diff --git a/config/users.json b/config/users.json new file mode 100644 index 0000000..d996e89 --- /dev/null +++ b/config/users.json @@ -0,0 +1,9 @@ +[ + { + "username": "martin", + "ssh_keys": [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAbhoySAszm9rtDlkxt1odZyFv4C5rljjKdEUXlcYjh martin@i9" + ], + "sudo": true + } +] diff --git a/ct/ubuntu.sh b/ct/ubuntu.sh index 77f836e..926c67d 100644 --- a/ct/ubuntu.sh +++ b/ct/ubuntu.sh @@ -1,24 +1,28 @@ #!/usr/bin/env bash source <(curl -fsSL https://git.inbox.sk/proxmox/Ubuntu24_LXC/raw/branch/main/misc/build.func) -# Copyright (c) 2021-2026 tteck -# Author: tteck (tteckster) -# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE -# Source: https://ubuntu.com/ +# Vlastný skript pre Ubuntu 24.04 LXC kontajner +# Zdroj: https://git.inbox.sk/proxmox/Ubuntu24_LXC APP="Ubuntu" var_tags="${var_tags:-os}" -var_cpu="${var_cpu:-1}" -var_ram="${var_ram:-512}" -var_disk="${var_disk:-2}" +var_cpu="${var_cpu:-4}" +var_ram="${var_ram:-4096}" +var_disk="${var_disk:-32}" var_os="${var_os:-ubuntu}" var_version="${var_version:-24.04}" var_unprivileged="${var_unprivileged:-1}" +# URL pre stiahnutie users.json +USERS_JSON_URL="https://git.inbox.sk/proxmox/Ubuntu24_LXC/raw/branch/main/config/users.json" + header_info "$APP" variables color catch_errors +# ============================================================================= +# update_script() - aktualizácia existujúceho kontajnera +# ============================================================================= function update_script() { header_info check_container_storage 
@@ -35,7 +39,171 @@ function update_script() { exit } -start +# ============================================================================= +# simple_install() - zjednodušená inštalácia s výberom užívateľov +# ============================================================================= +simple_install() { + pve_check + shell_check + root_check + arch_check + + NEXTID=$(pvesh get /cluster/nextid) + + # Timezone + if command -v timedatectl >/dev/null 2>&1; then + timezone=$(timedatectl show --value --property=Timezone 2>/dev/null || echo "UTC") + elif [ -f /etc/timezone ]; then + timezone=$(cat /etc/timezone) + else + timezone="UTC" + fi + + header_info + + # --- KROK 1: Hostname --- + HN=$(whiptail --backtitle "Ubuntu LXC Setup" \ + --title "HOSTNAME" \ + --inputbox "\nZadaj hostname pre kontajner:" 10 58 "ubuntu" \ + 3>&1 1>&2 2>&3) || exit_script + HN=$(echo "${HN,,}" | tr -d ' ') + [[ -z "$HN" ]] && HN="ubuntu" + + # --- KROK 2: IP adresa --- + local ip_input + ip_input=$(whiptail --backtitle "Ubuntu LXC Setup" \ + --title "IP ADRESA" \ + --inputbox "\nZadaj statickú IP adresu s maskou\n(napr. 
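Review bot: `USERS_JSON_URL` points at the mutable `main` branch, so the set of accounts created in every new container (and, through the JSON `sudo` flag consumed by the install script, who gets passwordless root) is whatever that branch holds at install time, and unlike the `var_*` defaults the value cannot be overridden from the environment. Pin it to a tag or commit and make it overridable, e.g. `USERS_JSON_URL="${USERS_JSON_URL:-https://git.inbox.sk/proxmox/Ubuntu24_LXC/raw/tag/v1/config/users.json}"`; since `curl` accepts `file://` URLs this also lets an operator keep the user list out of the public repository. Separately, the removed lines were an MIT license header: if this file is derived from the community-scripts `ubuntu.sh`, the MIT terms require the copyright and permission notice to be kept in modified copies, so the attribution should be restored, e.g. `# Based on community-scripts/ProxmoxVE ct/ubuntu.sh (MIT, Copyright (c) 2021-2026 tteck)`.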
192.168.1.100/24)\n\nAlebo nechaj prázdne pre DHCP:" 12 58 "" \ + 3>&1 1>&2 2>&3) || exit_script + + if [[ -n "$ip_input" ]]; then + NET="$ip_input" + # Gateway + local default_gw + default_gw=$(echo "$ip_input" | cut -d'/' -f1 | sed 's/\.[0-9]*$/.1/') + GATE=$(whiptail --backtitle "Ubuntu LXC Setup" \ + --title "GATEWAY" \ + --inputbox "\nZadaj gateway:" 10 58 "$default_gw" \ + 3>&1 1>&2 2>&3) || exit_script + [[ -z "$GATE" ]] && GATE="$default_gw" + else + NET="dhcp" + GATE="" + fi + + # --- KROK 3: Resources --- + DISK_SIZE=$(whiptail --backtitle "Ubuntu LXC Setup" \ + --title "DISK" \ + --inputbox "\nVeľkosť disku v GB:" 10 58 "$var_disk" \ + 3>&1 1>&2 2>&3) || exit_script + [[ -z "$DISK_SIZE" ]] && DISK_SIZE="$var_disk" + + RAM_SIZE=$(whiptail --backtitle "Ubuntu LXC Setup" \ + --title "RAM" \ + --inputbox "\nVeľkosť RAM v MB:" 10 58 "$var_ram" \ + 3>&1 1>&2 2>&3) || exit_script + [[ -z "$RAM_SIZE" ]] && RAM_SIZE="$var_ram" + + CORE_COUNT=$(whiptail --backtitle "Ubuntu LXC Setup" \ + --title "CPU" \ + --inputbox "\nPočet CPU jadier:" 10 58 "$var_cpu" \ + 3>&1 1>&2 2>&3) || exit_script + [[ -z "$CORE_COUNT" ]] && CORE_COUNT="$var_cpu" + + # --- KROK 4: Výber užívateľov z users.json --- + msg_info "Sťahujem zoznam užívateľov" + local users_json + users_json=$(curl -fsSL "$USERS_JSON_URL") || { + msg_error "Nepodarilo sa stiahnuť users.json" + exit 1 + } + msg_ok "Zoznam užívateľov stiahnutý" + + # Parsovanie užívateľov pre whiptail checklist + local user_count + user_count=$(echo "$users_json" | jq length) + + if [[ "$user_count" -eq 0 ]]; then + msg_warn "Žiadni užívatelia v users.json" + SELECTED_USERS="" + else + local checklist_args=() + for i in $(seq 0 $((user_count - 1))); do + local uname + uname=$(echo "$users_json" | jq -r ".[$i].username") + local key_count + key_count=$(echo "$users_json" | jq ".[$i].ssh_keys | length") + checklist_args+=("$uname" "${key_count} SSH kľúč(ov)" "ON") + done + + SELECTED_USERS=$(whiptail --backtitle "Ubuntu LXC Setup" \ 
+ --title "UŽÍVATELIA" \ + --checklist "\nVyber užívateľov na vytvorenie:\n(SPACE = zaškrtni, ENTER = potvrď)" \ + $((user_count + 10)) 58 "$user_count" \ + "${checklist_args[@]}" \ + 3>&1 1>&2 2>&3) || exit_script + fi + + # Export pre install skript + export SELECTED_USERS + export USERS_JSON="$users_json" + + # --- Nastavenie premenných pre build_container --- + CT_TYPE="$var_unprivileged" + CT_ID="$NEXTID" + BRG="${var_brg:-vmbr0}" + MAC="" + VLAN="" + MTU="" + SD="" + NS="" + IPV6_METHOD="auto" + IPV6_ADDR="" + IPV6_GATE="" + SSH="no" + SSH_AUTHORIZED_KEY="" + APT_CACHER="" + APT_CACHER_IP="" + ENABLE_FUSE="no" + ENABLE_TUN="no" + ENABLE_GPU="no" + ENABLE_NESTING="1" + ENABLE_KEYCTL="0" + ENABLE_MKNOD="0" + PROTECT_CT="no" + CT_TIMEZONE="$timezone" + TAGS="community-script;${var_tags:-}" + PW="" + VERBOSE="no" + METHOD="simple" + DIAGNOSTICS="no" + + # Zobraz súhrn + header_info + echo -e "${DEFAULT}${BOLD}${BL}Ubuntu LXC - Inštalácia${CL}" + echo -e "${TAB}${HOSTNAME}${YW} Hostname: ${GN}${HN}${CL}" + echo -e "${TAB}${NETWORK}${YW} IP: ${GN}${NET}${CL}" + if [[ -n "$GATE" ]]; then + echo -e "${TAB}${GATEWAY}${YW} Gateway: ${GN}${GATE}${CL}" + fi + echo -e "${TAB}${DISKSIZE}${YW} Disk: ${GN}${DISK_SIZE}GB${CL}" + echo -e "${TAB}${RAMSIZE}${YW} RAM: ${GN}${RAM_SIZE}MB${CL}" + echo -e "${TAB}${CPUCORE}${YW} CPU: ${GN}${CORE_COUNT} jadier${CL}" + if [[ -n "$SELECTED_USERS" ]]; then + echo -e "${TAB}${ROOTSSH}${YW} Užívatelia: ${GN}${SELECTED_USERS}${CL}" + fi + echo "" + + # Potvrdenie + if ! whiptail --backtitle "Ubuntu LXC Setup" \ + --title "POTVRDENIE" \ + --yesno "Pokračovať s inštaláciou?" 8 58; then + exit_script + fi +} + +# Spustenie +simple_install build_container description diff --git a/install/ubuntu-install.sh b/install/ubuntu-install.sh index 101462b..6646e00 100644 --- a/install/ubuntu-install.sh +++ b/install/ubuntu-install.sh 
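Review bot: The whiptail answers for `DISK_SIZE`, `RAM_SIZE` and `CORE_COUNT` are free text and are handed to `build_container` unchecked, as is the address in `NET` (only the hostname gets `tr -d ' '`), so a typo surfaces only as a failed container creation after `NEXTID` was already chosen, or worse if the sourced helper interpolates these values into a shell string; after each prompt add `[[ "$DISK_SIZE" =~ ^[0-9]+$ ]] || { msg_error "Neplatná hodnota"; exit_script; }` (likewise for the other two) and `[[ "$NET" == dhcp || "$NET" =~ ^[0-9.]+/[0-9]+$ ]] || exit_script` for the address. `jq` is needed on the Proxmox host but nothing verifies it is installed, and a non-array download (an error page, or an object) makes `jq length` return a value the loop cannot use; `command -v jq >/dev/null || { msg_error "jq chýba"; exit 1; }` before the download and `jq -e 'type == "array"' <<<"$users_json" >/dev/null || exit 1` after it would catch both. The checklist description `"${key_count} SSH kľúč(ov)"` gives the operator no way to see whose key is about to be installed; showing the key comment (`jq -r ".[$i].ssh_keys[0] | split(\" \")[2]"`) or an `ssh-keygen -lf` fingerprint in that column would make the selection meaningful. The loop also interpolates `$i` into the jq filter; `jq -r --argjson i "$i" '.[$i].username'` is the idiomatic form and avoids any future accident if the index ever comes from elsewhere.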
@@ -1,9 +1,6 @@ #!/usr/bin/env bash - -# Copyright (c) 2021-2026 tteck -# Author: tteck (tteckster) -# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE -# Source: https://ubuntu.com/ +# Inštalačný skript pre Ubuntu 24.04 LXC kontajner +# Beží VNÚTRI kontajnera po jeho vytvorení source /dev/stdin <<<"$FUNCTIONS_FILE_PATH" color 
@@ -13,6 +10,84 @@ setting_up_container network_check update_os +# ============================================================================= +# Inštalácia balíčkov +# ============================================================================= +msg_info "Inštalujem dodatočné balíčky" +$STD apt-get install -y mc wget git curl openssh-server +msg_ok "Balíčky nainštalované" + +# ============================================================================= +# Vytvorenie užívateľov z USERS_JSON + SELECTED_USERS +# ============================================================================= +if [[ -n "${USERS_JSON:-}" && -n "${SELECTED_USERS:-}" ]]; then + msg_info "Vytváram užívateľov" + + # Parsovanie SELECTED_USERS (whiptail vracia "user1" "user2" formát) + selected_list=$(echo "$SELECTED_USERS" | tr -d '"') + + user_count=$(echo "$USERS_JSON" | jq length) + for i in $(seq 0 $((user_count - 1))); do + username=$(echo "$USERS_JSON" | jq -r ".[$i].username") + has_sudo=$(echo "$USERS_JSON" | jq -r ".[$i].sudo") + + # Kontrola, či bol užívateľ vybraný + if ! 
echo "$selected_list" | grep -qw "$username"; then + continue + fi + + # Vytvorenie užívateľa s náhodným heslom + random_pw=$(openssl rand -base64 16) + useradd -m -s /bin/bash "$username" + echo "${username}:${random_pw}" | chpasswd + + # SSH kľúče + user_home="/home/${username}" + mkdir -p "${user_home}/.ssh" + chmod 700 "${user_home}/.ssh" + + key_count=$(echo "$USERS_JSON" | jq ".[$i].ssh_keys | length") + for k in $(seq 0 $((key_count - 1))); do + key=$(echo "$USERS_JSON" | jq -r ".[$i].ssh_keys[$k]") + echo "$key" >> "${user_home}/.ssh/authorized_keys" + done + + chmod 600 "${user_home}/.ssh/authorized_keys" + chown -R "${username}:${username}" "${user_home}/.ssh" + + # Sudo bez hesla + if [[ "$has_sudo" == "true" ]]; then + echo "${username} ALL=(ALL) NOPASSWD: ALL" > "/etc/sudoers.d/${username}" + chmod 440 "/etc/sudoers.d/${username}" + fi + + msg_ok "Užívateľ vytvorený: ${username}" + done +fi + +# ============================================================================= +# SSH Hardening +# ============================================================================= +msg_info "Konfigurujem SSH" + +# Záloha pôvodnej konfigurácie +cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak + +# Zakázať root login a prihlásenie heslom +sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config +sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config +sed -i 's/^#\?PubkeyAuthentication.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config +sed -i 's/^#\?ChallengeResponseAuthentication.*/ChallengeResponseAuthentication no/' /etc/ssh/sshd_config + +# Reštart SSH +systemctl enable ssh +systemctl restart ssh + +msg_ok "SSH nakonfigurované (len kľúče, root zakázaný)" + +# ============================================================================= +# Štandardné dokončenie +# ============================================================================= motd_ssh customize cleanup_lxc
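Review bot: Every value from `USERS_JSON` is used as-is: `username` becomes a `useradd` argument, a home path, a sudoers line and a file name under `/etc/sudoers.d`, and a failing `useradd` (invalid name, or an account that already exists) is never checked, so depending on whether the sourced functions enable `set -e` the install either aborts half-way or goes on to write `authorized_keys` and a `NOPASSWD: ALL` sudoers file for an account that was never created. A `sudoers.d` file that does not parse makes `sudo` refuse to run for every user, and with root and password SSH logins disabled a few lines below that leaves no remote privileged path into the container, so validate the name before `useradd`, check its exit status, and run `visudo -cf` on a temporary file before installing it (rewrite below). The same trust applies to `echo "$key" >> "${user_home}/.ssh/authorized_keys"`: a key string containing a newline silently adds extra keys, so `ssh-keygen -lf <(printf '%s\n' "$key") >/dev/null || continue` before appending is a cheap guard. On Ubuntu 24.04 `sshd_config` typically starts with `Include /etc/ssh/sshd_config.d/*.conf` and sshd takes the first value it sees for a directive, so a drop-in (cloud-init's, for example) can override all four `sed` edits; writing the directives to `/etc/ssh/sshd_config.d/00-hardening.conf` and confirming with `sshd -T | grep -Ei 'permitrootlogin|passwordauthentication'` (plus `sshd -t`) before the restart is more robust. Finally `grep -qw "$username"` treats the name as a regex and `-` as a word boundary, so with users `foo` and `foo-bar` selecting only `foo-bar` also creates `foo`; compare whole tokens instead, e.g. `tr -d '"' <<<"$SELECTED_USERS" | tr ' ' '\n' | grep -qxF -- "$username"`.
```shell
    # … unchanged: selection check …
    # Only names that are safe as a useradd argument, a path and a sudoers entry
    if [[ ! "$username" =~ ^[a-z_][a-z0-9_-]{0,31}$ ]]; then
      msg_error "Neplatné meno užívateľa: ${username}"
      continue
    fi
    random_pw=$(openssl rand -base64 16)
    if ! useradd -m -s /bin/bash "$username"; then
      msg_error "useradd zlyhal pre: ${username}"
      continue
    fi
    # … unchanged: chpasswd, SSH key loop, chmod/chown …
    if [[ "$has_sudo" == "true" ]]; then
      sudoers_tmp=$(mktemp)
      printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$username" > "$sudoers_tmp"
      # a malformed sudoers.d file disables sudo for everyone, so validate before installing
      if visudo -cf "$sudoers_tmp" >/dev/null; then
        install -m 440 -o root -g root "$sudoers_tmp" "/etc/sudoers.d/${username}"
      else
        msg_error "Neplatný sudoers záznam pre: ${username}"
      fi
      rm -f -- "$sudoers_tmp"
    fi
```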