luu123 · March 17, 2023 21:47
diff --git a/!proxmox_setup.sh b/!proxmox_setup.sh
 # copy and paste oneliner below to run
 # curl -s https://gist.github.com/ilude/32aec45964bc1207810f7e6e49544064/raw/%21proxmox_setup.sh?$(date +%s) | /bin/bash -s

 # Disable Commercial Repo
 sed -i "s/^deb/\#deb/" /etc/apt/sources.list.d/pve-enterprise.list

 # Add PVE Community Repo
 echo "deb http://download.proxmox.com/debian/pve $(grep "VERSION=" /etc/os-release | sed -n 's/.*(\(.*\)).*/\1/p') pve-no-subscription" > /etc/apt/sources.list.d/pve-no-enterprise.list

 # setup no nag script to run on upgrade
 echo "DPkg::Post-Invoke { \"dpkg -V proxmox-widget-toolkit | grep -q '/proxmoxlib\.js$'; if [ \$? -eq 1 ]; then { echo 'Removing subscription nag from UI...'; sed -i '/data.status/{s/\!//;s/Active/NoMoreNagging/}' /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js; }; fi\"; };" > /etc/apt/apt.conf.d/99-proxmox-no-nag-script

 # setup dark-theme to reinstall on upgrade
 THEME_APT_SCRIPT_FILE=/etc/apt/apt.conf.d/99-proxmox-dark-theme
 if [ ! -f "$THEME_APT_SCRIPT_FILE" ]; then
 tee -a "$THEME_APT_SCRIPT_FILE" >/dev/null <<'EOF'
 DPkg::Post-Invoke { "wget https://raw.githubusercontent.com/Weilbyte/PVEDiscordDark/master/PVEDiscordDark.sh && bash PVEDiscordDark.sh install || true"; };
 EOF
 fi

 apt-get update
 apt-get dist-upgrade -y

 # disable kerbose authentication for sshd, this will speed up logins
 sed -i 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/g' /etc/ssh/sshd_config
 systemctl restart ssh

 # force post-invoke scripts to run
 apt --reinstall install proxmox-widget-toolkit

 # keep a record of when the system was setup
 if ! [[ -f /etc/birth_certificate ]]; then
  echo "Creating /etc/birth_certificate"
  date > /etc/birth_certificate
 fi

 # offer to fetch and store github public keys in authorized_keys file
 fetch_github_key()
 {
  mkdir -p ~/.ssh
  if ! [[ -f ~/.ssh/authorized_keys ]]; then
    touch ~/.ssh/authorized_keys
  fi
  chmod 700 ~/.ssh
  chmod 600 ~/.ssh/*

  read -p "Enter Github Username: " github_username
  curl -s https://github.com/${github_username}.keys >> ~/.ssh/authorized_keys
 }

 read -t 10 -p "Download github public key for ssh? (Y/n): " REPLY
 if [ $? -gt 128 ]; then
  echo "Timed out waiting for input. Defaulting to N!"
  break
 fi

 case $REPLY in
 [yY]*)
  fetch_github_key
  ;;
 *)
  ;;
 esac

 # offer to setup gmail for outgoing smtp messages
 # https://geekistheway.com/2021/03/07/configuring-e-mail-alerts-on-your-proxmox/
 setup_smtp_to_gmail() 
 {
  apt update
  apt install -y libsasl2-modules

  echo "You will need to go to https://security.google.com/settings/security/apppasswords to generate an app password!"
  echo ""
  read -p  'Gmail username (without @gmail.com): ' YOUR_GMAIL_USERNAME
  read -sp 'Gmail App Password: ' YOUR_GMAIL_APP_PASSWORD

  echo "smtp.gmail.com [email protected]:$YOUR_GMAIL_APP_PASSWORD" > /etc/postfix/sasl_passwd
  postmap hash:/etc/postfix/sasl_passwd
  chmod 600 /etc/postfix/sasl_passwd

  sed -i 's/relayhost\ =/relayhost\ =\ smtp.gmail.com:587/g' /etc/postfix/main.cf

  tee -a /etc/postfix/main.cf >/dev/null <<'EOF'
 smtp_use_tls = yes
 smtp_sasl_auth_enable = yes
 smtp_sasl_security_options =
 smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
 smtp_tls_CAfile = /etc/ssl/certs/Entrust_Root_Certification_Authority.pem
 smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
 smtp_tls_session_cache_timeout = 3600s
 EOF

  postfix reload

  echo "Proxmox test message $(date)" | mail -s "Proxmox Test from $(hostname)" [email protected]
 }

 read -t 10 -p "Setup gmail for outgoing smtp mail messages? (Y/n): " REPLY
 if [ $? -gt 128 ]; then
  echo "Timed out waiting for input. Defaulting to N!"
  break
 fi

 case $REPLY in
 [yY]*)
  setup_smtp_to_gmail
  ;;
 *)
  ;;
 esac

 # check if reboot is required 
 if [ -f /var/run/reboot-required ]; then
  sudo reboot
 fi
diff --git a/proxmox samba notes b/proxmox samba notes
 ##############################################################
 # zfs samba file sharing
 # https://forum.level1techs.com/t/how-to-create-a-nas-using-zfs-and-proxmox-with-pictures/117375

 # On the root proxmox server:

 apt-get update
 apt-get install samba

 # add root as a samba user and create a password
 smbpasswd

 # It would also be nice to not have to connect as root to the server every time.
 # Lets create a new user and give them samba permissions.

 # To create a new Unix user:
 useradd -m mike
 passwd mike

 # This adds the new user to Samba.
 smbpasswd -a mike

 nano /etc/samba/smb.conf

 service smbd stop
 service smbd start

 # Test for errors.
 testparm
diff --git a/proxmox smb_hardened.conf b/proxmox smb_hardened.conf
 # https://blog.tim.kent.id.au/2018/11/hardening-samba.html
 #
 # https://wiki.archlinux.org/title/samba#Restrict_protocols_for_better_security

 [global]
   server role = standalone server
   obey pam restrictions = yes
   create mask = 0766
   directory mask = 0777
   server string = Samba
   disable netbios = Yes
   server min protocol = SMB3_00
   smb ports = 445
   server signing = required
   restrict anonymous = 2

   server smb encrypt = desired
   use sendfile = yes

   load printers = no
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes
   show add printer wizard = no
   
 [pool]
   comment = Pool Share
   browseable = yes
   path = /pool/share
   guest ok = no
   read only = no

 [homes]
   comment = Home Directories
   browseable = no
diff --git a/proxmox zfs notes b/proxmox zfs notes
 zfs create pool/share
 zfs create pool/share/apps 
 zfs create pool/share/iso
 zfs create pool/share/media
 zfs create pool/vmstorage 

 zfs list

 NAME                           USED  AVAIL     REFER  MOUNTPOINT
 pool                          24.4G  8.19T      192K  /pool
 pool/share                    24.4G  8.19T      224K  /pool/share
 pool/share/apps               23.0G  8.19T     23.0G  /pool/share/apps
 pool/share/iso                1.37G  8.19T     1.37G  /pool/share/iso
 pool/share/media               192K  8.19T      192K  /pool/share/media
 pool/vmstorage                 304K  8.19T      192K  /pool/vmstorage

 Back in GUI land…

 Click on “Datacenter”
 “Storage”
 “Add”
 “Directory”
 ID: iso
 Directory: /storage/share/iso
 Content: make sure only “ISO image” and “Container template” are selected.
 “Add”

 And again…
 “Add”
 “ZFS”
 ID: vmstorage
 ZFS Pool: /storage/vmstorage

diff --git a/proxmox_notes.md b/proxmox_notes.md
diff --git a/proxmox_setup_fail2ban.sh b/proxmox_setup_fail2ban.sh
 # barrowed from https://github.com/DeadlockState/Proxmox-prepare/blob/master/proxmox_prepare.sh

 apt-get install -y fail2ban > /dev/null 2>&1
 	
 	cd /etc/fail2ban/
 	
 	touch jail.local
 	
 	echo "[proxmox]
 enabled = true
 port = http,https,8006
 filter = proxmox
 logpath = /var/log/daemon.log
 maxretry = 4
 bantime = 43200" > jail.local

 	cd filter.d/
 	
 	touch proxmox.conf
 	
 	echo "[Definition]
 failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
 ignoreregex =" > proxmox.conf

 	service fail2ban restart
	# copy and paste oneliner below to run
	# curl -s https://gist.github.com/ilude/32aec45964bc1207810f7e6e49544064/raw/%21proxmox_setup.sh?$(date +%s) \| /bin/bash -s

	# Disable Commercial Repo
	sed -i "s/^deb/\#deb/" /etc/apt/sources.list.d/pve-enterprise.list

	# Add PVE Community Repo
	echo "deb http://download.proxmox.com/debian/pve $(grep "VERSION=" /etc/os-release \| sed -n 's/.(\(.\)).*/\1/p') pve-no-subscription" > /etc/apt/sources.list.d/pve-no-enterprise.list

	# setup no nag script to run on upgrade
	echo "DPkg::Post-Invoke { \"dpkg -V proxmox-widget-toolkit \| grep -q '/proxmoxlib\.js$'; if [ \$? -eq 1 ]; then { echo 'Removing subscription nag from UI...'; sed -i '/data.status/{s/\!//;s/Active/NoMoreNagging/}' /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js; }; fi\"; };" > /etc/apt/apt.conf.d/99-proxmox-no-nag-script

	# setup dark-theme to reinstall on upgrade
	THEME_APT_SCRIPT_FILE=/etc/apt/apt.conf.d/99-proxmox-dark-theme
	if [ ! -f "$THEME_APT_SCRIPT_FILE" ]; then
	tee -a "$THEME_APT_SCRIPT_FILE" >/dev/null <<'EOF'
	DPkg::Post-Invoke { "wget https://raw.githubusercontent.com/Weilbyte/PVEDiscordDark/master/PVEDiscordDark.sh && bash PVEDiscordDark.sh install \|\| true"; };
	EOF
	fi

	apt-get update
	apt-get dist-upgrade -y

	# disable kerbose authentication for sshd, this will speed up logins
	sed -i 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/g' /etc/ssh/sshd_config
	systemctl restart ssh

	# force post-invoke scripts to run
	apt --reinstall install proxmox-widget-toolkit

	# keep a record of when the system was setup
	if ! [[ -f /etc/birth_certificate ]]; then
	echo "Creating /etc/birth_certificate"
	date > /etc/birth_certificate
	fi

	# offer to fetch and store github public keys in authorized_keys file
	fetch_github_key()
	{
	mkdir -p ~/.ssh
	if ! [[ -f ~/.ssh/authorized_keys ]]; then
	touch ~/.ssh/authorized_keys
	fi
	chmod 700 ~/.ssh
	chmod 600 ~/.ssh/*

	read -p "Enter Github Username: " github_username
	curl -s https://github.com/${github_username}.keys >> ~/.ssh/authorized_keys
	}

	read -t 10 -p "Download github public key for ssh? (Y/n): " REPLY
	if [ $? -gt 128 ]; then
	echo "Timed out waiting for input. Defaulting to N!"
	break
	fi

	case $REPLY in
	[yY]*)
	fetch_github_key
	;;
	*)
	;;
	esac

	# offer to setup gmail for outgoing smtp messages
	# https://geekistheway.com/2021/03/07/configuring-e-mail-alerts-on-your-proxmox/
	setup_smtp_to_gmail()
	{
	apt update
	apt install -y libsasl2-modules

	echo "You will need to go to https://security.google.com/settings/security/apppasswords to generate an app password!"
	echo ""
	read -p 'Gmail username (without @gmail.com): ' YOUR_GMAIL_USERNAME
	read -sp 'Gmail App Password: ' YOUR_GMAIL_APP_PASSWORD

	echo "smtp.gmail.com [email protected]:$YOUR_GMAIL_APP_PASSWORD" > /etc/postfix/sasl_passwd
	postmap hash:/etc/postfix/sasl_passwd
	chmod 600 /etc/postfix/sasl_passwd

	sed -i 's/relayhost\ =/relayhost\ =\ smtp.gmail.com:587/g' /etc/postfix/main.cf

	tee -a /etc/postfix/main.cf >/dev/null <<'EOF'
	smtp_use_tls = yes
	smtp_sasl_auth_enable = yes
	smtp_sasl_security_options =
	smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
	smtp_tls_CAfile = /etc/ssl/certs/Entrust_Root_Certification_Authority.pem
	smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
	smtp_tls_session_cache_timeout = 3600s
	EOF

	postfix reload

	echo "Proxmox test message $(date)" \| mail -s "Proxmox Test from $(hostname)" [email protected]
	}

	read -t 10 -p "Setup gmail for outgoing smtp mail messages? (Y/n): " REPLY
	if [ $? -gt 128 ]; then
	echo "Timed out waiting for input. Defaulting to N!"
	break
	fi

	case $REPLY in
	[yY]*)
	setup_smtp_to_gmail
	;;
	*)
	;;
	esac

	# check if reboot is required
	if [ -f /var/run/reboot-required ]; then
	sudo reboot
	fi
	##############################################################
	# zfs samba file sharing
	# https://forum.level1techs.com/t/how-to-create-a-nas-using-zfs-and-proxmox-with-pictures/117375

	# On the root proxmox server:

	apt-get update
	apt-get install samba

	# add root as a samba user and create a password
	smbpasswd

	# It would also be nice to not have to connect as root to the server every time.
	# Lets create a new user and give them samba permissions.

	# To create a new Unix user:
	useradd -m mike
	passwd mike

	# This adds the new user to Samba.
	smbpasswd -a mike

	nano /etc/samba/smb.conf

	service smbd stop
	service smbd start

	# Test for errors.
	testparm
	# https://blog.tim.kent.id.au/2018/11/hardening-samba.html
	#
	# https://wiki.archlinux.org/title/samba#Restrict_protocols_for_better_security

	[global]
	server role = standalone server
	obey pam restrictions = yes
	create mask = 0766
	directory mask = 0777
	server string = Samba
	disable netbios = Yes
	server min protocol = SMB3_00
	smb ports = 445
	server signing = required
	restrict anonymous = 2

	server smb encrypt = desired
	use sendfile = yes

	load printers = no
	printing = bsd
	printcap name = /dev/null
	disable spoolss = yes
	show add printer wizard = no

	[pool]
	comment = Pool Share
	browseable = yes
	path = /pool/share
	guest ok = no
	read only = no

	[homes]
	comment = Home Directories
	browseable = no
	zfs create pool/share
	zfs create pool/share/apps
	zfs create pool/share/iso
	zfs create pool/share/media
	zfs create pool/vmstorage

	zfs list

	NAME USED AVAIL REFER MOUNTPOINT
	pool 24.4G 8.19T 192K /pool
	pool/share 24.4G 8.19T 224K /pool/share
	pool/share/apps 23.0G 8.19T 23.0G /pool/share/apps
	pool/share/iso 1.37G 8.19T 1.37G /pool/share/iso
	pool/share/media 192K 8.19T 192K /pool/share/media
	pool/vmstorage 304K 8.19T 192K /pool/vmstorage

	Back in GUI land…

	Click on “Datacenter”
	“Storage”
	“Add”
	“Directory”
	ID: iso
	Directory: /storage/share/iso
	Content: make sure only “ISO image” and “Container template” are selected.
	“Add”

	And again…
	“Add”
	“ZFS”
	ID: vmstorage
	ZFS Pool: /storage/vmstorage
	# barrowed from https://github.com/DeadlockState/Proxmox-prepare/blob/master/proxmox_prepare.sh

	apt-get install -y fail2ban > /dev/null 2>&1

	cd /etc/fail2ban/

	touch jail.local

	echo "[proxmox]
	enabled = true
	port = http,https,8006
	filter = proxmox
	logpath = /var/log/daemon.log
	maxretry = 4
	bantime = 43200" > jail.local

	cd filter.d/

	touch proxmox.conf

	echo "[Definition]
	failregex = pvedaemon\[.authentication failure; rhost=<HOST> user=. msg=.*
	ignoreregex =" > proxmox.conf

	service fail2ban restart