
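#!/bin/sh
#
# Preconditions for everything below: the menu options write system files and
# drive apt, so refuse to continue unless we are root on a Debian-based host.
# Diagnostics go to stderr so they are not swallowed when stdout is redirected.
#
if [ "$(id -u)" != "0" ]; then
  printf '%s\n' "Error: You must be root to run this script, please use the root user to install the software." >&2
  exit 1
fi
if [ ! -f /etc/debian_version ]; then
  printf '%s\n' "Unsupported Linux Distribution. Prepared for Debian" >&2
  exit 1
fi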
################################################################################
#
# post-installation script for Proxmox@PVE02
#
################################################################################
#
# Assumptions: proxmox 8.X installed
#
################################################################################
#
# root pass:
#
################################################################################
#
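################################################################################
# Helpers shared by the menu options below.
################################################################################

# Print a yellow section banner and pause briefly so the operator can read it.
# $1 - banner text
banner() {
  printf '\n\033[33m---- %s ----\033[0m\n' "$1"
  sleep 2
}

# Append a line to a file only when that exact line is not already present, so
# re-running a menu option does not accumulate duplicate entries.
# $1 - file, $2 - exact line to add
append_once() {
  grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# Keep the first backup of a file; later runs must not overwrite the pristine copy
# with an already-modified one.
# $1 - file to back up, $2 - backup path
backup_once() {
  [ -e "$2" ] || cp -p -- "$1" "$2"
}

# Register the vfio modules and add the IOMMU parameter to the kernel command
# line. IOMMU must also be enabled in the firmware (VT-d / AMD-Vi).
# The sed only matches the stock 'quiet' line, so warn when it did not apply
# instead of silently doing nothing.
# $1 - kernel parameter to add (amd_iommu=on or intel_iommu=on)
enable_passthrough() {
  # NOTE(review): vfio_virqfd is reported as folded into vfio on newer kernels;
  # a missing module only yields a modprobe warning at boot - confirm for this kernel.
  for mod in vfio vfio_iommu_type1 vfio_pci vfio_virqfd; do
    append_once /etc/modules "$mod"
  done
  if grep -q -- "$1" /etc/default/grub; then
    printf '%s already present in /etc/default/grub, leaving it unchanged\n' "$1"
  else
    sed -i "s/GRUB_CMDLINE_LINUX_DEFAULT=\"quiet\"/GRUB_CMDLINE_LINUX_DEFAULT=\"quiet $1 iommu=pt\"/" /etc/default/grub
    grep -q -- "$1" /etc/default/grub \
      || printf 'warning: GRUB_CMDLINE_LINUX_DEFAULT is not the stock "quiet" line; add "%s iommu=pt" by hand\n' "$1" >&2
  fi
  # Verify after reboot with: dmesg | grep -e DMAR -e IOMMU
  update-grub
}

################################################################################
# Interactive menu. Each option is best-effort: a failing step is reported by
# the tool itself and the menu comes back, as in the original flow.
################################################################################
while :; do
  clear
  printf '\n\033[1m I N S T A L L Proxmox 8.X @ PVE01 \n'
  printf ' -----------------------------------------\033[0m\n'
  printf '01.Install System\n'
  printf '02.Enable AMD pci passthrough\n'
  printf '03.Enable INTEL pci passthrough\n'
  printf '04.Setup ZFS\n'
  printf '05.Install Cockpit\n'
  printf '06.Install fail2ban\n'
  printf '07.Disable-IPv6\n'
  printf '\n x. Exit\n\n'
  printf ' Please enter option [01 - 07] '
  # EOF on stdin (Ctrl-D, or no terminal) would otherwise redraw the menu forever.
  read -r opt || { printf '\n'; exit 0; }
  case "$opt" in
    ##################################################################################
    01|1)
      echo "************ Install System **********************"
      ##################################################################################
      banner 'Setup Locales to en_US.UTF-8'
      dpkg-reconfigure locales && update-locale LANG=en_US.UTF-8 && locale-gen --purge --no-archive && update-initramfs -u -k all
      banner 'Setup Apt-Sources and Upgrade System'
      ## Remove the enterprise repos (no subscription on this host) and use the public one
      rm -f /etc/apt/sources.list.d/pve-enterprise.list /etc/apt/sources.list.d/ceph.list
      backup_once /etc/apt/sources.list /etc/apt/sources.list.default
      cat > /etc/apt/sources.list <<"EOF"
deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
deb http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
deb http://deb.debian.org/debian-security/ bookworm-security main contrib non-free non-free-firmware
# proxmox public repo
deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription
EOF
      banner 'Update proxmox and install various system utils'
      apt update && apt dist-upgrade -y && pveam update
      banner 'Install common system utilities'
      apt install -y \
        acpi acpid acpi-support cpufrequtils pve-headers apt-listchanges \
        curl git wget net-tools screen saidar unzip htop iptraf iotop iftop \
        lshw mc powertop unattended-upgrades smartmontools ethtool
      # sysbench sshfs make nfs-kernel-server portmap pv
      banner 'Setup Unattended-Upgrades'
      dpkg-reconfigure -plow unattended-upgrades
      # apt.conf values are double-quoted strings. The previous nested double quotes
      # collapsed to `Mail root;`, so the whole line is single-quoted here.
      append_once /etc/apt/apt.conf.d/50unattended-upgrades 'Unattended-Upgrade::Mail "root";'
      append_once /etc/apt/apt.conf.d/20auto-upgrades 'APT::Periodic::Verbose "2";'
      banner 'Install apticron'
      apt install -y apticron
      # apticron.conf is sourced as shell, so every value must be fully quoted.
      cat > /etc/apticron/apticron.conf <<"EOF"
EMAIL="root"
# DIFF_ONLY="1"
LISTCHANGES_PROFILE="apticron"
ALL_FQDNS="1"
SYSTEM="pve01.home.lan"
# IPADDRESSNUM="1"
IPADDRESSES="192.168.10.50"
# NOTIFY_HOLDS="0"
NOTIFY_NEW="1"
CUSTOM_SUBJECT="System updates."
CUSTOM_NO_UPDATES_SUBJECT="System updates - no updates."
# CUSTOM_FROM=""
EOF
      # NOTE(review): /etc/cron.d/apticron is a crontab fragment (it has a user
      # field), not an executable script, so run-parts in cron.daily is unlikely to
      # run this copy - confirm the intent (daily instead of hourly apticron).
      cp /etc/cron.d/apticron /etc/cron.daily/apticron
      banner 'Setup SystemD Service'
      # Remove time daemons that would conflict with systemd-timesyncd
      apt purge -y ntp openntpd chrony
      ## tmp.mount
      cp /usr/share/systemd/tmp.mount /etc/systemd/system/ && systemctl enable --now tmp.mount
      ## fstrim timer
      systemctl enable --now fstrim.timer
      ## journald: cap the journal via a drop-in (idempotent, survives package upgrades)
      mkdir -p /etc/systemd/journald.conf.d
      cat > /etc/systemd/journald.conf.d/50-size.conf <<"EOF"
[Journal]
SystemMaxUse=100M
EOF
      systemctl restart systemd-journald
      ## Set Timezone and enable NTP
      timedatectl set-timezone Europe/Berlin
      apt install -y systemd-timesyncd
      backup_once /etc/systemd/timesyncd.conf /etc/systemd/timesyncd.default
      cat > /etc/systemd/timesyncd.conf <<"EOF"
[Time]
NTP=192.168.10.1 192.168.10.254
#NTP=0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org
FallbackNTP=0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org
RootDistanceMaxSec=5
PollIntervalMinSec=32
PollIntervalMaxSec=2048
EOF
      systemctl restart systemd-timesyncd && timedatectl set-ntp true
      # timedatectl status
      ## Disable portmapper / rpcbind (security). The socket unit is included, otherwise
      ## socket activation can bring the service straight back; absent units are ignored.
      systemctl disable --now rpcbind.socket rpcbind.service 2>/dev/null || true
      banner 'Optimise tcp ip'
      backup_once /etc/sysctl.conf /etc/sysctl.conf.default
      # Duplicate keys from the previous version were dropped; for each key only the
      # value that was effective (the last one) is kept.
      cat > /etc/sysctl.conf <<"EOF"
#############################
## CPU tweaks #
#############################
#
## Queue size modifications
net.unix.max_dgram_qlen=50
## net.core.*mem* and optmem_max are set once, under "Net Speed tweaks" below
#
#############################
## VM & Filesystem tweaks #
#############################
fs.lease-break-time=10
fs.file-max = 262140
## inotify watches / BUG FIX : No space left on device
fs.inotify.max_user_watches=1048576
vm.overcommit_memory=1
vm.oom_dump_tasks=1
vm.page-cluster=0
vm.swappiness = 10
vm.vfs_cache_pressure = 10000
vm.dirty_ratio = 10
vm.dirty_background_ratio = 5
#
#############################
## Net Speed tweaks #
#############################
#
## UnderUtilized Networking Tweaks below as recommended by avgjoemomma (from XDA)
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
#net.ipv4.tcp_congestion_control=cubic
#
net.core.netdev_max_backlog = 100000
net.core.netdev_budget = 50000
net.core.netdev_budget_usecs = 5000
net.core.somaxconn = 1024
net.core.rmem_default = 1048576
net.core.rmem_max = 16777216
net.core.wmem_default = 1048576
net.core.wmem_max = 16777216
net.core.optmem_max = 65536
net.ipv4.tcp_rmem = 4096 1048576 2097152
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.tcp_fastopen = 3
#
# TCP keepalive parameters
net.ipv4.tcp_keepalive_time=1800
net.ipv4.tcp_keepalive_intvl = 10
net.ipv4.tcp_keepalive_probes = 6
#
# # Hardening the TCP/IP stack to SYN attacks
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.tcp_synack_retries=2
net.ipv4.tcp_syn_retries=2
net.ipv4.tcp_max_syn_backlog=1024
net.ipv4.tcp_max_tw_buckets=16384
#net.ipv4.icmp_echo_ignore_all=1
#net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_no_metrics_save=1
net.ipv4.tcp_fin_timeout=15
net.ipv4.tcp_moderate_rcvbuf=1
net.ipv4.route.flush=1
net.ipv4.udp_rmem_min=6144
net.ipv4.udp_wmem_min=6144
net.ipv4.tcp_rfc1337=1
net.ipv4.ip_no_pmtu_disc=0
net.ipv4.tcp_ecn=0
net.ipv4.tcp_sack=1
# tcp_fack may no longer exist on current kernels; sysctl -p reports it and carries on
net.ipv4.tcp_fack=1
#
# Don't accept source routing
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.accept_source_route=0
#
# Don't accept redirects
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
#
# Forwarding is only needed when guests are NATed through the host; set both to 0
# when every guest sits on a bridge with its own address.
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
EOF
      # Keys unknown to the running kernel are reported and skipped; the rest still apply.
      /sbin/sysctl -p
      banner 'Setup Grub'
      backup_once /etc/default/grub /etc/default/grub.old
      # GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 acpi=force pcie_aspm=force nmi_watchdog=0"
      sed -i 's/#GRUB_GFXMODE=640x480/GRUB_GFXMODE=1920x1080x32/g' /etc/default/grub
      # sed -i 's/GRUB_TIMEOUT=5/GRUB_TIMEOUT=0/g' /etc/default/grub
      update-grub
      banner 'Increase vzdump backup speed'
      sed -i "s/#bwlimit: KBPS/bwlimit: 10240000/" /etc/vzdump.conf
      banner 'Increase max FD limit / ulimit'
      # Append the limits block once; its last line doubles as the "already done" marker.
      if ! grep -q '^root hard nofile 131072' /etc/security/limits.conf; then
        cat <<'EOF' >> /etc/security/limits.conf
* soft nproc 131072
* hard nproc 131072
* soft nofile 131072
* hard nofile 131072
root soft nproc 131072
root hard nproc 131072
root soft nofile 131072
root hard nofile 131072
EOF
      fi
      banner 'Increase kernel max Key limit'
      cat <<'EOF' > /etc/sysctl.d/60-maxkeys.conf
kernel.keys.root_maxkeys=1000000
kernel.keys.maxkeys=1000000
EOF
      # apply now rather than at the next boot
      sysctl -p /etc/sysctl.d/60-maxkeys.conf
      banner 'Remove Subscription-Banner'
      # Patches a file owned by proxmox-widget-toolkit; package upgrades restore it,
      # which is why the cron entry below re-applies the patch twice a day.
      cat > /root/subscription_banner.sh <<'EOF'
#!/bin/sh
sed -i.bak 's/if (res === null.*/if (false) {/g; /.data.status.toLowerCase()/d' /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js
EOF
      chmod +x /root/subscription_banner.sh
      backup_once /etc/crontab /etc/crontab.default
      append_once /etc/crontab "0 1,13 * * * root /root/subscription_banner.sh"
      banner 'Install log2ram'
      # Third-party repository: the signing key is fetched over HTTPS with no further
      # pinning. Compare its fingerprint (gpg --show-keys <keyring>) with the one the
      # repository owner publishes before relying on it. The key is fetched before the
      # source is registered so a failed download does not leave apt with a broken repo.
      if wget -O /usr/share/keyrings/azlux-archive-keyring.gpg https://azlux.fr/repo.gpg; then
        printf '%s\n' "deb [signed-by=/usr/share/keyrings/azlux-archive-keyring.gpg] http://packages.azlux.fr/debian/ bookworm main" > /etc/apt/sources.list.d/azlux.list
        apt update && apt -y install log2ram
        sed -i "s/SIZE=128M/SIZE=1024M/g" /etc/log2ram.conf
        systemctl restart log2ram
      else
        # wget -O creates the target even on failure; do not leave an empty keyring behind
        rm -f /usr/share/keyrings/azlux-archive-keyring.gpg
        printf 'could not download the azlux signing key; skipping log2ram\n' >&2
      fi
      banner 'Install ZSWAP'
      swapoff --all && free
      # grep swap /etc/fstab
      apt install -y zram-tools && zramswap stop
      backup_once /etc/default/zramswap /etc/default/zramswap.default
      cat > /etc/default/zramswap <<"EOF"
# Compression algorithm selection
# speed: lz4 > zstd > lzo
# compression: zstd > lzo > lz4
# This is not inclusive of all that is available in latest kernels
# See /sys/block/zram0/comp_algorithm (when zram module is loaded) to see
# what is currently set and available for your kernel[1]
# [1] https://github.com/torvalds/linux/blob/master/Documentation/blockdev/zram.txt#L86
ALGO=lz4
# Specifies the amount of RAM that should be used for zram
# based on a percentage the total amount of available memory
# This takes precedence and overrides SIZE below
# PERCENT=5
# Specifies a static amount of RAM that should be used for
# the ZRAM devices, this is in MiB
SIZE=1024
# Specifies the priority for the swap devices, see swapon(2)
# for more details. Higher number = higher priority
# This should probably be higher than hdd/ssd swaps.
PRIORITY=100
EOF
      zramswap start && zramswap status
      # cat /proc/swaps
      banner 'secure SSH-Server'
      # Restrict sshd to the LAN through TCP wrappers. NOTE(review): this only has an
      # effect if the installed sshd is built with libwrap - confirm for this release;
      # otherwise enforce the restriction with the Proxmox firewall or in sshd_config.
      append_once /etc/hosts.deny "sshd: ALL EXCEPT LOCAL"
      append_once /etc/hosts.allow "sshd: 192.168.10.0/255.255.255.0"
      banner 'Remove no longer required packages and purge old cached updates'
      apt autoremove -y && apt autoclean -y
      ;;
    ##################################################################################
    02|2)
      echo "************ Enable AMD pci passthrough ****************"
      ##################################################################################
      apt install -y amd64-microcode
      enable_passthrough amd_iommu=on
      ;;
    ##################################################################################
    03|3)
      echo "************ Enable INTEL pci passthrough *****************"
      ##################################################################################
      apt install -y intel-microcode
      enable_passthrough intel_iommu=on
      ;;
    ##################################################################################
    04|4)
      echo "************ Setup ZFS ******************"
      ##################################################################################
      # zpool set autotrim=on rpool
      # zpool set autotrim=on storage01
      # zpool set autotrim=on storage02
      # ARC limits below are sized for this host's RAM; module options unknown to the
      # installed OpenZFS version only produce a warning when the module loads.
      cat > /etc/modprobe.d/zfs.conf <<"EOF"
# yes you really DO have to specify zfs_arc_max IN BYTES ONLY!
# 16GB=17179869184, 8GB=8589934592, 7GB=7516192768 ,6GB=6442450944,
# 4GB=4294967296, 2GB=2147483648, 1GB=1073741824
#
options zfs zfs_arc_min=4294967296
options zfs zfs_arc_max=17179869184
# ZFS File level prefetch tuning
options zfs zfs_prefetch_disable=0
# ZFS Device level prefetch tuning
options zfs zfs_vdev_cache_size=1310720
options zfs zfs_vdev_cache_max=131072
options zfs zfs_vdev_cache_bshift=17
# Chunk size tuning
options zfs zfs_read_chunk_size=1310720
# increase them so scrub/resilver is more quickly at the cost of other work
options zfs zfs_vdev_scrub_min_active=24
options zfs zfs_vdev_scrub_max_active=64
# sync write
options zfs zfs_vdev_sync_write_min_active=8
options zfs zfs_vdev_sync_write_max_active=32
# sync reads (normal)
options zfs zfs_vdev_sync_read_min_active=8
options zfs zfs_vdev_sync_read_max_active=32
# async reads : prefetcher
options zfs zfs_vdev_async_read_min_active=8
options zfs zfs_vdev_async_read_max_active=32
# async write : bulk writes
options zfs zfs_vdev_async_write_min_active=8
options zfs zfs_vdev_async_write_max_active=32
# zfs_dirty_data_max_percent (Default is 10%)
options zfs zfs_dirty_data_max_percent=40
# zfs_top_maxinflight (Maximum number of scrub I/O ,default 32)
options zfs zfs_top_maxinflight=320
# zfs_txg_timeout
# There is a time before async writes are written to disk, this makes it possible
# for ZFS to write a larger piece. (default 30 seconds)
options zfs zfs_txg_timeout=15
# zfs_vdev_scheduler (default : noop)
# options zfs zfs_vdev_scheduler=deadline
EOF
      update-initramfs -u
      ;;
    ##################################################################################
    05|5)
      echo "************ Install Cockpit **************************"
      ##################################################################################
      # apt install -y cockpit cockpit-bridge cockpit-system cockpit-networkmanager cockpit-packagekit cockpit-storaged
      # apt install -y nfs-kernel-server samba
      # echo -e "portmap: ALL" >> /etc/hosts.deny
      # echo -e "portmap: 192.168.10.0/24" >> /etc/hosts.allow
      # cockpit comes from backports, which the sources written by option 01 do not
      # include; register the suite once so the -t install below can resolve it.
      backports_list=/etc/apt/sources.list.d/bookworm-backports.list
      if [ ! -f "$backports_list" ]; then
        printf '%s\n' "deb http://deb.debian.org/debian bookworm-backports main contrib non-free non-free-firmware" > "$backports_list"
      fi
      apt update
      apt -y -t bookworm-backports install --no-install-recommends cockpit
      #apt install -y tuned tuned-utils tuned-utils-systemtap
      # Unpinned checkout of a third-party plugin; clone into a scratch dir so a
      # re-run does not fail on an existing directory in the cwd.
      # TODO: pin to a reviewed tag or commit of the upstream repository.
      if workdir=$(mktemp -d); then
        git clone https://github.com/optimans/cockpit-zfs-manager.git "$workdir/cockpit-zfs-manager" \
          && cp -r "$workdir/cockpit-zfs-manager/zfs" /usr/share/cockpit
        rm -rf -- "$workdir"
      else
        printf 'mktemp failed; skipping cockpit-zfs-manager\n' >&2
      fi
      ;;
    ##################################################################################
    06|6)
      echo "************ Install fail2ban **************************"
      ##################################################################################
      apt install -y fail2ban
      # The proxmox jail reads the journal: Proxmox 8 no longer installs rsyslog by
      # default, so /var/log/daemon.log is usually absent and a file-based jail
      # would fail to start.
      cat > /etc/fail2ban/jail.local <<"EOF"
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
maxretry = 3
# 1 hour
bantime = 3600
[proxmox]
enabled = true
port = https,http,8006
filter = proxmox
backend = systemd
# logpath = /var/log/daemon.log   (only with rsyslog installed)
maxretry = 3
# 1 hour
bantime = 3600
EOF
      cat > /etc/fail2ban/filter.d/proxmox.conf <<"EOF"
[Definition]
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
ignoreregex =
journalmatch = _SYSTEMD_UNIT=pvedaemon.service
EOF
      systemctl restart fail2ban
      # fail2ban-client status sshd
      # fail2ban-client status proxmox
      ;;
    ##################################################################################
    07|7)
      echo "************ Disable-IPv6 **************************"
      ##################################################################################
      # 'all' covers existing interfaces, 'default' the ones created later (bridges, taps)
      cat > /etc/sysctl.d/70-disable-ipv6.conf <<"EOF"
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
EOF
      sysctl -p /etc/sysctl.d/70-disable-ipv6.conf
      # Remove IPv6 hosts: comment out lines containing '::' that are not already commented
      sed -i '/^[^#].*::/s%^%#%' /etc/hosts
      ## ip addr show | grep inet6
      ;;
    x|X)
      # a deliberate quit is not an error
      printf '\n'
      exit 0
      ;;
    *)
      printf ' Press [enter] key to continue. . .\n'
      read -r _ignored
      ;;
  esac
done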