2025.04.11-11:50
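--- a/Docker/docker-compose Update.sh
+++ b/Docker/docker-compose Update.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# Check if user is root
+#
+if [ $(id -u) != "0" ]; then
+echo "Error: You must be root to run this script, please use the root user to install the software."
+exit 1
+fi
+
+if [ ! -f /etc/debian_version ]; then
+echo "Unsupported Linux Distribution. Prepared for Debian"
+exit 1
+fi
+################################################################################
+#
+# docker-compose Update
+#
+################################################################################
+#
+apt install -y curl
+curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
+chmod +x /usr/local/bin/docker-compose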
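Review bot: The `curl -L … -o /usr/local/bin/docker-compose` line writes the response straight over the live binary without `--fail`, so a 404 or rate-limit HTML page from GitHub becomes the new docker-compose and the following `chmod +x` makes it executable; nothing verifies the download against a published checksum either. Fetch to a temporary file with `-f`, verify it (the Compose release assets include checksum files, `checksums.txt`; pin a release tag instead of `latest` if the result should be reproducible), and only then install it atomically. `apt install -y curl` also runs without a preceding `apt update`, which can fail on a fresh container whose package index is empty.
```shell
apt update && apt install -y curl
tmp="$(mktemp)" || exit 1
url="https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)"
curl -fsSL "$url" -o "$tmp" || { rm -f "$tmp"; echo "docker-compose download failed" >&2; exit 1; }
# TODO: verify "$tmp" against the release's checksums.txt before installing
install -m 0755 "$tmp" /usr/local/bin/docker-compose && rm -f "$tmp"
```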
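--- a/LXC-Debian/LXC_Debian_secure_SSH-Server.sh
+++ b/LXC-Debian/LXC_Debian_secure_SSH-Server.sh
@@ -0,0 +1,152 @@
+#!/bin/sh
+#
+# Check if user is root
+#
+if [ $(id -u) != "0" ]; then
+echo "Error: You must be root to run this script, please use the root user to install the software."
+exit 1
+fi
+
+if [ ! -f /etc/debian_version ]; then
+echo "Unsupported Linux Distribution. Prepared for Debian"
+exit 1
+fi
+
+#
+
+
+# Sicherheitskopie der SSH-Serverkonfiguration erstellen
+mv /etc/ssh/{sshd_config,sshd_config.orig}
+
+
+# SSH-Key erstellen
+ssh-keygen -o -a 100 -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key -C "$(whoami)@$(hostname)-$(date -I)"
+
+cat > /etc/ssh/sshd_config <<"EOF"
+#-----------------------------------------------------------
+# General - /etc/ssh/sshd_config
+#-----------------------------------------------------------
+Port 22 # Custom SSH Port
+Protocol 2 # The one and only Protocol
+
+AddressFamily any # IPv4 and IPv6 Net. Use inet for only IPv4
+
+#-----------------------------------------------------------
+# HostKey - Only the curvy one
+#-----------------------------------------------------------
+HostKey /etc/ssh/ssh_host_ed25519_key # Allow only the vely vely secure ECDSA Pub-Key Authentication
+
+#-----------------------------------------------------------
+# Ciphers - Only the ultramodern ones
+#-----------------------------------------------------------
+KexAlgorithms curve25519-sha256@libssh.org # Key exchange methods to generate per-connection keys
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512 # Message authentication codes used to detect traffic modification
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com # Allow only sexy Encrypt-Ciphers. For Android-Connection add aes256-ctr
+HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519 # Accepted Pub-Key algorithms for the SSH-Server to authenticate to a SSH-Client
+
+#-----------------------------------------------------------
+# Logging
+#-----------------------------------------------------------
+LogLevel INFO # VERBOSE for more like key fingerprint logging
+SyslogFacility AUTHPRIV # Logging Authentication Commands
+
+#-----------------------------------------------------------
+# Authentication:
+#-----------------------------------------------------------
+MaxSessions 2 # Maximum allowed User Sessions
+MaxAuthTries 3 # Maximum allowed Auth Attempts
+
+StrictModes yes # Prevents Configuration Errors
+LoginGraceTime 60 # Login Period Time to authenticate
+PermitRootLogin yes # Disable direct root Login
+
+PubkeyAuthentication yes # Allow Pub-Key Authentication
+PasswordAuthentication no # Allow Password Authentication. Disable if no need
+
+IgnoreRhosts yes # Disable User Rhost Files
+PermitEmptyPasswords no # Disable Empty Passwords
+HostbasedAuthentication no # Disable Host-based Authentication
+ChallengeResponseAuthentication no
+
+TCPKeepAlive yes # Prevent from dropping the Connection
+ClientAliveCountMax 2 # Sends 2 times ClientAlive Message till drop
+ClientAliveInterval 1800 # Kills Connection after 30 Min inactivity
+
+#-----------------------------------------------------------
+# Security
+#-----------------------------------------------------------
+UsePAM yes # Allow PAM Authentication
+Compression no # Disable Compression for better Security
+
+AllowUsers manager root # Allow special Users.
+# AllowGroups sshuser # Allow special Group.
+
+# RekeyLimit 1G 1H # Limiting amount of data transmitted with a single session key
+
+Banner none # Disable Banner
+DebianBanner no # Disable Banner for Debian-based Systems
+VersionAddendum none # Disable SSH Protocol Banner
+
+PrintMotd no # Disable Message of the Day
+PrintLastLog yes # Enable Date and Time of the last user login
+
+PermitTunnel no # Disable tun Device forwarding. Only SSH Connections!
+PermitUserRC no # Disable User RC Files
+PermitUserEnvironment no # Disable User Environment Files
+
+# Disable Forwarding
+GatewayPorts no # Disable Remote Port Forwarding
+X11Forwarding no # Disable X11 Forwarding/Tunneling (GUI)
+AllowTcpForwarding no # Disable TCP Forwarding/Tunneling
+AllowAgentForwarding no # Disable Agent Forwarding/Tunneling
+
+# Disable Kerberos Authentication # Disable Kerberos Authentication
+KerberosOrLocalPasswd no
+KerberosAuthentication no
+KerberosTicketCleanup yes
+GSSAPIAuthentication no
+GSSAPICleanupCredentials yes
+
+AuthorizedKeysFile %h/.ssh/authorized_keys # Set AuthorizedKeysFile in a controlled manner
+
+#-----------------------------------------------------------
+# Misc
+#-----------------------------------------------------------
+UseDNS no # Disables DSN-Lookup for the Love of Speed
+AcceptEnv LANG LC_* # Allow locale environment variables for Clients
+
+#-----------------------------------------------------------
+# SFTP
+#-----------------------------------------------------------
+# SFTP - Enable if need
+Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
+
+# Set special stuff to special SFTP-Users - Enable if you use SFTP
+# Match Group sftp-pimps
+# ChrootDirectory /home/%u
+# PermitTunnel no
+# X11Forwarding no
+# AllowTcpForwarding no
+# AllowAgentForwarding no
+# ForceCommand internal-sftp
+
+#-----------------------------------------------------------
+# Set special SSH-User/Group options
+#-----------------------------------------------------------
+
+# Match User manager
+# PasswordAuthentication yes
+# AllowTcpForwarding yes
+
+# Match Group sshuser
+# PasswordAuthentication yes
+# AllowTcpForwarding yes
+
+#-----------------------------------------------------------
+# Documentation
+#-----------------------------------------------------------
+# https://man7.org/linux/man-pages/man1/ssh-keygen.1.html
+# https://man7.org/linux/man-pages/man5/sshd_config.5.html
+EOF
+
+apt autoremove && apt autoclean && apt clean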
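Review bot: The backup `mv /etc/ssh/{sshd_config,sshd_config.orig}` relies on brace expansion, which `/bin/sh` on Debian (dash) does not perform, so `mv` receives one literal argument and fails while the `cat >` that follows overwrites the original config with no copy kept; use `cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.orig`. Inside the heredoc, `PermitRootLogin yes` contradicts its own comment ("Disable direct root Login") and `AllowUsers manager root` keeps root reachable over the network although a `manager` account is already whitelisted — set `PermitRootLogin no` and `AllowUsers manager` (or at minimum `PermitRootLogin prohibit-password`). `ssh-keygen … -f /etc/ssh/ssh_host_ed25519_key` runs unconditionally: on a host that already has that key it prompts to overwrite and, if confirmed, replaces the host identity every client has pinned in known_hosts, so guard it with `[ -f /etc/ssh/ssh_host_ed25519_key ] ||`. Nothing validates the new config before it goes live; add `sshd -t || exit 1` after the `EOF` line so a typo cannot lock the next restart out.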
@ -27,11 +27,6 @@ fi
|
|||||||
#
|
#
|
||||||
################################################################################
|
################################################################################
|
||||||
#
|
#
|
||||||
# root pass: master_user@apt-cacher#01
|
|
||||||
# admin pass: admin_user@apt-cacer#01
|
|
||||||
#
|
|
||||||
################################################################################
|
|
||||||
|
|
||||||
apt install -y \
|
apt install -y \
|
||||||
avahi-daemon \
|
avahi-daemon \
|
||||||
apt-cacher-ng \
|
apt-cacher-ng \
|
||||||
|
@ -25,10 +25,6 @@ fi
|
|||||||
#
|
#
|
||||||
################################################################################
|
################################################################################
|
||||||
#
|
#
|
||||||
# root pass: master_user@apt-cacher#01
|
|
||||||
#
|
|
||||||
################################################################################
|
|
||||||
#
|
|
||||||
# echo 'mp0: /storage01/fileserver,mp=/mnt/storage01' >> /etc/pve/nodes/pve01/lxc/119.conf
|
# echo 'mp0: /storage01/fileserver,mp=/mnt/storage01' >> /etc/pve/nodes/pve01/lxc/119.conf
|
||||||
# echo 'mp1: /storage02/fileserver,mp=/mnt/storage02' >> /etc/pve/nodes/pve01/lxc/119.conf
|
# echo 'mp1: /storage02/fileserver,mp=/mnt/storage02' >> /etc/pve/nodes/pve01/lxc/119.conf
|
||||||
#
|
#
|
||||||
|
@ -29,12 +29,6 @@ fi
|
|||||||
#
|
#
|
||||||
################################################################################
|
################################################################################
|
||||||
#
|
#
|
||||||
# root pass: master_user#01@vmnets.de
|
|
||||||
#
|
|
||||||
# Admin pass: admin_user#01@vmnets.de
|
|
||||||
#
|
|
||||||
################################################################################
|
|
||||||
#
|
|
||||||
# systemctl [start | stop | reload | restart | status] nginx
|
# systemctl [start | stop | reload | restart | status] nginx
|
||||||
#
|
#
|
||||||
# systemctl [start | stop | reload | restart | status] php8.2-fpm
|
# systemctl [start | stop | reload | restart | status] php8.2-fpm
|
||||||
|
@ -27,10 +27,6 @@ fi
|
|||||||
#
|
#
|
||||||
################################################################################
|
################################################################################
|
||||||
#
|
#
|
||||||
# root pass: master_user@vm-net#01
|
|
||||||
#
|
|
||||||
################################################################################
|
|
||||||
#
|
|
||||||
# systemctl [start | stop | reload | restart | status] gitea.service
|
# systemctl [start | stop | reload | restart | status] gitea.service
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
|
@ -29,11 +29,8 @@ fi
|
|||||||
#
|
#
|
||||||
################################################################################
|
################################################################################
|
||||||
#
|
#
|
||||||
# root pass: master_user#01@vm-net
|
|
||||||
#
|
|
||||||
# Admin pass: master_user@jellyfin#01
|
# Admin pass: master_user@jellyfin#01
|
||||||
#
|
#
|
||||||
#
|
|
||||||
################################################################################
|
################################################################################
|
||||||
#
|
#
|
||||||
# systemctl [start | stop | reload | restart | status] jellyfin
|
# systemctl [start | stop | reload | restart | status] jellyfin
|
||||||
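Review bot: This hunk drops the root password but leaves `# Admin pass: master_user@jellyfin#01` on the new side two lines below it, so the file still ships a credential in a comment; remove that line as well. The passwords deleted across this commit are presumably still recoverable from the repository history, so they should be treated as disclosed and rotated rather than merely scrubbed. The enclosing script continues outside the hunk.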
|
@ -25,10 +25,6 @@ fi
|
|||||||
#
|
#
|
||||||
################################################################################
|
################################################################################
|
||||||
#
|
#
|
||||||
#
|
|
||||||
#
|
|
||||||
################################################################################
|
|
||||||
|
|
||||||
apt install -y mariadb-server
|
apt install -y mariadb-server
|
||||||
|
|
||||||
systemctl stop mysql
|
systemctl stop mysql
|
||||||
@ -102,7 +98,6 @@ systemctl restart mysql.service
|
|||||||
|
|
||||||
echo -e '\033[33m------Secure MariaDB installation-----\033[33m'
|
echo -e '\033[33m------Secure MariaDB installation-----\033[33m'
|
||||||
echo -e "\033[0m"
|
echo -e "\033[0m"
|
||||||
# master_user@mariaDB#01
|
|
||||||
|
|
||||||
mysql_secure_installation
|
mysql_secure_installation
|
||||||
|
|
||||||
|
@ -34,8 +34,6 @@ fi
|
|||||||
# qbittorrent Username is admin. Default password is “adminadmin”
|
# qbittorrent Username is admin. Default password is “adminadmin”
|
||||||
# Config: /home/qbittorrent-nox/.config/qBittorrent/qBittorrent.conf
|
# Config: /home/qbittorrent-nox/.config/qBittorrent/qBittorrent.conf
|
||||||
#
|
#
|
||||||
# root pass: master_user#01@vmnets.de
|
|
||||||
#
|
|
||||||
################################################################################
|
################################################################################
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
@ -63,7 +61,7 @@ echo "03.Install Jackett"
|
|||||||
echo ""
|
echo ""
|
||||||
echo " x. Exit"
|
echo " x. Exit"
|
||||||
echo ""
|
echo ""
|
||||||
echo -n " Please enter option [01 - 04]"
|
echo -n " Please enter option [01 - 03]"
|
||||||
read opt
|
read opt
|
||||||
case $opt in
|
case $opt in
|
||||||
##################################################################################
|
##################################################################################
|
||||||
|
@ -29,10 +29,6 @@ fi
|
|||||||
#
|
#
|
||||||
################################################################################
|
################################################################################
|
||||||
#
|
#
|
||||||
#
|
|
||||||
#
|
|
||||||
################################################################################
|
|
||||||
#
|
|
||||||
# echo 'mp0: /storage01/fileserver/syncthing,mp=/srv/syncthing' >> /etc/pve/nodes/pve01/lxc/105.conf
|
# echo 'mp0: /storage01/fileserver/syncthing,mp=/srv/syncthing' >> /etc/pve/nodes/pve01/lxc/105.conf
|
||||||
#
|
#
|
||||||
################################################################################
|
################################################################################
|
||||||
|
@ -25,10 +25,6 @@ fi
|
|||||||
#
|
#
|
||||||
################################################################################
|
################################################################################
|
||||||
#
|
#
|
||||||
# root pass: master_user#01@vmnets.de
|
|
||||||
#
|
|
||||||
################################################################################
|
|
||||||
#
|
|
||||||
# echo 'mp0: /srv/fileserver_data/downloads/jdownloader,mp=/opt/jdownloader/Downloads' >> /etc/pve/nodes/pve01/lxc/116.conf
|
# echo 'mp0: /srv/fileserver_data/downloads/jdownloader,mp=/opt/jdownloader/Downloads' >> /etc/pve/nodes/pve01/lxc/116.conf
|
||||||
#
|
#
|
||||||
################################################################################
|
################################################################################
|
||||||
|
576
Proxmox/Proxmox_PVE01.sh
Normal file
@ -0,0 +1,576 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
#
|
||||||
|
# Check if user is root
|
||||||
|
#
|
||||||
|
if [ $(id -u) != "0" ]; then
|
||||||
|
echo "Error: You must be root to run this script, please use the root user to install the software."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ ! -f /etc/debian_version ]; then
|
||||||
|
echo "Unsupported Linux Distribution. Prepared for Debian"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
################################################################################
|
||||||
|
#
|
||||||
|
# post-installation script for Proxmox@PVE02
|
||||||
|
#
|
||||||
|
################################################################################
|
||||||
|
#
|
||||||
|
# Assumptions: proxmox 8.X installed
|
||||||
|
#
|
||||||
|
################################################################################
|
||||||
|
#
|
||||||
|
# root pass:
|
||||||
|
#
|
||||||
|
################################################################################
|
||||||
|
#
|
||||||
|
while :
|
||||||
|
do
|
||||||
|
clear
|
||||||
|
echo ""
|
||||||
|
echo "\033[1m I N S T A L L Proxmox 8.X @ PVE01 "
|
||||||
|
echo " -----------------------------------------"
|
||||||
|
echo "\033[0m"
|
||||||
|
echo "01.Install System"
|
||||||
|
echo "02.Enable AMD pci passthrough"
|
||||||
|
echo "03.Enable INTEL pci passthrough"
|
||||||
|
echo "04.Setup ZFS"
|
||||||
|
echo "05.Install Cockpit"
|
||||||
|
echo "06.Install fail2ban"
|
||||||
|
echo "07.Disable-IPv6"
|
||||||
|
echo ""
|
||||||
|
echo " x. Exit"
|
||||||
|
echo ""
|
||||||
|
echo -n " Please enter option [01 - 08]"
|
||||||
|
read opt
|
||||||
|
case $opt in
|
||||||
|
##################################################################################
|
||||||
|
01) echo "************ Install System **********************";
|
||||||
|
##################################################################################
|
||||||
|
echo -e '\033[33m------Setup Locales to en_US.UTF-8------\033[33m'
|
||||||
|
echo -e "\033[0m"
|
||||||
|
sleep 2
|
||||||
|
dpkg-reconfigure locales && update-locale LANG=en_US.UTF-8 && locale-gen --purge --no-archive && update-initramfs -u -k all
|
||||||
|
|
||||||
|
echo -e '\033[33m----Setup Apt-Sources and Upgrade System----\033[33m'
|
||||||
|
echo -e "\033[0m"
|
||||||
|
sleep 2
|
||||||
|
## Remove enterprise proxmox repo
|
||||||
|
rm -rf /etc/apt/sources.list.d/pve-enterprise.list
|
||||||
|
rm -rf /etc/apt/sources.list.d/ceph.list
|
||||||
|
|
||||||
|
|
||||||
|
echo -e '\033[33m------Setup Apt-Sources and Upgrade System------\033[33m'
|
||||||
|
echo -e "\033[0m"
|
||||||
|
sleep 2
|
||||||
|
mv /etc/apt/sources.list /etc/apt/sources.list.default
|
||||||
|
cat > /etc/apt/sources.list <<"EOF"
|
||||||
|
deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
|
||||||
|
deb http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
|
||||||
|
deb http://deb.debian.org/debian-security/ bookworm-security main contrib non-free non-free-firmware
|
||||||
|
|
||||||
|
# proxmox public repo
|
||||||
|
deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription
|
||||||
|
EOF
|
||||||
|
|
||||||
|
echo -e '\033[33m----Update proxmox and install various system utils----\033[33m'
|
||||||
|
echo -e "\033[0m"
|
||||||
|
sleep 2
|
||||||
|
apt update && apt dist-upgrade -y && pveam update
|
||||||
|
|
||||||
|
echo -e '\033[33m----Install common system utilities----\033[33m'
|
||||||
|
echo -e "\033[0m"
|
||||||
|
sleep 2
|
||||||
|
apt install -y \
|
||||||
|
acpi \
|
||||||
|
acpid \
|
||||||
|
acpi-support \
|
||||||
|
cpufrequtils \
|
||||||
|
pve-headers \
|
||||||
|
apt-listchanges \
|
||||||
|
curl \
|
||||||
|
git \
|
||||||
|
wget \
|
||||||
|
net-tools \
|
||||||
|
screen \
|
||||||
|
saidar \
|
||||||
|
unzip \
|
||||||
|
htop \
|
||||||
|
iptraf \
|
||||||
|
iotop \
|
||||||
|
iftop \
|
||||||
|
lshw \
|
||||||
|
mc \
|
||||||
|
powertop \
|
||||||
|
unattended-upgrades \
|
||||||
|
smartmontools \
|
||||||
|
ethtool
|
||||||
|
|
||||||
|
# sysbench sshfs make nfs-kernel-server portmap pv
|
||||||
|
|
||||||
|
echo -e '\033[33m------Setup Unattended-Upgrades------\033[33m'
|
||||||
|
echo -e "\033[0m"
|
||||||
|
sleep 2
|
||||||
|
dpkg-reconfigure -plow unattended-upgrades
|
||||||
|
echo "Unattended-Upgrade::Mail "root";" >> /etc/apt/apt.conf.d/50unattended-upgrades
|
||||||
|
echo "APT::Periodic::Verbose "2";" >> /etc/apt/apt.conf.d/20auto-upgrades
|
||||||
|
|
||||||
|
|
||||||
|
echo -e '\033[33m----Install apticron----\033[33m'
|
||||||
|
echo -e "\033[0m"
|
||||||
|
apt install -y apticron
|
||||||
|
|
||||||
|
cat > /etc/apticron/apticron.conf <<"EOF"
|
||||||
|
EMAIL="root"
|
||||||
|
# DIFF_ONLY="1"
|
||||||
|
LISTCHANGES_PROFILE="apticron"
|
||||||
|
ALL_FQDNS="1"
|
||||||
|
SYSTEM="pve01.home.lan
|
||||||
|
# IPADDRESSNUM="1"
|
||||||
|
IPADDRESSES="192.168.10.50"
|
||||||
|
# NOTIFY_HOLDS="0"
|
||||||
|
NOTIFY_NEW="1"
|
||||||
|
CUSTOM_SUBJECT="System updates."
|
||||||
|
CUSTOM_NO_UPDATES_SUBJECT="System updates - no updates."
|
||||||
|
# CUSTOM_FROM=""
|
||||||
|
EOF
|
||||||
|
|
||||||
|
cp /etc/cron.d/apticron /etc/cron.daily/apticron
|
||||||
|
|
||||||
|
echo -e '\033[33m----Setup SystemD Service----\033[33m'
|
||||||
|
echo -e "\033[0m"
|
||||||
|
sleep 2
|
||||||
|
# Remove conflicting utilities
|
||||||
|
apt purge -y ntp openntpd chrony
|
||||||
|
|
||||||
|
## tmp.mount
|
||||||
|
cp /usr/share/systemd/tmp.mount /etc/systemd/system/ && systemctl enable tmp.mount && systemctl start tmp.mount
|
||||||
|
|
||||||
|
## fstrim timer
|
||||||
|
systemctl enable --now fstrim.timer
|
||||||
|
|
||||||
|
## journald
|
||||||
|
echo "SystemMaxUse=100M " >> /etc/systemd/journald.conf
|
||||||
|
|
||||||
|
## Set Timezone and enable NTP
|
||||||
|
timedatectl set-timezone Europe/Berlin
|
||||||
|
|
||||||
|
apt install -y systemd-timesyncd
|
||||||
|
|
||||||
|
cp /etc/systemd/timesyncd.conf /etc/systemd/timesyncd.default
|
||||||
|
cat > /etc/systemd/timesyncd.conf <<"EOF"
|
||||||
|
[Time]
|
||||||
|
NTP=192.168.10.1 192.168.10.254
|
||||||
|
#NTP=0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org
|
||||||
|
FallbackNTP=0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org
|
||||||
|
RootDistanceMaxSec=5
|
||||||
|
PollIntervalMinSec=32
|
||||||
|
PollIntervalMaxSec=2048
|
||||||
|
EOF
|
||||||
|
systemctl restart systemd-timesyncd && timedatectl set-ntp true
|
||||||
|
|
||||||
|
# timedatectl status
|
||||||
|
|
||||||
|
## Disable portmapper / rpcbind (security)
|
||||||
|
systemctl disable rpcbind && systemctl stop rpcbind
|
||||||
|
|
||||||
|
|
||||||
|
echo -e '\033[33m----Optimise tcp ip----\033[33m'
|
||||||
|
echo -e "\033[0m"
|
||||||
|
sleep 2
|
||||||
|
mv /etc/sysctl.conf /etc/sysctl.conf.default
|
||||||
|
cat > /etc/sysctl.conf <<"EOF"
|
||||||
|
#############################
|
||||||
|
## CPU tweaks #
|
||||||
|
#############################
|
||||||
|
#
|
||||||
|
## Queue size modifications
|
||||||
|
net.core.optmem_max=20480
|
||||||
|
net.unix.max_dgram_qlen=50
|
||||||
|
#
|
||||||
|
## Net Core Settings
|
||||||
|
## Location: /proc/sys/net/core
|
||||||
|
net.core.wmem_max=524288
|
||||||
|
net.core.rmem_max=524288
|
||||||
|
net.core.rmem_default=256960
|
||||||
|
net.core.wmem_default=256960
|
||||||
|
#
|
||||||
|
#############################
|
||||||
|
## VM & Filesystem tweaks #
|
||||||
|
#############################
|
||||||
|
fs.lease-break-time=10
|
||||||
|
fs.file-max = 262140
|
||||||
|
vm.overcommit_memory=1
|
||||||
|
vm.oom_dump_tasks=1
|
||||||
|
vm.page-cluster=0
|
||||||
|
vm.swappiness = 10
|
||||||
|
vm.vfs_cache_pressure = 10000
|
||||||
|
vm.dirty_ratio = 10
|
||||||
|
vm.dirty_background_ratio = 5
|
||||||
|
#
|
||||||
|
#############################
|
||||||
|
## Net Speed tweaks #
|
||||||
|
#############################
|
||||||
|
#
|
||||||
|
## UnderUtilized Networking Tweaks below as recommended by avgjoemomma (from XDA)
|
||||||
|
net.core.default_qdisc=fq
|
||||||
|
net.ipv4.tcp_congestion_control=bbr
|
||||||
|
#net.ipv4.tcp_congestion_control=cubic
|
||||||
|
#
|
||||||
|
net.core.netdev_max_backlog = 100000
|
||||||
|
net.core.netdev_budget = 50000
|
||||||
|
net.core.netdev_budget_usecs = 5000
|
||||||
|
net.core.somaxconn = 1024
|
||||||
|
net.core.rmem_default = 1048576
|
||||||
|
net.core.rmem_max = 16777216
|
||||||
|
net.core.wmem_default = 1048576
|
||||||
|
net.core.wmem_max = 16777216
|
||||||
|
net.core.optmem_max = 65536
|
||||||
|
net.ipv4.tcp_rmem = 4096 1048576 2097152
|
||||||
|
net.ipv4.tcp_wmem = 4096 65536 16777216
|
||||||
|
net.ipv4.udp_rmem_min = 8192
|
||||||
|
net.ipv4.udp_wmem_min = 8192
|
||||||
|
net.ipv4.tcp_fastopen = 3
|
||||||
|
#
|
||||||
|
# TCP keepalive parameters
|
||||||
|
#net.ipv4.tcp_keepalive_time = 60
|
||||||
|
net.ipv4.tcp_keepalive_intvl = 10
|
||||||
|
net.ipv4.tcp_keepalive_probes = 6
|
||||||
|
#
|
||||||
|
# # Hardening the TCP/IP stack to SYN attacks
|
||||||
|
net.ipv4.tcp_syncookies=1
|
||||||
|
net.ipv4.conf.all.rp_filter=1
|
||||||
|
net.ipv4.conf.default.rp_filter=1
|
||||||
|
net.ipv4.tcp_synack_retries=2
|
||||||
|
net.ipv4.tcp_syn_retries=2
|
||||||
|
net.ipv4.tcp_max_syn_backlog=1024
|
||||||
|
net.ipv4.tcp_max_tw_buckets=16384
|
||||||
|
#net.ipv4.icmp_echo_ignore_all=1
|
||||||
|
#net.ipv4.icmp_ignore_bogus_error_responses=1
|
||||||
|
net.ipv4.tcp_no_metrics_save=1
|
||||||
|
net.ipv4.tcp_fin_timeout=15
|
||||||
|
net.ipv4.tcp_keepalive_time=1800
|
||||||
|
net.ipv4.tcp_moderate_rcvbuf=1
|
||||||
|
net.ipv4.route.flush=1
|
||||||
|
net.ipv4.udp_rmem_min=6144
|
||||||
|
net.ipv4.udp_wmem_min=6144
|
||||||
|
net.ipv4.tcp_rfc1337=1
|
||||||
|
net.ipv4.ip_no_pmtu_disc=0
|
||||||
|
net.ipv4.tcp_ecn=0
|
||||||
|
net.ipv4.tcp_sack=1
|
||||||
|
net.ipv4.tcp_fack=1
|
||||||
|
#
|
||||||
|
# Don't accept source routing
|
||||||
|
net.ipv4.conf.default.accept_source_route=0
|
||||||
|
net.ipv4.conf.all.accept_source_route=0
|
||||||
|
#
|
||||||
|
# Don't accept redirects
|
||||||
|
net.ipv4.conf.all.accept_redirects=0
|
||||||
|
net.ipv4.conf.default.accept_redirects=0
|
||||||
|
net.ipv4.conf.all.secure_redirects=0
|
||||||
|
net.ipv4.conf.default.secure_redirects=0
|
||||||
|
#
|
||||||
|
net.ipv4.ip_forward=1
|
||||||
|
net.ipv6.conf.all.forwarding=1
|
||||||
|
EOF
|
||||||
|
/sbin/sysctl -p
|
||||||
|
|
||||||
|
|
||||||
|
echo -e '\033[33m----Setup Grub----\033[33m'
|
||||||
|
echo -e "\033[0m"
|
||||||
|
sleep 2
|
||||||
|
cp /etc/default/grub /etc/default/grub.old
|
||||||
|
|
||||||
|
# GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 acpi=force pcie_aspm=force nmi_watchdog=0"
|
||||||
|
sed -i 's/#GRUB_GFXMODE=640x480/GRUB_GFXMODE=1920x1080x32/g' /etc/default/grub
|
||||||
|
# sed -i 's/GRUB_TIMEOUT=5/GRUB_TIMEOUT=0/g' /etc/default/grub
|
||||||
|
update-grub
|
||||||
|
|
||||||
|
|
||||||
|
echo -e '\033[33m----Increase vzdump backup speed----\033[33m'
|
||||||
|
echo -e "\033[0m"
|
||||||
|
sleep 2
|
||||||
|
sed -i "s/#bwlimit: KBPS/bwlimit: 10240000/" /etc/vzdump.conf
|
||||||
|
|
||||||
|
|
||||||
|
echo -e '\033[33m----Increase max user watches / BUG FIX : No space left on device ----\033[33m'
|
||||||
|
echo -e "\033[0m"
|
||||||
|
sleep 2
|
||||||
|
echo 1048576 > /proc/sys/fs/inotify/max_user_watches
|
||||||
|
echo "fs.inotify.max_user_watches=1048576" >> /etc/sysctl.conf
|
||||||
|
sysctl -p /etc/sysctl.conf
|
||||||
|
|
||||||
|
|
||||||
|
echo -e '\033[33m----Increase max FD limit / ulimit----\033[33m'
|
||||||
|
echo -e "\033[0m"
|
||||||
|
sleep 2
|
||||||
|
cat <<'EOF' >> /etc/security/limits.conf
|
||||||
|
* soft nproc 131072
|
||||||
|
* hard nproc 131072
|
||||||
|
* soft nofile 131072
|
||||||
|
* hard nofile 131072
|
||||||
|
root soft nproc 131072
|
||||||
|
root hard nproc 131072
|
||||||
|
root soft nofile 131072
|
||||||
|
root hard nofile 131072
|
||||||
|
EOF
|
||||||
|
|
||||||
|
|
||||||
|
echo -e '\033[33m----Increase kernel max Key limit----\033[33m'
|
||||||
|
echo -e "\033[0m"
|
||||||
|
sleep 2
|
||||||
|
cat <<'EOF' > /etc/sysctl.d/60-maxkeys.conf
|
||||||
|
kernel.keys.root_maxkeys=1000000
|
||||||
|
kernel.keys.maxkeys=1000000
|
||||||
|
EOF
|
||||||
|
|
||||||
|
|
||||||
|
echo -e '\033[33m----Remove Subscription-Banner----\033[33m'
|
||||||
|
echo -e "\033[0m"
|
||||||
|
sleep 2
|
||||||
|
cat > /root/subscription_banner.sh <<EOF
|
||||||
|
#!/bin/sh
|
||||||
|
sed -i.bak 's/if (res === null.*/if (false) {/g; /.data.status.toLowerCase()/d' /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js
|
||||||
|
EOF
|
||||||
|
chmod +x /root/subscription_banner.sh
|
||||||
|
|
||||||
|
cp /etc/crontab /etc/crontab.default
|
||||||
|
echo "0 1,13 * * * root /root/subscription_banner.sh" >> /etc/crontab
|
||||||
|
|
||||||
|
|
||||||
|
echo -e '\033[33m----Install log2ram----\033[33m'
|
||||||
|
echo -e "\033[0m"
|
||||||
|
sleep 2
|
||||||
|
echo "deb [signed-by=/usr/share/keyrings/azlux-archive-keyring.gpg] http://packages.azlux.fr/debian/ bookworm main" | tee /etc/apt/sources.list.d/azlux.list
|
||||||
|
wget -O /usr/share/keyrings/azlux-archive-keyring.gpg https://azlux.fr/repo.gpg
|
||||||
|
apt update && apt -y install log2ram
|
||||||
|
|
||||||
|
sed -i "s/SIZE=128M/SIZE=1024M/g" /etc/log2ram.conf
|
||||||
|
|
||||||
|
systemctl restart log2ram
|
||||||
|
|
||||||
|
|
||||||
|
echo -e '\033[33m----Install ZSWAP---\033[33m'
|
||||||
|
echo -e "\033[0m"
|
||||||
|
sleep 2
|
||||||
|
swapoff --all && free
|
||||||
|
# grep swap /etc/fstab
|
||||||
|
|
||||||
|
apt install -y zram-tools && zramswap stop
|
||||||
|
|
||||||
|
mv /etc/default/zramswap /etc/default/zramswap.default
|
||||||
|
|
||||||
|
cat > /etc/default/zramswap <<"EOF"
|
||||||
|
# Compression algorithm selection
|
||||||
|
# speed: lz4 > zstd > lzo
|
||||||
|
# compression: zstd > lzo > lz4
|
||||||
|
# This is not inclusive of all that is available in latest kernels
|
||||||
|
# See /sys/block/zram0/comp_algorithm (when zram module is loaded) to see
|
||||||
|
# what is currently set and available for your kernel[1]
|
||||||
|
# [1] https://github.com/torvalds/linux/blob/master/Documentation/blockdev/zram.txt#L86
|
||||||
|
ALGO=lz4
|
||||||
|
|
||||||
|
# Specifies the amount of RAM that should be used for zram
|
||||||
|
# based on a percentage the total amount of available memory
|
||||||
|
# This takes precedence and overrides SIZE below
|
||||||
|
# PERCENT=5
|
||||||
|
|
||||||
|
# Specifies a static amount of RAM that should be used for
|
||||||
|
# the ZRAM devices, this is in MiB
|
||||||
|
SIZE=1024
|
||||||
|
|
||||||
|
# Specifies the priority for the swap devices, see swapon(2)
|
||||||
|
# for more details. Higher number = higher priority
|
||||||
|
# This should probably be higher than hdd/ssd swaps.
|
||||||
|
PRIORITY=100
|
||||||
|
EOF
|
||||||
|
|
||||||
|
zramswap start && zramswap status
|
||||||
|
|
||||||
|
# cat /proc/swaps
|
||||||
|
|
||||||
|
|
||||||
|
echo -e '\033[33m------secure SSH-Server------\033[33m'
|
||||||
|
echo -e "\033[0m"
|
||||||
|
sleep 2
|
||||||
|
echo "sshd: ALL EXCEPT LOCAL" >> /etc/hosts.deny
|
||||||
|
echo "sshd: 192.168.10.0/255.255.255.0" >> /etc/hosts.allow
|
||||||
|
|
||||||
|
|
||||||
|
echo -e '\033[33m----Remove no longer required packages and purge old cached updates----\033[33m'
|
||||||
|
echo -e "\033[0m"
|
||||||
|
sleep 2
|
||||||
|
apt autoremove -y && apt autoclean -y
|
||||||
|
;;
|
||||||
|
|
||||||
|
##################################################################################
|
||||||
|
02) echo "************ Enable AMD pci passthrough ****************";
|
||||||
|
##################################################################################
|
||||||
|
apt install -y amd64-microcode
|
||||||
|
|
||||||
|
echo "vfio" >> /etc/modules
|
||||||
|
echo "vfio_iommu_type1" >> /etc/modules
|
||||||
|
echo "vfio_pci" >> /etc/modules
|
||||||
|
echo "vfio_virqfd" >> /etc/modules
|
||||||
|
# Test
|
||||||
|
# dmesg | grep -e DMAR -e IOMMU
|
||||||
|
|
||||||
|
sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="quiet"/GRUB_CMDLINE_LINUX_DEFAULT="quiet amd_iommu=on iommu=pt"/g' /etc/default/grub
|
||||||
|
update-grub
|
||||||
|
;;
|
||||||
|
|
||||||
|
##################################################################################
|
||||||
|
03) echo "************ Enable INTEL pci passthrough *****************";
|
||||||
|
##################################################################################
|
||||||
|
apt install -y intel-microcode
|
||||||
|
|
||||||
|
echo "vfio" >> /etc/modules
|
||||||
|
echo "vfio_iommu_type1" >> /etc/modules
|
||||||
|
echo "vfio_pci" >> /etc/modules
|
||||||
|
echo "vfio_virqfd" >> /etc/modules
|
||||||
|
# Test
|
||||||
|
# dmesg | grep -e DMAR -e IOMMU
|
||||||
|
|
||||||
|
sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="quiet"/GRUB_CMDLINE_LINUX_DEFAULT="quiet intel_iommu=on iommu=pt"/g' /etc/default/grub
|
||||||
|
update-grub
|
||||||
|
;;
|
||||||
|
|
||||||
|
##################################################################################
|
||||||
|
04) echo "************ Setup ZFS ******************";
|
||||||
|
##################################################################################
|
||||||
|
# zpool set autotrim=on rpool
|
||||||
|
# zpool set autotrim=on storage01
|
||||||
|
# zpool set autotrim=on storage02
|
||||||
|
|
||||||
|
|
||||||
|
cat > /etc/modprobe.d/zfs.conf <<"EOF"
|
||||||
|
# yes you really DO have to specify zfs_arc_max IN BYTES ONLY!
|
||||||
|
# 16GB=17179869184, 8GB=8589934592, 7GB=7516192768 ,6GB=6442450944,
|
||||||
|
# 4GB=4294967296, 2GB=2147483648, 1GB=1073741824
|
||||||
|
#
|
||||||
|
options zfs zfs_arc_min=4294967296
|
||||||
|
options zfs zfs_arc_max=17179869184
|
||||||
|
|
||||||
|
# ZFS File level prefetch tuning
|
||||||
|
options zfs zfs_prefetch_disable=0
|
||||||
|
|
||||||
|
# ZFS Device level prefetch tuning
|
||||||
|
options zfs zfs_vdev_cache_size=1310720
|
||||||
|
options zfs zfs_vdev_cache_max=131072
|
||||||
|
options zfs zfs_vdev_cache_bshift=17
|
||||||
|
|
||||||
|
# Chunk size tuning
|
||||||
|
options zfs zfs_read_chunk_size=1310720
|
||||||
|
|
||||||
|
# increase them so scrub/resilver is more quickly at the cost of other work
|
||||||
|
options zfs zfs_vdev_scrub_min_active=24
|
||||||
|
options zfs zfs_vdev_scrub_max_active=64
|
||||||
|
|
||||||
|
# sync write
|
||||||
|
options zfs zfs_vdev_sync_write_min_active=8
|
||||||
|
options zfs zfs_vdev_sync_write_max_active=32
|
||||||
|
|
||||||
|
# sync reads (normal)
|
||||||
|
options zfs zfs_vdev_sync_read_min_active=8
|
||||||
|
options zfs zfs_vdev_sync_read_max_active=32
|
||||||
|
|
||||||
|
# async reads : prefetcher
|
||||||
|
options zfs zfs_vdev_async_read_min_active=8
|
||||||
|
options zfs zfs_vdev_async_read_max_active=32
|
||||||
|
|
||||||
|
# async write : bulk writes
|
||||||
|
options zfs zfs_vdev_async_write_min_active=8
|
||||||
|
options zfs zfs_vdev_async_write_max_active=32
|
||||||
|
|
||||||
|
# zfs_dirty_data_max_percent (Default is 10%)
|
||||||
|
options zfs zfs_dirty_data_max_percent=40
|
||||||
|
|
||||||
|
# zfs_top_maxinflight (Maximum number of scrub I/O ,default 32)
|
||||||
|
options zfs zfs_top_maxinflight=320
|
||||||
|
|
||||||
|
# zfs_txg_timeout
|
||||||
|
# There is a time before async writes are written to disk, this makes it possible
|
||||||
|
# for ZFS to write a larger piece. (default 30 seconds)
|
||||||
|
options zfs zfs_txg_timeout=15
|
||||||
|
|
||||||
|
# zfs_vdev_scheduler (default : noop)
|
||||||
|
# options zfs zfs_vdev_scheduler=deadline
|
||||||
|
EOF
|
||||||
|
|
||||||
|
update-initramfs -u
|
||||||
|
;;
|
||||||
|
|
||||||
|
##################################################################################
|
||||||
|
05) echo "************ Install Cockpit **************************";
|
||||||
|
##################################################################################
|
||||||
|
# apt install -y cockpit cockpit-bridge cockpit-system cockpit-networkmanager cockpit-packagekit cockpit-storaged
|
||||||
|
# apt install -y nfs-kernel-server samba
|
||||||
|
# echo -e "portmap: ALL" >> /etc/hosts.deny
|
||||||
|
# echo -e "portmap: 192.168.10.0/24" >> /etc/hosts.allow
|
||||||
|
|
||||||
|
apt -t bookworm-backports install cockpit --no-install-recommends
|
||||||
|
|
||||||
|
#apt install -y tuned tuned-utils tuned-utils-systemtap
|
||||||
|
|
||||||
|
git clone https://github.com/optimans/cockpit-zfs-manager.git
|
||||||
|
cp -r cockpit-zfs-manager/zfs /usr/share/cockpit
|
||||||
|
;;
|
||||||
|
|
||||||
|
##################################################################################
|
||||||
|
06) echo "************ Install fail2ban **************************";
|
||||||
|
##################################################################################
|
||||||
|
apt install fail2ban -y
|
||||||
|
|
||||||
|
cat > /etc/fail2ban/jail.local <<"EOF"
|
||||||
|
[sshd]
|
||||||
|
enabled = true
|
||||||
|
port = ssh
|
||||||
|
logpath = %(sshd_log)s
|
||||||
|
maxretry = 3
|
||||||
|
# 1 hour
|
||||||
|
bantime = 3600
|
||||||
|
|
||||||
|
[proxmox]
|
||||||
|
enabled = true
|
||||||
|
port = https,http,8006
|
||||||
|
filter = proxmox
|
||||||
|
logpath = /var/log/daemon.log
|
||||||
|
maxretry = 3
|
||||||
|
# 1 hour
|
||||||
|
bantime = 3600
|
||||||
|
EOF
|
||||||
|
|
||||||
|
cat > /etc/fail2ban/filter.d/proxmox.conf <<"EOF"
|
||||||
|
[Definition]
|
||||||
|
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
|
||||||
|
ignoreregex =
|
||||||
|
EOF
|
||||||
|
|
||||||
|
systemctl restart fail2ban
|
||||||
|
|
||||||
|
# fail2ban-client status sshd
|
||||||
|
# fail2ban-client status proxmox
|
||||||
|
;;
|
||||||
|
|
||||||
|
|
||||||
|
##################################################################################
|
||||||
|
07) echo "************ Disable-IPv6 **************************";
|
||||||
|
##################################################################################
|
||||||
|
cat > /etc/sysctl.d/70-disable-ipv6.conf <<"EOF"
|
||||||
|
net.ipv6.conf.all.disable_ipv6 = 1
|
||||||
|
EOF
|
||||||
|
sysctl -p -f /etc/sysctl.d/70-disable-ipv6.conf
|
||||||
|
|
||||||
|
# Remove IPv6 hosts:
|
||||||
|
sed -i '/::/s%^%#%g' /etc/hosts
|
||||||
|
|
||||||
|
## ip addr show | grep inet6
|
||||||
|
;;
|
||||||
|
|
||||||
|
x) echo "";
|
||||||
|
exit 1;;
|
||||||
|
*) echo " Press [enter] key to continue. . .";
|
||||||
|
read enterKey;;
|
||||||
|
esac
|
||||||
|
done
|