-
Notifications
You must be signed in to change notification settings - Fork 0
/
setup-nasbeery
325 lines (285 loc) · 12.1 KB
/
setup-nasbeery
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
#!/bin/bash
prog="$(basename "$0")"
usage() {
cat >&2 <<-EOF
usage: $prog [-h] [-U USERNAME] [-P PASSWORD] [-H HOSTNAME] [-D DOMAIN] [-A ADDONS] [-S SHARE]
installs nasbeery onto your raspberry pi os
-U USERNAME Username for SSH, Cockpit and SMB Login (default: pi)
-P PASSWORD Password for SSH, Cockpit and SMB Login (min. 8 chars, default: password prompt)
-H HOSTNAME Hostname of this nasbeery (default: nasbeery)
-D DOMAIN Domain name of this nasbeery (default: bashclub.lan)
-A ADDONS Comma separated list of addons to install (ispconfig, docker)
-S SHARE Name of the SMB share to create (default: share)
---------------------------------------------------------------------------
(C) 2022 nasbeery installer by bashclub (https://github.com/bashclub)
---------------------------------------------------------------------------
EOF
exit $1
}
USERNAME=nasbeery
HOSTNAME=nasbeery
DOMAIN=bashclub.lan
FORMAT=0
ADDONS=
ZPOOL=tank
SHARE=share
BASE_REPO=https://github.com/bashclub/nasbeery
while getopts "hU:P:H:D:A:S:" opt; do
case $opt in
h) usage 0 ;;
U) USERNAME=$OPTARG ;;
P) PASSWORD=$OPTARG PASSWORD_REPEAT=$OPTARG ;;
H) HOSTNAME=$OPTARG ;;
D) DOMAIN=$OPTARG ;;
A) ADDONS=$OPTARG ;;
S) SHARE=$OPTARG ;;
*) usage 1 ;;
esac
done
shift $((OPTIND-1))
if [ -f nasbeery.conf ]; then
source nasbeery.conf
else
cat << EOF > nasbeery.conf
USERNAME=$USERNAME
HOSTNAME=$HOSTNAME
DOMAIN=$DOMAIN
ADDONS=$ADDONS
SHARE=$SHARE
EOF
fi
# Change password for Samba and Terminal
while [[ "$PASSWORD" != "$PASSWORD_REPEAT" || ${#PASSWORD} -le 8 ]]; do
PASSWORD=$(whiptail --backtitle "NASBEERY SETUP" --title "Set password!" --passwordbox "${PASSWORD_invalid_message}Please set a password for Terminal, Samba and Backupwireless\n(At least 8 characters!):" 10 75 3>&1 1>&2 2>&3)
PASSWORD_REPEAT=$(whiptail --backtitle "NASBEERY SETUP" --title "Set password!" --passwordbox "Please repeat the Password:" 10 70 3>&1 1>&2 2>&3)
PASSWORD_invalid_message="ERROR: Password is too short, or not matching! \n\n"
done
whiptail --title "Possible data loss!" \
--backtitle "NASBEERY SETUP" \
--yes-button "PRESERVE DATA" \
--no-button "FORMAT DISKS!" \
--yesno "Would you like to preserve you existing ZFS data from a previous installation?" 10 75
FORMAT=$?
# pin cockpit to buster backports
echo "Configure apt to install cockpit from backports repo"
cat << EOF | tee -i /etc/apt/preferences.d/99-cockpit
Package: cockpit cockpit-*
Pin: release a=bullseye-backports
Pin-Priority: 900
EOF
grep contrib /etc/apt/sources.list
if [ $? -gt 0 ]; then
sed -i "s/main/main contrib non-free/g" /etc/apt/sources.list
fi
echo "Add debian bullseye backports repo"
echo "deb http://ftp.de.debian.org/debian/ bullseye-backports main contrib non-free" | tee -i /etc/apt/sources.list.d/bulleye-backports.list
# update system and install packages
echo "Updating package lists"
apt -qq update
echo "Installing dist-upgrade"
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" dist-upgrade
echo "Detecting Architecture"
if [[ $(dpkg --get-selections | grep -m1 "raspberrypi-kernel") ]]; then
headers="raspberrypi-kernel-headers"
elif [[ $(dpkg --get-selections | grep -E -m1 "linux-image-current-rockchip64") ]]; then
headers="linux-headers-current-rockchip64"
elif [[ $(dpkg --get-selections | grep -E -m1 "linux-image-edge-rockchip64") ]]; then
headers="linux-edge-current-rockchip64"
elif [[ $(dpkg --get-selections | grep -E -m1 "linux-image-current-meson64") ]]; then
headers="linux-headers-current-meson64"
elif [[ $(dpkg --get-selections | grep -E -m1 "linux-image-edge-meson64") ]]; then
headers="linux-headers-edge-meson64"
elif [[ $(dpkg --get-selections | grep -m1 "linux-image-generic") ]]; then
headers="linux-headers-generic"
elif [[ $(dpkg --get-selections | grep -m1 "linux-image-raspi") ]]; then
headers="linux-headers-raspi"
elif [[ $(dpkg --get-selections | grep -m1 "linux-image-amd64") ]]; then
headers="linux-headers-amd64"
fi
echo "Intalling required packages"
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" install $headers ntpdate git apt-transport-https gnupg2 software-properties-common vim htop net-tools dnsutils dpkg-dev
# add extra apt keys
echo "Add wsdd apt repo key"
wget -O - https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key | gpg --dearmor | tee -i /etc/apt/trusted.gpg.d/wsdd.gpg
# add extra apt repos
echo "Add wsdd apt repo url"
echo "deb [signed-by=/etc/apt/trusted.gpg.d/wsdd.gpg] https://pkg.ltec.ch/public/ $(lsb_release -cs) main" | tee -i /etc/apt/sources.list.d/wsdd.list
echo "add 45drives repo key"
wget -O - https://repo.45drives.com/key/gpg.asc | gpg --dearmor | tee -i /etc/apt/trusted.gpg.d/45drives.gpg
echo "Add 45drives apt repo url"
echo "deb [signed-by=/etc/apt/trusted.gpg.d/45drives.gpg arch=amd64] https://repo.45drives.com/debian focal main" > /etc/apt/sources.list.d/45drives.list
echo "Updating package lists"
apt -qq update
echo "Installing samba"
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" install -t bullseye-backports acl samba-dsdb-modules samba-vfs-modules samba winbind wsdd zfs-dkms zfsutils-linux zfs-auto-snapshot
ARCH=$(arch)
if [[ "${ARCH}" == "aarch64" ]] || [[ "${ARCH}" == "riscv64" ]]; then
znapzend_version=$(apt search znapzend 2>/dev/null | grep znapzend | cut -d ' ' -f2)
wget -O znapzend_${znapzend_version}_amd64.deb https://repo.45drives.com/debian/pool/main/z/znapzend/znapzend_${znapzend_version}_amd64.deb
mkdir znapzend
dpkg-deb -R znapzend_${znapzend_version}_amd64.deb ./znapzend
sed -i "s/amd64/${ARCH}/g" ./znapzend/DEBIAN/control
sed -i "s/x86_64-linux-gnu/${ARCH}-linux-gnu/g" znapzend/usr/bin/*
mv znapzend/usr/lib/x86_64-linux-gnu znapzend/usr/lib/${ARCH}-linux-gnu
dpkg-deb -b znapzend znapzend_${znapzend_version}_${ARCH}.deb
apt install ./znapzend_${znapzend_version}_${ARCH}.deb
systemctl disable znapzend.service
rm -r znapzend*
fi
echo "Installing cockpit"
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" install --no-install-recommends cockpit cockpit-identities cockpit-file-sharing cockpit-navigator cockpit-zfs-manager cockpit-benchmark
echo "Activate zfs module"
modprobe zfs
echo "Update time via ntp"
ntpdate-debian -b > /dev/null
rootfs=$(grep " / " /proc/mounts | cut -d'/' -f3)
if [[ "$rootfs" == *"nvme"* ]] || [[ "$rootfs" == *"mmcblk"* ]]; then
rootdisk=${rootfs::-3}
else
rootdisk=${rootfs::1}
fi
zdisks=$(echo $(lsblk -nd -I 8,259,179 -o name | grep -v ${rootdisk}) | cut -d' ' -f1-2)
case $FORMAT in
0) echo "Your ZFS Data will be preserved";;
1) echo "Existing data on the drives will be deleted..."
zpool destroy $ZPOOL
zpool create -f -o autoexpand=on -o ashift=12 $ZPOOL mirror $zdisks
echo "Regenerate ssh host keys"
rm -f /etc/ssh/ssh_host_*
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
;;
255) echo "[ESC] key pressed >> EXIT" && exit;;
esac
echo "Hadening ssh service"
echo "Enable the RSA and ED25519 keys"
sed -i 's/^\#HostKey \/etc\/ssh\/ssh_host_\(rsa\|ed25519\)_key$/HostKey \/etc\/ssh\/ssh_host_\1_key/g' /etc/ssh/sshd_config
echo "Remove small Diffie-Hellman moduli"
awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
mv -f /etc/ssh/moduli.safe /etc/ssh/moduli
echo "Restrict supported key exchange, cipher, and MAC algorithms"
echo -e "\n# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nKexAlgorithms curve25519-sha256,[email protected],diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\nCiphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr\nMACs [email protected],[email protected],[email protected]\nHostKeyAlgorithms ssh-ed25519,[email protected],[email protected],[email protected],rsa-sha2-256,rsa-sha2-512,[email protected],[email protected]" | tee -i /etc/ssh/sshd_config.d/ssh-audit_hardening.conf
if [ ! $(zfs list $ZPOOL/$SHARE) ] ; then
echo "Creating $ZPOOL/$SHARE"
zfs create -o compression=lz4 $ZPOOL/$SHARE
fi
echo "Settings permissions on $ZPOOL/$SHARE"
chmod -R 770 /$ZPOOL
chown -R $USERNAME:root /$ZPOOL
echo "Seting hostname and fqdn"
echo "$HOSTNAME" | tee -i /etc/hostname
cat << EOF | tee -i /etc/hosts
# Host addresses
127.0.0.1 localhost
127.0.1.1 $HOSTNAME.$DOMAIN $HOSTNAME
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
EOF
echo "Configuring user"
useradd -m -s /bin/bash $USERNAME
echo "$USERNAME:$PASSWORD" | chpasswd
smbpasswd -x $USERNAME
(echo $PASSWORD; echo $PASSWORD) | smbpasswd -a $USERNAME
usermod -aG sudo $USERNAME
echo "Writing cockpit configuration"
cat << EOF | tee -i /etc/cockpit/zfs/config.json
{
"#1": "COCKPIT ZFS MANAGER",
"#2": "WARNING: DO NOT EDIT, AUTO-GENERATED CONFIGURATION",
"cockpit": {
"manage": true
},
"disks": {
"base2": false
},
"loglevel": "2",
"samba": {
"manage": true,
"windowscompatibility": true
},
"updates": {
"check": true
},
"zfs": {
"filesystem": {
"cloneorigin": false,
"quotarestrict": true,
"readonlylockdown": false,
"snapshotactions": true
},
"snapshot": {
"filesystemlist": true
},
"status": {
"errorcolors": true,
"trimunsupported": false
},
"storagepool": {
"activetab": 1,
"boot": true,
"bootlockdown": true,
"count": true,
"refreshall": false,
"root": true
}
}
}
EOF
if [ -f /etc/cockpit/zfs/shares.conf ]; then
echo "Creating cockpit zfs shares conf"
mkdir -p /etc/cockpit/zfs/
cat << EOF | tee -i /etc/cockpit/zfs/shares.conf
# COCKPIT ZFS MANAGER
# WARNING: DO NOT EDIT, AUTO-GENERATED CONFIGURATION
EOF
fi
echo "Configure zfs-auto-snapshot: change retention from 24 to 48h and 12 to 3 months"
sed -i 's/24/48/g' /etc/cron.hourly/zfs-auto-snapshot
sed -i 's/12/3/g' /etc/cron.monthly/zfs-auto-snapshot
echo "Configure RAID led"
echo -e 'PATH="/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin"\n*/1 * * * * root echo 14 > /sys/class/gpio/export 2> /dev/null;echo out > /sys/class/gpio/gpio14/direction ; zpool import -fa -d /dev/ > /dev/null; zpool list| grep -q ONLINE; echo \$? > /sys/class/gpio/gpio14/value' | tee -i /etc/cron.d/raidled
echo "Write samba server configuration"
cat << EOF | tee -i /etc/samba/smb.conf
[global]
include = registry
EOF
cat << EOF | tee -i /etc/samba/import.template
[global]
workgroup = WORKGROUP
log file = /var/log/samba/log.%m
max log size = 1000
logging = file
panic action = /usr/share/samba/panic-action %d
server role = standalone server
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\password:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
vfs objects = shadow_copy2
shadow: snapdir = .zfs/snapshot
shadow: sort = desc
shadow: format = -%Y-%m-%d-%H%M
shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}
shadow: delimiter = -20
[$SHARE]
comment = Main Share
path = /$ZPOOL/$SHARE
read only = No
create mask = 0660
directory mask = 0770
EOF
net conf import /etc/samba/import.template
#### PLUGIN INSTALLATION ####
for addon in $ADDONS; do
wget -O ./$addon $base_repo/raw/main/plugins/$addon
bash ./$addon -Z $ZPOOL
done
echo "Restart samba services"
systemctl enable smbd nmbd wsdd
echo "############################################"
echo "nasbeery installation finished! rebooting..."
echo "############################################"
reboot