox@PVE02 +# +################################################################################ +# +# Assumptions: proxmox 8.X installed +# +################################################################################ +# +# root pass: +# +################################################################################ +# +while : +do +clear +echo "" +echo "\033[1m I N S T A L L Proxmox 8.X @ PVE01 " +echo " -----------------------------------------" +echo "\033[0m" +echo "01.Install System" +echo "02.Enable AMD pci passthrough" +echo "03.Enable INTEL pci passthrough" +echo "04.Setup ZFS" +echo "05.Install Cockpit" +echo "06.Install fail2ban" +echo "07.Disable-IPv6" +echo "" +echo " x. 
Exit" +echo "" +echo -n " Please enter option [01 - 08]" +read opt +case $opt in +################################################################################## +01) echo "************ Install System **********************"; +################################################################################## +echo -e '\033[33m------Setup Locales to en_US.UTF-8------\033[33m' +echo -e "\033[0m" +sleep 2 +dpkg-reconfigure locales && update-locale LANG=en_US.UTF-8 && locale-gen --purge --no-archive && update-initramfs -u -k all + +echo -e '\033[33m----Setup Apt-Sources and Upgrade System----\033[33m' +echo -e "\033[0m" +sleep 2 +## Remove enterprise proxmox repo +rm -rf /etc/apt/sources.list.d/pve-enterprise.list +rm -rf /etc/apt/sources.list.d/ceph.list + + +echo -e '\033[33m------Setup Apt-Sources and Upgrade System------\033[33m' +echo -e "\033[0m" +sleep 2 +mv /etc/apt/sources.list /etc/apt/sources.list.default +cat > /etc/apt/sources.list <<"EOF" +deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware +deb http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware +deb http://deb.debian.org/debian-security/ bookworm-security main contrib non-free non-free-firmware + +# proxmox public repo +deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription +EOF + +echo -e '\033[33m----Update proxmox and install various system utils----\033[33m' +echo -e "\033[0m" +sleep 2 +apt update && apt dist-upgrade -y && pveam update + +echo -e '\033[33m----Install common system utilities----\033[33m' +echo -e "\033[0m" +sleep 2 +apt install -y \ + acpi \ + acpid \ + acpi-support \ + cpufrequtils \ + pve-headers \ + apt-listchanges \ + curl \ + git \ + wget \ + net-tools \ + screen \ + saidar \ + unzip \ + htop \ + iptraf \ + iotop \ + iftop \ + lshw \ + mc \ + powertop \ + unattended-upgrades \ + smartmontools \ + ethtool + +# sysbench sshfs make nfs-kernel-server portmap pv + +echo -e '\033[33m------Setup 
Unattended-Upgrades------\033[33m' +echo -e "\033[0m" +sleep 2 +dpkg-reconfigure -plow unattended-upgrades +echo "Unattended-Upgrade::Mail "root";" >> /etc/apt/apt.conf.d/50unattended-upgrades +echo "APT::Periodic::Verbose "2";" >> /etc/apt/apt.conf.d/20auto-upgrades + + +echo -e '\033[33m----Install apticron----\033[33m' +echo -e "\033[0m" +apt install -y apticron + +cat > /etc/apticron/apticron.conf <<"EOF" +EMAIL="root" +# DIFF_ONLY="1" +LISTCHANGES_PROFILE="apticron" +ALL_FQDNS="1" +SYSTEM="pve01.home.lan +# IPADDRESSNUM="1" +IPADDRESSES="192.168.10.50" +# NOTIFY_HOLDS="0" +NOTIFY_NEW="1" +CUSTOM_SUBJECT="System updates." +CUSTOM_NO_UPDATES_SUBJECT="System updates - no updates." +# CUSTOM_FROM="" +EOF + +cp /etc/cron.d/apticron /etc/cron.daily/apticron + +echo -e '\033[33m----Setup SystemD Service----\033[33m' +echo -e "\033[0m" +sleep 2 +# Remove conflicting utilities +apt purge -y ntp openntpd chrony + +## tmp.mount +cp /usr/share/systemd/tmp.mount /etc/systemd/system/ && systemctl enable tmp.mount && systemctl start tmp.mount + +## fstrim timer +systemctl enable --now fstrim.timer + +## journald +echo "SystemMaxUse=100M " >> /etc/systemd/journald.conf + +## Set Timezone and enable NTP +timedatectl set-timezone Europe/Berlin + +apt install -y systemd-timesyncd + +cp /etc/systemd/timesyncd.conf /etc/systemd/timesyncd.default +cat > /etc/systemd/timesyncd.conf <<"EOF" +[Time] +NTP=192.168.10.1 192.168.10.254 +#NTP=0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org +FallbackNTP=0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org +RootDistanceMaxSec=5 +PollIntervalMinSec=32 +PollIntervalMaxSec=2048 +EOF +systemctl restart systemd-timesyncd && timedatectl set-ntp true + +# timedatectl status + +## Disable portmapper / rpcbind (security) +systemctl disable rpcbind && systemctl stop rpcbind + + +echo -e '\033[33m----Optimise tcp ip----\033[33m' +echo -e "\033[0m" +sleep 2 +mv /etc/sysctl.conf /etc/sysctl.conf.default +cat 
> /etc/sysctl.conf <<"EOF" +############################# +## CPU tweaks # +############################# +# +## Queue size modifications +net.core.optmem_max=20480 +net.unix.max_dgram_qlen=50 +# +## Net Core Settings +## Location: /proc/sys/net/core +net.core.wmem_max=524288 +net.core.rmem_max=524288 +net.core.rmem_default=256960 +net.core.wmem_default=256960 +# +############################# +## VM & Filesystem tweaks # +############################# +fs.lease-break-time=10 +fs.file-max = 262140 +vm.overcommit_memory=1 +vm.oom_dump_tasks=1 +vm.page-cluster=0 +vm.swappiness = 10 +vm.vfs_cache_pressure = 10000 +vm.dirty_ratio = 10 +vm.dirty_background_ratio = 5 +# +############################# +## Net Speed tweaks # +############################# +# +## UnderUtilized Networking Tweaks below as recommended by avgjoemomma (from XDA) +net.core.default_qdisc=fq +net.ipv4.tcp_congestion_control=bbr +#net.ipv4.tcp_congestion_control=cubic +# +net.core.netdev_max_backlog = 100000 +net.core.netdev_budget = 50000 +net.core.netdev_budget_usecs = 5000 +net.core.somaxconn = 1024 +net.core.rmem_default = 1048576 +net.core.rmem_max = 16777216 +net.core.wmem_default = 1048576 +net.core.wmem_max = 16777216 +net.core.optmem_max = 65536 +net.ipv4.tcp_rmem = 4096 1048576 2097152 +net.ipv4.tcp_wmem = 4096 65536 16777216 +net.ipv4.udp_rmem_min = 8192 +net.ipv4.udp_wmem_min = 8192 +net.ipv4.tcp_fastopen = 3 +# +# TCP keepalive parameters +#net.ipv4.tcp_keepalive_time = 60 +net.ipv4.tcp_keepalive_intvl = 10 +net.ipv4.tcp_keepalive_probes = 6 +# +# # Hardening the TCP/IP stack to SYN attacks +net.ipv4.tcp_syncookies=1 +net.ipv4.conf.all.rp_filter=1 +net.ipv4.conf.default.rp_filter=1 +net.ipv4.tcp_synack_retries=2 +net.ipv4.tcp_syn_retries=2 +net.ipv4.tcp_max_syn_backlog=1024 +net.ipv4.tcp_max_tw_buckets=16384 +#net.ipv4.icmp_echo_ignore_all=1 +#net.ipv4.icmp_ignore_bogus_error_responses=1 +net.ipv4.tcp_no_metrics_save=1 +net.ipv4.tcp_fin_timeout=15 +net.ipv4.tcp_keepalive_time=1800 
+net.ipv4.tcp_moderate_rcvbuf=1 +net.ipv4.route.flush=1 +net.ipv4.udp_rmem_min=6144 +net.ipv4.udp_wmem_min=6144 +net.ipv4.tcp_rfc1337=1 +net.ipv4.ip_no_pmtu_disc=0 +net.ipv4.tcp_ecn=0 +net.ipv4.tcp_sack=1 +net.ipv4.tcp_fack=1 +# +# Don't accept source routing +net.ipv4.conf.default.accept_source_route=0 +net.ipv4.conf.all.accept_source_route=0 +# +# Don't accept redirects +net.ipv4.conf.all.accept_redirects=0 +net.ipv4.conf.default.accept_redirects=0 +net.ipv4.conf.all.secure_redirects=0 +net.ipv4.conf.default.secure_redirects=0 +# +net.ipv4.ip_forward=1 +net.ipv6.conf.all.forwarding=1 +EOF +/sbin/sysctl -p + + +echo -e '\033[33m----Setup Grub----\033[33m' +echo -e "\033[0m" +sleep 2 +cp /etc/default/grub /etc/default/grub.old + +# GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 acpi=force pcie_aspm=force nmi_watchdog=0" +sed -i 's/#GRUB_GFXMODE=640x480/GRUB_GFXMODE=1920x1080x32/g' /etc/default/grub +# sed -i 's/GRUB_TIMEOUT=5/GRUB_TIMEOUT=0/g' /etc/default/grub +update-grub + + +echo -e '\033[33m----Increase vzdump backup speed----\033[33m' +echo -e "\033[0m" +sleep 2 +sed -i "s/#bwlimit: KBPS/bwlimit: 10240000/" /etc/vzdump.conf + + +echo -e '\033[33m----Increase max user watches / BUG FIX : No space left on device ----\033[33m' +echo -e "\033[0m" +sleep 2 +echo 1048576 > /proc/sys/fs/inotify/max_user_watches +echo "fs.inotify.max_user_watches=1048576" >> /etc/sysctl.conf +sysctl -p /etc/sysctl.conf + + +echo -e '\033[33m----Increase max FD limit / ulimit----\033[33m' +echo -e "\033[0m" +sleep 2 +cat <<'EOF' >> /etc/security/limits.conf +* soft nproc 131072 +* hard nproc 131072 +* soft nofile 131072 +* hard nofile 131072 +root soft nproc 131072 +root hard nproc 131072 +root soft nofile 131072 +root hard nofile 131072 +EOF + + +echo -e '\033[33m----Increase kernel max Key limit----\033[33m' +echo -e "\033[0m" +sleep 2 +cat <<'EOF' > /etc/sysctl.d/60-maxkeys.conf +kernel.keys.root_maxkeys=1000000 +kernel.keys.maxkeys=1000000 +EOF + + +echo -e '\033[33m----Remove 
Subscription-Banner----\033[33m' +echo -e "\033[0m" +sleep 2 +cat > /root/subscription_banner.sh <> /etc/crontab + + +echo -e '\033[33m----Install log2ram----\033[33m' +echo -e "\033[0m" +sleep 2 +echo "deb [signed-by=/usr/share/keyrings/azlux-archive-keyring.gpg] http://packages.azlux.fr/debian/ bookworm main" | tee /etc/apt/sources.list.d/azlux.list +wget -O /usr/share/keyrings/azlux-archive-keyring.gpg https://azlux.fr/repo.gpg +apt update && apt -y install log2ram + +sed -i "s/SIZE=128M/SIZE=1024M/g" /etc/log2ram.conf + +systemctl restart log2ram + + +echo -e '\033[33m----Install ZSWAP---\033[33m' +echo -e "\033[0m" +sleep 2 +swapoff --all && free +# grep swap /etc/fstab + +apt install -y zram-tools && zramswap stop + +mv /etc/default/zramswap /etc/default/zramswap.default + +cat > /etc/default/zramswap <<"EOF" +# Compression algorithm selection +# speed: lz4 > zstd > lzo +# compression: zstd > lzo > lz4 +# This is not inclusive of all that is available in latest kernels +# See /sys/block/zram0/comp_algorithm (when zram module is loaded) to see +# what is currently set and available for your kernel[1] +# [1] https://github.com/torvalds/linux/blob/master/Documentation/blockdev/zram.txt#L86 +ALGO=lz4 + +# Specifies the amount of RAM that should be used for zram +# based on a percentage the total amount of available memory +# This takes precedence and overrides SIZE below +# PERCENT=5 + +# Specifies a static amount of RAM that should be used for +# the ZRAM devices, this is in MiB +SIZE=1024 + +# Specifies the priority for the swap devices, see swapon(2) +# for more details. Higher number = higher priority +# This should probably be higher than hdd/ssd swaps. 
+PRIORITY=100 +EOF + +zramswap start && zramswap status + +# cat /proc/swaps + + +echo -e '\033[33m------secure SSH-Server------\033[33m' +echo -e "\033[0m" +sleep 2 +echo "sshd: ALL EXCEPT LOCAL" >> /etc/hosts.deny +echo "sshd: 192.168.10.0/255.255.255.0" >> /etc/hosts.allow + + +echo -e '\033[33m----Remove no longer required packages and purge old cached updates----\033[33m' +echo -e "\033[0m" +sleep 2 +apt autoremove -y && apt autoclean -y +;; + +################################################################################## +02) echo "************ Enable AMD pci passthrough ****************"; +################################################################################## +apt install -y amd64-microcode + +echo "vfio" >> /etc/modules +echo "vfio_iommu_type1" >> /etc/modules +echo "vfio_pci" >> /etc/modules +echo "vfio_virqfd" >> /etc/modules +# Test +# dmesg | grep -e DMAR -e IOMMU + +sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="quiet"/GRUB_CMDLINE_LINUX_DEFAULT="quiet amd_iommu=on iommu=pt"/g' /etc/default/grub +update-grub +;; + +################################################################################## +03) echo "************ Enable INTEL pci passthrough *****************"; +################################################################################## +apt install -y intel-microcode + +echo "vfio" >> /etc/modules +echo "vfio_iommu_type1" >> /etc/modules +echo "vfio_pci" >> /etc/modules +echo "vfio_virqfd" >> /etc/modules +# Test +# dmesg | grep -e DMAR -e IOMMU + +sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="quiet"/GRUB_CMDLINE_LINUX_DEFAULT="quiet intel_iommu=on iommu=pt"/g' /etc/default/grub +update-grub +;; + +################################################################################## +04) echo "************ Setup ZFS ******************"; +################################################################################## +# zpool set autotrim=on rpool +# zpool set autotrim=on storage01 +# zpool set autotrim=on storage02 + + +cat > 
/etc/modprobe.d/zfs.conf <<"EOF" +# yes you really DO have to specify zfs_arc_max IN BYTES ONLY! +# 16GB=17179869184, 8GB=8589934592, 7GB=7516192768 ,6GB=6442450944, +# 4GB=4294967296, 2GB=2147483648, 1GB=1073741824 +# +options zfs zfs_arc_min=4294967296 +options zfs zfs_arc_max=17179869184 + +# ZFS File level prefetch tuning +options zfs zfs_prefetch_disable=0 + +# ZFS Device level prefetch tuning +options zfs zfs_vdev_cache_size=1310720 +options zfs zfs_vdev_cache_max=131072 +options zfs zfs_vdev_cache_bshift=17 + +# Chunk size tuning +options zfs zfs_read_chunk_size=1310720 + +# increase them so scrub/resilver is more quickly at the cost of other work +options zfs zfs_vdev_scrub_min_active=24 +options zfs zfs_vdev_scrub_max_active=64 + +# sync write +options zfs zfs_vdev_sync_write_min_active=8 +options zfs zfs_vdev_sync_write_max_active=32 + +# sync reads (normal) +options zfs zfs_vdev_sync_read_min_active=8 +options zfs zfs_vdev_sync_read_max_active=32 + +# async reads : prefetcher +options zfs zfs_vdev_async_read_min_active=8 +options zfs zfs_vdev_async_read_max_active=32 + +# async write : bulk writes +options zfs zfs_vdev_async_write_min_active=8 +options zfs zfs_vdev_async_write_max_active=32 + +# zfs_dirty_data_max_percent (Default is 10%) +options zfs zfs_dirty_data_max_percent=40 + +# zfs_top_maxinflight (Maximum number of scrub I/O ,default 32) +options zfs zfs_top_maxinflight=320 + +# zfs_txg_timeout +# There is a time before async writes are written to disk, this makes it possible +# for ZFS to write a larger piece. 
(default 30 seconds) +options zfs zfs_txg_timeout=15 + +# zfs_vdev_scheduler (default : noop) +# options zfs zfs_vdev_scheduler=deadline +EOF + +update-initramfs -u +;; + +################################################################################## +05) echo "************ Install Cockpit **************************"; +################################################################################## +# apt install -y cockpit cockpit-bridge cockpit-system cockpit-networkmanager cockpit-packagekit cockpit-storaged +# apt install -y nfs-kernel-server samba +# echo -e "portmap: ALL" >> /etc/hosts.deny +# echo -e "portmap: 192.168.10.0/24" >> /etc/hosts.allow + +apt -t bookworm-backports install cockpit --no-install-recommends + +#apt install -y tuned tuned-utils tuned-utils-systemtap + +git clone https://github.com/optimans/cockpit-zfs-manager.git +cp -r cockpit-zfs-manager/zfs /usr/share/cockpit +;; + +################################################################################## +06) echo "************ Install fail2ban **************************"; +################################################################################## +apt install fail2ban -y + +cat > /etc/fail2ban/jail.local <<"EOF" +[sshd] +enabled = true +port = ssh +logpath = %(sshd_log)s +maxretry = 3 +# 1 hour +bantime = 3600 + +[proxmox] +enabled = true +port = https,http,8006 +filter = proxmox +logpath = /var/log/daemon.log +maxretry = 3 +# 1 hour +bantime = 3600 +EOF + +cat > /etc/fail2ban/filter.d/proxmox.conf <<"EOF" +[Definition] +failregex = pvedaemon\[.*authentication failure; rhost= user=.* msg=.* +ignoreregex = +EOF + +systemctl restart fail2ban + +# fail2ban-client status sshd +# fail2ban-client status proxmox +;; + + +################################################################################## +07) echo "************ Disable-IPv6 **************************"; +################################################################################## +cat > 
/etc/sysctl.d/70-disable-ipv6.conf <<"EOF" +net.ipv6.conf.all.disable_ipv6 = 1 +EOF +sysctl -p -f /etc/sysctl.d/70-disable-ipv6.conf + +# Remove IPv6 hosts: +sed -i '/::/s%^%#%g' /etc/hosts + +## ip addr show | grep inet6 +;; + +x) echo ""; +exit 1;; +*) echo " Press [enter] key to continue. . ."; +read enterKey;; +esac +done
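Review bot: The apticron configuration written in case 01 has an unterminated string, `SYSTEM="pve01.home.lan`; apticron sources that file as shell, so the lines that follow are swallowed into the string up to the next quote and the file does not parse as intended — write `SYSTEM="pve01.home.lan"`. In the same case, `echo "Unattended-Upgrade::Mail "root";"` and `echo "APT::Periodic::Verbose "2";"` lose their inner quotes to the shell and append `Unattended-Upgrade::Mail root;`, not the quoted form apt.conf(5) documents; use `echo 'Unattended-Upgrade::Mail "root";' >> /etc/apt/apt.conf.d/50unattended-upgrades` and the same single-quoting for the second line. Case 05 runs `apt -t bookworm-backports install cockpit`, but the `/etc/apt/sources.list` written in case 01 contains no backports entry, so that call fails unless the suite is added first. The `[proxmox]` jail in case 06 reads `/var/log/daemon.log`, which only exists when rsyslog is installed; on a journal-only host use `backend = systemd` instead, and confirm the committed `failregex` contains a `<HOST>` group, since this rendering shows `rhost= user=` with nothing between them (the `cat > /root/subscription_banner.sh <> /etc/crontab` line looks truncated the same way). The `sshd:` entries appended to `/etc/hosts.allow` and `/etc/hosts.deny` only take effect if this sshd is built with libwrap, which recent Debian openssh packages may not include — check with `ldd "$(command -v sshd)" | grep -i wrap` and, if it is absent, rely on the fail2ban jail plus a host firewall rule for the same subnet.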