Last active
February 2, 2023 00:44
WARNING do not use this on any system you care about, there's a good chance it will irreversibly screw up your installation. Just documenting this for myself.
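#!/bin/bash
# Converts an Ubuntu Focal installation to Debian Bullseye, then installs
# Proxmox VE on top of it.
#
# Intended for a fresh, disposable Ubuntu Focal installation only: it rewrites
# the APT configuration, empties /lib/firmware and overwrites /etc/hosts.
# Must be run as root.

# No blanket `set -e`: several package steps further down are retried on
# purpose, so only the steps that must not fail are checked explicitly.
set -u

# Print an error to stderr and stop.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

# Emit the Debian Bullseye APT sources on stdout.
debian_sources() {
  cat <<'EOF'
deb http://deb.debian.org/debian bullseye main contrib non-free
deb http://deb.debian.org/debian-security/ bullseye-security main contrib non-free
deb http://deb.debian.org/debian bullseye-updates main contrib non-free
EOF
}

[[ ${EUID} -eq 0 ]] || die "this script must be run as root"

# Downloads go to a private scratch directory instead of the current directory.
workdir=$(mktemp -d) || die "mktemp failed"
trap 'rm -rf -- "${workdir}"' EXIT

# The glob also matches the sources.list.d directory, so recreate it empty;
# the Proxmox repository file is written into it later.
rm -rf /etc/apt/sources.list.*
mkdir -p /etc/apt/sources.list.d

# Append the Debian Bullseye sources to the sources.list file, keeping the
# Ubuntu sources for now
debian_sources >> /etc/apt/sources.list

# Pin every Ubuntu-origin package below zero so APT never selects one.
cat <<'EOF' > /etc/apt/preferences.d/10-no-ubuntu
Package: *
Pin: release o=Ubuntu
Pin-Priority: -1000
EOF

# These may need to be updated in the future
readonly debian_pool="https://deb.debian.org/debian/pool/main/d"
readonly keyring_deb="debian-keyring_2022.12.24_all.deb"
readonly archive_keyring_deb="debian-archive-keyring_2021.1.1_all.deb"

# These packages become the trust root for every later APT signature check and
# nothing on this system can verify them yet, so fetch them over HTTPS rather
# than plain HTTP. HTTPS authenticates the mirror only; for stronger assurance
# compare each file's SHA256 with a value obtained from a trusted Debian host.
wget -O "${workdir}/${keyring_deb}" \
  "${debian_pool}/debian-keyring/${keyring_deb}" \
  || die "failed to download ${keyring_deb}"
dpkg -i "${workdir}/${keyring_deb}" \
  || die "failed to install ${keyring_deb}"

wget -O "${workdir}/${archive_keyring_deb}" \
  "${debian_pool}/debian-archive-keyring/${archive_keyring_deb}" \
  || die "failed to download ${archive_keyring_deb}"
dpkg -i "${workdir}/${archive_keyring_deb}" \
  || die "failed to install ${archive_keyring_deb}"

# Stop here if the switch to Debian packages fails: the steps below drop the
# Ubuntu sources and delete firmware, which should not happen on a system that
# is only partly converted.
apt update || die "apt update failed with the Debian sources"
apt dist-upgrade -y --allow-downgrades \
  || die "dist-upgrade failed; Ubuntu sources and firmware left untouched"

# Removing the Ubuntu sources
debian_sources > /etc/apt/sources.list
rm -f -- /etc/apt/preferences.d/10-no-ubuntu

# WARNING this may be dangerous, but for my use case, it is necessary to avoid
# an error when we reinstall linux-image-amd64
rm -rf /lib/firmware/*
apt install -y linux-image-amd64
# Run twice, as in the original procedure.
apt autoremove -y
apt autoremove -y

# From here on out it's just the Proxmox installation:
echo "Enter the domain name that will resolve to this servers IP address"
read -r hostname

# The value ends up in /etc/hosts and the system hostname, so accept only
# characters that are valid in a DNS name.
readonly hostname_re='^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
[[ ${hostname} =~ ${hostname_re} ]] || die "invalid hostname: ${hostname}"

apt update && apt full-upgrade -y
hostnamectl set-hostname "${hostname}"

# The public address comes from a third-party service and is written to
# /etc/hosts: request it over HTTPS, fail on HTTP errors, and refuse anything
# that does not look like an IP address.
myip=$(curl --silent --fail --max-time 15 https://ifconfig.me) \
  || die "could not determine the public IP address"
[[ ${myip} =~ ^[0-9A-Fa-f:.]+$ ]] \
  || die "unexpected response from the IP lookup service"

printf '127.0.0.1 localhost\n%s %s\n' "${myip}" "${hostname}" > /etc/hosts

# This ensures the hostname changes don't get reverted by cloud-init
if [[ -f /etc/cloud/cloud.cfg ]]; then
  sed -i '/host/d' /etc/cloud/cloud.cfg
fi

printf '%s\n' \
  "deb [arch=amd64] http://download.proxmox.com/debian/pve bullseye pve-no-subscription" \
  > /etc/apt/sources.list.d/pve-install-repo.list

# Download the Proxmox release key to the scratch directory first so a failed
# or partial download never lands in APT's trusted key directory.
# NOTE(review): a key in trusted.gpg.d is trusted for every configured
# repository; compare its checksum with the one published in the Proxmox
# installation documentation before relying on it.
readonly pve_key_name="proxmox-release-bullseye.gpg"
wget "https://enterprise.proxmox.com/debian/${pve_key_name}" \
  -O "${workdir}/${pve_key_name}" \
  || die "failed to download the Proxmox release key"
install -m 0644 "${workdir}/${pve_key_name}" \
  "/etc/apt/trusted.gpg.d/${pve_key_name}" \
  || die "failed to install the Proxmox release key"

apt update && apt full-upgrade -y

# The install / force-overwrite / fix sequence below is kept best-effort, as
# in the original: presumably pve-firmware collides with files owned by other
# packages and needs the retries — confirm before making any step fatal.
apt install proxmox-ve postfix open-iscsi fail2ban -y
apt remove os-prober -y
dpkg --force-overwrite -i /var/cache/apt/archives/pve-firmware*.deb
apt -f install -y
dpkg --force-overwrite -i /var/cache/apt/archives/pve-firmware*.deb

# fail2ban jails for the Proxmox web UI and for SSH.
cat <<'EOF' > /etc/fail2ban/jail.local
[proxmox]
enabled = true
port = https,http,8006
filter = proxmox
logpath = /var/log/daemon.log
maxretry = 3
# 1 hour
bantime = 3600
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
findtime = 300
bantime = 3600
ignoreip = 127.0.0.1
EOF

# Filter matching pvedaemon authentication failures for the [proxmox] jail.
cat <<'EOF' > /etc/fail2ban/filter.d/proxmox.conf
[Definition]
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
ignoreregex =
EOF

echo "REBOOT before doing anything else"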