Compare commits


No commits in common. "6e1886acd62163a57a9b7f8e35aee88399f9f7c7" and "747ba1766fe2610c882d5943e3b072e99017aa6d" have entirely different histories.

5 changed files with 57 additions and 160 deletions


@ -228,13 +228,10 @@ xreadYes(){
# XXX check DFL_..???
if [[ "${!var}" == "SKIP" ]] ; then
eval "$var="
return 1
return
fi
if [ -z ${!var} ] ; then
if [[ "$(eval "echo \$DFL_${var}")" == "SKIP" ]] ; then
eval "$var="
return 1
elif [ -z $(eval "echo \$DFL_${var}") ] ; then
if [ -z $(eval "echo \$DFL_${var}") ] ; then
local yes=y
local no=N
local dfl=
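Review bot: the SKIP branch that ends in a bare `return` (right after `eval "$var="`) returns the exit status of that `eval`, which is 0, so a caller such as `if xreadYes "# Update system?" UPDATE ; then` treats a SKIP answer as yes; keep `return 1` there, matching the `DFL_` SKIP branch a few lines further down in this hunk. While here, `[ -z ${!var} ]` and `$(eval "echo \$DFL_${var}")` are unquoted; `[ -z "${!var}" ]` and an indirect expansion (`dfl=DFL_${var}; "${!dfl}"`) avoid both the word splitting and the `eval`.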


@ -83,19 +83,19 @@ config.global: config.global.example
bootstrap: \
host-bootstrap \
gate-bootstrap ns \
$(MINIMAL_CTs)
make bootstrap-clean
$(MINIMAL_CTs) \
bootstrap-clean
# Bootstrap stage 2: reconnect host through the base infrastructure...
.PHONY: bootstrap-clean
.PHONY: bootstrap-clean host-bootstrap-clean
bootstrap-clean: host-bootstrap-clean
# Finalize: reconect admin port/bridge correctly...
.PHONY: finalize
finalize: bootstrap-clean gate-bootstrap-clean
make host-bootstrap-clean
@ make host-bootstrap-clean
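Review bot: turning `make bootstrap-clean` from a recipe line into a prerequisite of `bootstrap` loses the ordering the recipe gave it: prerequisites listed together (`host-bootstrap`, `gate-bootstrap`, `ns`, `$(MINIMAL_CTs)`, `bootstrap-clean`) may run in any order under `make -j`, while the clean stage only makes sense once the CTs exist; an order-only prerequisite (`| bootstrap-clean`) does not order siblings either, so either keep the recipe or make `bootstrap-clean` depend on the CT targets. `finalize: bootstrap-clean gate-bootstrap-clean` already pulls in `host-bootstrap-clean` through `bootstrap-clean: host-bootstrap-clean`, and the recipe `@ make host-bootstrap-clean` then runs it a second time; since that script advances one stage per run (`.clean`, then `.final`), the double run may be intended, but it needs a comment saying so. Recursive invocations should be `$(MAKE)` rather than `make` so `-n`, `-j` and the jobserver propagate; `reconect` in the finalize comment is a typo.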

127
README.md

@ -41,61 +41,35 @@ Goals:
and administration of all the related components at the cost of a
heavier CT transparently integrating multiple related services
XXX service structure
### Network
XXX network
```
Internet Admin
v v
+----|----------------------------------------------------|-----+
| | | |
| (wan) (lan) (admin) |
| | | | |
| | | pve --+ |
| | | | |
| | +--------------------------------+ |
| | / | | |
| +--($WAN_SSH_IP)- ssh ---------------+ | |
| | ^ | | |
| | (ssh:23) | | |
| | . | | |
| | . +------------------------(nat)--+ |
| | ./ | | |
| +------($WAN_IP)- gate ------(nat)---+ | |
| . | | |
| . +-- ns ---------+ |
| . | | |
| + - (udp:51820)-> +-- wireguard | |
| . | | |
| + - (ssh/https)-> +-- gitea | |
| . | | |
| + - - - (https)-> +-- nextcloud | |
| | | |
| +-- syncthing --+ |
| |
+---------------------------------------------------------------+
```
XXX
In general `proxmox-utils` splits the configuration into two levels:
### Services
### CT level
XXX
This level is handled by the `Makefile` and is almost completely automated
### Host level
This level depends on the host setup and is currently done manually
depending on existing host configuration.
XXX clean setup scripts...
## Setup
### Prerequisites
## Prerequisites
Install Proxmox and connect it to your network.
## Semi-automated setup
### Semi-automated setup
Download the [`bootstrap.sh`](./scripts/bootstrap.sh) script and execute it:
This will download the [`bootstrap.sh`](./scripts/bootstrap.sh) script and execute it:
```shell
curl 'https://raw.githubusercontent.com/flynx/proxmox-utils/refs/heads/master/scripts/bootstrap.sh' | sudo bash
```
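Review bot: the heading levels in this hunk do not form one hierarchy: `### Prerequisites` sits beside `## Prerequisites`, and `## Semi-automated setup` beside `### Semi-automated setup`; whichever side is kept, `Prerequisites`, `Semi-automated setup` and `Manual setup` are siblings under `## Setup` and should share a level, with `Bootstrapping`, `Network Bridges`, `DNS` and `Firewall` one level below `Manual setup`. The install one-liner (`curl '...refs/heads/master/scripts/bootstrap.sh' | sudo bash`) fetches a moving branch ref straight into a root shell; the README should document the review path (download, read, then run) and reference a tag or commit instead of `master`. The `XXX service structure`, `XXX network` and `XXX clean setup scripts...` placeholders and the empty `### Services` heading are still in the text; fill them or drop them before this lands.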
@ -106,79 +80,30 @@ This will:
- Run `make bootstrap` on the repo
After the basic setup is done connect the device to the network via the
selcted WAN port and **disconnect** the ADMIN port.
selcted WAN port and it is reccomended to disconnect the admin PORT.
The WAN interface exposes two IPs:
- Main server (config: `$DFL_WAN_IP` / `$WAN_IP`)
- Main server (config: `DFL_WAN_IP` / `WAN_IP`)
- ssh:23
- wireguard:51820
- Fail-safe ssh (config: `$DFL_WAN_SSH_IP` / `$WAN_SSH_IP`)
- Fail-safe ssh (config: `DFL_WAN_SSH_IP` / `WAN_SSH_IP`)
- ssh:22
The Proxmox administrative interface is available behind the Wireguard
proxy or on the ADMIN port, both on https://10.0.0.254:8006.
To finalize the setup run:
```shell
make finalize
```
This will
- detach the host from any external ports and make it accessible only
from the internal network.
See: [Architecture](#architecture) and [Bootstrapping](#bootstrapping)
- setup firewall rules.
Note that the firewall will not be enabled, this should be done manually
after rule review.
XXX setup additional CTs...
*Note that the ADMIN port is configured for direct connections only (DHCP),
connecting it to a configured network can lead to unexpected behavior.*
#### Accessing the host
XXX
#### Setup additional services
XXX
```shell
make all
```
```shell
make dev
```
Or individually:
```shell
make nextcloud
```
```shell
make syncthing
```
```shell
make gitea
```
#### Setup and configure custom services
XXX traefik rules
XXX configuration / administration...
### Manual setup
## Manual setup
#### Bootstrapping
### Bootstrapping
Since all the internal traffic is routed through the `gate` we need both
the bridges and it setup for things to work, thus we first bootstrap the
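Review bot: the two wordings of the post-bootstrap step disagree: `**disconnect** the ADMIN port` is an instruction, `it is reccomended to disconnect the admin PORT` is advice, yet the note further down says the ADMIN port is configured for direct connections only (DHCP) and that connecting it to a configured network leads to unexpected behavior, so the imperative is the accurate one (`selcted` and `reccomended` are typos in both versions). `make finalize` is documented as setting up firewall rules without enabling the firewall; the text should say where the rules land (`/etc/pve/firewall/cluster.fw`, per the bootstrap script) and how to enable them after review, otherwise the finalized host is left with a firewall that is written but off. The variable references should also be consistent: one side writes `$DFL_WAN_IP` / `$WAN_IP`, the other `DFL_WAN_IP` / `WAN_IP`; the diagram above uses the `$` form.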
@ -211,7 +136,7 @@ only for administration and recovory cases.
#### Network Bridges
### Network Bridges
`proxmox-utils` expects there to be at least three bridges:
- `WAN` (`vmbr_wan`) - connected to the port that faces the external
@ -241,7 +166,7 @@ first/last ports to wan/admin respectively and clearly mark them as such.
#### DNS
### DNS
Add `10.1.1.1` to the DNS on the Proxmox host node after the `127.0.0.1`
but before whatever external DNS you are using.
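Review bot: `after the 127.0.0.1 but before whatever external DNS` describes `/etc/resolv.conf` ordering as if it were a per-zone fallback, but the libc resolver only moves to the next `nameserver` on timeout or refusal, not on a negative answer; if something answers on `127.0.0.1`, `10.1.1.1` is never consulted for internal names, and if nothing listens there every lookup first pays for the failed hop. The section should state what is expected to listen on `127.0.0.1` on the host, or drop that entry from the recommended order.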
@ -257,7 +182,7 @@ make host-bootstrap
```
#### Firewall
### Firewall
Make sure to allow at least `ssh` access to the host node from the `ADMIN`
interface to allow admin CT's access to the host if needed, this is mostly


@ -53,26 +53,10 @@ if ! [ -z $BOOTSTRAP_CLEAN ] ; then
# stage 1: bootstrap -> clean
if [ -e "$INTERFACES".clean ] ; then
@ mv "$INTERFACES"{.clean,.new}
DFL_UPDATE=SKIP
DFL_APPS=SKIP
DFL_BRIDGES=SKIP
DFL_HOSTS=SKIP
DFL_DNS=1
DFL_FIREWALL=SKIP
# stage 2: clean -> final
elif [ -e "$INTERFACES".final ] ; then
@ mv "$INTERFACES"{.final,.new}
DFL_UPDATE=SKIP
DFL_APPS=SKIP
DFL_BRIDGES=SKIP
DFL_HOSTS=1
DFL_DNS=SKIP
DFL_FIREWALL=1
REBOOT=1
# done
# donw
else
exit
fi
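Review bot: dropping the `DFL_UPDATE=SKIP` ... `DFL_FIREWALL=SKIP` defaults from the `.clean` and `.final` stages changes how `make bootstrap-clean` and `finalize` behave: `xreadYes "# Update system?" UPDATE`, `"# Install additional apps?"`, `"# Create bridges?"` and the `/etc/hosts`, DNS and firewall prompts no longer receive a per-stage answer, so a stage run asks for everything (or, once `xreadYes` stops honouring `DFL_*` SKIP, falls back to its generic default), and `REBOOT=1` in the final stage goes with them, so the `@ reboot` at the end of the script never fires. If that is intended, the Makefile's `finalize` target and the README's `make finalize` section need the same change; if not, keep the defaults. `# donw` is a typo for `# done`.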
@ -85,40 +69,42 @@ if ! [ -z $BOOTSTRAP_CLEAN ] ; then
@ ifreload -a
fi
fi
exit
fi
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Bootstrap...
elif ! [ -z $BOOTSTRAP ] ; then
# XXX
if ! [ -z $BOOTSTRAP ] ; then
DFL_BOOTSTRAP_PORT=${DFL_BOOTSTRAP_PORT:-none}
xread "Bootstrap port: " BOOTSTRAP_PORT
BRIDGES_BOOTSTRAP_TPL=bootstrap-bridges.tpl
DFL_UPDATE=1
DFL_APPS=1
DFL_BRIDGES=1
DFL_HOSTS=SKIP
DFL_DNS=SKIP
DFL_FIREWALL=SKIP
fi
#----------------------------------------------------------------------
# System...
# Tools
if xreadYes "# Update system?" UPDATE ; then
@ apt update
@ apt upgrade
fi
# Tools...
if xreadYes "# Install additional apps?" APPS ; then
@ apt install ${SOFTWARE[@]}
fi
# Bridges...
# XXX need to:
# - bootstrap this
# - setup the gate, ssh, and wireguard
# - inalize
# XXX /etc/hosts
# XXX save config???
# XXX should we do things in ./staging ???
if xreadYes "# Create bridges?" BRIDGES ; then
xread "WAN port: " WAN_PORT
xread "ADMIN port: " ADMIN_PORT
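Review bot: `if ! [ -z $BOOTSTRAP ]` and `if ! [ -z $BOOTSTRAP_CLEAN ]` rely on the unquoted expansion collapsing to `[ -z ]`, which happens to test true, but a value containing whitespace breaks the test; `[ -n "$BOOTSTRAP" ]` says the same thing safely. `@ apt install ${SOFTWARE[@]}` should be `"${SOFTWARE[@]}"` so package names are not re-split. The `# XXX need to:` block (`bootstrap this`, `setup the gate, ssh, and wireguard`, `inalize`) reads as a to-do list for this very script; either turn it into a short comment describing the stages the script now implements (`bootstrap`, `bootstrap-clean`, `finalize`) or remove it, and `inalize` is a typo.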
@ -212,30 +198,26 @@ if xreadYes "# Create bridges?" BRIDGES ; then
fi
echo "# Building config..."
# XXX do we need any extra vars here???
buildAssets
# XXX /etc/hosts???
# /etc/hosts
if xreadYes "# Update /etc/hosts?" HOSTS ; then
@ cp /etc/hosts{,.bak}
@ cp /etc/hosts{,.new}
@ sed -i \
-e 's/^[^#].* \(pve.local.*\)$/'${HOST_ADMIN_IP/\/*}' \1/' \
-e 's/^[^#].* \(pve.local.*\)$/'${HOST_ADMIN_IP/\/*}'\1/' \
/etc/hosts.new
reviewApplyChanges /etc/hosts
fi
# build only if we need to...
build(){
if [ -z $__ASSETS ] ; then
__ASSETS=1
echo "# Building config templates..."
buildAssets
fi
}
# DNS
if xreadYes "# Update DNS?" DNS ; then
build
file=/etc/resolv.conf
@ cp "staging/${file}" "${file}".new
reviewApplyChanges "${file}"
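Review bot: the two `sed` replacement variants differ by one space: `'${HOST_ADMIN_IP/\/*}' \1/'` writes `<ip> pve.local...`, while `'${HOST_ADMIN_IP/\/*}'\1/'` glues the address to the hostname (`<ip>pve.local...`), which no resolver parses; keep the space. `${HOST_ADMIN_IP/\/*}` strips the CIDR suffix but sits unquoted between the single-quoted fragments, so assign the bare address to a variable first or quote the whole expression. The lazy `build(){ ... buildAssets ... }` wrapper and the unconditional `buildAssets` after `# Building config...` overlap; keep one so the templates are built exactly once and the later `build` calls in the DNS and firewall steps resolve.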
@ -244,7 +226,6 @@ fi
# Firewall
if xreadYes "# Update firewall rules?" FIREWALL ; then
build
file=/etc/pve/firewall/cluster.fw
@ cp "staging/${file}" "${file}".new
reviewApplyChanges "${file}"
@ -255,12 +236,6 @@ showNotes
echo "# Done."
if ! [ -z $REBOOT ] ; then
echo "# Rebooting..."
@ reboot
fi
#----------------------------------------------------------------------
# vim:set ts=4 sw=4 :


@ -89,7 +89,7 @@ pctCreateAlpine $ID "$PASS"
echo "# Installing dependencies..."
@ lxc-attach $ID apk add \
iptables wireguard-tools-wg-quick make bind-tools libqrencode-tools logrotate
iptables wireguard-tools-wg-quick make bind-tools libqrencode logrotate
echo "# Copying assets..."
pctPushAssets $ID
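Review bot: `libqrencode-tools` versus `libqrencode` is not a cosmetic rename: on current Alpine releases the `qrencode` command is in `libqrencode-tools` and `libqrencode` is the shared library only, so if this CT generates WireGuard client QR codes the `-tools` package is the one that must stay; verify against the Alpine release `pctCreateAlpine` installs, since older releases shipped the binary in `libqrencode` itself. `lxc-attach $ID apk add` with an unquoted `$ID` is fine for a numeric CT id but `"$ID"` matches how `pctCreateAlpine $ID "$PASS"` quotes its other argument.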