

No commits in common. "747ba1766fe2610c882d5943e3b072e99017aa6d" and "73b4a27b9d3550e330c024a79b45a469acd33e58" have entirely different histories.

12 changed files with 135 additions and 275 deletions


@ -10,7 +10,7 @@ CT_DIR=${CT_DIR:=/etc/pve/lxc/}
# XXX
EDITOR=${EDITOR:-nano}
EDITOR=${EDITOR:-vim}


@ -15,10 +15,20 @@ EDITOR ?= vim
# CTs...
#
# NOTE: The order here is important:
# - to avoid bootstrapping network connections gate must be the
# first CT to get built to route the rest of CT's to the WAN
# connection during the build process.
# - ns should be the second to be built to provide the rest of the
# CT's with DHCP network configuration.
# - the rest of the CT's are created in order of importance, strting
# from CT's needed for access and ending with services.
CORE_CTs := \
gate ns
MINIMAL_CTs := \
ssh wireguard
APP_CTs := \
syncthing nextcloud
syncthing nextcloud #gitea
# Optional (see dev target)...
DEV_CTs := \
gitea
@ -50,6 +60,7 @@ check: check-message $(foreach dep,$(DEPENDENCIES),require($(dep)))
FORCE:
# XXX should thisbe an env var or an arg to make.sh???
%-bootstrap: export BOOTSTRAP=1
%-bootstrap: %
@true
@ -75,30 +86,6 @@ config.global: config.global.example
#----------------------------------------------------------------------
# Bootstrapping...
# Bootstrap stage 1: build basic infrastructure...
.PHONY: bootstrap
bootstrap: \
host-bootstrap \
gate-bootstrap ns \
$(MINIMAL_CTs) \
bootstrap-clean
# Bootstrap stage 2: reconnect host through the base infrastructure...
.PHONY: bootstrap-clean host-bootstrap-clean
bootstrap-clean: host-bootstrap-clean
# Finalize: reconect admin port/bridge correctly...
.PHONY: finalize
finalize: bootstrap-clean gate-bootstrap-clean
@ make host-bootstrap-clean
#----------------------------------------------------------------------
# Shorthands...
@ -113,12 +100,40 @@ gate: gate-traefik
#----------------------------------------------------------------------
.PHONY: all
all: $(APP_CTs)
# XXX goal:
# - build minimal system
# - bootstrap bridge
# - gate
# - ns
# ...not yet sure of the best way to do this...
#
.PHONY: bootstrap
bootstrap: host-bootstrap gate-bootstrap \
ns \
wireguard \
bootstrap-clean
.PHONY: bootstrap-clean
bootstrap-clean: gate-bootstrap-clean host-bootstrap-clean
#----------------------------------------------------------------------
.PHONY: core
core: config $(CORE_CTs)
.PHONY: minimal
minimal: core $(MINIMAL_CTs)
.PHONY: dev
dev: $(DEV_CTs)
dev: minimal $(DEV_CTs)
.PHONY: all
all: minimal $(APP_CTs)
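Review bot: The `bootstrap` target (`bootstrap: host-bootstrap gate-bootstrap ns wireguard bootstrap-clean`) depends on prerequisite list order to build gate before ns and to run `bootstrap-clean` last, but GNU make only walks prerequisites in list order in a serial run; under `make -j` all five are eligible at once, so ns and wireguard can be built before the gate exists and `bootstrap-clean` can revert the gate's bridge while they are still being built through it. The NOTE added above the CT lists documents this ordering, so the Makefile should enforce it rather than describe it: the smallest fix is `.NOTPARALLEL:` near the top with `# provisioning order matters (gate -> ns -> rest, cleanup last); see NOTE on the CT lists` — a recipe of sequential `$(MAKE) <target>` calls is the cleaner option if parallelism is wanted elsewhere. The same caveat applies to `core`, `minimal` and `all`, which expand the same ordered lists as plain prerequisites.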

138
README.md

@ -64,123 +64,38 @@ XXX clean setup scripts...
## Prerequisites
Install Proxmox and connect it to your network.
### Proxmox
## Semi-automated setup
This will download the [`bootstrap.sh`](./scripts/bootstrap.sh) script and execute it:
```shell
curl 'https://raw.githubusercontent.com/flynx/proxmox-utils/refs/heads/master/scripts/bootstrap.sh' | sudo bash
sudo apt update && sudo apt upgrade
```
This will:
- Install basic dependencies
- Clone this repo
- Run `make bootstrap` on the repo
After the basic setup is done connect the device to the network via the
selcted WAN port and it is reccomended to disconnect the admin PORT.
The WAN interface exposes two IPs:
- Main server (config: `DFL_WAN_IP` / `WAN_IP`)
- ssh:23
- wireguard:51820
- Fail-safe ssh (config: `DFL_WAN_SSH_IP` / `WAN_SSH_IP`)
- ssh:22
The Proxmox administrative interface is available behind the Wireguard
proxy or on the ADMIN port, both on https://10.0.0.254:8006.
XXX setup additional CTs...
XXX configuration / administration...
## Manual setup
### Bootstrapping
Since all the internal traffic is routed through the `gate` we need both
the bridges and it setup for things to work, thus we first bootstrap the
bridges, create the basic infrastructure and then finalize the setup.
Bootsrapping is done in three stages:
1. Bootstrap:
```shell
make bootstrap
sudo apt install git make
```
- Create the needed bridges
- Create the infrastructure CT's (`gate`, `ns`, `ssh`, ...)
2. Cleanup:
```shell
make bootstrap-clean
```
- Route the `host` through the `gate`
3. Finalize:
```shell
make finalise
```
- disconnect the `host` from the non-ADMIN networks
After the final stage two physical ports will be active, the ADMIN port
and the WAN port, the former is by default the same port set by Proxmox
setup, the WAN port is the port selected during the stup stage. All the
services will be listening on the WAN port while the admin port is used
only for administration and recovory cases.
### Network Bridges
`proxmox-utils` expects there to be at least three bridges:
- `WAN` (`vmbr_wan`) - connected to the port that faces the external
network (either directly of via a router)
- `LAN` (`vmbr_lan`) - a virtual bridge, not connected to any physical
interfaces
- `ADMIN` (`vmbr_admin`) - connected to a second physical interface used
for administrative purposes.
- `WAN` - connected to the port that faces the external network (either
directly of via a router)
- `LAN` - a virtual bridge, not connected to any physical interfaces
- `ADMIN` - connected to a second physical interface used for
administrative purposes.
Created via:
```shell
make host-bootstrap
```
Note their numbers (i.e. the number in `vmbr#`), this will be needed for
setup.
Updated by:
```shell
make host-bootstrap-clean
```
and:
```shell
make finalize
```
If the device has more that two ports it is recommended to assign
Note, if the device has more that two ports it is recommended to assign
first/last ports to wan/admin respectively and clearly mark them as such.
### DNS
Add `10.1.1.1` to the DNS on the Proxmox host node after the `127.0.0.1`
but before whatever external DNS you are using.
Donw via:
```shell
make host
```
or:
```shell
make host-bootstrap
```
### Firewall
@ -188,16 +103,6 @@ Make sure to allow at least `ssh` access to the host node from the `ADMIN`
interface to allow admin CT's access to the host if needed, this is mostly
needed to allow VPN/ssh administration from outside.
Donw via:
```shell
make host
```
or:
```shell
make host-bootstrap
```
For Proxmox firewall configuration see:
https://pve.proxmox.com/wiki/Firewall
@ -212,13 +117,32 @@ XXX emergency access points: ssh and wireguard
## Misc
## Setup
Get the code:
```shell
git clone https://github.com/flynx/proxmox-utils.git
```
or:
```shell
git clone git@github.com:flynx/proxmox-utils.git
```
For host setup:
```shell
sudo make host
```
Be carefull as this may overwrite existing configuration.
Install CT's:
```shell
sudo make all
```
Install gitea (optional):
```shell
sudo make dev


@ -4,9 +4,13 @@
#PROXMOX_UTILS=git@github.com:flynx/proxmox-utils.git
PROXMOX_UTILS=${PROXMOX_UTILS:-https://github.com/flynx/proxmox-utils.git}
# XXX do we need to update the system here?
apt update
apt upgrade
# keep this to the minimum, at this point...
apt install \
git make wget
git make wget vim
git clone $PROXMOX_UTILS
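Review bot: `apt install \ git make wget vim` (and the `apt upgrade` above it) runs without `-y`, so when this script is executed the way the README hunk on this page describes, `curl … | sudo bash`, apt's confirmation prompt reads its answer from the same stdin that carries the rest of the script and the install may abort or swallow script text. Use `apt-get install -y git make wget vim` (and `apt-get upgrade -y` if the upgrade is kept), ideally with `DEBIAN_FRONTEND=noninteractive` exported at the top. Separately, `git clone $PROXMOX_UTILS` checks out whatever the default branch currently points at and the result is then run as root; pinning a tag or commit via a `PROXMOX_UTILS_REF` that is checked out after the clone would make the bootstrap reproducible and harder to hijack, and the variable should be quoted (`git clone "$PROXMOX_UTILS"`).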


@ -18,35 +18,25 @@
#
#------------------------------------------------------------------------
# Bootsrap configuration...
#
# Usually this is the default bridge created in Proxmox, so there is no
# need to touch this.
BOOTSTRAP_BRIDGE=0
# XXX
#BOOTSTRAP_PORT=none
# CT interface bridge configuration.
#
# These are set to the bridge number (the number in 'vmbr#') used for
# a specific network.
#
# Example:
# WAN_BRIDGE=0
# LAN_BRIDGE=1
# ADMIN_BRIDGE=2
#
# NOTE: on a clean Proxmox install ADMIN is pre-setup, we will use it
# for bootstrapping and reconfigure it later.
# NOTE: to make things simpler it is recommmended to number bridges
# connecting to physical ports the same as ports and virtual
# bridges with numbers greater than X (10 in the example below)
#
# Example:
# WAN_BRIDGE=0
# ADMIN_BRIDGE=3
# LAN_BRIDGE=10
#
# XXX revise numbering...
ADMIN_BRIDGE=_admin
WAN_BRIDGE=_wan
LAN_BRIDGE=_lan
ADMIN_BRIDGE=0
WAN_BRIDGE=3
LAN_BRIDGE=10
# NOTE: it is simpler to statically assign these than to configure dhcp
@ -102,7 +92,7 @@ DFL_PCT_EXTRA=SKIP
#
# host
HOST_ADMIN_IP=10.0.0.254/24
HOST_ADMIN_IP=10.0.0.245/24
# Nameserver
NS_HOSTNAME=ns
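Review bot: `HOST_ADMIN_IP` changes between `10.0.0.254/24` and `10.0.0.245/24` with no comment, and the two values differ only by a swapped digit pair, which looks like a typo rather than a decision; the README hunk on this page still documents the Proxmox UI at `https://10.0.0.254:8006` and the `/etc/hosts` rewrite in the host script hunk takes its address from this variable, so a wrong value here leaves the host reachable only at an undocumented address on the recovery network. If the move to .245 is deliberate (presumably to free .254 for the gate's ADMIN address), record it next to the value, e.g. `# NOTE: .254 is left for the gate's ADMIN address (GATE_ADMIN_IP); keep the host off it`, and update the README and any other `10.0.0.254` references; otherwise restore .254.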


@ -41,17 +41,18 @@ REBOOT=${REBOOT:=1}
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Bootstrap cleanup...
# NOTE: this is intentionally handled before the bootstrap...
if ! [ -z $BOOTSTRAP_CLEAN ] ; then
#ID=${ID:-${DFL_ID}}
ID=${GATE_ID:=${DFL_ID}}
xread "ID: " ID
xread "Bootstrap bridge: vmbr" BOOTSTRAP_BRIDGE
readBridgeVars
echo "# Reverting gate's WAN bridge to: vmbr${WAN_BRIDGE}..."
# XXX update WAN ip... (???)
# XXX
echo "# Reverting gate's WAN bridge to vmbr${WAN_BRIDGE}..."
@ sed -i \
-e 's/^\(net0.*vmbr\)'${BOOTSTRAP_BRIDGE}'/\1'${WAN_BRIDGE}'/' \
-e 's/^\(net0.*vmbr\)'${ADMIN_BRIDGE}'/\1'${WAN_BRIDGE}'/' \
/etc/pve/lxc/${ID}.conf
exit
fi
@ -61,9 +62,9 @@ fi
# Bootstrap...
if ! [ -z $BOOTSTRAP ] ; then
xread "Bootstrap bridge: vmbr" BOOTSTRAP_BRIDGE
# this will allow the bootstrapped CTs to access the network...
WAN_BRIDGE=${BOOTSTRAP_BRIDGE}
WAN_BRIDGE=$ADMIN_BRIDGE
#DFL_CTHOSTNAME=${DFL_CTHOSTNAME}-bootstrap
fi
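Review bot: The bridge revert `sed -i -e 's/^\(net0.*vmbr\)'${ADMIN_BRIDGE}'/\1'${WAN_BRIDGE}'/' /etc/pve/lxc/${ID}.conf` (same shape for the `BOOTSTRAP_BRIDGE` variant, whichever side is new) is unanchored on the right and never checked: a bridge number that is a prefix of another (`ADMIN_BRIDGE=1` against a `vmbr10` LAN bridge, the numbering the config example suggests) rewrites the wrong bridge, and when net0 is not on the admin bridge at all the script still prints "Reverting..." and exits 0, so a gate whose WAN-facing interface is silently left on the management bridge goes unnoticed. Guard and anchor it: `grep -q "^net0:.*bridge=vmbr${ADMIN_BRIDGE}\b" "/etc/pve/lxc/${ID}.conf" || { echo "# CT ${ID}: net0 is not on vmbr${ADMIN_BRIDGE}, nothing to revert" >&2; exit 1; }` before the sed, and `-e 's/^\(net0.*vmbr\)'"${ADMIN_BRIDGE}"'\b/\1'"${WAN_BRIDGE}"'/'` in it; `pct set "$ID" -net0 …` would avoid editing the pmxcfs file by hand and validate the bridge name for you. The variables should also be quoted in both `[ -z $BOOTSTRAP_CLEAN ]` and `[ -z $BOOTSTRAP ]`.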


@ -1,4 +1,6 @@
# NOTE: this assumes the ADMIN bridge to exist (proxmox default) and to be vmbr0...
auto vmbr${LAN_BRIDGE}
iface vmbr${LAN_BRIDGE} inet manual
bridge-ports none
@ -13,11 +15,3 @@ iface vmbr${WAN_BRIDGE} inet manual
bridge-fd 0
#WAN
auto vmbr${ADMIN_BRIDGE}
iface vmbr${ADMIN_BRIDGE} inet static
address ${HOST_ADMIN_IP}
bridge-ports ${BOOTSTRAP_PORT}
bridge-stp off
bridge-fd 0
#ADMIN
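Review bot: The new header comment hard-codes the assumption that the ADMIN bridge is `vmbr0`, while the rest of the tree addresses it as `vmbr${ADMIN_BRIDGE}` (the config hunk makes `0` a default, not a constant), and the ADMIN stanza that carried `address ${HOST_ADMIN_IP}` is dropped from the template; with any other number the expanded interfaces file simply has no admin bridge and no host address, and nothing in this hunk says so. Reword the comment to the real precondition, e.g. `# NOTE: vmbr${ADMIN_BRIDGE} (the ADMIN bridge, vmbr0 on a default Proxmox install) must already exist and carry the host's address; it is intentionally not created here.`, and have the host script refuse to write the file when `ip link show "vmbr${ADMIN_BRIDGE}"` fails, since after `ifreload -a` that bridge is the only remaining way back in.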


@ -19,7 +19,6 @@ need ifreload
readConfig
DFL_WAN_PORT=${DFL_WAN_PORT:-enp5s0}
DFL_ADMIN_PORT=${DFL_ADMIN_PORT:-enp2s0}
@ -36,9 +35,9 @@ SOFTWARE=(
tmux
)
INTERFACES=/etc/network/interfaces
BRIDGES_TPL=bridges.tpl
# XXX
#BRIDGES_TPL=bridges.tpl
BRIDGES_TPL=bootstrap-bridges.tpl
# XXX
#readVars
@ -48,27 +47,8 @@ BRIDGES_TPL=bridges.tpl
# Bootstrap...
if ! [ -z $BOOTSTRAP_CLEAN ] ; then
@ cp "$INTERFACES"{,.bak}
# stage 1: bootstrap -> clean
if [ -e "$INTERFACES".clean ] ; then
@ mv "$INTERFACES"{.clean,.new}
# stage 2: clean -> final
elif [ -e "$INTERFACES".final ] ; then
@ mv "$INTERFACES"{.final,.new}
# donw
else
exit
fi
if reviewApplyChanges "$INTERFACES" ; then
# XXX this must be done in nohup to avoid breaking on connection lost...
if ! @ ifreload -a ; then
# reset settings back if ifreload fails...
@ cp "$INTERFACES"{.bak,}
@ ifreload -a
fi
fi
# XXX switch admin interface IP and Gateway to admin net...
# XXX
exit
fi
@ -76,12 +56,10 @@ fi
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Bootstrap...
# XXX
if ! [ -z $BOOTSTRAP ] ; then
DFL_BOOTSTRAP_PORT=${DFL_BOOTSTRAP_PORT:-none}
xread "Bootstrap port: " BOOTSTRAP_PORT
BRIDGES_BOOTSTRAP_TPL=bootstrap-bridges.tpl
# XXX
BRIDGES_TPL=bootstrap-bridges.tpl
true
fi
@ -112,6 +90,8 @@ if xreadYes "# Create bridges?" BRIDGES ; then
xread "Gate ADMIN IP: " GATE_ADMIN_IP
readBridgeVars
INTERFACES=/etc/network/interfaces
# check if new bridges already exist in interfaces...
if [ -e "$INTERFACES" ] \
&& grep -q \
@ -138,57 +118,20 @@ if xreadYes "# Create bridges?" BRIDGES ; then
BRIDGES="$(\
cat "$BRIDGES_TPL" \
| expandPCTTemplate \
LAN_BRIDGE WAN_BRIDGE ADMIN_BRIDGE BOOTSTRAP_BRIDGE \
WAN_PORT ADMIN_PORT BOOTSTRAP_ADMIN_PORT \
HOST_ADMIN_IP GATE_ADMIN_IP)"
[ -z $BRIDGES_BOOTSTRAP_TPL ] \
|| BRIDGES_BOOTSTRAP="$(\
cat "$BRIDGES_BOOTSTRAP_TPL" \
| expandPCTTemplate \
LAN_BRIDGE WAN_BRIDGE ADMIN_BRIDGE BOOTSTRAP_BRIDGE \
WAN_PORT ADMIN_PORT BOOTSTRAP_PORT \
LAN_BRIDGE WAN_BRIDGE ADMIN_BRIDGE \
WAN_PORT ADMIN_PORT \
HOST_ADMIN_IP GATE_ADMIN_IP)"
if [ -z "$DRY_RUN" ] ; then
# write both bootstrap and clean bridge configurations...
if ! [ -z $BRIDGES_BOOTSTRAP ] ; then
# interfaces.final
@ cp "$INTERFACES"{.new,.final}
@ sed -i \
-e 's/'$ADMIN_PORT'/'$BOOTSTRAP_PORT'/' \
-e '/^.*gateway .*$/d' \
"$INTERFACES".final
echo "$BRIDGES" \
>> "$INTERFACES".final
# interfaces.clean
@ cp "$INTERFACES"{.new,.clean}
@ sed -i \
-e '/^.*gateway .*$/d' \
"$INTERFACES".clean
echo "$BRIDGES" \
| sed \
-e 's/'$ADMIN_PORT'/'$BOOTSTRAP_PORT'/' \
>> "$INTERFACES".clean
# interfaces.new (prep)
BRIDGES=$(\
echo "$BRIDGES_BOOTSTRAP" \
| sed -e '/^.*gateway .*$/d')
fi
# interfaces.new
# XXX add $BRIDGES to "$INTERFACES" either before the
# source command or at the end...
# XXX
echo "$BRIDGES" >> "$INTERFACES".new
else
echo "$BRIDGES"
fi
# interfaces
if reviewApplyChanges "$INTERFACES" ; then
# XXX this must be done in nohup to avoid breaking on connection lost...
if ! @ ifreload -a ; then
# reset settings back if ifreload fails...
@ cp "$INTERFACES"{.bak,}
@ -206,16 +149,6 @@ buildAssets
# XXX /etc/hosts???
# /etc/hosts
if xreadYes "# Update /etc/hosts?" HOSTS ; then
@ cp /etc/hosts{,.bak}
@ cp /etc/hosts{,.new}
@ sed -i \
-e 's/^[^#].* \(pve.local.*\)$/'${HOST_ADMIN_IP/\/*}'\1/' \
/etc/hosts.new
reviewApplyChanges /etc/hosts
fi
# DNS
if xreadYes "# Update DNS?" DNS ; then
file=/etc/resolv.conf
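Review bot: The apply path at the end of the bridge hunk (`if reviewApplyChanges "$INTERFACES" ; then` … `if ! @ ifreload -a ; then` … `cp "$INTERFACES"{.bak,}`) only rolls back when `ifreload` returns non-zero, but the failure mode this commit makes more likely — an interfaces file that applies cleanly yet no longer carries the admin bridge/address, now that the ADMIN stanza has left the template — returns success and cuts off every remote session, including the one running this script; the `XXX this must be done in nohup` comment shows the author expects exactly that. A timed revert in the commit-confirm style closes the gap: arm a detached job that restores `$INTERFACES.bak` after `REVERT_TIMEOUT` seconds, cancel it on immediate failure, and tell the admin to kill it once they have confirmed access from a fresh session. Both the outer `if reviewApplyChanges` block and the inner `if ! @ ifreload -a` block continue past the end of the hunk.
```shell
if reviewApplyChanges "$INTERFACES" ; then
	# Commit-confirm: if the new config applies cleanly but cuts remote
	# access, the backup is restored after REVERT_TIMEOUT seconds unless
	# the admin cancels the timer from a working session.
	REVERT_TIMEOUT=${REVERT_TIMEOUT:-120}
	REVERT_PID=
	if [ -z "$DRY_RUN" ] ; then
		nohup sh -c "sleep $REVERT_TIMEOUT \
			&& cp '$INTERFACES.bak' '$INTERFACES' \
			&& ifreload -a" >/dev/null 2>&1 &
		REVERT_PID=$!
		echo "# Auto-revert armed (pid $REVERT_PID): after ifreload, confirm access from a new session and run: kill $REVERT_PID"
	fi
	if ! @ ifreload -a ; then
		# immediate failure: cancel the timer, the explicit rollback below handles it
		[ -z "$REVERT_PID" ] || kill "$REVERT_PID" 2>/dev/null
		# … unchanged: cp "$INTERFACES"{.bak,} and ifreload -a …
```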


@ -67,7 +67,6 @@ echo "# Installing dependencies..."
echo "# Copying assets..."
pctPushAssets $ID
@ lxc-attach $ID chmod +x /root/leases
echo "# Setup: dnsmasq..."
@ lxc-attach $ID rc-update add dnsmasq


@ -21,7 +21,7 @@ readConfig
#----------------------------------------------------------------------
DFL_ID=${DFL_ID:=120}
DFL_ID=${DFL_ID:=102}
DFL_CTHOSTNAME=${DFL_CTHOSTNAME:=ssh}
DFL_CORES=${DFL_CORES:=1}


@ -17,7 +17,7 @@ readConfig
#----------------------------------------------------------------------
DFL_ID=${DFL_ID:=1010}
DFL_ID=${DFL_ID:=1001}
DFL_CTHOSTNAME=${DFL_CTHOSTNAME:=syncthing}
DFL_CORES=${DFL_CORES:=1}


@ -21,7 +21,7 @@ would-like dig #qrencode
readConfig
DFL_ID=${DFL_ID:=130}
DFL_ID=${DFL_ID:=103}
DFL_CTHOSTNAME=${DFL_CTHOSTNAME:=wireguard}
DFL_CORES=${DFL_CORES:=1}