Proxmox

Proxmox-Exposed-Host

In This Post I'm showing you How to create a Proxmox host which is reachable trough internet. It presupposes you have Debian already installed on your server:

Access and Update the Server

Add User

adduser yourusername

install sudo

apt-get install sudo

Add new user to sudo Group

sudo adduser mynewuser sudo

Create and copy your SSH Key

Creating SSH-key

Connect with SSH Key

ssh yourusername@ip-address

Upgrade Server

apt-get update && apt-get dist-upgrade -y

Harden SSH

Install UFW

apt-get install ufw

Allow Port 22 (SSH Port) with Protocol TCP

ufw allow 22/tcp

activate UFW

ufw enable

edit SSH Config File

nano /etc/ssh/sshd_config

    Now edit / instert the following

PermitRootLogin no
MaxAuthTries 6
AllowUsers yourusername
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes

Reload SSH

systemctl restart sshd

Convert your Debian 10 Server to Proxmox 6

Add an /etc/hosts entry for your IP address

nano /etc/hosts

127.0.0.1       localhost.localdomain localhost
  192.168.15.77   prox4m1.proxmox.com prox4m1
 
 # The following lines are desirable for IPv6 capable hosts
 ::1     localhost ip6-localhost ip6-loopback
 ff02::1 ip6-allnodes
 ff02::2 ip6-allrouters
You can test if your setup is ok using the hostname command:
hostname --ip-address
192.168.15.77 # should return your IP address here

Adapt your sources.list

Add the Proxmox VE repository:
echo "deb http://download.proxmox.com/debian/pve buster pve-no-subscription" > /etc/apt/sources.list.d/pve-install-repo.list

Add the Proxmox VE repository key

wget http://download.proxmox.com/debian/proxmox-ve-release-6.x.gpg -O /etc/apt/trusted.gpg.d/proxmox-ve-release-6.x.gpg
chmod +r /etc/apt/trusted.gpg.d/proxmox-ve-release-6.x.gpg  # optional, if you have a non-default umask

Update your repository and system by running

apt update && apt full-upgrade

Install the Proxmox VE packages

apt install proxmox-ve postfix open-iscsi

Recommended: remove the os-prober package

apt remove os-prober

Update and check grub2 config by running:

update-grub

Now Reboot

reboot

Enter Proxmox Management UI

Allow the Proxmox management Port (8006) to be open

ufw allow 8006/tcp

Reload UFW

ufw reload

After that your Management Web Interface should be reachable in your Browser under https://your-ip-address:8006/

Note: we won't expose the Control Interface for very long

Configure Proxmox

Edit the file /etc/network/interfaces

Paste the following (if your Main Interface is eth0)

auto vmbr1
iface vmbr1 inet static
        address  10.10.10.254
        netmask  255.255.255.0
        bridge-ports none
        bridge-stp off
        bridge-fd 0

        # OpenDNS - Nameservers
        dns-nameservers 208.67.222.222 208.67.220.220

        post-up echo 1 > /proc/sys/net/ipv4/ip_forward

        post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE

       # Like this, you can Portforward external Ports to internal TCP / UDP Ports from LXC Container
       iptables -t nat -A PREROUTING -p tcp -i vmbr0 --dport 8080 -j DNAT --to-destination 10.10.10.9:8080

Note: that I moved the Part post-up echo 1 > /proc/sys/net/ipv4/ip_forward now from the Hardware Interface to the newly created Linux Bridge (vmbr1) Note: repace eth0 for your real ethernet Interface Now Reboot

reboot

(Optional but recommendet) Make Admin Portal accessable only via VPN Connection or your Static IP:

Use / download Openvpn script: https://github.com/angristan/openvpn-install

git clone https://github.com/angristan/openvpn-install

Change directory to Openvpn script

cd openvpn-install/

Make script executable

chmod +x openvpn-install.sh

run Openvpn script

./openvpn-install.sh

Allow SSH traffic from your OpenVPN connection

ufw allow from  10.8.0.0/24  to any port 22

Allow SSH traffic from your Static IP Address (if you have one at home or use another VPS)

ufw allow from  *staticip*  to any port 22

Change loglevel of your UFW so that the logfiles don't get gigantic

ufw logging low

Edit /etc/default/ufw

nano /etc/default/ufw

Allow troughput trough your VPN Connection and avoid getting no internet connection when you are connected with your VPN by pasting the following

DEFAULT_FORWARD_POLICY="ACCEPT"

Allow Traffic to OpenVPN Port 1194

ufw allow 1194

Note: Depending if you choose UDP or TCP while installing the Openvpn Script you may want to use: 'ufw allow 1194/udp' or 'ufw allow 1194/tcp' reload ufw

ufw reload

test Admin Portal Connection via https://10.10.10.254:8006

sudo openvpn /path/to/openvpn.file

and then simply point your Browser to: https://10.10.10.254:8006 if >>EVERYTHING<< works, continue with 13. remove firewall rule to allow connection to port 8006/tcp

ufw delete allow 8006/tcp

reload ufw

ufw reload

The Only way to connect now to your servers Admin Panel is either via your (if you have one) static IP or trough your VPN connection.

Fix Locales Error

Copy paste the Commands, I also just googled them, and I'm not exactly sure what the Commands are exactly doing, besides, fixing the locales...

 export LANGUAGE=en_US.UTF-8
 export LANG=en_US.UTF-8
 export LC_ALL=en_US.UTF-8
 locale-gen en_US.UTF-8
 dpkg-reconfigure locales

No Subscription Repo

Now we are pasting the right (no-subscription) Proxmox Apt-Repository. Since we don't have a Subscription and we don't want one (most of the time...) First we remove the file /etc/apt/sources.list.d/pve-enterprise.list

rm /etc/apt/sources.list.d/pve-enterprise.list

Create a new file named pve-no-subscription.list via nano:

nano /etc/apt/sources.list.d/pve-no-subscription.list

there we paste simply the following, which has no deeper meaning, besides, it's the Proxmox no subscription Repository

deb http://download.proxmox.com/debian/pve buster pve-no-subscription

test if your repositories are correctly set up with updating your Server:

apt-get update
apt-get dist-upgrade

if there are no error messages, your repositories are correctly setup

Create a Template

The special case with a VPS

Container

in most cases a VPS has only one virtual drive attached, what makes it impossible (if the VPS uses LVM) for Proxmox to create a template, since the template needs to be on another Storage (correct me, if it changed in meantime). So what you do instead is download a LXC Template from the GUI, assign it the last possible IP you have and costumize it. This has several advantages:

the first Container has the id 0, if it's your template, the first Container can be assigned with your IP X.X.X.1 you can simply clone your fist Container via GUI even tough it's no "real" Template

Note: This is more or less a workaround, since if you have f.e. ZFS as storage, you CAN create templates. Netherless, it is good practice to use your first created container / VM as template, since it's easier, to assign your IP addresses in order.

Create a reverse Proxy

Install a webserver

in this case we are using a Nginx webserver

apt-get install nginx

Configure nginx

for Nginx configuration I am linking a sample Nginx configuration creator:

https://nginxconfig.io/

test Nginx configuration for mistakes

nginx -t

restart Nginx

systemctl restart nginx

... enjoy your nginx reverse proxy

Proxmox Fixes and Workarounds

XMPP Letsencrypt Container

Create Certificate Folder

mkdir /var/www/ssl/xmpp

get Letsencrypt Certificate

certbot certonly --webroot -w /var/www/ssl/xmpp --email mail@domain.tld -d xmpp.domain.tld -d conference.domain.tld -d pubsub.domain.tld -d upload.domain.tld -d domain.tld

Set Mountpoint from Host to Container

Assuming your XMPP Container ID is 100:

pct set 100 -mp0 /etc/letsencrypt/live,mp=/etc/letsencrypt/live
pct set 100 -mp1 /etc/letsencrypt/archive,mp=/etc/letsencrypt/archive

Fix Locales Debian 10 LXC

Enter the following Commands:


export LANGUAGE=en_US.UTF-8
export LANG=en_US.UTF-8
export LC_ALL=en_US.UTF-8
locale-gen en_US.UTF-8
dpkg-reconfigure locales

Docker under LXC

Use unprivileged container in Options set keyctl=1, nested=1

Execute on Host:

systemctl edit containerd.service

Paste the following:

[Service] ExecStartPre=

.img to proxmox image (.qcow2)

move disk as qcow2 to external Storage sshfs to storage

qemu-img convert -f raw -O qcow2 image.img vm-104-disk.qcow2

snmpd Monitoring fix

# This file controls the activity of snmpd and snmptrapd

# MIB directories. /usr/share/snmp/mibs is the default, but
# including it here avoids some strange problems.
export MIBDIRS=/usr/share/snmp/mibs 

# snmpd control (yes means start daemon).
SNMPDRUN=yes

# snmpd options (use syslog, close stdin/out/err).
SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -g snmp -I -smux -p /var/run/snmpd.pid'

# snmptrapd control (yes means start daemon). As of net-snmp version
# 5.0, master agentx support must be enabled in snmpd before snmptrapd
# can be run. See snmpd.conf(5) for how to do this.
TRAPDRUN=no

# snmptrapd options (use syslog).
TRAPDOPTS='-Lsd -p /var/run/snmptrapd.pid'

# create symlink on Debian legacy location to official RFC path
SNMPDCOMPAT=yes

The special case with a VPS

Container

in most cases a VPS has only one virtual drive attached, what makes it impossible (if the VPS uses LVM) for Proxmox to create a template, since the template needs to be on another Storage (correct me, if it changed in meantime). So what you do instead is download a LXC Template from the GUI, assign it the last possible IP you have and costumize it. This has several advantages:

the first Container has the id 0, if it's your template, the first Container can be assigned with your IP X.X.X.1 you can simply clone your fist Container via GUI even tough it's no "real" Template

Note: This is more or less a workaround, since if you have f.e. ZFS as storage, you CAN create templates. Netherless, it is good practice to use your first created container / VM as template, since it's easier, to assign your IP addresses in order.

Monitoring

Remember to do Backups!!!

install smpd

apt-get install snmpd libsnmp-dev

add v3 user

net-snmp-config --create-snmpv3-user -ro -A authpass -X privpass -a SHA -x AES username

add clientserver to observium

cd /opt/observium
./add_device.php <ipaddress> ap v3 username authpass privpass sha aes 161 udp

remember to open ufw

Proxmox fix

# This file controls the activity of snmpd and snmptrapd

# MIB directories. /usr/share/snmp/mibs is the default, but
# including it here avoids some strange problems.
export MIBDIRS=/usr/share/snmp/mibs 

# snmpd control (yes means start daemon).
SNMPDRUN=yes

# snmpd options (use syslog, close stdin/out/err).
SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -g snmp -I -smux -p /var/run/snmpd.pid'

# snmptrapd control (yes means start daemon). As of net-snmp version
# 5.0, master agentx support must be enabled in snmpd before snmptrapd
# can be run. See snmpd.conf(5) for how to do this.
TRAPDRUN=no

# snmptrapd options (use syslog).
TRAPDOPTS='-Lsd -p /var/run/snmptrapd.pid'

# create symlink on Debian legacy location to official RFC path
SNMPDCOMPAT=yes

Proxmox Workstation

Proxmox Workstation

Install Linux Mint Debian Edition 6

I am assuming, that you want to use a Debian based Operating System (not Ubuntu based) and you want Proxmox, Docker and GPT4All installed on your Laptop. Here I am using Linux Mint Debian Edition 6

let's get started:

Go trough installation process

mint-install.png

Install Proxmox VE

Upgrade the system and install some basic tools

sudo apt update && sudo apt dist-upgrade -y
sudo apt install vim git curl wget htop ssh netcat-traditional openvpn

Cerate a Interface used for LXC Containers: edit /etc/network/interfaces

auto lo
iface lo inet loopback

auto enp2s0
iface enp2s0 inet static
        address 10.10.20.254/24

        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '10.10.20.0/24' -o enp0s3 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.20.0/24' -o enp0s3 -j MASQUERADE

source /etc/network/interfaces.d/*

Edit hosts file, needed to install proxmox successfully vim /etc/hosts

127.0.0.1       localhost
10.10.20.254   devstation.proxmox.local devstation

hostname --ip-address
127.0.0.1 10.10.20.254 # should return your IP address here

Add Proxmox Repos and gpg key

echo "deb [arch=amd64] http://download.proxmox.com/debian/pve bookworm pve-no-subscription" > /etc/apt/sources.list.d/pve-install-repo.list
wget https://enterprise.proxmox.com/debian/proxmox-release-bookworm.gpg -O /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg 

Upgrade Packagebase, Install Proxmox Kernel and reboot

apt update && apt full-upgrade
apt install pve-kernel-6.2
systemctl reboot

Install Proxmox, remove Debian Kernel, update Grub bootloader and remove os-prober

apt install proxmox-ve postfix open-iscsi chrony
apt remove linux-image-amd64 'linux-image-6.1*'
update-grub
apt remove os-prober

We log into the webinterface with root user, so it needs to have a password

sudo -i
passwd

Now navigate to your browser with this URL https://127.0.0.1:8006

Accept the security exception and enter your root password

exception

Now you should see this dashboard

dashboard.png

install Docker and Portainer

sudo apt install docker.io docker-compose
sudo docker volume create portainer_data
sudo docker run -d -p 8000:8000 -p 9443:9443 --name portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce:latest

Now you can navigate to the Docker Webinterface

https://127.0.0.1:9443

you should see something like this

portainer.png

Install GPT4All

comes in very hand for basic questions

wget https://gpt4all.io/installers/gpt4all-installer-linux.run
sudo chmod +x gpt4all-installer-linux.run
mkdir ~/Desktop
./gpt4all-installer-linux.run
mv ~/Desktop/GPT4All.desktop ~/.local/share/applications/

Now download a Language Model via GUI:

models

GPT4All is now ready to answer your questions

gpt4all