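#!/bin/sh
#
# Interactive post-installation menu for a fresh Proxmox VE 8.x host
# (Debian 12 "bookworm"). Run as root on the host itself.
#
# Each menu entry is a self-contained step. Steps are meant to be run once,
# but every "append a line to a config file" operation is guarded so that
# re-running a step does not duplicate configuration.
#
# Site-specific values come from the environment, with these defaults:
#   PVE_FQDN           FQDN written into apticron.conf       (pve01.home.lan)
#   PVE_ADDR           IPv4 address written into apticron    (192.168.10.50)
#   LAN_NET            network allowed in hosts.allow        (192.168.10.0/255.255.255.0)
#   NTP_SERVERS        local NTP servers for timesyncd       (192.168.10.1 192.168.10.254)
#   TIMEZONE           passed to timedatectl                 (Europe/Berlin)
#   ZFS_ARC_MAX_BYTES  zfs_arc_max for step 04, in bytes     (16 GiB)
#
# Never put credentials (root password etc.) into this file; it is world-readable
# wherever it is copied and ends up in shell history and backups.
#

# Refuse to run unless root on a Debian-based system.
if [ "$(id -u)" != "0" ]; then
  echo "Error: You must be root to run this script, please use the root user to install the software." >&2
  exit 1
fi
if [ ! -f /etc/debian_version ]; then
  echo "Unsupported Linux Distribution. Prepared for Debian" >&2
  exit 1
fi

PVE_FQDN="${PVE_FQDN:-pve01.home.lan}"
PVE_ADDR="${PVE_ADDR:-192.168.10.50}"
LAN_NET="${LAN_NET:-192.168.10.0/255.255.255.0}"
NTP_SERVERS="${NTP_SERVERS:-192.168.10.1 192.168.10.254}"
TIMEZONE="${TIMEZONE:-Europe/Berlin}"
ZFS_ARC_MAX_BYTES="${ZFS_ARC_MAX_BYTES:-17179869184}"

# step MESSAGE — print a yellow section heading and pause so it can be read.
# printf instead of "echo -e": /bin/sh on Debian is dash, whose echo has no
# -e option and would print a literal "-e" in front of every heading.
step() {
  printf '\033[33m%s\033[0m\n' "$1"
  sleep 2
}

# append_once FILE LINE — append LINE to FILE unless an identical line exists.
# Makes the menu steps idempotent; FILE is created if missing.
append_once() {
  grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# enable_vfio MICROCODE_PKG IOMMU_KERNEL_ARG — shared body of steps 02/03.
# Loads the vfio modules at boot and enables the IOMMU on the GRUB cmdline.
enable_vfio() {
  apt install -y "$1"
  # vfio_virqfd has been folded into the vfio core module on newer kernels;
  # a "module not found" warning for it at boot is expected and harmless.
  for mod in vfio vfio_iommu_type1 vfio_pci vfio_virqfd; do
    append_once /etc/modules "$mod"
  done
  # Test: dmesg | grep -e DMAR -e IOMMU
  # Only the stock 'quiet' cmdline is rewritten; a customised line is left alone.
  sed -i "s/GRUB_CMDLINE_LINUX_DEFAULT=\"quiet\"/GRUB_CMDLINE_LINUX_DEFAULT=\"quiet $2 iommu=pt\"/g" /etc/default/grub
  update-grub
  # NOTE(review): hosts that boot through proxmox-boot-tool (typical for ZFS
  # root / UEFI installs) take the kernel cmdline from /etc/kernel/cmdline and
  # need 'proxmox-boot-tool refresh'; update-grub alone has no effect there.
  # Check with: proxmox-boot-tool status
}

while :; do
  clear
  printf '\n\033[1m I N S T A L L Proxmox 8.X @ %s \n' "$PVE_FQDN"
  printf ' -----------------------------------------\033[0m\n\n'
  echo "01.Install System"
  echo "02.Enable AMD pci passthrough"
  echo "03.Enable INTEL pci passthrough"
  echo "04.Setup ZFS"
  echo "05.Install Cockpit"
  echo "06.Install fail2ban"
  echo "07.Disable-IPv6"
  echo ""
  echo " x. Exit"
  echo ""
  printf ' Please enter option [01 - 07, x]: '
  read -r opt
  case "$opt" in
  ##################################################################################
  1|01)
    echo "************ Install System **********************"
    ##################################################################################
    step '------Setup Locales to en_US.UTF-8------'
    dpkg-reconfigure locales && update-locale LANG=en_US.UTF-8 && locale-gen --purge --no-archive && update-initramfs -u -k all

    step '----Setup Apt-Sources and Upgrade System----'
    # Drop the enterprise repositories (no subscription on this host).
    rm -f /etc/apt/sources.list.d/pve-enterprise.list /etc/apt/sources.list.d/ceph.list
    # Keep the very first sources.list as the backup; a re-run must not
    # overwrite it with the generated file.
    [ -f /etc/apt/sources.list.default ] || cp -p /etc/apt/sources.list /etc/apt/sources.list.default
    cat > /etc/apt/sources.list <<"EOF"
deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
deb http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
deb http://deb.debian.org/debian-security/ bookworm-security main contrib non-free non-free-firmware
# proxmox public repo
deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription
EOF

    step '----Update proxmox and install various system utils----'
    apt update && apt dist-upgrade -y && pveam update

    step '----Install common system utilities----'
    apt install -y \
      acpi acpid acpi-support cpufrequtils pve-headers apt-listchanges \
      curl git wget net-tools screen saidar unzip htop iptraf iotop iftop \
      lshw mc powertop unattended-upgrades smartmontools ethtool
    # sysbench sshfs make nfs-kernel-server portmap pv

    step '------Setup Unattended-Upgrades------'
    dpkg-reconfigure -plow unattended-upgrades
    # apt.conf values must be double-quoted. The previous echo "..." "root" "..."
    # form let the shell eat the inner quotes and wrote the directives unquoted.
    append_once /etc/apt/apt.conf.d/50unattended-upgrades 'Unattended-Upgrade::Mail "root";'
    append_once /etc/apt/apt.conf.d/20auto-upgrades 'APT::Periodic::Verbose "2";'

    step '----Install apticron----'
    apt install -y apticron
    # apticron.conf is sourced as shell; every value must be a closed quoted string.
    cat > /etc/apticron/apticron.conf <<EOF
EMAIL="root"
# DIFF_ONLY="1"
LISTCHANGES_PROFILE="apticron"
ALL_FQDNS="1"
SYSTEM="$PVE_FQDN"
# IPADDRESSNUM="1"
IPADDRESSES="$PVE_ADDR"
# NOTIFY_HOLDS="0"
NOTIFY_NEW="1"
CUSTOM_SUBJECT="System updates."
CUSTOM_NO_UPDATES_SUBJECT="System updates - no updates."
# CUSTOM_FROM=""
EOF
    # NOTE(review): the earlier version copied /etc/cron.d/apticron into
    # /etc/cron.daily. A cron.d file is crontab syntax (with a user column), not
    # a run-parts script, so that copy cannot execute; apticron already runs
    # from /etc/cron.d, so the copy is dropped.

    step '----Setup SystemD Service----'
    # Remove NTP daemons that would fight with systemd-timesyncd.
    apt purge -y ntp openntpd chrony
    ## tmp.mount
    cp /usr/share/systemd/tmp.mount /etc/systemd/system/ && systemctl enable tmp.mount && systemctl start tmp.mount
    ## fstrim timer
    systemctl enable --now fstrim.timer
    ## journald: cap the persistent journal (log2ram below keeps /var/log in RAM)
    append_once /etc/systemd/journald.conf 'SystemMaxUse=100M'
    systemctl restart systemd-journald
    ## Set Timezone and enable NTP
    timedatectl set-timezone "$TIMEZONE"
    apt install -y systemd-timesyncd
    [ -f /etc/systemd/timesyncd.default ] || cp -p /etc/systemd/timesyncd.conf /etc/systemd/timesyncd.default
    cat > /etc/systemd/timesyncd.conf <<EOF
[Time]
NTP=$NTP_SERVERS
#NTP=0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org
FallbackNTP=0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org
RootDistanceMaxSec=5
PollIntervalMinSec=32
PollIntervalMaxSec=2048
EOF
    systemctl restart systemd-timesyncd && timedatectl set-ntp true
    # timedatectl status
    ## Disable portmapper / rpcbind (security). The socket unit is included,
    ## otherwise socket activation would start rpcbind again on first contact.
    systemctl disable --now rpcbind.socket rpcbind.service

    step '----Optimise tcp ip----'
    [ -f /etc/sysctl.conf.default ] || cp -p /etc/sysctl.conf /etc/sysctl.conf.default
    # Keys that the previous file set twice are listed once with the value that
    # won (the later one), so the effective settings are unchanged.
    cat > /etc/sysctl.conf <<"EOF"
#############################
## CPU tweaks              #
#############################
#
## Queue size modifications
net.core.optmem_max = 65536
net.unix.max_dgram_qlen=50
#
## Net Core Settings
## Location: /proc/sys/net/core
net.core.rmem_default = 1048576
net.core.rmem_max = 16777216
net.core.wmem_default = 1048576
net.core.wmem_max = 16777216
#
#############################
## VM & Filesystem tweaks  #
#############################
fs.lease-break-time=10
fs.file-max = 262140
vm.overcommit_memory=1
vm.oom_dump_tasks=1
vm.page-cluster=0
vm.swappiness = 10
vm.vfs_cache_pressure = 10000
vm.dirty_ratio = 10
vm.dirty_background_ratio = 5
#
#############################
## Net Speed tweaks        #
#############################
#
## UnderUtilized Networking Tweaks below as recommended by avgjoemomma (from XDA)
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
#net.ipv4.tcp_congestion_control=cubic
#
net.core.netdev_max_backlog = 100000
net.core.netdev_budget = 50000
net.core.netdev_budget_usecs = 5000
net.core.somaxconn = 1024
net.ipv4.tcp_rmem = 4096 1048576 2097152
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.udp_rmem_min=6144
net.ipv4.udp_wmem_min=6144
net.ipv4.tcp_fastopen = 3
#
# TCP keepalive parameters
#net.ipv4.tcp_keepalive_time = 60
net.ipv4.tcp_keepalive_time=1800
net.ipv4.tcp_keepalive_intvl = 10
net.ipv4.tcp_keepalive_probes = 6
#
#
# Hardening the TCP/IP stack to SYN attacks
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.tcp_synack_retries=2
net.ipv4.tcp_syn_retries=2
net.ipv4.tcp_max_syn_backlog=1024
net.ipv4.tcp_max_tw_buckets=16384
#net.ipv4.icmp_echo_ignore_all=1
#net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_no_metrics_save=1
net.ipv4.tcp_fin_timeout=15
net.ipv4.tcp_moderate_rcvbuf=1
net.ipv4.route.flush=1
net.ipv4.tcp_rfc1337=1
net.ipv4.ip_no_pmtu_disc=0
net.ipv4.tcp_ecn=0
net.ipv4.tcp_sack=1
# tcp_fack no longer exists on current kernels; kept for reference only,
# otherwise "sysctl -p" reports an error for it on every run.
#net.ipv4.tcp_fack=1
#
# Don't accept source routing
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.accept_source_route=0
#
# Don't accept redirects
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
#
# Forwarding turns the host into a router for every attached network. Only
# needed for NAT/routed guest setups; bridged guests work without it.
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
EOF
    /sbin/sysctl -p

    step '----Setup Grub----'
    [ -f /etc/default/grub.old ] || cp -p /etc/default/grub /etc/default/grub.old
    # GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 acpi=force pcie_aspm=force nmi_watchdog=0"
    sed -i 's/#GRUB_GFXMODE=640x480/GRUB_GFXMODE=1920x1080x32/g' /etc/default/grub
    # sed -i 's/GRUB_TIMEOUT=5/GRUB_TIMEOUT=0/g' /etc/default/grub
    update-grub

    step '----Increase vzdump backup speed----'
    sed -i "s/#bwlimit: KBPS/bwlimit: 10240000/" /etc/vzdump.conf

    step '----Increase max user watches / BUG FIX : No space left on device ----'
    append_once /etc/sysctl.conf 'fs.inotify.max_user_watches=1048576'
    sysctl -p /etc/sysctl.conf

    step '----Increase max FD limit / ulimit----'
    # Guarded so a re-run does not append the block a second time.
    if ! grep -q '^\* soft nofile 131072' /etc/security/limits.conf; then
      cat <<'EOF' >> /etc/security/limits.conf
* soft nproc 131072
* hard nproc 131072
* soft nofile 131072
* hard nofile 131072
root soft nproc 131072
root hard nproc 131072
root soft nofile 131072
root hard nofile 131072
EOF
    fi

    step '----Increase kernel max Key limit----'
    cat <<'EOF' > /etc/sysctl.d/60-maxkeys.conf
kernel.keys.root_maxkeys=1000000
kernel.keys.maxkeys=1000000
EOF
    sysctl -p /etc/sysctl.d/60-maxkeys.conf

    step '----Remove Subscription-Banner----'
    # NOTE(review): the heredoc that generated /root/subscription_banner.sh and
    # its crontab entry is missing from this copy; what remained
    # ("cat > /root/subscription_banner.sh <> /etc/crontab") only copied
    # /etc/crontab into the .sh file. The step is a no-op until that content
    # is restored from the original source.

    step '----Install log2ram----'
    # Third-party repository. The signing key is fetched over HTTPS from the
    # vendor and then trusted for that repo only ([signed-by=...]); compare its
    # fingerprint (gpg --show-keys FILE) with the one published by the vendor
    # before relying on it on a hypervisor. The repo line is written only
    # after the key download succeeded so apt is never left with a dangling
    # signed-by reference.
    if wget -O /usr/share/keyrings/azlux-archive-keyring.gpg https://azlux.fr/repo.gpg; then
      echo "deb [signed-by=/usr/share/keyrings/azlux-archive-keyring.gpg] http://packages.azlux.fr/debian/ bookworm main" > /etc/apt/sources.list.d/azlux.list
      apt update && apt -y install log2ram
      sed -i "s/SIZE=128M/SIZE=1024M/g" /etc/log2ram.conf
      systemctl restart log2ram
    else
      echo "log2ram: key download failed, repository not configured" >&2
    fi

    step '----Install ZRAM swap---'
    # Disk swap is only switched off for this boot; an fstab swap entry (see
    # the commented grep) comes back after a reboot.
    swapoff --all && free
    # grep swap /etc/fstab
    apt install -y zram-tools && zramswap stop
    [ -f /etc/default/zramswap.default ] || cp -p /etc/default/zramswap /etc/default/zramswap.default
    cat > /etc/default/zramswap <<"EOF"
# Compression algorithm selection
# speed: lz4 > zstd > lzo
# compression: zstd > lzo > lz4
# This is not inclusive of all that is available in latest kernels
# See /sys/block/zram0/comp_algorithm (when zram module is loaded) to see
# what is currently set and available for your kernel[1]
# [1] https://github.com/torvalds/linux/blob/master/Documentation/blockdev/zram.txt#L86
ALGO=lz4

# Specifies the amount of RAM that should be used for zram
# based on a percentage the total amount of available memory
# This takes precedence and overrides SIZE below
# PERCENT=5

# Specifies a static amount of RAM that should be used for
# the ZRAM devices, this is in MiB
SIZE=1024

# Specifies the priority for the swap devices, see swapon(2)
# for more details. Higher number = higher priority
# This should probably be higher than hdd/ssd swaps.
PRIORITY=100
EOF
    zramswap start && zramswap status
    # cat /proc/swaps

    step '------secure SSH-Server------'
    # NOTE(review): Debian 12's openssh-server is built without libwrap
    # (tcp_wrappers), so hosts.allow/hosts.deny do NOT restrict sshd there.
    # Check on the host:  ldd "$(command -v sshd)" | grep -i wrap
    # If nothing is printed, enforce the source restriction in
    # /etc/ssh/sshd_config (Match Address / AllowUsers) or in the Proxmox
    # firewall instead. The entries are kept for services that still honour them.
    append_once /etc/hosts.deny 'sshd: ALL EXCEPT LOCAL'
    append_once /etc/hosts.allow "sshd: $LAN_NET"

    step '----Remove no longer required packages and purge old cached updates----'
    apt autoremove -y && apt autoclean -y
    ;;
  ##################################################################################
  2|02)
    echo "************ Enable AMD pci passthrough ****************"
    ##################################################################################
    enable_vfio amd64-microcode amd_iommu=on
    ;;
  ##################################################################################
  3|03)
    echo "************ Enable INTEL pci passthrough *****************"
    ##################################################################################
    enable_vfio intel-microcode intel_iommu=on
    ;;
  ##################################################################################
  4|04)
    echo "************ Setup ZFS ******************"
    ##################################################################################
    # zpool set autotrim=on rpool
    # zpool set autotrim=on storage01
    # zpool set autotrim=on storage02
    case "$ZFS_ARC_MAX_BYTES" in
      ''|*[!0-9]*)
        echo "ZFS_ARC_MAX_BYTES must be a plain number of bytes (got '$ZFS_ARC_MAX_BYTES')" >&2
        continue
        ;;
    esac
    # NOTE(review): several of these tunables are legacy OpenZFS names; the
    # module loader ignores unknown options with a warning. Compare against
    # 'modinfo -p zfs' on the host and size zfs_arc_max to this host's RAM.
    cat > /etc/modprobe.d/zfs.conf <<EOF
# yes you really DO have to specify zfs_arc_max IN BYTES ONLY!
# 16GB=17179869184, 8GB=8589934592, 7GB=7516192768 ,6GB=6442450944,
# 4GB=4294967296, 2GB=2147483648, 1GB=1073741824
# options zfs zfs_arc_min=4294967296
options zfs zfs_arc_max=$ZFS_ARC_MAX_BYTES
# ZFS File level prefetch tuning
options zfs zfs_prefetch_disable=0
# ZFS Device level prefetch tuning
options zfs zfs_vdev_cache_size=1310720
options zfs zfs_vdev_cache_max=131072
options zfs zfs_vdev_cache_bshift=17
# Chunk size tuning
options zfs zfs_read_chunk_size=1310720
# increase them so scrub/resilver is more quickly at the cost of other work
options zfs zfs_vdev_scrub_min_active=24
options zfs zfs_vdev_scrub_max_active=64
# sync write
options zfs zfs_vdev_sync_write_min_active=8
options zfs zfs_vdev_sync_write_max_active=32
# sync reads (normal)
options zfs zfs_vdev_sync_read_min_active=8
options zfs zfs_vdev_sync_read_max_active=32
# async reads : prefetcher
options zfs zfs_vdev_async_read_min_active=8
options zfs zfs_vdev_async_read_max_active=32
# async write : bulk writes
options zfs zfs_vdev_async_write_min_active=8
options zfs zfs_vdev_async_write_max_active=32
# zfs_dirty_data_max_percent (Default is 10%)
options zfs zfs_dirty_data_max_percent=40
# zfs_top_maxinflight (Maximum number of scrub I/O ,default 32)
options zfs zfs_top_maxinflight=320
# zfs_txg_timeout
# There is a time before async writes are written to disk, this makes it possible
# for ZFS to write a larger piece. (default 30 seconds)
options zfs zfs_txg_timeout=15
# zfs_vdev_scheduler (default : noop)
# options zfs zfs_vdev_scheduler=deadline
EOF
    update-initramfs -u
    ;;
  ##################################################################################
  5|05)
    echo "************ Install Cockpit **************************"
    ##################################################################################
    # apt install -y cockpit cockpit-bridge cockpit-system cockpit-networkmanager cockpit-packagekit cockpit-storaged
    # apt install -y nfs-kernel-server samba
    # echo -e "portmap: ALL" >> /etc/hosts.deny
    # echo -e "portmap: 192.168.10.0/24" >> /etc/hosts.allow
    # "-t bookworm-backports" needs the backports suite, which step 01's
    # sources.list does not provide; add it here if it is still missing.
    if [ ! -f /etc/apt/sources.list.d/bookworm-backports.list ]; then
      echo "deb http://deb.debian.org/debian bookworm-backports main contrib non-free non-free-firmware" > /etc/apt/sources.list.d/bookworm-backports.list
      apt update
    fi
    apt -y -t bookworm-backports install cockpit --no-install-recommends
    #apt install -y tuned tuned-utils tuned-utils-systemtap
    # Third-party plugin cloned from the repository's default branch: nothing
    # pins a commit or verifies the content, and it is installed root-owned
    # into the Cockpit web UI. Pin a reviewed tag/commit before using this on
    # a production host. The clone goes to a private temp dir (not the CWD)
    # and is removed afterwards.
    tmpdir=$(mktemp -d) || { echo "mktemp failed" >&2; continue; }
    if git clone --depth 1 https://github.com/optimans/cockpit-zfs-manager.git "$tmpdir/cockpit-zfs-manager"; then
      cp -r "$tmpdir/cockpit-zfs-manager/zfs" /usr/share/cockpit
    else
      echo "cockpit-zfs-manager: clone failed, plugin not installed" >&2
    fi
    rm -rf -- "${tmpdir:?}"
    ;;
  ##################################################################################
  6|06)
    echo "************ Install fail2ban **************************"
    ##################################################################################
    apt install fail2ban -y
    cat > /etc/fail2ban/jail.local <<"EOF"
[DEFAULT]
# Read the journal instead of /var/log/*.log: a default Proxmox VE 8 install
# has no rsyslog, so /var/log/auth.log and /var/log/daemon.log may not exist
# and the jails would fail to start.
backend = systemd

[sshd]
enabled = true
port = ssh
maxretry = 3
# 1 hour
bantime = 3600

[proxmox]
enabled = true
port = https,http,8006
filter = proxmox
maxretry = 3
# 1 hour
bantime = 3600
EOF
    # <HOST> is mandatory: fail2ban rejects a failregex without a host capture,
    # and without it nothing would ever be banned.
    cat > /etc/fail2ban/filter.d/proxmox.conf <<"EOF"
[Definition]
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
ignoreregex =
journalmatch = _SYSTEMD_UNIT=pvedaemon.service
EOF
    systemctl restart fail2ban
    # fail2ban-client status sshd
    # fail2ban-client status proxmox
    ;;
  ##################################################################################
  7|07)
    echo "************ Disable-IPv6 **************************"
    ##################################################################################
    # "all" only covers interfaces that exist now; "default" makes interfaces
    # created later (guest tap/veth devices, new bridges) start disabled too.
    cat > /etc/sysctl.d/70-disable-ipv6.conf <<"EOF"
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
EOF
    sysctl -p /etc/sysctl.d/70-disable-ipv6.conf
    # Comment out IPv6 entries in /etc/hosts:
    sed -i '/::/s%^%#%g' /etc/hosts
    ## ip addr show | grep inet6
    ;;
  x|X)
    echo ""
    exit 0
    ;;
  *)
    printf ' Press [enter] key to continue. . .'
    read -r enterKey
    ;;
  esac
done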