pvestrap

#!/bin/sh

# Basic sanity check
if [ ! -d /etc/pve ]; then
  echo "This script should only be run inside Proxmox VE" >&2
  exit 1
elif [ "$(id -u)" -ne 0 ]; then
  echo "This script requires root" >&2
  exit 1
fi


# For LXC: subuid and subgid
echo "root:100000:165536" > /etc/subuid
echo "root:100000:165536" > /etc/subgid


# apt and dpkg
cat > /etc/apt/sources.list << EOF
deb https://mirrors.ustc.edu.cn/debian bookworm main contrib non-free non-free-firmware
deb https://mirrors.ustc.edu.cn/debian bookworm-updates main contrib non-free non-free-firmware
deb https://mirrors.ustc.edu.cn/debian-security bookworm-security main contrib non-free non-free-firmware
EOF

cat > /etc/apt/apt.conf.d/51unattended-upgrades-custom << EOF
Unattended-Upgrade::Origins-Pattern {
    "origin=Debian,codename=\${distro_codename}-updates,label=Debian";
    "origin=Proxmox,codename=\${distro_codename}";
    "origin=InfluxDB";
};
EOF

# influxdata source (for telegraf)
if [ ! -f /etc/apt/keyrings/influxdata.asc ]; then
  mkdir -p /etc/apt/keyrings
  wget https://mirrors.ustc.edu.cn/influxdata/influxdata-archive_compat.key -O /etc/apt/keyrings/influxdata.asc
fi
echo 'deb [signed-by=/etc/apt/keyrings/influxdata.asc] https://mirrors.ustc.edu.cn/influxdata/debian stable main' > /etc/apt/sources.list.d/influxdata.list
# remove old influxdata list, if exists
rm -f /etc/apt/sources.list.d/influxdb.list


# sysctl
rm -f \
  /etc/sysctl.d/10-arp.conf \
  /etc/sysctl.d/20-inotify.conf \
  /etc/sysctl.d/20-keys.conf \
  /etc/sysctl.d/20-nf-conntrack.conf \
  /etc/sysctl.d/20-pids.conf \
  /etc/sysctl.d/30-net.conf

cat > /etc/sysctl.d/10-vlab.conf << EOF
# ARP
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2

# inotify (for VSCode and various)
fs.inotify.max_user_instances = 65536

# keyctl (for Docker)
kernel.keys.maxkeys = 50000
kernel.keys.maxbytes = 1000000

# conntrack
net.nf_conntrack_max = 1048576

# PIDs
kernel.pid_max = 4194304

# Miscellaneous networking
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
net.ipv4.ip_forward = 1
net.ipv4.neigh.default.gc_thresh3 = 8192
net.ipv6.neigh.default.gc_thresh3 = 8192
EOF
sysctl --system


# LXC conf
rm -f \
  /usr/share/lxc/config/common.conf.d/10-pids.conf \
  /usr/share/lxc/config/common.conf.d/10-prlimits.conf

PIDS_MAX=32768
if [ "$(hostname -s)" = "pv1" ]; then
  PIDS_MAX=8192
fi

cat > /usr/share/lxc/config/common.conf.d/10-vlab.conf << EOF
lxc.cgroup2.pids.max = $PIDS_MAX
lxc.prlimit.memlock = 16777216

# TUN device and KVM device
lxc.cgroup2.devices.allow = c 10:200 rwm
lxc.cgroup2.devices.allow = c 10:232 rwm

# Limit tmpfs size
lxc.mount.entry = tmpfs run tmpfs size=2G,mode=0755 0 0
lxc.mount.entry = tmpfs dev/shm tmpfs size=4G,mode=1777,create=dir 0 0
EOF


# LVM conf
F=/etc/lvm/lvm.conf
if [ ! -f "$F.dpkg-divert" ]; then
  dpkg-divert --rename --divert "$F.dpkg-divert" --add "$F"
fi

cat > "$F" << EOF
devices {
  # added by pve-manager to avoid scanning ZFS zvols
  global_filter=["r|/dev/zd.*|","r|/dev/rbd.*|"]
  scan_lvs=0
  issue_discards = 1
}
activation {
  auto_activation_volume_list = [ "pve", "data" ]
}
EOF
update-initramfs -u -k all


# iptables
rm -f /etc/iptables/ipsets
cat << EOF | tee /etc/iptables/rules.v{4,6} >/dev/null
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -p tcp --dport 443 -j REDIRECT --to-ports 8006
COMMIT
EOF

# Force iSCSI zeroing to not using unmap with udev rules
# See:
# - https://vlab.ibugone.com/records/2024-10-02/
# - https://bugzilla.proxmox.com/show_bug.cgi?id=5754

cat << EOF | tee /etc/udev/rules.d/99-scsi-zeroing-mode.rules >/dev/null
ACTION=="add", SUBSYSTEM=="scsi_disk", DEVPATH=="/devices/platform/host*/session*/target*/scsi_disk/*", ATTR{zeroing_mode}="writesame"
EOF