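#!/usr/bin/env bash
#
# Postinstall script run after the Debian preseed.
#
# Required environment (passed in by the image builder):
#   USERNAME        - unprivileged login that gets passwordless sudo + ssh access
#   AUTHORIZED_KEYS - ssh public key(s) for that user; backslash escapes such
#                     as '\n' are expanded, as the previous `echo -e` did
#
# errexit/nounset stay off on purpose so one failing step does not abort the
# whole postinstall; the steps whose failure must not be silent check their
# own status below.
# set -o errexit
# set -o nounset
set -o xtrace

# Fail early (with a clear message) if the builder did not pass the variables
# the sudo and ssh steps depend on; otherwise an empty name would produce a
# sudoers line granting root to nobody and keys under /home//.ssh.
: "${USERNAME:?USERNAME must be set}"
: "${AUTHORIZED_KEYS:?AUTHORIZED_KEYS must be set}"

# Reset ssh root login
sed -i 's/^.*PermitRootLogin.*/PermitRootLogin no/g' /etc/ssh/sshd_config

# Configure sudoers. The fragment is validated with visudo before it is put in
# place so a syntax error cannot leave sudo unusable on the image, and it is
# installed with the 0440 mode sudo expects for files in sudoers.d.
sudoers_tmp=$(mktemp) || exit 1
printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$USERNAME" > "$sudoers_tmp"
if visudo -cf "$sudoers_tmp"; then
  install -m 0440 -o root -g root -- "$sudoers_tmp" /etc/sudoers.d/90-packer
else
  printf 'invalid sudoers fragment for user %s\n' "$USERNAME" >&2
  rm -f -- "$sudoers_tmp"
  exit 1
fi
rm -f -- "$sudoers_tmp"

# Configure ssh pubkeys. With StrictModes (sshd's default) keys in a
# group/world-writable ~/.ssh or authorized_keys are ignored, so tighten the
# modes and hand ownership to the user instead of leaving root-owned files.
ssh_dir="/home/$USERNAME/.ssh"
mkdir -p -- "$ssh_dir"
printf '%b\n' "$AUTHORIZED_KEYS" > "$ssh_dir/authorized_keys"
chmod 0700 -- "$ssh_dir"
chmod 0600 -- "$ssh_dir/authorized_keys"
chown -R "$USERNAME:" "$ssh_dir"

# Disable LXC bridge
sed -i 's/^USE_LXC_BRIDGE="true"/USE_LXC_BRIDGE="false"/g' /etc/default/lxc-net

# Disable dhcp on eth0
sed -i 's/^iface eth0 inet dhcp/iface eth0 inet static/g' /etc/network/interfaces

# Enable host device bridge
# https://wiki.debian.org/LXC/SimpleBridge#Host_device_as_bridge
# (quoted delimiter: the file is static, nothing should be expanded)
cat <<'EOF' > /etc/network/interfaces.d/br0
auto br0
iface br0 inet dhcp
  hwaddress ether 02:cf:f3:37:2a:be
  bridge_ports eth0
  bridge_fd 0
  bridge_maxwait 0
EOF

# Configure AppArmor profile for nfs mount in lxc container
cat <<'EOF' > /etc/apparmor.d/lxc/lxc-gatus
profile lxc-gatus flags=(attach_disconnected,mediate_deleted) {
  # Include base container profile
  #include <abstractions/lxc/container-base>

  # Allow mounting a specific directory
  mount fstype=nfs -> /etc/nginx/tls/,
}
EOF

# Systemd override to store socket file in runtime directory
mkdir -p /etc/systemd/system/collectd.service.d
cat <<'EOF' > /etc/systemd/system/collectd.service.d/override.conf
[Service]
RuntimeDirectory=collectd
EOF

# Configure Collectd to report file system usage
cat <<'EOF' > /etc/collectd/collectd.conf
LoadPlugin df
<Plugin df>
  Device "/dev/md127"
  ValuesPercentage true
</Plugin>

LoadPlugin exec
<Plugin exec>
  Exec "nobody" "/usr/local/bin/collectd-exec-mdadm.sh"
</Plugin>

LoadPlugin unixsock
<Plugin unixsock>
  SocketFile "/var/run/collectd/query.sock"
  SocketGroup "nogroup"
  # allow Nginx in LXC container to write the socket
  SocketPerms "0666"
</Plugin>
EOF

# Set script for reporting the raid health
cat <<'EOF' > /usr/local/bin/collectd-exec-mdadm.sh
#!/usr/bin/env sh
#
# Collectd Exec plugin check: reports whether /dev/md127 has degraded members.
# https://github.com/collectd/collectd/wiki/Plugin-Exec
#
# Starting with version-4.9 the Exec plugin sets the COLLECTD_INTERVAL and
# COLLECTD_HOSTNAME environment variables. The former is set to the global
# interval setting (used below); the host part of the identifier is fixed to
# "intel0" so the metric name does not depend on the collectd hostname.
INTERVAL=$(printf "%0.f\n" "${COLLECTD_INTERVAL:-60}")

MD_RAID=md127
md_state="/sys/block/$MD_RAID/md/degraded"

while sleep "$INTERVAL"; do
  # Check if any of the raid members are degraded
  # - https://www.kernel.org/doc/html/v4.15/admin-guide/md.html
  # - https://github.com/TwiN/gatus#external-endpoints
  # Default to 0 when the sysfs node is unreadable so the numeric test never
  # gets an empty operand (the old unquoted $(cat ...) failed the test instead).
  degraded=0
  [ -r "$md_state" ] && read -r degraded < "$md_state"
  if [ "${degraded:-0}" -gt 0 ]; then
    # At least one raid member is in degraded state
    # Valid collectd types can be found in /usr/share/collectd/types.db
    echo "PUTVAL intel0/exec-${MD_RAID}/md_disks-degraded interval=$INTERVAL N:1"
  else
    echo "PUTVAL intel0/exec-${MD_RAID}/md_disks-degraded interval=$INTERVAL N:0"
  fi
done
EOF

chmod 0755 /usr/local/bin/collectd-exec-mdadm.sh

# Ensure that initramfs has an uptodate copy
# https://wiki.ubuntuusers.de/Software-RAID/#mdadm-conf-aktualisieren
# Generate into a temp file first so a failing mkconf does not truncate the
# existing mdadm.conf.
mdadm_tmp=$(mktemp) || exit 1
if /usr/share/mdadm/mkconf > "$mdadm_tmp"; then
  install -m 0644 -o root -g root -- "$mdadm_tmp" /etc/mdadm/mdadm.conf
  sed -i 's/^MAILADDR.*/MAILADDR agruhl@gmx.ch/g' /etc/mdadm/mdadm.conf
  update-initramfs -u
else
  printf 'mkconf failed, leaving mdadm.conf untouched\n' >&2
fi
rm -f -- "$mdadm_tmp"

# Mount the raid (append the fstab entry only once so re-runs stay idempotent)
mkdir -p /srv/nfs
if ! grep -q '^/dev/md127[[:space:]]' /etc/fstab; then
  printf '/dev/md127 /srv/nfs ext4 defaults 0 1\n' >> /etc/fstab
fi

# Configure NFS exports
cat <<'EOF' > /etc/exports
# - https://linux.die.net/man/5/exports
# - https://linux.die.net/man/8/exportfs
# - https://linux.die.net/man/8/rpcinfo
# - https://linux.die.net/man/8/nfsstat
# - https://wiki.archlinux.org/title/NFS
#
# Mount v4:
#   sudo mount 192.168.1.1:/share /mnt
#
# Mount v3:
#   sudo mount -o nfsvers=3 192.168.1.1:/srv/nfs/share /mnt
#
# Mount v3 (Gnome Files), https://gitlab.gnome.org/GNOME/gvfs/-/issues/18:
#   nfs://192.168.1.1:/srv/nfs/share
#
# insecure: "don't require requests originate on port < IPPORT_RESERVED (1024)"
#   refused mount request from 192.168.1.181 for /srv/nfs (/srv/nfs): illegal port 48172
#
# no_root_squash: Don't map 0 uid/gid to anonymous user

/srv/nfs 10.0.0.0/24(fsid=0,rw,insecure,sync,no_root_squash)
/srv/nfs 10.111.111.0/24(fsid=0,rw,insecure,sync,no_root_squash)
/srv/nfs/csi-nomad-snapshots 10.0.0.0/24(rw,insecure,sync,no_root_squash)
/srv/nfs/csi-certbot 10.0.0.0/24(rw,insecure,sync,no_root_squash)
/srv/nfs/csi-registry 10.0.0.0/24(rw,insecure,sync,no_root_squash)
/srv/nfs/csi-git 10.0.0.0/24(rw,insecure,sync,no_root_squash)
/srv/nfs/csi-stagit 10.0.0.0/24(rw,insecure,sync,no_root_squash)
/srv/nfs/csi-0x0 10.0.0.0/24(rw,insecure,sync,no_root_squash)
/srv/nfs/csi-diary 10.0.0.0/24(rw,insecure,sync,no_root_squash)
/srv/nfs/csi-cv 10.0.0.0/24(rw,insecure,sync,no_root_squash)
/srv/nfs/csi-ampache 10.0.0.0/24(rw,insecure,sync,no_root_squash)
/srv/nfs/csi-snibox 10.0.0.0/24(rw,insecure,sync,no_root_squash)
/srv/nfs/csi-writefreely 10.0.0.0/24(rw,insecure,sync,no_root_squash)
/srv/nfs/csi-kanboard 10.0.0.0/24(rw,insecure,sync,no_root_squash)
/srv/nfs/csi-hivedav-demo 10.0.0.0/24(rw,insecure,sync,no_root_squash)
/srv/nfs/csi-jenkins 10.0.0.0/24(rw,insecure,sync,no_root_squash)
/srv/nfs/csi-freshrss-data 10.0.0.0/24(rw,insecure,sync,no_root_squash)
/srv/nfs/csi-freshrss-ext 10.0.0.0/24(rw,insecure,sync,no_root_squash)
/srv/nfs/csi-pico 10.0.0.0/24(rw,insecure,sync,no_root_squash)
/srv/nfs/csi-silverbullet 10.0.0.0/24(rw,insecure,sync,no_root_squash)
/srv/nfs/csi-docker-mailserver-data 10.0.0.0/24(rw,insecure,sync,no_root_squash)
/srv/nfs/csi-docker-mailserver-config 10.0.0.0/24(rw,insecure,sync,no_root_squash)
/srv/nfs/csi-snac 10.0.0.0/24(rw,insecure,sync,no_root_squash)
/srv/nfs/csi-thelounge 10.0.0.0/24(rw,insecure,sync,no_root_squash)
EOF

# Install lxc snapshot cronjob
cat <<'EOF' > /usr/local/bin/lxc-snapshot.sh
#!/usr/bin/env bash
#
# Script for LXC container backup: clones every container, archives the clone
# into BACKUP_PATH and removes the clone again.
#
# set -o errexit
# set -o nounset
set -o xtrace

BACKUP_PATH=/srv/nfs/backup/lxc

# Without the target directory every tar below would fail; stop right away.
mkdir -p -- "$BACKUP_PATH" || exit 1

# One container name per line; filling an array from an unquoted $(lxc-ls)
# would word-split the output on any whitespace.
mapfile -t ctx < <(lxc-ls -1)

for c in "${ctx[@]}"; do
  snap_name="snap-$c"

  # Create complete clone (not just snapshot)
  # https://linuxcontainers.org/lxc/manpages/man1/lxc-copy.1.html
  # Skip the container if the clone failed instead of archiving a missing path
  # and destroying a clone that does not exist.
  if ! lxc-copy --name "$c" --newname "$snap_name" --allowrunning -o-; then
    printf 'lxc-copy of %s failed, skipping\n' "$c" >&2
    continue
  fi

  # Create tar archive in BACKUP_PATH with unix timestamp
  tar -cjf "$BACKUP_PATH/${c}_$(date +%s).tar.bz2" "/var/lib/lxc/$snap_name"

  # Cleanup the clone (also when tar failed, so no stale copies accumulate)
  lxc-destroy -n "$snap_name"
done

# Prune snapshots older than 2 days
find "$BACKUP_PATH" -type f -mtime +2 -exec rm -f -- {} +
EOF

chmod 0755 /usr/local/bin/lxc-snapshot.sh

cat <<'EOF' > /etc/systemd/system/lxc-snapshot.timer
[Unit]
Description=Take lxc snapshots

[Timer]
Unit=lxc-snapshot.service
OnCalendar=Mon-Sun 04:27

[Install]
WantedBy=timers.target
EOF

# The script is executable on its own; no /bin/sh -c wrapper is needed.
cat <<'EOF' > /etc/systemd/system/lxc-snapshot.service
[Unit]
Description=Take lxc snapshots

[Service]
Type=oneshot
ExecStart=/usr/local/bin/lxc-snapshot.sh

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable lxc-snapshot.timer
systemctl start lxc-snapshot.timer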