From ec4febcc2e9b47da82d851d5e7fd84aa2a3257e6 Mon Sep 17 00:00:00 2001 From: Hugo LAMY Date: Tue, 22 Apr 2025 22:56:27 +0200 Subject: [PATCH] enhanced tuto server for proxmox --- tutos/server.md | 135 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 135 insertions(+) diff --git a/tutos/server.md b/tutos/server.md index dcf1852..d714ec2 100644 --- a/tutos/server.md +++ b/tutos/server.md 
@@ -1,5 +1,140 @@ ssh huho@62.210.206.99 +--- + +install new os steps : +- exemple os : proxmox +- connect to ecowan +- activate IPMI (Intelligent Platform Management Interface) : + - fill ip address (ip of internet connexion) + - ecowan generates : + - the session ip : 51.159.47.149 + - the username : sd-51086 + - the password is shown on ecowan panel +- you can use it to connect to the IDRAC6 panel with different methods : + 1. either go to the url `https://51.159.47.149` + 2. or with this script (which download the java packages and create the console for you) : + - the script can be found here : **https://gist.github.com/TheJJ/2394cd76d3e2c34d02e3da1bd3e489b2?ref=blockdev.io** + - I added it to this config folder + - i also added it to the PATH **~/.local/bin/idracclient.py** so you can call it from anywhere like that : **idracclient.py -u ** + 3. or use a java console, manually (you need to download all the java packages), + - folder architecture : + idrac-folder/ + ├── jre/ ← contains bin/java + ├── jnlp/ ← optional: keep the original .jnlp here for backup + ├── avctKVM.jar + ├── lib/ + │ ├── libavctKVMIO.so + │ └── libavmLinux.so + └── start-virtual-console.sh + - jre/ : + - download from oracle : https://www.oracle.com/java/technologies/javase/javase7-archive-downloads.html + - download `1.7.0_80 or 1.7.0_79` : `jre-7u80-macosx-x64.tar.gz` or `jre-7u79-macosx-x64.tar.gz` (need to create an account) + - jnlp/ : + - connect to idrac online from ecowan session + - download jnlp by clicking `launch virtual console` + - avctKVM.jar : + - find the file avctKVM to download in the jnlp file by looking for line : `` + - download with this curl command to avoid problems with dh : `curl -k --ciphers 'DEFAULT:!DH' "https://51.159.47.149:443/software/avctKVM.jar" -o avctKVM.jar` + - lib/ : + - find the lines in jnlp file to download : + `` + `` + - download them : + `curl -k --ciphers 'DEFAULT:!DH' "https://51.159.47.149:443/software/avctKVMIOLinux64.jar" -o 
avctKVMIOLinux64.jar` + `curl -k --ciphers 'DEFAULT:!DH' "https://51.159.47.149:443/software/avctVMLinux64.jar" -o avctVMLinux64.jar` + - `mkdir -p lib` + - extract from the native library jars + `unzip -j avctKVMIOLinux64.jar "*.so" -d lib/` + `unzip -j avctVMLinux64.jar "*.so" -d lib/` + - start-virtual-console.sh : + ``` + #!/bin/bash + echo -n 'jre folder: ' + read dracjrefolder + echo -n 'host ip: ' + read drachost + echo -n 'username: ' + read dracuser + echo -n 'password: ' + read -s dracpwd + echo + ./$dracjrefolder/bin/java -cp avctKVM.jar -Djava.library.path=./lib com.avocent.idrac.kvm.Main ip=$drachost kmport=5900 vport=5900 user=$dracuser passwd=$dracpwd apcp=1 version=2 vmprivilege=true "helpurl=https://$drachost:443/help/contents.html" + ``` + - make it executable : `chmod +x start-virtual-console.sh` + - then on the console, you don't need to login, just click on attaching a media, map your iso file, and then click on warn reboot, and when prompter press f11 to enter boot menu and choose the virtual cd with the iso file + +--- + +proxmox network configuration : + +- hostname (FQDN - Fully Qualified Domain Name) : proxmox.hugulumu.fr +- ip address (CIDR) : 62.210.206.99/24 +- gateway : 62.210.206.1 +- DNS server : 1.1.1.1 (cloudflare) + +still need to do : + +- Create the A record (e.g. proxmox.hugulumu.fr) : + You can point your domain whenever you want — the hostname is just internal until then. +- Configure HTTPS (Let’s Encrypt or proxy) : + By default, Proxmox uses a self-signed cert. You’ll get browser warnings, but it still works securely. +- Set up a firewall or 2FA : + Strongly recommended later, especially since it’s a public server — but not required to get started. + -> Enable 2FA, Or even set up a reverse proxy with HTTPS (Let’s Encrypt) and restrict access with a VPN or fail2ban + +todo list : + +✅ 1. DNS Configuration + + - [ ] Create an A record: + - proxmox.hugulumu.fr → your server’s public IP. 
+ - Do it from your domain registrar (where you manage hugulumu.fr). + - [ ] Wait for DNS propagation (can take a few minutes to hours). + +🔐 2. HTTPS Access + + - [ ] Set up a valid SSL certificate for your Proxmox web UI: + - Option 1: Use Let’s Encrypt via acme.sh or Proxmox built-in ACME support. + - Option 2: Use a reverse proxy like Nginx or Caddy (if you plan to expose more services later). + +🛡️ 3. Firewall Setup + + - [ ] Enable firewall on Proxmox (Datacenter → Firewall → Enable). + - [ ] Create basic rules: + - Allow Web UI (port 8006) + - Allow SSH (port 22) + - Block everything else by default + - [ ] If your hoster (like Online.net / Scaleway / Hetzner?) has a cloud firewall, configure it too. + +🔐 4. Secure Access + + - [ ] Create a new user for yourself, disable root login (or set 2FA for root) + - [ ] Enable 2FA (TOTP) for web UI + - [ ] Set up SSH key authentication and disable password SSH login (optional but good) + +🧰 5. System Updates + + - [ ] apt update && apt full-upgrade + - [ ] Enable automatic security updates: + ``` + apt install unattended-upgrades + dpkg-reconfigure --priority=low unattended-upgrades + ``` + +🧠 6. Backups and Templates + + - [ ] Set up a storage volume (local or NFS/SSH backup target) + - [ ] Download some VM templates (Debian, Ubuntu, etc.) + - [ ] Create a snapshot or scheduled backup job + +🚨 Optional (But Nice): + + - [ ] Set up fail2ban or similar tool + - [ ] Monitor with cockpit or netdata + - [ ] Set up email notifications for Proxmox alerts + + --- ipv6 : fe80::d6ae:52ff:fec9:29d6
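Review bot: in `start-virtual-console.sh` the iDRAC password is handed to java as the command-line argument `passwd=$dracpwd`, so it stays readable in the process list while the console runs, and `$dracjrefolder`, `$drachost`, `$dracuser` and `$dracpwd` are all expanded unquoted, so a password containing a space or a glob character is split or expanded before java receives it. Quote every expansion, use `read -r` so backslashes in the password survive, and state in the tutorial that the argument is visible to other local users, so the script belongs on a single-user machine.

In the avctKVM.jar and lib/ steps, `curl -k` turns off certificate verification for jars and `.so` files that are then executed locally. The text explains `--ciphers 'DEFAULT:!DH'` but not `-k`; say why it is needed and that the downloads are unverified. The jre/ step names `jre-7u80-macosx-x64.tar.gz` while lib/ is filled from the Linux64 jars. A macOS JRE cannot load Linux `.so` files, so state which platform the manual method targets and use matching archives.

The hunk commits the live IPMI session IP, the `sd-51086` username and the server's public IP. Replace them with placeholders before this lands in the repository history. In the todo list, "Enable firewall on Proxmox" comes before "Create basic rules"; since the rules end with "Block everything else by default", put the 8006 and 22 allow rules first so the ordering cannot cut off the access the list wants to keep. "it still works securely" overstates the self-signed case: accepting the browser warning means the server's identity is not checked, so suggest comparing the certificate fingerprint until the Let's Encrypt step is done.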