sugoidogo · March 29, 2025 01:00
diff --git a/0-pve.sh b/0-pve.sh
 #!/usr/bin/env bash
 # wget -qO 0-pve.sh https://gist.github.com/sugoidogo/4684e4659431e17d15be20171160c1f9/raw/ && bash 0-pve.sh
 set -e
 export DEBIAN_FRONTEND=noninteractive
 export APT_LISTCHANGES_FRONTEND=none
 function download { wget $* || curl -fLO $*; }
 function stream { wget -qO- $* || curl -fsSL $*; }
 function package { apt $* || dnf $*; }
 echo "This script will download and run the installation script in a screen session"
 echo "The installation script will download post-installation scripts to $HOME and reboot the system upon successful installation"
 read -p "Press enter to continue"
 echo "removing pve-enterprise repo"
 rm /etc/apt/sources.list.d/pve-enterprise.list || true
 echo "updating repos"
 package update
 echo "installing required packages"
 package install gnupg sed screen curl -y
 echo "downloading install script"
 download https://gist.github.com/sugoidogo/4684e4659431e17d15be20171160c1f9/raw/1-install.sh
 echo "executing install script in screen session"
 screen -dm sh -c "bash 1-install.sh 2>&1 | tee install.log" # this line hurts me, someone help
 sleep 1
 tail -f install.log &
 wait $(cat install.pid)
 kill %1
diff --git a/1-install.sh b/1-install.sh
 #!/usr/bin/env bash
 set -e
 echo $$ > install.pid
 export DEBIAN_FRONTEND=noninteractive
 export APT_LISTCHANGES_FRONTEND=none
 function download { wget $* || curl -fLO $*; }
 function stream { wget -qO- $* || curl -fsSL $*; }
 function package { apt $* || dnf $*; }
 echo "upgrading system to stable+backports"
 wget -qO- https://gist.github.com/sugoidogo/1df06591d9dc4a8852fcbe2dd9757985/raw/ | bash
 source /etc/os-release
 echo "installing proxmox GPG key"
 stream http://download.proxmox.com/debian/proxmox-release-$VERSION_CODENAME.gpg | apt-key add -
 echo "installing proxmox repo"
 mkdir -p /etc/apt/sources.list.d && cd /etc/apt/sources.list.d
 echo "deb http://download.proxmox.com/debian/pve $VERSION_CODENAME pve-no-subscription" > pve-no-subscription.list
 echo "installing preferences: proxmox 1500 (always prioritise proxmox packages, even downgrades)"
 mkdir -p /etc/apt/preferences.d && cd /etc/apt/preferences.d
 download https://gist.github.com/sugoidogo/4684e4659431e17d15be20171160c1f9/raw/proxmox.pref
 echo "updating repos"
 package update
 echo "changing hostname entry in /etc/hosts"
 sed -i s/127.0.1.1/0.0.0.0/g /etc/hosts
 echo "installing proxmox and firewalld"
 echo "this step may cause temporary network loss"
 package install proxmox-ve firewalld -y || systemctl restart networking && package install proxmox-ve -y
 echo "removing unused packages"
 package remove os-prober linux-image-amd64* -y
 echo "removing pve-enterprise repo"
 rm /etc/apt/sources.list.d/pve-enterprise.list || true
 echo "setting tuned profile"
 tuned-adm profile virtual-host
 echo "allowing services through firewalld"
 firewall-cmd --add-service ssh --permanent
 firewall-cmd --add-port=8006/tcp --permanent
 echo "enabling mdns and tuned - change your default firewalld zone to home to allow mdns"
 systemctl enable avahi-daemon
 systemctl enable tuned
 echo "downloading post-setup scripts - check your home folder after reboot"
 cd ~
 download https://gist.github.com/sugoidogo/4684e4659431e17d15be20171160c1f9/raw/2-bridge.sh
 download https://gist.github.com/sugoidogo/4684e4659431e17d15be20171160c1f9/raw/2-nat.sh
 download https://gist.github.com/sugoidogo/4684e4659431e17d15be20171160c1f9/raw/3-user.sh
 download https://gist.github.com/sugoidogo/4684e4659431e17d15be20171160c1f9/raw/3-shared-mount.sh
 echo "Installation complete! rebooting"
 reboot
diff --git a/2-bridge.sh b/2-bridge.sh
 #!/usr/bin/env bash
 set -e
 export DEBIAN_FRONTEND=noninteractive
 export APT_LISTCHANGES_FRONTEND=none
 function download { wget $* || curl -fLO $*; }
 function stream { wget -qO- $* || curl -fsSL $*; }
 function package { apt $* || dnf $*; }
 interfaces=$(grep dhcp /etc/network/interfaces | sed -e 's/iface//g;s/inet//g;s/dhcp//g' | xargs)
 sed -i s/dhcp/manual/g /etc/network/interfaces
 echo "
 auto vmbr0
 iface vmbr0 inet dhcp
    bridge-ports $interfaces
    pre-up brctl addif vmbr0
    # Bridge Guest Network
 " >> /etc/network/interfaces
 ifup vmbr0
diff --git a/2-nat.sh b/2-nat.sh
 #!/usr/bin/env bash
 set -e
 export DEBIAN_FRONTEND=noninteractive
 export APT_LISTCHANGES_FRONTEND=none
 function download { wget $* || curl -fLO $*; }
 function stream { wget -qO- $* || curl -fsSL $*; }
 function package { apt $* || dnf $*; }

 package install dnsmasq -y

 X=$(( ( $RANDOM % 9 ) + 1 ))$(( $RANDOM % 10 ))
 Y=$(( ( $RANDOM % 9 ) + 1 ))$(( $RANDOM % 10 ))

 echo "
 auto vmbr0
 iface vmbr0 inet static
    address 10.$X.$Y.10/24
    pre-up brctl addbr vmbr0
    # NAT Geust Network
 " >> /etc/network/interfaces

 cd /etc
 mv resolvconf.conf resolvconf.conf.example || true
 download https://gist.github.com/sugoidogo/4684e4659431e17d15be20171160c1f9/raw/resolvconf.conf
 sed -i "s/{X}/$X/g;s/{Y}/$Y/g" resolvconf.conf
 mv dnsmasq.conf dnsmasq.conf.example || true
 download https://gist.github.com/sugoidogo/4684e4659431e17d15be20171160c1f9/raw/dnsmasq.conf
 sed -i "s/{X}/$X/g;s/{Y}/$Y/g" dnsmasq.conf
 cd dnsmasq.d
 download https://gist.github.com/sugoidogo/4684e4659431e17d15be20171160c1f9/raw/cloudflare-dns.conf
 download https://gist.github.com/sugoidogo/4684e4659431e17d15be20171160c1f9/raw/google-dns.conf
 download https://gist.github.com/sugoidogo/4684e4659431e17d15be20171160c1f9/raw/quad9-dns.conf
 download https://gist.github.com/sugoidogo/4684e4659431e17d15be20171160c1f9/raw/domain.conf
 sed -i "s/{X}/$X/g;s/{Y}/$Y/g;s/{HOSTNAME}/$HOSTNAME/g" domain.conf

 package install openresolv -y

 ifup vmbr0
 firewall-cmd --add-masquerade
 firewall-cmd --zone=internal --add-interface vmbr0
 firewall-cmd --zone=internal --add-masquerade
 firewall-cmd --zone=internal --add-service dhcp
 firewall-cmd --zone=internal --add-service dns
 firewall-cmd --runtime-to-permanent
 systemctl restart dnsmasq
diff --git a/3-shared-mount.sh b/3-shared-mount.sh
 #!/usr/bin/env bash
 set -e

 echo "This script adds a bind mount to be shared by all containers and host"
 read -p "mount path: /" MOUNT
 mkdir -p /$MOUNT
 chmod 777 /$MOUNT
 cd /usr/share/lxc/config/common.conf.d/
 echo "lxc.mount.entry = /$MOUNT $MOUNT none bind,create=dir 0 0
 " >> shared-mount.conf
 echo "any containers started now will share the /$MOUNT directory with the host"
diff --git a/3-user.sh b/3-user.sh
 #!/usr/bin/env bash
 set -e
 export DEBIAN_FRONTEND=noninteractive
 export APT_LISTCHANGES_FRONTEND=none

 apt install sudo -y

 read -p 'New Username: ' NEWUSER
 adduser --ingroup sudo $NEWUSER

 pveum group add admin -comment "System Administrators"
 pveum acl modify / -group admin -role Administrator
 pveum user add $NEWUSER@pam
 pveum user modify $NEWUSER@pam -group admin

 passwd -l root

 echo "The root account is now locked, user $NEWUSER may become root with sudo"
diff --git a/cloudflare-dns.conf b/cloudflare-dns.conf
 server=1.1.1.1
 server=1.0.0.1
 server=2606:4700:4700::1111
 server=2606:4700:4700::1001
diff --git a/dnsmasq.conf b/dnsmasq.conf
 # https://github.com/imp/dnsmasq/blob/master/dnsmasq.conf.example

 # The following two options make you a better netizen, since they
 # tell dnsmasq to filter out queries which the public DNS cannot
 # answer, and which load the servers (especially the root servers)
 # unnecessarily. If you have a dial-on-demand link they also stop
 # these requests from bringing up the link unnecessarily.

 # Never forward plain names (without a dot or domain part)
 domain-needed
 # Never forward addresses in the non-routed address spaces.
 bogus-priv

 # If you don't want dnsmasq to read /etc/resolv.conf or any other
 # file, getting its servers from this file instead (see below), then
 # uncomment this.
 no-resolv

 # Read configuration generated by openresolv
 conf-file=/etc/dnsmasq-conf.conf
 resolv-file=/etc/dnsmasq-resolv.conf

 # If you want dnsmasq to listen for DHCP and DNS requests only on
 # specified interfaces (and the loopback) give the name of the
 # interface (eg eth0) here.
 # Repeat the line for more than one interface.
 interface=vmbr0

 # Uncomment this to enable the integrated DHCP server, you need
 # to supply the range of addresses available for lease and optionally
 # a lease time. If you have more than one network, you will need to
 # repeat this for each network on which you want to supply DHCP
 # service.
 dhcp-range=10.{X}.{Y}.11,10.{X}.{Y}.99

 # Do Router Advertisements, BUT NOT DHCP for this subnet, also try and
 # add names to the DNS for the IPv6 address of SLAAC-configured dual-stack 
 # hosts. Use the DHCPv4 lease to derive the name, network segment and 
 # MAC address and assume that the host will also have an
 # IPv6 address calculated using the SLAAC algorithm.
 dhcp-range={X}{Y}::, ra-names

 # Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave.
 dhcp-option=252,"\n"

 # Send microsoft-specific option to tell windows to release the DHCP lease
 # when it shuts down. Note the "i" flag, to tell dnsmasq to send the
 # value as a four-byte integer - that's what microsoft wants. See
 # http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true
 dhcp-option=vendor:MSFT,2,1i

 # Set the DHCP server to authoritative mode. In this mode it will barge in
 # and take over the lease for any client which broadcasts on the network,
 # whether it has a record of the lease or not. This avoids long timeouts
 # when a machine wakes up on a new network. DO NOT enable this if there's
 # the slightest chance that you might end up accidentally configuring a DHCP
 # server for your campus/company accidentally. The ISC server uses
 # the same option, and this URL provides more information:
 # http://www.isc.org/files/auth.html
 dhcp-authoritative

 # Include all files in a directory which end in .conf
 conf-dir=/etc/dnsmasq.d/,*.conf

 # If a DHCP client claims that its name is "wpad", ignore that.
 # This fixes a security hole. see CERT Vulnerability VU#598349
 dhcp-name-match=set:wpad-ignore,wpad
 dhcp-ignore-names=tag:wpad-ignore
diff --git a/domain.conf b/domain.conf
 # Set the domain for dnsmasq. this is optional, but if it is set, it
 # does the following things.
 # 1) Allows DHCP hosts to have fully qualified domain names, as long
 #     as the domain part matches this setting.
 # 2) Sets the "domain" DHCP option thereby potentially setting the
 #    domain of all systems configured by DHCP
 # 3) Provides the domain part for "expand-hosts"
 domain={HOSTNAME}
 address=/{HOSTNAME}/10.{X}.{Y}.10
diff --git a/google-dns.conf b/google-dns.conf
 server=8.8.8.8
 server=8.8.4.4
 server=2001:4860:4860::8888
 server=2001:4860:4860::8844
diff --git a/proxmox.pref b/proxmox.pref
 Package: *
 Pin: release o=Proxmox
 Pin-Priority: 1500
diff --git a/quad9-dns.conf b/quad9-dns.conf
 server=9.9.9.10
 server=149.112.112.10
 server=2620:fe::10
 server=2620:fe::fe:10
diff --git a/resolvconf.conf b/resolvconf.conf
 # Use the local name server
 name_servers="10.{X}.{Y}.11"
 resolv_conf_options="trust-ad"

 # Write out dnsmasq extended configuration and resolv files
 dnsmasq_conf=/etc/dnsmasq-conf.conf
 dnsmasq_resolv=/etc/dnsmasq-resolv.conf
	#!/usr/bin/env bash
	# wget -qO 0-pve.sh https://gist.github.com/sugoidogo/4684e4659431e17d15be20171160c1f9/raw/ && bash 0-pve.sh
	set -e
	export DEBIAN_FRONTEND=noninteractive
	export APT_LISTCHANGES_FRONTEND=none
	function download { wget $* \|\| curl -fLO $*; }
	function stream { wget -qO- $* \|\| curl -fsSL $*; }
	function package { apt $* \|\| dnf $*; }
	echo "This script will download and run the installation script in a screen session"
	echo "The installation script will download post-installation scripts to $HOME and reboot the system upon successful installation"
	read -p "Press enter to continue"
	echo "removing pve-enterprise repo"
	rm /etc/apt/sources.list.d/pve-enterprise.list \|\| true
	echo "updating repos"
	package update
	echo "installing required packages"
	package install gnupg sed screen curl -y
	echo "downloading install script"
	download https://gist.github.com/sugoidogo/4684e4659431e17d15be20171160c1f9/raw/1-install.sh
	echo "executing install script in screen session"
	screen -dm sh -c "bash 1-install.sh 2>&1 \| tee install.log" # this line hurts me, someone help
	sleep 1
	tail -f install.log &
	wait $(cat install.pid)
	kill %1
	#!/usr/bin/env bash
	set -e
	echo $$ > install.pid
	export DEBIAN_FRONTEND=noninteractive
	export APT_LISTCHANGES_FRONTEND=none
	function download { wget $* \|\| curl -fLO $*; }
	function stream { wget -qO- $* \|\| curl -fsSL $*; }
	function package { apt $* \|\| dnf $*; }
	echo "upgrading system to stable+backports"
	wget -qO- https://gist.github.com/sugoidogo/1df06591d9dc4a8852fcbe2dd9757985/raw/ \| bash
	source /etc/os-release
	echo "installing proxmox GPG key"
	stream http://download.proxmox.com/debian/proxmox-release-$VERSION_CODENAME.gpg \| apt-key add -
	echo "installing proxmox repo"
	mkdir -p /etc/apt/sources.list.d && cd /etc/apt/sources.list.d
	echo "deb http://download.proxmox.com/debian/pve $VERSION_CODENAME pve-no-subscription" > pve-no-subscription.list
	echo "installing preferences: proxmox 1500 (always prioritise proxmox packages, even downgrades)"
	mkdir -p /etc/apt/preferences.d && cd /etc/apt/preferences.d
	download https://gist.github.com/sugoidogo/4684e4659431e17d15be20171160c1f9/raw/proxmox.pref
	echo "updating repos"
	package update
	echo "changing hostname entry in /etc/hosts"
	sed -i s/127.0.1.1/0.0.0.0/g /etc/hosts
	echo "installing proxmox and firewalld"
	echo "this step may cause temporary network loss"
	package install proxmox-ve firewalld -y \|\| systemctl restart networking && package install proxmox-ve -y
	echo "removing unused packages"
	package remove os-prober linux-image-amd64* -y
	echo "removing pve-enterprise repo"
	rm /etc/apt/sources.list.d/pve-enterprise.list \|\| true
	echo "setting tuned profile"
	tuned-adm profile virtual-host
	echo "allowing services through firewalld"
	firewall-cmd --add-service ssh --permanent
	firewall-cmd --add-port=8006/tcp --permanent
	echo "enabling mdns and tuned - change your default firewalld zone to home to allow mdns"
	systemctl enable avahi-daemon
	systemctl enable tuned
	echo "downloading post-setup scripts - check your home folder after reboot"
	cd ~
	download https://gist.github.com/sugoidogo/4684e4659431e17d15be20171160c1f9/raw/2-bridge.sh
	download https://gist.github.com/sugoidogo/4684e4659431e17d15be20171160c1f9/raw/2-nat.sh
	download https://gist.github.com/sugoidogo/4684e4659431e17d15be20171160c1f9/raw/3-user.sh
	download https://gist.github.com/sugoidogo/4684e4659431e17d15be20171160c1f9/raw/3-shared-mount.sh
	echo "Installation complete! rebooting"
	reboot
	#!/usr/bin/env bash
	set -e

	echo "This script adds a bind mount to be shared by all containers and host"
	read -p "mount path: /" MOUNT
	mkdir -p /$MOUNT
	chmod 777 /$MOUNT
	cd /usr/share/lxc/config/common.conf.d/
	echo "lxc.mount.entry = /$MOUNT $MOUNT none bind,create=dir 0 0
	" >> shared-mount.conf
	echo "any containers started now will share the /$MOUNT directory with the host"
	server=1.1.1.1
	server=1.0.0.1
	server=2606:4700:4700::1111
	server=2606:4700:4700::1001
	# https://github.com/imp/dnsmasq/blob/master/dnsmasq.conf.example

	# The following two options make you a better netizen, since they
	# tell dnsmasq to filter out queries which the public DNS cannot
	# answer, and which load the servers (especially the root servers)
	# unnecessarily. If you have a dial-on-demand link they also stop
	# these requests from bringing up the link unnecessarily.

	# Never forward plain names (without a dot or domain part)
	domain-needed
	# Never forward addresses in the non-routed address spaces.
	bogus-priv

	# If you don't want dnsmasq to read /etc/resolv.conf or any other
	# file, getting its servers from this file instead (see below), then
	# uncomment this.
	no-resolv

	# Read configuration generated by openresolv
	conf-file=/etc/dnsmasq-conf.conf
	resolv-file=/etc/dnsmasq-resolv.conf

	# If you want dnsmasq to listen for DHCP and DNS requests only on
	# specified interfaces (and the loopback) give the name of the
	# interface (eg eth0) here.
	# Repeat the line for more than one interface.
	interface=vmbr0

	# Uncomment this to enable the integrated DHCP server, you need
	# to supply the range of addresses available for lease and optionally
	# a lease time. If you have more than one network, you will need to
	# repeat this for each network on which you want to supply DHCP
	# service.
	dhcp-range=10.{X}.{Y}.11,10.{X}.{Y}.99

	# Do Router Advertisements, BUT NOT DHCP for this subnet, also try and
	# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack
	# hosts. Use the DHCPv4 lease to derive the name, network segment and
	# MAC address and assume that the host will also have an
	# IPv6 address calculated using the SLAAC algorithm.
	dhcp-range={X}{Y}::, ra-names

	# Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave.
	dhcp-option=252,"\n"

	# Send microsoft-specific option to tell windows to release the DHCP lease
	# when it shuts down. Note the "i" flag, to tell dnsmasq to send the
	# value as a four-byte integer - that's what microsoft wants. See
	# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true
	dhcp-option=vendor:MSFT,2,1i

	# Set the DHCP server to authoritative mode. In this mode it will barge in
	# and take over the lease for any client which broadcasts on the network,
	# whether it has a record of the lease or not. This avoids long timeouts
	# when a machine wakes up on a new network. DO NOT enable this if there's
	# the slightest chance that you might end up accidentally configuring a DHCP
	# server for your campus/company accidentally. The ISC server uses
	# the same option, and this URL provides more information:
	# http://www.isc.org/files/auth.html
	dhcp-authoritative

	# Include all files in a directory which end in .conf
	conf-dir=/etc/dnsmasq.d/,*.conf

	# If a DHCP client claims that its name is "wpad", ignore that.
	# This fixes a security hole. see CERT Vulnerability VU#598349
	dhcp-name-match=set:wpad-ignore,wpad
	dhcp-ignore-names=tag:wpad-ignore
	# Set the domain for dnsmasq. this is optional, but if it is set, it
	# does the following things.
	# 1) Allows DHCP hosts to have fully qualified domain names, as long
	# as the domain part matches this setting.
	# 2) Sets the "domain" DHCP option thereby potentially setting the
	# domain of all systems configured by DHCP
	# 3) Provides the domain part for "expand-hosts"
	domain={HOSTNAME}
	address=/{HOSTNAME}/10.{X}.{Y}.10
	server=8.8.8.8
	server=8.8.4.4
	server=2001:4860:4860::8888
	server=2001:4860:4860::8844
	server=9.9.9.10
	server=149.112.112.10
	server=2620:fe::10
	server=2620:fe::fe:10
	# Use the local name server
	name_servers="10.{X}.{Y}.11"
	resolv_conf_options="trust-ad"

	# Write out dnsmasq extended configuration and resolv files
	dnsmasq_conf=/etc/dnsmasq-conf.conf
	dnsmasq_resolv=/etc/dnsmasq-resolv.conf