2025.04.11-11:50

This commit is contained in:
2025-04-11 11:47:25 +02:00
parent 182023b312
commit e47962aeaa
12 changed files with 753 additions and 40 deletions

View File

@ -0,0 +1,22 @@
#!/bin/sh
#
# Check if user is root
#
if [ $(id -u) != "0" ]; then
echo "Error: You must be root to run this script, please use the root user to install the software."
exit 1
fi
if [ ! -f /etc/debian_version ]; then
echo "Unsupported Linux Distribution. Prepared for Debian"
exit 1
fi
################################################################################
#
# docker-compose Update
#
################################################################################
#
apt install -y curl
curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose

View File

@ -0,0 +1,152 @@
#!/bin/sh
#
# Check if user is root
#
if [ $(id -u) != "0" ]; then
echo "Error: You must be root to run this script, please use the root user to install the software."
exit 1
fi
if [ ! -f /etc/debian_version ]; then
echo "Unsupported Linux Distribution. Prepared for Debian"
exit 1
fi
#
# Sicherheitskopie der SSH-Serverkonfiguration erstellen
mv /etc/ssh/{sshd_config,sshd_config.orig}
# SSH-Key erstellen
ssh-keygen -o -a 100 -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key -C "$(whoami)@$(hostname)-$(date -I)"
cat > /etc/ssh/sshd_config <<"EOF"
#-----------------------------------------------------------
# General - /etc/ssh/sshd_config
#-----------------------------------------------------------
Port 22 # Custom SSH Port
Protocol 2 # The one and only Protocol
AddressFamily any # IPv4 and IPv6 Net. Use inet for only IPv4
#-----------------------------------------------------------
# HostKey - Only the curvy one
#-----------------------------------------------------------
HostKey /etc/ssh/ssh_host_ed25519_key # Allow only the vely vely secure ECDSA Pub-Key Authentication
#-----------------------------------------------------------
# Ciphers - Only the ultramodern ones
#-----------------------------------------------------------
KexAlgorithms curve25519-sha256@libssh.org # Key exchange methods to generate per-connection keys
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512 # Message authentication codes used to detect traffic modification
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com # Allow only sexy Encrypt-Ciphers. For Android-Connection add aes256-ctr
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519 # Accepted Pub-Key algorithms for the SSH-Server to authenticate to a SSH-Client
#-----------------------------------------------------------
# Logging
#-----------------------------------------------------------
LogLevel INFO # VERBOSE for more like key fingerprint logging
SyslogFacility AUTHPRIV # Logging Authentication Commands
#-----------------------------------------------------------
# Authentication:
#-----------------------------------------------------------
MaxSessions 2 # Maximum allowed User Sessions
MaxAuthTries 3 # Maximum allowed Auth Attempts
StrictModes yes # Prevents Configuration Errors
LoginGraceTime 60 # Login Period Time to authenticate
PermitRootLogin yes # Disable direct root Login
PubkeyAuthentication yes # Allow Pub-Key Authentication
PasswordAuthentication no # Allow Password Authentication. Disable if no need
IgnoreRhosts yes # Disable User Rhost Files
PermitEmptyPasswords no # Disable Empty Passwords
HostbasedAuthentication no # Disable Host-based Authentication
ChallengeResponseAuthentication no
TCPKeepAlive yes # Prevent from dropping the Connection
ClientAliveCountMax 2 # Sends 2 times ClientAlive Message till drop
ClientAliveInterval 1800 # Kills Connection after 30 Min inactivity
#-----------------------------------------------------------
# Security
#-----------------------------------------------------------
UsePAM yes # Allow PAM Authentication
Compression no # Disable Compression for better Security
AllowUsers manager root # Allow special Users.
# AllowGroups sshuser # Allow special Group.
# RekeyLimit 1G 1H # Limiting amount of data transmitted with a single session key
Banner none # Disable Banner
DebianBanner no # Disable Banner for Debian-based Systems
VersionAddendum none # Disable SSH Protocol Banner
PrintMotd no # Disable Message of the Day
PrintLastLog yes # Enable Date and Time of the last user login
PermitTunnel no # Disable tun Device forwarding. Only SSH Connections!
PermitUserRC no # Disable User RC Files
PermitUserEnvironment no # Disable User Environment Files
# Disable Forwarding
GatewayPorts no # Disable Remote Port Forwarding
X11Forwarding no # Disable X11 Forwarding/Tunneling (GUI)
AllowTcpForwarding no # Disable TCP Forwarding/Tunneling
AllowAgentForwarding no # Disable Agent Forwarding/Tunneling
# Disable Kerberos Authentication # Disable Kerberos Authentication
KerberosOrLocalPasswd no
KerberosAuthentication no
KerberosTicketCleanup yes
GSSAPIAuthentication no
GSSAPICleanupCredentials yes
AuthorizedKeysFile %h/.ssh/authorized_keys # Set AuthorizedKeysFile in a controlled manner
#-----------------------------------------------------------
# Misc
#-----------------------------------------------------------
UseDNS no # Disables DSN-Lookup for the Love of Speed
AcceptEnv LANG LC_* # Allow locale environment variables for Clients
#-----------------------------------------------------------
# SFTP
#-----------------------------------------------------------
# SFTP - Enable if need
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
# Set special stuff to special SFTP-Users - Enable if you use SFTP
# Match Group sftp-pimps
# ChrootDirectory /home/%u
# PermitTunnel no
# X11Forwarding no
# AllowTcpForwarding no
# AllowAgentForwarding no
# ForceCommand internal-sftp
#-----------------------------------------------------------
# Set special SSH-User/Group options
#-----------------------------------------------------------
# Match User manager
# PasswordAuthentication yes
# AllowTcpForwarding yes
# Match Group sshuser
# PasswordAuthentication yes
# AllowTcpForwarding yes
#-----------------------------------------------------------
# Documentation
#-----------------------------------------------------------
# https://man7.org/linux/man-pages/man1/ssh-keygen.1.html
# https://man7.org/linux/man-pages/man5/sshd_config.5.html
EOF
apt autoremove && apt autoclean && apt clean

View File

@ -27,11 +27,6 @@ fi
# #
################################################################################ ################################################################################
# #
# root pass: master_user@apt-cacher#01
# admin pass: admin_user@apt-cacer#01
#
################################################################################
apt install -y \ apt install -y \
avahi-daemon \ avahi-daemon \
apt-cacher-ng \ apt-cacher-ng \

View File

@ -25,10 +25,6 @@ fi
# #
################################################################################ ################################################################################
# #
# root pass: master_user@apt-cacher#01
#
################################################################################
#
# echo 'mp0: /storage01/fileserver,mp=/mnt/storage01' >> /etc/pve/nodes/pve01/lxc/119.conf # echo 'mp0: /storage01/fileserver,mp=/mnt/storage01' >> /etc/pve/nodes/pve01/lxc/119.conf
# echo 'mp1: /storage02/fileserver,mp=/mnt/storage02' >> /etc/pve/nodes/pve01/lxc/119.conf # echo 'mp1: /storage02/fileserver,mp=/mnt/storage02' >> /etc/pve/nodes/pve01/lxc/119.conf
# #

View File

@ -29,12 +29,6 @@ fi
# #
################################################################################ ################################################################################
# #
# root pass: master_user#01@vmnets.de
#
# Admin pass: admin_user#01@vmnets.de
#
################################################################################
#
# systemctl [start | stop | reload | restart | status] nginx # systemctl [start | stop | reload | restart | status] nginx
# #
# systemctl [start | stop | reload | restart | status] php8.2-fpm # systemctl [start | stop | reload | restart | status] php8.2-fpm

View File

@ -27,10 +27,6 @@ fi
# #
################################################################################ ################################################################################
# #
# root pass: master_user@vm-net#01
#
################################################################################
#
# systemctl [start | stop | reload | restart | status] gitea.service # systemctl [start | stop | reload | restart | status] gitea.service
# #
# #

View File

@ -29,11 +29,8 @@ fi
# #
################################################################################ ################################################################################
# #
# root pass: master_user#01@vm-net
#
# Admin pass: master_user@jellyfin#01 # Admin pass: master_user@jellyfin#01
# #
#
################################################################################ ################################################################################
# #
# systemctl [start | stop | reload | restart | status] jellyfin # systemctl [start | stop | reload | restart | status] jellyfin

View File

@ -25,10 +25,6 @@ fi
# #
################################################################################ ################################################################################
# #
#
#
################################################################################
apt install -y mariadb-server apt install -y mariadb-server
systemctl stop mysql systemctl stop mysql
@ -102,7 +98,6 @@ systemctl restart mysql.service
echo -e '\033[33m------Secure MariaDB installation-----\033[33m' echo -e '\033[33m------Secure MariaDB installation-----\033[33m'
echo -e "\033[0m" echo -e "\033[0m"
# master_user@mariaDB#01
mysql_secure_installation mysql_secure_installation

View File

@ -34,8 +34,6 @@ fi
# qbittorrent Username is admin. Default password is “adminadmin” # qbittorrent Username is admin. Default password is “adminadmin”
# Config: /home/qbittorrent-nox/.config/qBittorrent/qBittorrent.conf # Config: /home/qbittorrent-nox/.config/qBittorrent/qBittorrent.conf
# #
# root pass: master_user#01@vmnets.de
#
################################################################################ ################################################################################
# #
# #
@ -63,7 +61,7 @@ echo "03.Install Jackett"
echo "" echo ""
echo " x. Exit" echo " x. Exit"
echo "" echo ""
echo -n " Please enter option [01 - 04]" echo -n " Please enter option [01 - 03]"
read opt read opt
case $opt in case $opt in
################################################################################## ##################################################################################

View File

@ -29,10 +29,6 @@ fi
# #
################################################################################ ################################################################################
# #
#
#
################################################################################
#
# echo 'mp0: /storage01/fileserver/syncthing,mp=/srv/syncthing' >> /etc/pve/nodes/pve01/lxc/105.conf # echo 'mp0: /storage01/fileserver/syncthing,mp=/srv/syncthing' >> /etc/pve/nodes/pve01/lxc/105.conf
# #
################################################################################ ################################################################################

View File

@ -25,10 +25,6 @@ fi
# #
################################################################################ ################################################################################
# #
# root pass: master_user#01@vmnets.de
#
################################################################################
#
# echo 'mp0: /srv/fileserver_data/downloads/jdownloader,mp=/opt/jdownloader/Downloads' >> /etc/pve/nodes/pve01/lxc/116.conf # echo 'mp0: /srv/fileserver_data/downloads/jdownloader,mp=/opt/jdownloader/Downloads' >> /etc/pve/nodes/pve01/lxc/116.conf
# #
################################################################################ ################################################################################

576
Proxmox/Proxmox_PVE01.sh Normal file
View File

@ -0,0 +1,576 @@
#!/bin/sh
#
# Check if user is root
#
if [ $(id -u) != "0" ]; then
echo "Error: You must be root to run this script, please use the root user to install the software."
exit 1
fi
if [ ! -f /etc/debian_version ]; then
echo "Unsupported Linux Distribution. Prepared for Debian"
exit 1
fi
################################################################################
#
# post-installation script for Proxmox@PVE02
#
################################################################################
#
# Assumptions: proxmox 8.X installed
#
################################################################################
#
# root pass:
#
################################################################################
#
while :
do
clear
echo ""
echo "\033[1m I N S T A L L Proxmox 8.X @ PVE01 "
echo " -----------------------------------------"
echo "\033[0m"
echo "01.Install System"
echo "02.Enable AMD pci passthrough"
echo "03.Enable INTEL pci passthrough"
echo "04.Setup ZFS"
echo "05.Install Cockpit"
echo "06.Install fail2ban"
echo "07.Disable-IPv6"
echo ""
echo " x. Exit"
echo ""
echo -n " Please enter option [01 - 08]"
read opt
case $opt in
##################################################################################
01) echo "************ Install System **********************";
##################################################################################
echo -e '\033[33m------Setup Locales to en_US.UTF-8------\033[33m'
echo -e "\033[0m"
sleep 2
dpkg-reconfigure locales && update-locale LANG=en_US.UTF-8 && locale-gen --purge --no-archive && update-initramfs -u -k all
echo -e '\033[33m----Setup Apt-Sources and Upgrade System----\033[33m'
echo -e "\033[0m"
sleep 2
## Remove enterprise proxmox repo
rm -rf /etc/apt/sources.list.d/pve-enterprise.list
rm -rf /etc/apt/sources.list.d/ceph.list
echo -e '\033[33m------Setup Apt-Sources and Upgrade System------\033[33m'
echo -e "\033[0m"
sleep 2
mv /etc/apt/sources.list /etc/apt/sources.list.default
cat > /etc/apt/sources.list <<"EOF"
deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
deb http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
deb http://deb.debian.org/debian-security/ bookworm-security main contrib non-free non-free-firmware
# proxmox public repo
deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription
EOF
echo -e '\033[33m----Update proxmox and install various system utils----\033[33m'
echo -e "\033[0m"
sleep 2
apt update && apt dist-upgrade -y && pveam update
echo -e '\033[33m----Install common system utilities----\033[33m'
echo -e "\033[0m"
sleep 2
apt install -y \
acpi \
acpid \
acpi-support \
cpufrequtils \
pve-headers \
apt-listchanges \
curl \
git \
wget \
net-tools \
screen \
saidar \
unzip \
htop \
iptraf \
iotop \
iftop \
lshw \
mc \
powertop \
unattended-upgrades \
smartmontools \
ethtool
# sysbench sshfs make nfs-kernel-server portmap pv
echo -e '\033[33m------Setup Unattended-Upgrades------\033[33m'
echo -e "\033[0m"
sleep 2
dpkg-reconfigure -plow unattended-upgrades
echo "Unattended-Upgrade::Mail "root";" >> /etc/apt/apt.conf.d/50unattended-upgrades
echo "APT::Periodic::Verbose "2";" >> /etc/apt/apt.conf.d/20auto-upgrades
echo -e '\033[33m----Install apticron----\033[33m'
echo -e "\033[0m"
apt install -y apticron
cat > /etc/apticron/apticron.conf <<"EOF"
EMAIL="root"
# DIFF_ONLY="1"
LISTCHANGES_PROFILE="apticron"
ALL_FQDNS="1"
SYSTEM="pve01.home.lan
# IPADDRESSNUM="1"
IPADDRESSES="192.168.10.50"
# NOTIFY_HOLDS="0"
NOTIFY_NEW="1"
CUSTOM_SUBJECT="System updates."
CUSTOM_NO_UPDATES_SUBJECT="System updates - no updates."
# CUSTOM_FROM=""
EOF
cp /etc/cron.d/apticron /etc/cron.daily/apticron
echo -e '\033[33m----Setup SystemD Service----\033[33m'
echo -e "\033[0m"
sleep 2
# Remove conflicting utilities
apt purge -y ntp openntpd chrony
## tmp.mount
cp /usr/share/systemd/tmp.mount /etc/systemd/system/ && systemctl enable tmp.mount && systemctl start tmp.mount
## fstrim timer
systemctl enable --now fstrim.timer
## journald
echo "SystemMaxUse=100M " >> /etc/systemd/journald.conf
## Set Timezone and enable NTP
timedatectl set-timezone Europe/Berlin
apt install -y systemd-timesyncd
cp /etc/systemd/timesyncd.conf /etc/systemd/timesyncd.default
cat > /etc/systemd/timesyncd.conf <<"EOF"
[Time]
NTP=192.168.10.1 192.168.10.254
#NTP=0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org
FallbackNTP=0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org
RootDistanceMaxSec=5
PollIntervalMinSec=32
PollIntervalMaxSec=2048
EOF
systemctl restart systemd-timesyncd && timedatectl set-ntp true
# timedatectl status
## Disable portmapper / rpcbind (security)
systemctl disable rpcbind && systemctl stop rpcbind
echo -e '\033[33m----Optimise tcp ip----\033[33m'
echo -e "\033[0m"
sleep 2
mv /etc/sysctl.conf /etc/sysctl.conf.default
cat > /etc/sysctl.conf <<"EOF"
#############################
## CPU tweaks #
#############################
#
## Queue size modifications
net.core.optmem_max=20480
net.unix.max_dgram_qlen=50
#
## Net Core Settings
## Location: /proc/sys/net/core
net.core.wmem_max=524288
net.core.rmem_max=524288
net.core.rmem_default=256960
net.core.wmem_default=256960
#
#############################
## VM & Filesystem tweaks #
#############################
fs.lease-break-time=10
fs.file-max = 262140
vm.overcommit_memory=1
vm.oom_dump_tasks=1
vm.page-cluster=0
vm.swappiness = 10
vm.vfs_cache_pressure = 10000
vm.dirty_ratio = 10
vm.dirty_background_ratio = 5
#
#############################
## Net Speed tweaks #
#############################
#
## UnderUtilized Networking Tweaks below as recommended by avgjoemomma (from XDA)
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
#net.ipv4.tcp_congestion_control=cubic
#
net.core.netdev_max_backlog = 100000
net.core.netdev_budget = 50000
net.core.netdev_budget_usecs = 5000
net.core.somaxconn = 1024
net.core.rmem_default = 1048576
net.core.rmem_max = 16777216
net.core.wmem_default = 1048576
net.core.wmem_max = 16777216
net.core.optmem_max = 65536
net.ipv4.tcp_rmem = 4096 1048576 2097152
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.udp_rmem_min = 8192
net.ipv4.udp_wmem_min = 8192
net.ipv4.tcp_fastopen = 3
#
# TCP keepalive parameters
#net.ipv4.tcp_keepalive_time = 60
net.ipv4.tcp_keepalive_intvl = 10
net.ipv4.tcp_keepalive_probes = 6
#
# # Hardening the TCP/IP stack to SYN attacks
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.tcp_synack_retries=2
net.ipv4.tcp_syn_retries=2
net.ipv4.tcp_max_syn_backlog=1024
net.ipv4.tcp_max_tw_buckets=16384
#net.ipv4.icmp_echo_ignore_all=1
#net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_no_metrics_save=1
net.ipv4.tcp_fin_timeout=15
net.ipv4.tcp_keepalive_time=1800
net.ipv4.tcp_moderate_rcvbuf=1
net.ipv4.route.flush=1
net.ipv4.udp_rmem_min=6144
net.ipv4.udp_wmem_min=6144
net.ipv4.tcp_rfc1337=1
net.ipv4.ip_no_pmtu_disc=0
net.ipv4.tcp_ecn=0
net.ipv4.tcp_sack=1
net.ipv4.tcp_fack=1
#
# Don't accept source routing
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.accept_source_route=0
#
# Don't accept redirects
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
#
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
EOF
/sbin/sysctl -p
echo -e '\033[33m----Setup Grub----\033[33m'
echo -e "\033[0m"
sleep 2
cp /etc/default/grub /etc/default/grub.old
# GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 acpi=force pcie_aspm=force nmi_watchdog=0"
sed -i 's/#GRUB_GFXMODE=640x480/GRUB_GFXMODE=1920x1080x32/g' /etc/default/grub
# sed -i 's/GRUB_TIMEOUT=5/GRUB_TIMEOUT=0/g' /etc/default/grub
update-grub
echo -e '\033[33m----Increase vzdump backup speed----\033[33m'
echo -e "\033[0m"
sleep 2
sed -i "s/#bwlimit: KBPS/bwlimit: 10240000/" /etc/vzdump.conf
echo -e '\033[33m----Increase max user watches / BUG FIX : No space left on device ----\033[33m'
echo -e "\033[0m"
sleep 2
echo 1048576 > /proc/sys/fs/inotify/max_user_watches
echo "fs.inotify.max_user_watches=1048576" >> /etc/sysctl.conf
sysctl -p /etc/sysctl.conf
echo -e '\033[33m----Increase max FD limit / ulimit----\033[33m'
echo -e "\033[0m"
sleep 2
cat <<'EOF' >> /etc/security/limits.conf
* soft nproc 131072
* hard nproc 131072
* soft nofile 131072
* hard nofile 131072
root soft nproc 131072
root hard nproc 131072
root soft nofile 131072
root hard nofile 131072
EOF
echo -e '\033[33m----Increase kernel max Key limit----\033[33m'
echo -e "\033[0m"
sleep 2
cat <<'EOF' > /etc/sysctl.d/60-maxkeys.conf
kernel.keys.root_maxkeys=1000000
kernel.keys.maxkeys=1000000
EOF
echo -e '\033[33m----Remove Subscription-Banner----\033[33m'
echo -e "\033[0m"
sleep 2
cat > /root/subscription_banner.sh <<EOF
#!/bin/sh
sed -i.bak 's/if (res === null.*/if (false) {/g; /.data.status.toLowerCase()/d' /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js
EOF
chmod +x /root/subscription_banner.sh
cp /etc/crontab /etc/crontab.default
echo "0 1,13 * * * root /root/subscription_banner.sh" >> /etc/crontab
echo -e '\033[33m----Install log2ram----\033[33m'
echo -e "\033[0m"
sleep 2
echo "deb [signed-by=/usr/share/keyrings/azlux-archive-keyring.gpg] http://packages.azlux.fr/debian/ bookworm main" | tee /etc/apt/sources.list.d/azlux.list
wget -O /usr/share/keyrings/azlux-archive-keyring.gpg https://azlux.fr/repo.gpg
apt update && apt -y install log2ram
sed -i "s/SIZE=128M/SIZE=1024M/g" /etc/log2ram.conf
systemctl restart log2ram
echo -e '\033[33m----Install ZSWAP---\033[33m'
echo -e "\033[0m"
sleep 2
swapoff --all && free
# grep swap /etc/fstab
apt install -y zram-tools && zramswap stop
mv /etc/default/zramswap /etc/default/zramswap.default
cat > /etc/default/zramswap <<"EOF"
# Compression algorithm selection
# speed: lz4 > zstd > lzo
# compression: zstd > lzo > lz4
# This is not inclusive of all that is available in latest kernels
# See /sys/block/zram0/comp_algorithm (when zram module is loaded) to see
# what is currently set and available for your kernel[1]
# [1] https://github.com/torvalds/linux/blob/master/Documentation/blockdev/zram.txt#L86
ALGO=lz4
# Specifies the amount of RAM that should be used for zram
# based on a percentage the total amount of available memory
# This takes precedence and overrides SIZE below
# PERCENT=5
# Specifies a static amount of RAM that should be used for
# the ZRAM devices, this is in MiB
SIZE=1024
# Specifies the priority for the swap devices, see swapon(2)
# for more details. Higher number = higher priority
# This should probably be higher than hdd/ssd swaps.
PRIORITY=100
EOF
zramswap start && zramswap status
# cat /proc/swaps
echo -e '\033[33m------secure SSH-Server------\033[33m'
echo -e "\033[0m"
sleep 2
echo "sshd: ALL EXCEPT LOCAL" >> /etc/hosts.deny
echo "sshd: 192.168.10.0/255.255.255.0" >> /etc/hosts.allow
echo -e '\033[33m----Remove no longer required packages and purge old cached updates----\033[33m'
echo -e "\033[0m"
sleep 2
apt autoremove -y && apt autoclean -y
;;
##################################################################################
02) echo "************ Enable AMD pci passthrough ****************";
##################################################################################
apt install -y amd64-microcode
echo "vfio" >> /etc/modules
echo "vfio_iommu_type1" >> /etc/modules
echo "vfio_pci" >> /etc/modules
echo "vfio_virqfd" >> /etc/modules
# Test
# dmesg | grep -e DMAR -e IOMMU
sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="quiet"/GRUB_CMDLINE_LINUX_DEFAULT="quiet amd_iommu=on iommu=pt"/g' /etc/default/grub
update-grub
;;
##################################################################################
03) echo "************ Enable INTEL pci passthrough *****************";
##################################################################################
apt install -y intel-microcode
echo "vfio" >> /etc/modules
echo "vfio_iommu_type1" >> /etc/modules
echo "vfio_pci" >> /etc/modules
echo "vfio_virqfd" >> /etc/modules
# Test
# dmesg | grep -e DMAR -e IOMMU
sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="quiet"/GRUB_CMDLINE_LINUX_DEFAULT="quiet intel_iommu=on iommu=pt"/g' /etc/default/grub
update-grub
;;
##################################################################################
04) echo "************ Setup ZFS ******************";
##################################################################################
# zpool set autotrim=on rpool
# zpool set autotrim=on storage01
# zpool set autotrim=on storage02
cat > /etc/modprobe.d/zfs.conf <<"EOF"
# yes you really DO have to specify zfs_arc_max IN BYTES ONLY!
# 16GB=17179869184, 8GB=8589934592, 7GB=7516192768 ,6GB=6442450944,
# 4GB=4294967296, 2GB=2147483648, 1GB=1073741824
#
options zfs zfs_arc_min=4294967296
options zfs zfs_arc_max=17179869184
# ZFS File level prefetch tuning
options zfs zfs_prefetch_disable=0
# ZFS Device level prefetch tuning
options zfs zfs_vdev_cache_size=1310720
options zfs zfs_vdev_cache_max=131072
options zfs zfs_vdev_cache_bshift=17
# Chunk size tuning
options zfs zfs_read_chunk_size=1310720
# increase them so scrub/resilver is more quickly at the cost of other work
options zfs zfs_vdev_scrub_min_active=24
options zfs zfs_vdev_scrub_max_active=64
# sync write
options zfs zfs_vdev_sync_write_min_active=8
options zfs zfs_vdev_sync_write_max_active=32
# sync reads (normal)
options zfs zfs_vdev_sync_read_min_active=8
options zfs zfs_vdev_sync_read_max_active=32
# async reads : prefetcher
options zfs zfs_vdev_async_read_min_active=8
options zfs zfs_vdev_async_read_max_active=32
# async write : bulk writes
options zfs zfs_vdev_async_write_min_active=8
options zfs zfs_vdev_async_write_max_active=32
# zfs_dirty_data_max_percent (Default is 10%)
options zfs zfs_dirty_data_max_percent=40
# zfs_top_maxinflight (Maximum number of scrub I/O ,default 32)
options zfs zfs_top_maxinflight=320
# zfs_txg_timeout
# There is a time before async writes are written to disk, this makes it possible
# for ZFS to write a larger piece. (default 30 seconds)
options zfs zfs_txg_timeout=15
# zfs_vdev_scheduler (default : noop)
# options zfs zfs_vdev_scheduler=deadline
EOF
update-initramfs -u
;;
##################################################################################
05) echo "************ Install Cockpit **************************";
##################################################################################
# apt install -y cockpit cockpit-bridge cockpit-system cockpit-networkmanager cockpit-packagekit cockpit-storaged
# apt install -y nfs-kernel-server samba
# echo -e "portmap: ALL" >> /etc/hosts.deny
# echo -e "portmap: 192.168.10.0/24" >> /etc/hosts.allow
apt -t bookworm-backports install cockpit --no-install-recommends
#apt install -y tuned tuned-utils tuned-utils-systemtap
git clone https://github.com/optimans/cockpit-zfs-manager.git
cp -r cockpit-zfs-manager/zfs /usr/share/cockpit
;;
##################################################################################
06) echo "************ Install fail2ban **************************";
##################################################################################
apt install fail2ban -y
cat > /etc/fail2ban/jail.local <<"EOF"
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
maxretry = 3
# 1 hour
bantime = 3600
[proxmox]
enabled = true
port = https,http,8006
filter = proxmox
logpath = /var/log/daemon.log
maxretry = 3
# 1 hour
bantime = 3600
EOF
cat > /etc/fail2ban/filter.d/proxmox.conf <<"EOF"
[Definition]
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
ignoreregex =
EOF
systemctl restart fail2ban
# fail2ban-client status sshd
# fail2ban-client status proxmox
;;
##################################################################################
07) echo "************ Disable-IPv6 **************************";
##################################################################################
cat > /etc/sysctl.d/70-disable-ipv6.conf <<"EOF"
net.ipv6.conf.all.disable_ipv6 = 1
EOF
sysctl -p -f /etc/sysctl.d/70-disable-ipv6.conf
# Remove IPv6 hosts:
sed -i '/::/s%^%#%g' /etc/hosts
## ip addr show | grep inet6
;;
x) echo "";
exit 1;;
*) echo " Press [enter] key to continue. . .";
read enterKey;;
esac
done