This repository is my way of documenting strategies for setting up a server using Proxmox
Checklist:
- Disable the firewall before deploying the Proxmox container (otherwise Portainer templates will not load).
- Configure static IP, ex. 192.168.1.2/24 and gateway should be the router IP.
- If router is configured to block ads and trackers it may be a good idea to set alternate DNS servers
- The recommended way to install docker is using their official install script:
curl -fsSL https://get.docker.com -o get-docker.sh
sh get-docker.sh
- Check if docker is running after install:
systemctl status docker
- https://thehomelab.wiki/books/promox-ve/page/setup-and-install-docker-in-a-promox-7-lxc-conainer
- https://github.com/docker/docker-install
- Install Portainer with ports 9000 and 8000:
docker run -d \
--name="portainer" \
--restart on-failure \
-p 9000:9000 \
-p 8000:8000 \
-v /var/run/docker.sock:/var/run/docker.sock \
-v portainer_data:/data \
portainer/portainer-ce:latest
- Get the CONTAINER ID of portainer
docker container ls
- Stop the portainer docker using the ID, refrencing the first 4 characters if the id should be enough
docker stop >CTID<
- Remove the image
docker rm >CTID<
- Pull the latest image
docker pull portainer/portainer-ce:latest
- Start the container again
docker run -d \
--name="portainer" \
--restart on-failure \
-p 9000:9000 \
-p 8000:8000 \
-v /var/run/docker.sock:/var/run/docker.sock \
-v portainer_data:/data \
portainer/portainer-ce:latest
Sources:
- https://thehomelab.wiki/books/docker/page/installing-docker-and-portainer-to-use-with-the-edge-agent
- Once wireguard has been installed edit the config file, it may have a different name but wg0 is common:
nano /etc/wireguard/wg0.conf
- Add the following snippet to the config:
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
- The config file should resemble the one below after the edit:
[Interface]
PrivateKey = abcdefghijklmnopqrstuvwxyz0123456789=
Address = 172.x.y.z/32
DNS = 172.16.0.1
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
[Peer]
PublicKey = JPT1veXLmasj2uQDstX24mpR7VWD+GmV8JDkidkz91Q=
Endpoint = us-tx1.wg.ivpn.net:2049
AllowedIPs = 0.0.0.0/0
- Set up the wg0 interface to startup at boot:
systemctl enable --now wg-quick@wg0
- Start the service:
systemctl start wg-quick@wg0
- Status check:
systemctl status wg-quick@wg0
- Check the public ip and location:
curl ipinfo.io/ip
curl ipinfo.io/country
curl ipinfo.io/city
curl ipinfo.io
- https://www.ivpn.net/knowledgebase/linux/linux-autostart-wireguard-in-systemd/
- https://www.ivpn.net/knowledgebase/linux/linux-wireguard-kill-switch/
Use one of the following snippets to check the public ip in the terminal:
curl ifconfig.me
curl -4/-6 icanhazip.com
curl ipinfo.io/ip
curl api.ipify.org
curl checkip.dyndns.org
dig +short myip.opendns.com @resolver1.opendns.com
host myip.opendns.com resolver1.opendns.com
curl ident.me
curl bot.whatismyipaddress.com
curl ipecho.net/plain
Next time: Try skipping to b onwards and see if these steps alone are enough. 1a. List the UUIDs of all connected devices:
blkid
2a. Copy the UUID of the disk you want to mount and insert it in a mount command:
mount UUID={paste uuid} /mnt/path/to/empty/folder
3a. To have linux automatically mount the disk on reboot, add the line to the fstab file (/etc/fstab):
UUID={paste uuid} /mnt/path/to/empty/folder ext4 defaults 0 0
4b. (Optional (wipe disk):) Go to proxmox web interface > host > Disks - select the new disk and wipe.
6b. (Optional:) Go to host > Disks > Directory > Create: Directory > Make a filesystem on the disk, fx ext4 and give it a name.
- Open the config file of the container you want to add the mount point to:
nano /etc/pve/lxc/{container_id}.conf
- Add a bind mount command to the LXC container config (you can map any existing folder on the mounted device to a folder inside the container):
mp0: /mnt/path/to/folder/on/mounted/device,mp=/mnt/folder/inside/ct
- Allow host to remap the uid/gid by adding the follwing two lines to the subuid and subgid files:
- Into:
nano /etc/subuid
- Paste:
root:100000:65536 root:1000:1
- Into:
nano /etc/subgid
- Paste:
root:100000:65536 root:1000:1
- Configure the remapping inside the containder config file:
- From the host, enter:
nano /etc/pve/lxc/{container_id}.conf
- Paste these lines into the container config file:
lxc.idmap: u 0 100000 1000 lxc.idmap: g 0 100000 1000 lxc.idmap: u 1000 1000 1 lxc.idmap: g 1000 1000 1 lxc.idmap: u 1001 101001 64535 lxc.idmap: g 1001 101001 64535
- Once step 1 has been done for a particular host, step 2 can be repeated for all containers nessesary containers by copy/pasting the lxc.idmap lines (and the bind mount 'mp0: ...')
- (To be tested) Remember to setup any docker container that need access to the bind mount to run as this user.
- This guide was synthesized from https://proxmox-idmap-helper.nieradko.com/ using the following input:
- Unwrapping the lxc.idmap commands:
- "u" means user id mapping
- "g" means group id mapping
- first integer is the start of the range of identifiers to remap
- second integer is the end of the range of identifiers to remap
- third integer is the number of identifiers to remap (i.e. the size of the range)
- To allow our remapped user read/write access to the bind mount inside the container we first need to set ownership of the mounted disk on the host to 1000:1000
chown 1000:1000 /mnt/path/to/empty/folder -R
Sources:
- https://itsembedded.com/sysadmin/proxmox_bind_unprivileged_lxc/
- https://virtualizeeverything.com/2022/05/18/passing-usb-storage-drive-to-proxmox-lxc/
- https://www.youtube.com/watch?v=w9X94bAm3dI
- https://www.youtube.com/watch?v=iz861jRUujw
- https://proxmox-idmap-helper.nieradko.com/
- https://kcore.org/2022/02/05/lxc-subuid-subgid/ # some explanations for the commands used for user remapping, but i have not veryfied the correctness of the commands
- Remember to set permissions of new files and folders as 775
- Remember to create the group (gid 1000) before creating the user (uid 1000), then when creating the user set the group (gid 1000) as primary group.
rclone mount crypt: /mnt/crypt --config=/root/.config/rclone/rclone.conf --umask=022 --gid=1000 --uid=1000 --allow-other --timeout=1h --poll-interval=15s --dir-cache-time=1000h --cache-dir=/mnt/personal/personal/embycache --vfs-cache-mode=full --vfs-cache-max-size=50G --vfs-cache-max-age=12h --daemon