“after installation we can do some configurations”

goals:

  • create a regular user for ssh maintenance access
  • user management for “Proxmox VE authentication server” login
  • edit sources.list to “no-subscription”
  • revert thin-lvm
  • spin down HDDs per systemd.timer
  • add drives to lvm pool
  • fail2ban for ssh & weblogin
  • send metrics per udp to influxdb
  • some recommends

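create regular user:

## create a regular (unprivileged) user for ssh maintenance logins
> useradd -m -G users -s /bin/bash username
> passwd username
## note: this does not by itself restrict root logins over ssh; that is governed by
## PermitRootLogin in /etc/ssh/sshd_config (check cluster requirements before changing it)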

usermanagement for pve:

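## create a user to administrate proxmox
## note: the ACL path "/" used below applies the roles to the whole datacenter;
## use a narrower path if the group does not need access everywhere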
> pveum useradd username@pve -comment "vmadmin"
> pveum passwd username@pve
> pveum groupadd vmadmin -comment "vm administrators"
> pveum aclmod / -group vmadmin -role PVEVMAdmin
> pveum aclmod / -group vmadmin -role PVEDatastoreUser
> pveum usermod username@pve -group vmadmin

## create a read-only user (choose a different username than the admin account above)
> pveum useradd username@pve -comment "view vms only"
> pveum passwd username@pve
> pveum aclmod /vms -user username@pve -role PVEAuditor

edit sources.list:

## edit /etc/apt/sources.list.d/pve-enterprise.list
## comment out the "pve-enterprise" line and add
deb http://download.proxmox.com/debian/pve buster pve-no-subscription

## upgrade system
> apt update ; apt dist-upgrade

revert thin-lvm:

## revert thin-lvm
delete complete "lvmthin" part in /etc/pve/storage.cfg

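## recreate /var/lib/vz
## warning: lvremove destroys every guest disk stored on the thin pool (pve/data);
## do this on a fresh install or after backing up the guests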
> lvremove pve/data
> lvcreate --name data -l +100%FREE pve
> mkfs.ext4 /dev/pve/data

## add to /etc/fstab
/dev/pve/data /var/lib/vz ext4 defaults 0 1

spin down HDDs:

## make script dir in /opt 
> mkdir -p /opt/scripts

## edit /opt/scripts/hdparm.sh
#!/bin/bash
hdparm -B 127 -S 180 /dev/sdc
hdparm -B 127 -S 180 /dev/sdd

## make executable
> chmod +x /opt/scripts/hdparm.sh
## edit /usr/lib/systemd/system/hdparm.service

[Unit]
Description=hdparm

[Service]
Type=simple
ExecStart=/opt/scripts/hdparm.sh

[Install]
WantedBy=multi-user.target
## edit /usr/lib/systemd/system/hdparm.timer

[Unit]
Description=hdparm

[Timer]
#OnCalendar=*-*-* *:00:00
OnBootSec=1min
Unit=hdparm.service

[Install]
WantedBy=multi-user.target
## enable and start timer
> systemctl enable hdparm.timer
> systemctl start hdparm.timer

## start service manually
> systemctl start hdparm.service

add drives to lvm pool:

## format the new drive with fdisk and partition type "8e" for LVM 


## create new LVM volume
> pvcreate /dev/sdb1

## add new LVM volume to proxmox pve group
> vgextend pve /dev/sdb1

## increases the size of the logical volume
# root volume
lvextend -L+40G /dev/mapper/pve-root
# data volume
lvextend -L+440G /dev/mapper/pve-data

## now boot from iso using "rescue mode"
## make lvm volumes accessible
> lvm vgchange -ay

## run e2fsck forced
# root volume
> e2fsck -f /dev/mapper/pve-root
# data volume
> e2fsck -f /dev/mapper/pve-data

## run resize2fs
# root volume
> resize2fs /dev/mapper/pve-root
# data volume
> resize2fs /dev/mapper/pve-data

fail2ban:

## install fail2ban
> apt install fail2ban
## edit /etc/fail2ban/jail.local
[sshd]
enabled	= true
port    = ssh
filter	= sshd
logpath	= /var/log/auth.log
maxretry = 3
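# keep comments on their own line: fail2ban treats '#' as a comment only at the
# start of a line, so a trailing "# 12h" would become part of the value
# 12h
findtime = 43200
# 24h
bantime = 86400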

[proxmox]
enabled = true
port = https,http,8006
filter = proxmox
logpath = /var/log/daemon.log
maxretry = 3
# 1h (comment kept on its own line so it is not read as part of the value)
bantime = 3600
## create /etc/fail2ban/filter.d/proxmox.conf
[Definition]
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
ignoreregex =
## test regex
fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox.conf

## restart service
> systemctl restart fail2ban

send metrics to influxdb:

## edit /etc/pve/status.cfg on proxmox host
influxdb: proxmox
	server example.com
	port 8089
## create proxmox database on influxdb server
CREATE DATABASE proxmox
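## give a user read-only access to the proxmox database
## (the user must already exist; create it first with CREATE USER ... WITH PASSWORD ...)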
GRANT READ ON proxmox TO user
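## edit /etc/influxdb/influxdb.conf on influxdb server
## note: the udp listener accepts writes without authentication or encryption, and
## 0.0.0.0 listens on every interface; bind it to a specific address or firewall
## port 8089 so that only the proxmox host can reach it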
[[udp]]
  enabled = true
  bind-address = "0.0.0.0:8089"
  database = "proxmox"
  batch-size = 1000
  batch-timeout = "1s"
## restart service
> systemctl restart influxdb
## now we can log into grafana
## setup influxdb data source like:
> URL:
* https://localhost:8086
> Auth:
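* Skip TLS Verify = true (disables certificate validation; tolerable for a self-signed certificate on localhost, otherwise configure the CA certificate in the data source instead)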
> Database
* proxmox
> User
* username

import grafana dashboard “10048” from grafana.com
see Grafana & influxDB on Debian 10 for an installation tutorial