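#!/bin/bash
# forksand-bootstrap-hk2
# GPLv3+
#
# This script does some initial setup and config.
# Sets up Proxmox on the hk2 node.
#
# Usage: run once, as root, on a fresh Debian install of hk2.
#
# NOTE(review): this copy was recovered from a listing in which every
# here-document body (the text between `<<EOF` and `EOF`, plus whatever
# followed it up to the next `cat >`) was lost. Those spots are marked
# "LOST" below and stop the script instead of truncating a live config
# file with an empty body. Restore them from the original before running.

# Log script: stdout is tee'd to the .log file, stderr (which is where the
# `set -x` trace goes) to the .err file. Both live under /root; the trace
# records every command line verbatim, so keep these files root-only.
exec > >(tee /root/bootstrap-hk2.log) 2>/root/bootstrap-hk2.err
set -x

#######################################
# Stop at a point where the original script's text is missing.
# Arguments: $1 - path of the file whose here-document body is lost
# Outputs:   diagnostic on stderr
# Returns:   does not return; exits 1
#######################################
missing_heredoc() {
  printf 'bootstrap-hk2: the content written to %s is missing from this copy of the script; restore it before running\n' "$1" >&2
  exit 1
}

#######################################
# Snapshot /etc into its git repo with the given commit message.
# Runs in a subshell so the caller's cwd is untouched.
# Arguments: $1 - commit message
# Returns:   git's exit status (non-zero when there is nothing to commit)
#######################################
commit_etc() {
  (cd /etc && git add . && git commit -a -m "$1")
}

# Set locale
printf '%s\n' "en_US.UTF-8 UTF-8" > /etc/locale.gen
locale-gen
update-locale

# XXX Set timezone
ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime

# Set up git for tracking. XXX Ansible... XXX
apt-get -y install git sudo
cd /etc || exit 1
git init
# The repo will hold every revision of sshd_config, sudoers, hosts, ...; keep it root-only.
chmod og-rwx /etc/.git
# LOST: original was `cat > /etc/.gitignore <<EOF ... EOF`; the body, and anything
# that followed it up to the `cat > /etc/apt/sources.list` below, did not survive.
missing_heredoc /etc/.gitignore

# LOST: original was `cat > /etc/apt/sources.list <<EOF ... EOF`; the body, and
# anything that followed it up to the cpufrequtils block, did not survive.
missing_heredoc /etc/apt/sources.list

# LOST: original was `cat > /etc/default/cpufrequtils <<EOF ... EOF`, then the
# restart below.
missing_heredoc /etc/default/cpufrequtils
/etc/init.d/cpufrequtils restart
commit_etc 'Set up cpufrequtils'

# Small user tweaks
printf ':syntax on\n' > ~/.vimrc
printf ':syntax on\n' > /home/jebba/.vimrc
chown jebba:jebba /home/jebba/.vimrc
printf 'export EDITOR=vi\n' >> /root/.bashrc

# XXX Passwordless sudo XXX Ya, probably remove
# The substitution is made on a copy and only installed if visudo accepts it,
# so a bad edit cannot leave /etc/sudoers unparsable (which would lock sudo out).
sudoers_tmp=$(mktemp) || exit 1
sed -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers > "$sudoers_tmp"
if visudo -cf "$sudoers_tmp"; then
  install -m 0440 -o root -g root -- "$sudoers_tmp" /etc/sudoers
else
  printf 'bootstrap-hk2: edited sudoers failed the visudo check; /etc/sudoers left unchanged\n' >&2
fi
rm -f -- "$sudoers_tmp"
adduser jebba sudo
commit_etc 'Set up passwordless sudo'

# SSH config XXX sed cruft
sed -i \
  -e 's/PermitRootLogin yes/PermitRootLogin prohibit-password/g' \
  -e 's/\#PermitRootLogin prohibit-password/PermitRootLogin prohibit-password/g' \
  -e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \
  -e 's/\#X11Forwarding yes/X11Forwarding no/g' \
  /etc/ssh/sshd_config
printf '%s\n' 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config
printf '%s\n' 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config
# Need to update/fix for Debian Buster (testing/10). This line breaks Buster:
#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config
# XXX Add admins as only allowed ssh users
# XXX add user for ansbile
printf '%s\n' "AllowUsers jebba root" >> /etc/ssh/sshd_config
commit_etc 'Set up sshd'
# A config that does not parse (cf. the MACs line above) would most likely
# leave no sshd accepting new connections after the restart; check it first
# and keep the running daemon if the check fails.
if /usr/sbin/sshd -t; then
  systemctl restart sshd
else
  printf 'bootstrap-hk2: sshd_config failed "sshd -t"; sshd NOT restarted - fix the config, then restart it by hand\n' >&2
fi

# Startup XXX disable unneeded.
for svc in rsync exim4 saned; do
  printf '%s\n' "$svc"
  /usr/sbin/update-rc.d "$svc" disable
done
# XXX KILL THIS, listening on public port (firewalled, but still):
# tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 296/systemd-resolve
commit_etc 'Turn off junk on boot'

# GRUB
sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=4/g' /etc/default/grub
sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub
printf '%s\n' 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub
update-grub
commit_etc 'GRUB tweaks'

# Fix network to come up on boot
sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces
commit_etc 'Auto start network'

# XXX not sure why this is getting installed:
apt-get -y autoremove
apt-get -y remove os-prober

# Proxmox
#cat > /etc/apt/sources.list.d/pve-enterprise.list <<EOF   (left commented out in the original)
# LOST: original was `cat > /etc/apt/sources.list.d/pve-no-subscription.list <<EOF ... EOF`.
missing_heredoc /etc/apt/sources.list.d/pve-no-subscription.list
# LOST: original was `cat > /etc/apt/auth.conf <<EOF ... EOF`, plus everything
# that followed it up to the web-GUI notes below (presumably the Proxmox
# install itself). apt reads repository credentials from auth.conf; when the
# body is restored, keep the file 0600.
missing_heredoc /etc/apt/auth.conf

# hk2 (host) --> System --> Network
# Fix subnet mask, IP in web gui.
# Create --> Linux Bridge:
# vmbr0
# XXX best way for this server? No subnet.
#
# Set up ethernet ports
# XXX check name Disable enp2s0 (Autostart no)
# set up vmbr0 to the main IP, gateway, etc.
# Create Linux Bridge in web interface
# vmbr0
#XXX THIS ISN'T CORRECT IP
# 174.128.229.130/27
# 255.255.255.224
# Autostart
# VLAN Aware
# Bridge: enp2s0
# Comment Main bridge
#
# Set up 10.2.2.0 and 10.99.99.0 networks statically
# on secondary ethernet interfaces
# Reboot!  hk2 (host) --> Restart

# Configure Corosync
# Set up hosts
# XXX MAKE SURE NEW NODES GET ADDED TO EXISTING SERVER /etc/hosts
# TODO(review): 10.88.88.1 and 10.88.88.2 both map to hk2-fs; going by the
# -coro entries the first is probably meant to be hk1-fs - confirm before use.
printf '%s\n' \
  "10.3.3.1 hk1-coro" \
  "10.3.3.2 hk2-coro" \
  "10.3.3.3 hk3-coro" \
  "10.88.88.1 hk2-fs" \
  "10.88.88.2 hk2-fs" \
  "10.88.88.3 hk3-fs" \
  >> /etc/hosts

# Test cluster ping
for node in hk1-coro hk2-coro hk3-coro; do
  ping -q -c1 "$node"
done
# Test ssh
for node in hk1-coro hk2-coro hk3-coro; do
  ssh "$node" hostname
done
# ssh via IP
for node in 10.2.2.3; do
  ssh "$node" hostname
done

# Note this is needed on at least one of the SharkTech servers or
# you get bad UDP checksums
# Also set to correct ethernet device
# XXX CHECK
ethtool -K enp3s0 gso off
ethtool --offload enp3s0 rx off tx off
ethtool -K enp4s0 gso off
ethtool --offload enp4s0 rx off tx off

# Run this on just one node, hk1, to get the cluster started
#pvecm create hkfork --bindnet0_addr 10.2.2.1 --ring0_addr hk1-coro
# Run this on hk2
pvecm add 10.2.2.1 --ring0_addr hk1-coro
pvecm status
pvecm nodes

# rebootz ?

# After Cluster is Configured
# ===========================
# Data Center --> Permissions --> Users
# Add user with Realm Proxmox VE authentication server.
# Give user root permissions: Datacenter --> Permissions --> Add --> User permission.
# Path: / User: j Role: Administrator
# XXX Or create admin group, add perms to that...
# Permissions --> Authentication. Set Proxmox VE authentication server to default.
# Storage
# Datacenter --> Storage --> Edit local. Enable all content (add VZDump)
#
# DNS
# hk2 (host) --> System --> DNS
# Add servers:
# 208.67.222.222 208.67.220.220 37.235.1.174
#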