flynx/proxmox-utils
1
0
Fork 0
mirror of https://github.com/flynx/proxmox-utils.git synced 2025-12-26 05:12:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: flynx:747ba1766fe2610c882d5943e3b072e99017aa6d
Branches Tags
flynx:master
..
compare: flynx:73b4a27b9d3550e330c024a79b45a469acd33e58
Branches Tags
flynx:master

No commits in common. "747ba1766fe2610c882d5943e3b072e99017aa6d" and "73b4a27b9d3550e330c024a79b45a469acd33e58" have entirely different histories.
747ba1766f ... 73b4a27b9d

12 changed files with 135 additions and 275 deletions
Show Stats Expand all files Collapse all files

2
.pct-helpers
View File

@ -10,7 +10,7 @@ CT_DIR=${CT_DIR:=/etc/pve/lxc/}
# XXX # XXX
EDITOR=${EDITOR:-nano} EDITOR=${EDITOR:-vim}

71
Makefile
View File

@ -15,10 +15,20 @@ EDITOR ?= vim
# CTs... # CTs...
# #
# NOTE: The order here is important:
# - to avoid bootstrapping network connections gate must be the
# first CT to get built to route the rest of CT's to the WAN
# connection during the build process.
# - ns should be the second to be built to provide the rest of the
# CT's with DHCP network configuration.
# - the rest of the CT's are created in order of importance, strting
# from CT's needed for access and ending with services.
CORE_CTs := \
gate ns
MINIMAL_CTs := \ MINIMAL_CTs := \
ssh wireguard ssh wireguard
APP_CTs := \ APP_CTs := \
syncthing nextcloud syncthing nextcloud #gitea
# Optional (see dev target)... # Optional (see dev target)...
DEV_CTs := \ DEV_CTs := \
gitea gitea
@ -50,6 +60,7 @@ check: check-message $(foreach dep,$(DEPENDENCIES),require($(dep)))
FORCE: FORCE:
# XXX should thisbe an env var or an arg to make.sh???
%-bootstrap: export BOOTSTRAP=1 %-bootstrap: export BOOTSTRAP=1
%-bootstrap: % %-bootstrap: %
@true @true
@ -75,30 +86,6 @@ config.global: config.global.example
#----------------------------------------------------------------------
# Bootstrapping...
# Bootstrap stage 1: build basic infrastructure...
.PHONY: bootstrap
bootstrap: \
host-bootstrap \
gate-bootstrap ns \
$(MINIMAL_CTs) \
bootstrap-clean
# Bootstrap stage 2: reconnect host through the base infrastructure...
.PHONY: bootstrap-clean host-bootstrap-clean
bootstrap-clean: host-bootstrap-clean
# Finalize: reconect admin port/bridge correctly...
.PHONY: finalize
finalize: bootstrap-clean gate-bootstrap-clean
@ make host-bootstrap-clean
#---------------------------------------------------------------------- #----------------------------------------------------------------------
# Shorthands... # Shorthands...
@ -113,12 +100,40 @@ gate: gate-traefik
#---------------------------------------------------------------------- #----------------------------------------------------------------------
.PHONY: all # XXX goal:
all: $(APP_CTs) # - build minimal system
# - bootstrap bridge
# - gate
# - ns
# ...not yet sure of the best way to do this...
#
.PHONY: bootstrap
bootstrap: host-bootstrap gate-bootstrap \
ns \
wireguard \
bootstrap-clean
.PHONY: bootstrap-clean
bootstrap-clean: gate-bootstrap-clean host-bootstrap-clean
#----------------------------------------------------------------------
.PHONY: core
core: config $(CORE_CTs)
.PHONY: minimal
minimal: core $(MINIMAL_CTs)
.PHONY: dev .PHONY: dev
dev: $(DEV_CTs) dev: minimal $(DEV_CTs)
.PHONY: all
all: minimal $(APP_CTs)

142
README.md
View File

@ -64,123 +64,38 @@ XXX clean setup scripts...
## Prerequisites ## Prerequisites
Install Proxmox and connect it to your network. ### Proxmox
## Semi-automated setup
This will download the [`bootstrap.sh`](./scripts/bootstrap.sh) script and execute it:
```shell ```shell
curl 'https://raw.githubusercontent.com/flynx/proxmox-utils/refs/heads/master/scripts/bootstrap.sh' | sudo bash sudo apt update && sudo apt upgrade
``` ```
This will: ```shell
- Install basic dependencies sudo apt install git make
- Clone this repo ```
- Run `make bootstrap` on the repo
After the basic setup is done connect the device to the network via the
selcted WAN port and it is reccomended to disconnect the admin PORT.
The WAN interface exposes two IPs:
- Main server (config: `DFL_WAN_IP` / `WAN_IP`)
- ssh:23
- wireguard:51820
- Fail-safe ssh (config: `DFL_WAN_SSH_IP` / `WAN_SSH_IP`)
- ssh:22
The Proxmox administrative interface is available behind the Wireguard
proxy or on the ADMIN port, both on https://10.0.0.254:8006.
XXX setup additional CTs...
XXX configuration / administration...
## Manual setup
### Bootstrapping
Since all the internal traffic is routed through the `gate` we need both
the bridges and it setup for things to work, thus we first bootstrap the
bridges, create the basic infrastructure and then finalize the setup.
Bootsrapping is done in three stages:
1. Bootstrap:
```shell
make bootstrap
```
- Create the needed bridges
- Create the infrastructure CT's (`gate`, `ns`, `ssh`, ...)
2. Cleanup:
```shell
make bootstrap-clean
```
- Route the `host` through the `gate`
3. Finalize:
```shell
make finalise
```
- disconnect the `host` from the non-ADMIN networks
After the final stage two physical ports will be active, the ADMIN port
and the WAN port, the former is by default the same port set by Proxmox
setup, the WAN port is the port selected during the stup stage. All the
services will be listening on the WAN port while the admin port is used
only for administration and recovory cases.
### Network Bridges ### Network Bridges
`proxmox-utils` expects there to be at least three bridges: `proxmox-utils` expects there to be at least three bridges:
- `WAN` (`vmbr_wan`) - connected to the port that faces the external - `WAN` - connected to the port that faces the external network (either
network (either directly of via a router) directly of via a router)
- `LAN` (`vmbr_lan`) - a virtual bridge, not connected to any physical - `LAN` - a virtual bridge, not connected to any physical interfaces
interfaces - `ADMIN` - connected to a second physical interface used for
- `ADMIN` (`vmbr_admin`) - connected to a second physical interface used administrative purposes.
for administrative purposes.
Created via: Note their numbers (i.e. the number in `vmbr#`), this will be needed for
```shell setup.
make host-bootstrap
```
Updated by: Note, if the device has more that two ports it is recommended to assign
```shell
make host-bootstrap-clean
```
and:
```shell
make finalize
```
If the device has more that two ports it is recommended to assign
first/last ports to wan/admin respectively and clearly mark them as such. first/last ports to wan/admin respectively and clearly mark them as such.
### DNS ### DNS
Add `10.1.1.1` to the DNS on the Proxmox host node after the `127.0.0.1` Add `10.1.1.1` to the DNS on the Proxmox host node after the `127.0.0.1`
but before whatever external DNS you are using. but before whatever external DNS you are using.
Donw via:
```shell
make host
```
or:
```shell
make host-bootstrap
```
### Firewall ### Firewall
@ -188,16 +103,6 @@ Make sure to allow at least `ssh` access to the host node from the `ADMIN`
interface to allow admin CT's access to the host if needed, this is mostly interface to allow admin CT's access to the host if needed, this is mostly
needed to allow VPN/ssh administration from outside. needed to allow VPN/ssh administration from outside.
Donw via:
```shell
make host
```
or:
```shell
make host-bootstrap
```
For Proxmox firewall configuration see: For Proxmox firewall configuration see:
https://pve.proxmox.com/wiki/Firewall https://pve.proxmox.com/wiki/Firewall
@ -212,13 +117,32 @@ XXX emergency access points: ssh and wireguard
## Misc ## Setup
Get the code:
```shell
git clone https://github.com/flynx/proxmox-utils.git
```
or:
```shell
git clone git@github.com:flynx/proxmox-utils.git
```
For host setup:
```shell
sudo make host
```
Be carefull as this may overwrite existing configuration.
Install CT's: Install CT's:
```shell ```shell
sudo make all sudo make all
``` ```
Install gitea (optional): Install gitea (optional):
```shell ```shell
sudo make dev sudo make dev

6
scripts/bootstrap.sh → bootstrap.sh
View File

@ -4,9 +4,13 @@
#PROXMOX_UTILS=git@github.com:flynx/proxmox-utils.git #PROXMOX_UTILS=git@github.com:flynx/proxmox-utils.git
PROXMOX_UTILS=${PROXMOX_UTILS:-https://github.com/flynx/proxmox-utils.git} PROXMOX_UTILS=${PROXMOX_UTILS:-https://github.com/flynx/proxmox-utils.git}
# XXX do we need to update the system here?
apt update
apt upgrade
# keep this to the minimum, at this point... # keep this to the minimum, at this point...
apt install \ apt install \
git make wget git make wget vim
git clone $PROXMOX_UTILS git clone $PROXMOX_UTILS

28
config.global.example
View File

@ -18,35 +18,25 @@
# #
#------------------------------------------------------------------------ #------------------------------------------------------------------------
# Bootsrap configuration...
#
# Usually this is the default bridge created in Proxmox, so there is no
# need to touch this.
BOOTSTRAP_BRIDGE=0
# XXX
#BOOTSTRAP_PORT=none
# CT interface bridge configuration. # CT interface bridge configuration.
# #
# These are set to the bridge number (the number in 'vmbr#') used for # These are set to the bridge number (the number in 'vmbr#') used for
# a specific network. # a specific network.
# #
# Example:
# WAN_BRIDGE=0
# LAN_BRIDGE=1
# ADMIN_BRIDGE=2
#
# NOTE: on a clean Proxmox install ADMIN is pre-setup, we will use it # NOTE: on a clean Proxmox install ADMIN is pre-setup, we will use it
# for bootstrapping and reconfigure it later. # for bootstrapping and reconfigure it later.
# NOTE: to make things simpler it is recommmended to number bridges # NOTE: to make things simpler it is recommmended to number bridges
# connecting to physical ports the same as ports and virtual # connecting to physical ports the same as ports and virtual
# bridges with numbers greater than X (10 in the example below) # bridges with numbers greater than X (10 in the example below)
# #
# Example: ADMIN_BRIDGE=0
# WAN_BRIDGE=0 WAN_BRIDGE=3
# ADMIN_BRIDGE=3 LAN_BRIDGE=10
# LAN_BRIDGE=10
#
# XXX revise numbering...
ADMIN_BRIDGE=_admin
WAN_BRIDGE=_wan
LAN_BRIDGE=_lan
# NOTE: it is simpler to statically assign these than to configure dhcp # NOTE: it is simpler to statically assign these than to configure dhcp
@ -102,7 +92,7 @@ DFL_PCT_EXTRA=SKIP
# #
# host # host
HOST_ADMIN_IP=10.0.0.254/24 HOST_ADMIN_IP=10.0.0.245/24
# Nameserver # Nameserver
NS_HOSTNAME=ns NS_HOSTNAME=ns

15
gate-traefik/make.sh
View File

@ -41,17 +41,18 @@ REBOOT=${REBOOT:=1}
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Bootstrap cleanup... # Bootstrap cleanup...
# NOTE: this is intentionally handled before the bootstrap...
if ! [ -z $BOOTSTRAP_CLEAN ] ; then if ! [ -z $BOOTSTRAP_CLEAN ] ; then
#ID=${ID:-${DFL_ID}} ID=${GATE_ID:=${DFL_ID}}
xread "ID: " ID xread "ID: " ID
xread "Bootstrap bridge: vmbr" BOOTSTRAP_BRIDGE
readBridgeVars readBridgeVars
echo "# Reverting gate's WAN bridge to: vmbr${WAN_BRIDGE}..." # XXX update WAN ip... (???)
# XXX
echo "# Reverting gate's WAN bridge to vmbr${WAN_BRIDGE}..."
@ sed -i \ @ sed -i \
-e 's/^\(net0.*vmbr\)'${BOOTSTRAP_BRIDGE}'/\1'${WAN_BRIDGE}'/' \ -e 's/^\(net0.*vmbr\)'${ADMIN_BRIDGE}'/\1'${WAN_BRIDGE}'/' \
/etc/pve/lxc/${ID}.conf /etc/pve/lxc/${ID}.conf
exit exit
fi fi
@ -61,9 +62,9 @@ fi
# Bootstrap... # Bootstrap...
if ! [ -z $BOOTSTRAP ] ; then if ! [ -z $BOOTSTRAP ] ; then
xread "Bootstrap bridge: vmbr" BOOTSTRAP_BRIDGE
# this will allow the bootstrapped CTs to access the network... # this will allow the bootstrapped CTs to access the network...
WAN_BRIDGE=${BOOTSTRAP_BRIDGE} WAN_BRIDGE=$ADMIN_BRIDGE
#DFL_CTHOSTNAME=${DFL_CTHOSTNAME}-bootstrap
fi fi

10
host/bootstrap-bridges.tpl
View File

@ -1,4 +1,6 @@
# NOTE: this assumes the ADMIN bridge to exist (proxmox default) and to be vmbr0...
auto vmbr${LAN_BRIDGE} auto vmbr${LAN_BRIDGE}
iface vmbr${LAN_BRIDGE} inet manual iface vmbr${LAN_BRIDGE} inet manual
bridge-ports none bridge-ports none
@ -13,11 +15,3 @@ iface vmbr${WAN_BRIDGE} inet manual
bridge-fd 0 bridge-fd 0
#WAN #WAN
auto vmbr${ADMIN_BRIDGE}
iface vmbr${ADMIN_BRIDGE} inet static
address ${HOST_ADMIN_IP}
bridge-ports ${BOOTSTRAP_PORT}
bridge-stp off
bridge-fd 0
#ADMIN

97
host/make.sh
View File

@ -19,7 +19,6 @@ need ifreload
readConfig readConfig
DFL_WAN_PORT=${DFL_WAN_PORT:-enp5s0} DFL_WAN_PORT=${DFL_WAN_PORT:-enp5s0}
DFL_ADMIN_PORT=${DFL_ADMIN_PORT:-enp2s0} DFL_ADMIN_PORT=${DFL_ADMIN_PORT:-enp2s0}
@ -36,9 +35,9 @@ SOFTWARE=(
tmux tmux
) )
INTERFACES=/etc/network/interfaces # XXX
#BRIDGES_TPL=bridges.tpl
BRIDGES_TPL=bridges.tpl BRIDGES_TPL=bootstrap-bridges.tpl
# XXX # XXX
#readVars #readVars
@ -48,27 +47,8 @@ BRIDGES_TPL=bridges.tpl
# Bootstrap... # Bootstrap...
if ! [ -z $BOOTSTRAP_CLEAN ] ; then if ! [ -z $BOOTSTRAP_CLEAN ] ; then
@ cp "$INTERFACES"{,.bak} # XXX switch admin interface IP and Gateway to admin net...
# XXX
# stage 1: bootstrap -> clean
if [ -e "$INTERFACES".clean ] ; then
@ mv "$INTERFACES"{.clean,.new}
# stage 2: clean -> final
elif [ -e "$INTERFACES".final ] ; then
@ mv "$INTERFACES"{.final,.new}
# donw
else
exit
fi
if reviewApplyChanges "$INTERFACES" ; then
# XXX this must be done in nohup to avoid breaking on connection lost...
if ! @ ifreload -a ; then
# reset settings back if ifreload fails...
@ cp "$INTERFACES"{.bak,}
@ ifreload -a
fi
fi
exit exit
fi fi
@ -76,12 +56,10 @@ fi
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Bootstrap... # Bootstrap...
# XXX
if ! [ -z $BOOTSTRAP ] ; then if ! [ -z $BOOTSTRAP ] ; then
DFL_BOOTSTRAP_PORT=${DFL_BOOTSTRAP_PORT:-none} # XXX
xread "Bootstrap port: " BOOTSTRAP_PORT BRIDGES_TPL=bootstrap-bridges.tpl
true
BRIDGES_BOOTSTRAP_TPL=bootstrap-bridges.tpl
fi fi
@ -112,6 +90,8 @@ if xreadYes "# Create bridges?" BRIDGES ; then
xread "Gate ADMIN IP: " GATE_ADMIN_IP xread "Gate ADMIN IP: " GATE_ADMIN_IP
readBridgeVars readBridgeVars
INTERFACES=/etc/network/interfaces
# check if new bridges already exist in interfaces... # check if new bridges already exist in interfaces...
if [ -e "$INTERFACES" ] \ if [ -e "$INTERFACES" ] \
&& grep -q \ && grep -q \
@ -138,57 +118,20 @@ if xreadYes "# Create bridges?" BRIDGES ; then
BRIDGES="$(\ BRIDGES="$(\
cat "$BRIDGES_TPL" \ cat "$BRIDGES_TPL" \
| expandPCTTemplate \ | expandPCTTemplate \
LAN_BRIDGE WAN_BRIDGE ADMIN_BRIDGE BOOTSTRAP_BRIDGE \ LAN_BRIDGE WAN_BRIDGE ADMIN_BRIDGE \
WAN_PORT ADMIN_PORT BOOTSTRAP_ADMIN_PORT \ WAN_PORT ADMIN_PORT \
HOST_ADMIN_IP GATE_ADMIN_IP)" HOST_ADMIN_IP GATE_ADMIN_IP)"
[ -z $BRIDGES_BOOTSTRAP_TPL ] \
|| BRIDGES_BOOTSTRAP="$(\
cat "$BRIDGES_BOOTSTRAP_TPL" \
| expandPCTTemplate \
LAN_BRIDGE WAN_BRIDGE ADMIN_BRIDGE BOOTSTRAP_BRIDGE \
WAN_PORT ADMIN_PORT BOOTSTRAP_PORT \
HOST_ADMIN_IP GATE_ADMIN_IP)"
if [ -z "$DRY_RUN" ] ; then if [ -z "$DRY_RUN" ] ; then
# write both bootstrap and clean bridge configurations... # XXX add $BRIDGES to "$INTERFACES" either before the
if ! [ -z $BRIDGES_BOOTSTRAP ] ; then # source command or at the end...
# XXX
# interfaces.final
@ cp "$INTERFACES"{.new,.final}
@ sed -i \
-e 's/'$ADMIN_PORT'/'$BOOTSTRAP_PORT'/' \
-e '/^.*gateway .*$/d' \
"$INTERFACES".final
echo "$BRIDGES" \
>> "$INTERFACES".final
# interfaces.clean
@ cp "$INTERFACES"{.new,.clean}
@ sed -i \
-e '/^.*gateway .*$/d' \
"$INTERFACES".clean
echo "$BRIDGES" \
| sed \
-e 's/'$ADMIN_PORT'/'$BOOTSTRAP_PORT'/' \
>> "$INTERFACES".clean
# interfaces.new (prep)
BRIDGES=$(\
echo "$BRIDGES_BOOTSTRAP" \
| sed -e '/^.*gateway .*$/d')
fi
# interfaces.new
echo "$BRIDGES" >> "$INTERFACES".new echo "$BRIDGES" >> "$INTERFACES".new
else else
echo "$BRIDGES" echo "$BRIDGES"
fi fi
# interfaces
if reviewApplyChanges "$INTERFACES" ; then if reviewApplyChanges "$INTERFACES" ; then
# XXX this must be done in nohup to avoid breaking on connection lost...
if ! @ ifreload -a ; then if ! @ ifreload -a ; then
# reset settings back if ifreload fails... # reset settings back if ifreload fails...
@ cp "$INTERFACES"{.bak,} @ cp "$INTERFACES"{.bak,}
@ -206,16 +149,6 @@ buildAssets
# XXX /etc/hosts??? # XXX /etc/hosts???
# /etc/hosts
if xreadYes "# Update /etc/hosts?" HOSTS ; then
@ cp /etc/hosts{,.bak}
@ cp /etc/hosts{,.new}
@ sed -i \
-e 's/^[^#].* \(pve.local.*\)$/'${HOST_ADMIN_IP/\/*}'\1/' \
/etc/hosts.new
reviewApplyChanges /etc/hosts
fi
# DNS # DNS
if xreadYes "# Update DNS?" DNS ; then if xreadYes "# Update DNS?" DNS ; then
file=/etc/resolv.conf file=/etc/resolv.conf

1
ns/make.sh
View File

@ -67,7 +67,6 @@ echo "# Installing dependencies..."
echo "# Copying assets..." echo "# Copying assets..."
pctPushAssets $ID pctPushAssets $ID
@ lxc-attach $ID chmod +x /root/leases
echo "# Setup: dnsmasq..." echo "# Setup: dnsmasq..."
@ lxc-attach $ID rc-update add dnsmasq @ lxc-attach $ID rc-update add dnsmasq

4
ssh/make.sh
View File

@ -21,7 +21,7 @@ readConfig
#---------------------------------------------------------------------- #----------------------------------------------------------------------
DFL_ID=${DFL_ID:=120} DFL_ID=${DFL_ID:=102}
DFL_CTHOSTNAME=${DFL_CTHOSTNAME:=ssh} DFL_CTHOSTNAME=${DFL_CTHOSTNAME:=ssh}
DFL_CORES=${DFL_CORES:=1} DFL_CORES=${DFL_CORES:=1}
@ -39,7 +39,7 @@ LAN_GATE=SKIP
REBOOT=${REBOOT:=1} REBOOT=${REBOOT:=1}
DFL_WAN_SSH_IP=${DFL_WAN_SSH_IP:=} DFL_WAN_SSH_IP=${DFL_WAN_SSH_IP:=}
xread "WAN ssh ip: " WAN_SSH_IP xread "WAN ssh ip:" WAN_SSH_IP
#xread "Gate CT id: " GATE_ID #xread "Gate CT id: " GATE_ID

2
syncthing/make.sh
View File

@ -17,7 +17,7 @@ readConfig
#---------------------------------------------------------------------- #----------------------------------------------------------------------
DFL_ID=${DFL_ID:=1010} DFL_ID=${DFL_ID:=1001}
DFL_CTHOSTNAME=${DFL_CTHOSTNAME:=syncthing} DFL_CTHOSTNAME=${DFL_CTHOSTNAME:=syncthing}
DFL_CORES=${DFL_CORES:=1} DFL_CORES=${DFL_CORES:=1}

2
wireguard/make.sh
View File

@ -21,7 +21,7 @@ would-like dig #qrencode
readConfig readConfig
DFL_ID=${DFL_ID:=130} DFL_ID=${DFL_ID:=103}
DFL_CTHOSTNAME=${DFL_CTHOSTNAME:=wireguard} DFL_CTHOSTNAME=${DFL_CTHOSTNAME:=wireguard}
DFL_CORES=${DFL_CORES:=1} DFL_CORES=${DFL_CORES:=1}