echo6-docs/runbooks/ct-runbook.md
Matt Johnson e9231ac24a Migration: consolidate Echo6 docs to cortex with full infrastructure cleanup sync
- Documents recent infrastructure cleanup (8 CTs destroyed, 35 DNS records removed, Headscale cleanup)
- Adds 24 new runbooks covering Authentik, PeerTube, Meshtastic, RECON, Proxmox, Mailcow, Internet Archive, GPU routing
- Adds project documentation for headscale, vaultwarden, peertube, matrix, mmud, advbbs, arr stack
- Updates services.md, environment.md, caddy.md, authentik.md to match live infrastructure
- Removes 4 deprecated runbook duplicates (canonical versions live in projects/)
- Adds .gitignore for binary archives and editor temp files

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-13 06:02:16 +00:00


# Proxmox CT/LXC Provisioning Runbook
Every container gets the same baseline: local user, Tailscale, SSH, Docker, and common tools. No exceptions.
---
## Prerequisites
- Proxmox VE host with Ubuntu 24.04 LXC template downloaded
- Tailscale auth key (reusable, from https://login.tailscale.com/admin/settings/keys)
- SSH access to Proxmox host
If you don't have the template cached yet:
```bash
pveam update
pveam download local system ubuntu-24.04-standard_24.04-2_amd64.tar.zst
```
---
## 1. Create the Container
Pick the next available CTID. Adjust `--memory`, `--cores`, and `--rootfs` to fit the workload.
```bash
# Variables — edit these per container
CTID=110
HOSTNAME="mycontainer"
STORAGE="local-lvm" # or zfs-pool, ceph, etc.
DISK_SIZE=8 # GB
MEMORY=2048 # MB
CORES=2
BRIDGE="vmbr0"
pct create $CTID local:vztmpl/ubuntu-24.04-standard_24.04-2_amd64.tar.zst \
  --hostname $HOSTNAME \
  --storage $STORAGE \
  --rootfs ${STORAGE}:${DISK_SIZE} \
  --memory $MEMORY \
  --cores $CORES \
  --net0 name=eth0,bridge=${BRIDGE},ip=dhcp \
  --unprivileged 1 \
  --features nesting=1,keyctl=1 \
  --onboot 1 \
  --start 1
```
`nesting=1` is required for Docker. `keyctl=1` prevents keyring errors in systemd containers.
Wait a few seconds for the container to boot, then enter it:
```bash
pct enter $CTID
```
Everything from here on runs **inside the container**.
---
## 2. Base System Update
```bash
apt update && apt upgrade -y
```
---
## 3. Common Tools
```bash
apt install -y \
  curl \
  wget \
  vim \
  htop \
  git \
  unzip \
  jq \
  net-tools \
  dnsutils \
  ca-certificates \
  gnupg \
  lsb-release \
  sudo \
  sshpass
```
---
## 4. Create User
```bash
useradd -m -s /bin/bash -G sudo zvx
echo "zvx:7redditGold" | chpasswd
```
Verify:
```bash
su - zvx -c "whoami && sudo -l"
```
---
## 5. SSH Configuration
SSH should already be running in the Ubuntu 24.04 template, but make sure password auth is enabled for sshpass workflows:
```bash
# Ensure SSH is installed and running
apt install -y openssh-server
systemctl enable --now ssh
# Allow password auth (needed for sshpass)
sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication yes/' /etc/ssh/sshd_config
sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
systemctl restart ssh
```
Test from the Proxmox host (exit the container first):
```bash
CT_IP=$(pct exec $CTID -- hostname -I | awk '{print $1}')
sshpass -p '7redditGold' ssh -o StrictHostKeyChecking=accept-new zvx@$CT_IP "echo 'SSH OK'"
```
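As an added example (not part of the runbook), a check of the sshd policy that is actually in effect: Ubuntu 24.04's `sshd_config` includes `/etc/ssh/sshd_config.d/*.conf` before its own settings and sshd keeps the first value it reads, so a drop-in there silently overrides the `sed` edits above. `sshd -T` prints the merged configuration; `check_sshd_policy` is a hypothetical helper that parses it, run here against constructed samples.

```bash
# Added example (not from the runbook): verify the EFFECTIVE sshd policy.
# Ubuntu's sshd_config begins with "Include /etc/ssh/sshd_config.d/*.conf" and
# sshd keeps the first value it reads, so a drop-in there can silently
# override the sed edits from Step 5. "sshd -T" prints the merged result.
# Real usage on the container (as root): sshd -T | check_sshd_policy
# Returns 0 when both settings are in effect, 1 otherwise.
check_sshd_policy() {
  cfg=$(cat)        # "sshd -T" output on stdin: lowercase "keyword value" lines
  rc=0
  for want in "passwordauthentication yes" "permitrootlogin no"; do
    key=${want%% *}
    got=$(printf '%s\n' "$cfg" | awk -v k="$key" '$1 == k { print $2; exit }')
    if [ "$key $got" = "$want" ]; then
      echo "OK       $want"
    else
      echo "MISMATCH wanted '$want', effective '$key ${got:-<unset>}'"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample: sshd_config was edited, but a drop-in still forces
# PasswordAuthentication off, so the sshpass login from Step 5 would fail.
SAMPLE_OVERRIDDEN='port 22
permitrootlogin no
passwordauthentication no
kbdinteractiveauthentication no'

# Constructed sample: the policy the runbook expects.
SAMPLE_GOOD='port 22
permitrootlogin no
passwordauthentication yes'

printf '%s\n' "$SAMPLE_OVERRIDDEN" | check_sshd_policy \
  || echo "-> find the override: grep -ril passwordauthentication /etc/ssh/sshd_config.d/"
printf '%s\n' "$SAMPLE_GOOD" | check_sshd_policy
```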
---
## 6. Install Docker
```bash
# Add Docker's official GPG key and repo
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
chmod a+r /etc/apt/keyrings/docker.asc
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] \
  https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" \
  > /etc/apt/sources.list.d/docker.list
apt update
apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
# Add zvx to docker group (no sudo needed for docker commands)
usermod -aG docker zvx
# Verify
docker run --rm hello-world
```
If Docker fails to start with an AppArmor or permissions error, confirm `nesting=1` is set on the container (Step 1). You can check/fix from the Proxmox host:
```bash
pct set $CTID --features nesting=1,keyctl=1
pct reboot $CTID
```
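As an added example (not part of the runbook), a host-side check that a CT still carries the Step 1 baseline (`unprivileged`, `nesting=1,keyctl=1`, `onboot`), which is what to confirm before digging into a Docker start failure. `check_ct_baseline` is a hypothetical helper that parses `pct config` output; the two samples below are constructed.

```bash
# Added example (not from the runbook): host-side check that a CT carries the
# Step 1 baseline: unprivileged, nesting+keyctl (needed by Docker), onboot.
# Real usage on the Proxmox host: pct config "$CTID" | check_ct_baseline
# Returns 0 when every expected setting is present, 1 otherwise.
check_ct_baseline() {
  cfg=$(cat)   # "pct config" output on stdin: "key: value" lines
  rc=0
  # value of one key (empty if absent); "unprivileged" is absent on privileged CTs
  get() { printf '%s\n' "$cfg" | awk -v k="$1:" '$1 == k { print $2; exit }'; }

  [ "$(get unprivileged)" = "1" ] || { echo "FAIL unprivileged != 1 (privileged CT)"; rc=1; }
  [ "$(get onboot)" = "1" ]       || { echo "FAIL onboot != 1"; rc=1; }

  # features is a comma-separated list, e.g. "keyctl=1,nesting=1"; order varies
  feats=",$(get features),"
  for f in nesting=1 keyctl=1; do
    case "$feats" in
      *",$f,"*) echo "OK   $f" ;;
      *) echo "FAIL $f missing: pct set <CTID> --features nesting=1,keyctl=1"; rc=1 ;;
    esac
  done
  return $rc
}

# Constructed sample of "pct config" for a CT created exactly as in Step 1
SAMPLE_OK='arch: amd64
cores: 2
features: keyctl=1,nesting=1
hostname: mycontainer
memory: 2048
net0: name=eth0,bridge=vmbr0,hwaddr=BC:24:11:00:00:01,ip=dhcp,type=veth
onboot: 1
rootfs: local-lvm:vm-110-disk-0,size=8G
unprivileged: 1'

# Constructed sample of a CT created without --features (Docker will not start)
SAMPLE_NO_NESTING='arch: amd64
hostname: mycontainer
onboot: 1
unprivileged: 1'

printf '%s\n' "$SAMPLE_OK" | check_ct_baseline
printf '%s\n' "$SAMPLE_NO_NESTING" | check_ct_baseline || echo "-> apply the pct set fix above, then pct reboot"
```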
---
## 7. Install Tailscale
```bash
curl -fsSL https://tailscale.com/install.sh | sh
```
Bring it up with your auth key:
```bash
# Replace with your actual auth key
tailscale up --authkey=tskey-auth-XXXXXXXXXXXX --ssh
```
If you don't have an auth key handy, run without `--authkey` and it will print a URL to authenticate in a browser:
```bash
tailscale up --ssh
```
Verify:
```bash
tailscale status
tailscale ip -4
```
The `--ssh` flag enables Tailscale SSH, which lets you SSH into the container over Tailscale without managing keys. The container will appear in your tailnet by its hostname.
---
## 8. Verification Checklist
Run this from inside the container to confirm everything:
```bash
echo "=== CT Provisioning Check ==="
echo ""
echo "Hostname: $(hostname)"
echo "User zvx: $(id zvx 2>/dev/null && echo 'OK' || echo 'MISSING')"
echo "sudo: $(sudo -l -U zvx 2>/dev/null | grep -q ALL && echo 'OK' || echo 'MISSING')"
echo "sshpass: $(which sshpass >/dev/null 2>&1 && echo 'OK' || echo 'MISSING')"
echo "SSH: $(systemctl is-active ssh)"
echo "Docker: $(docker --version 2>/dev/null || echo 'MISSING')"
# grep . makes the pipeline fail when tailscale prints nothing; without it the
# exit status of head (always 0) would hide a missing or stopped tailscale
echo "Tailscale: $( (tailscale status --self 2>/dev/null | head -1 | grep .) || echo 'NOT CONNECTED')"
echo "Tailscale IP: $(tailscale ip -4 2>/dev/null || echo 'N/A')"
```
Expected output — everything should say OK/active with a Tailscale IP:
```
=== CT Provisioning Check ===
Hostname: mycontainer
User zvx: uid=1000(zvx) gid=1000(zvx) groups=1000(zvx),27(sudo),998(docker) OK
sudo: OK
sshpass: OK
SSH: active
Docker: Docker version 27.x.x, build xxxxxxx
Tailscale: 100.x.x.x mycontainer tagged-devices linux -
Tailscale IP: 100.x.x.x
```
---
## Quick Reference (Copy/Paste Block)
For the impatient — the whole thing end to end after `pct enter`:
```bash
# Update + tools
apt update && apt upgrade -y
apt install -y curl wget vim htop git unzip jq net-tools dnsutils \
  ca-certificates gnupg lsb-release sudo sshpass openssh-server
# User
useradd -m -s /bin/bash -G sudo zvx
echo "zvx:7redditGold" | chpasswd
# SSH
systemctl enable --now ssh
sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication yes/' /etc/ssh/sshd_config
sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
systemctl restart ssh
# Docker
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
chmod a+r /etc/apt/keyrings/docker.asc
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] \
  https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" \
  > /etc/apt/sources.list.d/docker.list
apt update && apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
usermod -aG docker zvx
# Tailscale
curl -fsSL https://tailscale.com/install.sh | sh
tailscale up --ssh
```