Add VM configs, WireGuard, and MSP360 setup

- vm-configs/fstab/: fstab snapshots for JARVIS, NPM, NovaCPX, Jellyfin, MediaStack
- vm-configs/network-reference.md: full IP/service/NAS/WireGuard reference
- wireguard/: MediaStack wg0/wg1 and WireGuard CT nord0/wg-clients configs
- msp360/: install and setup scripts + staggered backup schedule

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01X8tDRrQqgLjqXebMCBNcP3
2026-06-30 07:53:48 -05:00
parent 468d8c9ba5
commit d45f88b604
13 changed files with 336 additions and 0 deletions
+84
@@ -0,0 +1,84 @@
#!/bin/bash
# MSP360 Backup - Complete Linux Install & Configure
# Run as root from the directory containing this script and the .deb file.
#
# Credentials are fetched from private Gitea repo (myron/msp360-config).
# Requires /etc/msp360-gitea-token on the target machine.
# OR place a filled-in msp360.conf in the same directory as this script.
set -e
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
CONF="$SCRIPT_DIR/msp360.conf"
TOKEN_FILE="/etc/msp360-gitea-token"
GITEA_RAW="https://gitea.orbishosting.com/myron/msp360-config/raw/branch/main/msp360.conf"
CBB="/opt/local/MSP360 Backup/bin/cbbCommandLine"
if [ -f "$CONF" ]; then
echo "Using local msp360.conf"
source "$CONF"
elif [ -f "$TOKEN_FILE" ]; then
echo "Fetching config from Gitea..."
GITEA_TOKEN=$(cat "$TOKEN_FILE")
curl -sf -H "Authorization: token $GITEA_TOKEN" "$GITEA_RAW" -o /tmp/msp360.conf
source /tmp/msp360.conf
rm -f /tmp/msp360.conf
else
echo "ERROR: No msp360.conf found and no /etc/msp360-gitea-token present."
echo " Option A: Place a filled-in msp360.conf in $SCRIPT_DIR"
echo " Option B: Put your Gitea token in /etc/msp360-gitea-token (chmod 600)"
exit 1
fi
BACKUP_PATH="${MOUNT_POINT}/${BACKUP_SUBDIR}"
CBB_DEB=$(ls "$SCRIPT_DIR"/ubuntu14_MSP360_*.deb 2>/dev/null | head -1)
echo "=== Step 1: Install MSP360 ==="
if [ -f "$CBB_DEB" ]; then
dpkg -i "$CBB_DEB"
sleep 5
else
echo "WARNING: No .deb found — assuming already installed"
fi
echo "=== Step 2: Activate license ==="
"$CBB" activateLicense -e "$LICENSE_EMAIL" -free
echo "=== Step 3: Install cifs-utils ==="
apt-get install -y cifs-utils
echo "=== Step 4: Mount NAS ==="
mkdir -p "$MOUNT_POINT" /etc/nas-creds
printf "username=%s\npassword=%s\n" "$NAS_USER" "$NAS_PASS" > /etc/nas-creds/msp360
chmod 600 /etc/nas-creds/msp360
if ! mountpoint -q "$MOUNT_POINT"; then
mount -t cifs "//${NAS_HOST}/${NAS_SHARE}" "$MOUNT_POINT" \
-o credentials=/etc/nas-creds/msp360,uid=0,gid=0,noperm,_netdev
fi
df -h "$MOUNT_POINT"
echo "=== Step 5: Create backup directory ==="
mkdir -p "$BACKUP_PATH"
echo "=== Step 6: Add fstab entry ==="
FSTAB_LINE="//${NAS_HOST}/${NAS_SHARE} ${MOUNT_POINT} cifs credentials=/etc/nas-creds/msp360,uid=0,gid=0,noperm,_netdev 0 0"
grep -q "$MOUNT_POINT" /etc/fstab || echo "$FSTAB_LINE" >> /etc/fstab
echo "=== Step 7: Register storage account ==="
"$CBB" addAccount -st FileSystem -d "NAS-MSPBackups" -c "$BACKUP_PATH"
echo "=== Step 8: Create backup plan ==="
"$CBB" addBackupPlan \
-n "$PLAN_NAME" \
-a "NAS-MSPBackups" \
-f "/" \
-ef "/proc" -ef "/sys" -ef "/dev" -ef "/run" -ef "/tmp" -ef "/mnt" \
-es no \
-purge 1m -purgeBy backupDate -keepLastVersion yes \
-runMissed yes \
-en yes -every day -at "$INC_TIME" \
-enFull yes -everyFull week -atFull "$FULL_TIME" -weekdayFull "su"
echo ""
echo "=== Done! Plan list: ==="
"$CBB" plan -l
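Review bot: The fetched config is written to the fixed, predictable path `/tmp/msp360.conf` and then `source`d, and the NAS password is written with `printf ... > /etc/nas-creds/msp360` one line before the `chmod 600`, so under the default umask both files are briefly group/world-readable and the /tmp name can be pre-created by another local user. Adding `umask 077` directly after `set -e` closes the permission window for both writes, and the fetch should go through `mktemp` with an EXIT trap so the temporary file is removed even when `source` or a later step aborts under `set -e`. The same fetch-and-source and credential-write pattern appears in the setup script in the next section. Note also that `source` of a file served from `branch/main` runs whatever the repo currently holds as root on every host; pinning the raw URL to a commit would make that trust boundary explicit.
```bash
set -e
umask 077   # the fetched config and the NAS credential file must not be group/world readable
# … unchanged: SCRIPT_DIR, CONF, TOKEN_FILE, GITEA_RAW, CBB …
elif [ -f "$TOKEN_FILE" ]; then
  echo "Fetching config from Gitea..."
  GITEA_TOKEN=$(cat "$TOKEN_FILE")
  TMP_CONF=$(mktemp)
  trap 'rm -f "$TMP_CONF"' EXIT
  curl -sf -H "Authorization: token $GITEA_TOKEN" "$GITEA_RAW" -o "$TMP_CONF"
  source "$TMP_CONF"
# … unchanged: error branch, install, mount and plan steps …
```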
+35
@@ -0,0 +1,35 @@
# MSP360 Backup Schedule
License: myronblair@outlook.com (free)
NAS: //10.48.200.249/Storage → /mnt/nas-backups
Backup path: /mnt/nas-backups/MSPBackups/CBB_<hostname>/
Credentials: fetched from Gitea private repo myron/msp360-config via /etc/msp360-gitea-token
## Plan: All files, weekly full + daily incremental, 1 month retention
| Host | IP | Plan Name | Full (Sun) | Incremental (daily) | Status |
|--------------|-----------------|--------------------|------------|---------------------|----------|
| JARVIS | 10.48.200.211 | JARVIS-Backup | 01:00 | 02:00 | Stopped |
| NPM | 10.48.200.200 | NPM-Backup | 01:15 | 02:15 | Stopped |
| NovaCPX | 10.48.200.110 | NovaCPX-Backup | 01:30 | 02:30 | Stopped |
| Jellyfin | 10.48.200.33 | Jellyfin-Backup | 01:45 | 02:45 | Stopped |
| Homebridge | 10.48.200.18 | Homebridge-Backup | 02:00 | 03:00 | Unknown |
| MediaStack | 10.48.200.35 | MediaStack-Backup | 02:15 | 03:15 | Running |
| PVE1 | 10.48.200.90 | PVE1-Backup | 02:30 | 03:30 | Stopped |
| PVE2 | 10.48.200.91 | PVE2-Backup | 02:45 | 03:45 | Pending |
| Ollama | 10.48.200.210 | Ollama-Backup | 03:00 | 04:00 | Pending |
| NetworkBak | 10.48.200.99 | NetworkBak-Backup | 03:15 | 04:15 | Pending |
Pending = offline, needs install when back up.
DO server (165.22.1.228) and FusionPBX (134.209.72.226) cannot reach internal NAS.
## Install on new host
```bash
# 1. Place Gitea token
echo "<token>" > /etc/msp360-gitea-token && chmod 600 /etc/msp360-gitea-token
# 2. Run setup (MSP360 already installed)
curl -sk https://web.orbishosting.com/downloads/msp360-linux-installer.zip -o /tmp/msp360.zip
unzip /tmp/msp360.zip -d /tmp/msp360 && cd /tmp/msp360
bash msp360-setup.sh "HOSTNAME-Backup" "HH:MM" "HH:MM"
```
+61
@@ -0,0 +1,61 @@
#!/bin/bash
# MSP360 Backup - Configure only (MSP360 already installed)
# Usage: bash msp360-setup.sh <plan_name> <full_time> <inc_time>
# Credentials: fetched from Gitea (/etc/msp360-gitea-token) or local msp360.conf
set -e
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
CONF="$SCRIPT_DIR/msp360.conf"
TOKEN_FILE="/etc/msp360-gitea-token"
GITEA_RAW="https://gitea.orbishosting.com/myron/msp360-config/raw/branch/main/msp360.conf"
CBB="/opt/local/MSP360 Backup/bin/cbbCommandLine"
if [ -f "$CONF" ]; then
source "$CONF"
elif [ -f "$TOKEN_FILE" ]; then
GITEA_TOKEN=$(cat "$TOKEN_FILE")
curl -sf -H "Authorization: token $GITEA_TOKEN" "$GITEA_RAW" -o /tmp/msp360.conf
source /tmp/msp360.conf
rm -f /tmp/msp360.conf
else
echo "ERROR: No msp360.conf and no /etc/msp360-gitea-token"
exit 1
fi
PLAN_NAME="${1:-${PLAN_NAME:-MyHost-Backup}}"
FULL_TIME="${2:-${FULL_TIME:-01:00}}"
INC_TIME="${3:-${INC_TIME:-02:00}}"
BACKUP_PATH="${MOUNT_POINT:-/mnt/nas-backups}/${BACKUP_SUBDIR:-MSPBackups}"
"$CBB" activateLicense -e "$LICENSE_EMAIL" -free
apt-get install -y cifs-utils 2>/dev/null | tail -1
mkdir -p "${MOUNT_POINT}" /etc/nas-creds
[ -f /etc/nas-creds/msp360 ] || \
printf "username=%s\npassword=%s\n" "$NAS_USER" "$NAS_PASS" > /etc/nas-creds/msp360
chmod 600 /etc/nas-creds/msp360
mountpoint -q "${MOUNT_POINT}" || \
mount -t cifs "//${NAS_HOST}/${NAS_SHARE}" "${MOUNT_POINT}" \
-o credentials=/etc/nas-creds/msp360,uid=0,gid=0,noperm,_netdev
mkdir -p "$BACKUP_PATH"
grep -q "${MOUNT_POINT}" /etc/fstab || \
echo "//${NAS_HOST}/${NAS_SHARE} ${MOUNT_POINT} cifs credentials=/etc/nas-creds/msp360,uid=0,gid=0,noperm,_netdev 0 0" >> /etc/fstab
"$CBB" addAccount -st FileSystem -d "NAS-MSPBackups" -c "$BACKUP_PATH" 2>&1
"$CBB" addBackupPlan \
-n "$PLAN_NAME" \
-a "NAS-MSPBackups" \
-f "/" \
-ef "/proc" -ef "/sys" -ef "/dev" -ef "/run" -ef "/tmp" -ef "/mnt" \
-es no \
-purge 1m -purgeBy backupDate -keepLastVersion yes \
-runMissed yes \
-en yes -every day -at "$INC_TIME" \
-enFull yes -everyFull week -atFull "$FULL_TIME" -weekdayFull "su" 2>&1
echo "Done. Plans:"
"$CBB" plan -l
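Review bot: `apt-get install -y cifs-utils 2>/dev/null | tail -1` yields tail's exit status, so a failed package install is invisible to `set -e` and the script goes on to `mount -t cifs` without the helper present. Either add `set -o pipefail` beside `set -e` or drop the pipe and let apt-get's own status propagate. The fstab line written here uses `noperm`, whereas the committed fstab snapshots use `file_mode=0700,dir_mode=0700`; a fresh host therefore gets the more permissive mount, and because the `grep -q "${MOUNT_POINT}"` guard matches either form the two will never be reconciled automatically. Pick one option set and use it in both the scripts and the snapshots.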
+4
@@ -0,0 +1,4 @@
LABEL=cloudimg-rootfs / ext4 discard,commit=30,errors=remount-ro 0 1
LABEL=BOOT /boot ext4 defaults 0 2
LABEL=UEFI /boot/efi vfat umask=0077 0 1
//10.48.200.249/Storage /mnt/nas-backups cifs credentials=/etc/nas-creds/msp360,uid=0,gid=0,file_mode=0700,dir_mode=0700,_netdev 0 0
+6
@@ -0,0 +1,6 @@
LABEL=cloudimg-rootfs / ext4 discard,commit=30,errors=remount-ro 0 1
LABEL=BOOT /boot ext4 defaults 0 2
LABEL=UEFI /boot/efi vfat umask=0077 0 1
10.48.200.35:/media/movies /mnt/mediastack/movies nfs defaults,_netdev 0 0
10.48.200.35:/media/tv /mnt/mediastack/tv nfs defaults,_netdev 0 0
//10.48.200.249/Storage /mnt/nas-backups cifs credentials=/etc/nas-creds/msp360,uid=0,gid=0,file_mode=0700,dir_mode=0700,_netdev 0 0
+7
@@ -0,0 +1,7 @@
LABEL=cloudimg-rootfs / ext4 discard,commit=30,errors=remount-ro 0 1
LABEL=BOOT /boot ext4 defaults 0 2
LABEL=UEFI /boot/efi vfat umask=0077 0 1
10.48.200.249:/volume1/video /mnt/nas/video nfs defaults,_netdev 0 0
/mnt/nas/video/movies /media/movies none bind 0 0
/mnt/nas/video/tv /media/tv none bind 0 0
//10.48.200.249/Storage /mnt/nas-backups cifs credentials=/etc/nas-creds/msp360,uid=0,gid=0,file_mode=0700,dir_mode=0700,_netdev 0 0
+4
@@ -0,0 +1,4 @@
LABEL=cloudimg-rootfs / ext4 discard,commit=30,errors=remount-ro 0 1
LABEL=BOOT /boot ext4 defaults 0 2
LABEL=UEFI /boot/efi vfat umask=0077 0 1
//10.48.200.249/Storage /mnt/nas-backups cifs credentials=/etc/nas-creds/msp360,uid=0,gid=0,file_mode=0700,dir_mode=0700,_netdev 0 0
+4
@@ -0,0 +1,4 @@
LABEL=cloudimg-rootfs / ext4 discard,commit=30,errors=remount-ro 0 1
LABEL=BOOT /boot ext4 defaults 0 2
LABEL=UEFI /boot/efi vfat umask=0077 0 1
//10.48.200.249/Storage /mnt/nas-backups cifs credentials=/etc/nas-creds/msp360,uid=0,gid=0,file_mode=0700,dir_mode=0700,_netdev 0 0
+66
@@ -0,0 +1,66 @@
# VM Network Reference
Updated: 2026-06-30
## Subnet: 10.48.200.0/24 (Internal LAN via FortiGate)
| VM/CT | VMID | IP | Role | Host |
|-----------------|------|-----------------|-------------------------------|-------|
| PVE1 (baremetal)| — | 10.48.200.90 | Proxmox hypervisor | — |
| PVE2 (baremetal)| — | 10.48.200.91 | Proxmox hypervisor (offline) | — |
| NPM | 101 | 10.48.200.200 | Nginx Proxy Manager | PVE1 |
| NovaCPX | 120 | 10.48.200.110 | web.orbishosting.com (Apache) | PVE1 |
| JARVIS | 200 | 10.48.200.211 | Home automation / agent host | PVE1 |
| Homebridge | 103 | 10.48.200.18 | Homebridge (SSH: myron only) | PVE1 |
| Jellyfin | 104 | 10.48.200.33 | Jellyfin media server | PVE1 |
| MediaStack | 105 | 10.48.200.35 | Sonarr/Radarr/Prowlarr/qBit | PVE1 |
| WireGuard CT | 110 | 10.48.200.67 | VPN kill-switch for MediaStack| PVE1 |
| Ollama | 106 | 10.48.200.210 | Ollama LLM server (offline) | PVE1 |
| NetworkBackup | 302 | 10.48.200.99 | Network backup (offline) | PVE1 |
| NAS (Synology) | — | 10.48.200.249 | File storage | — |
## External Servers
| Server | IP | Role |
|--------------|-----------------|--------------------------|
| FortiGate WAN| 97.154.207.5 | Internet gateway (Verizon)|
| DO server | 165.22.1.228 | DigitalOcean VPS |
| FusionPBX | 134.209.72.226 | VoIP server |
## NAS Storage (10.48.200.249 — Synology)
| Share | Protocol | Mount point (on client) | Used by |
|--------------|----------|-----------------------------|-----------------|
| /volume1/video| NFS | /mnt/nas/video | MediaStack |
| /volume1/video/movies | NFS | /media/movies | MediaStack |
| /volume1/video/tv | NFS | /media/tv | MediaStack |
| /media/movies | NFS (re-export) | /mnt/mediastack/movies | Jellyfin |
| /media/tv | NFS (re-export) | /mnt/mediastack/tv | Jellyfin |
| Storage/MSPBackups | CIFS | /mnt/nas-backups | All VMs (MSP360)|
| homes | CIFS | (unused) | — |
NAS CIFS credentials: /etc/nas-creds/msp360 (username=nas) on each VM
## WireGuard VPN Subnet: 10.200.0.0/24
| Host | WG IP | Role |
|----------------|-------------|-------------------------|
| WireGuard CT | 10.200.0.1 | Gateway (NordVPN relay) |
| Jellyfin | 10.200.0.3 | NFS client |
| MediaStack | 10.200.0.4 | Kill-switch client |
NordVPN exit node: 2.56.190.69 (Clouvider UK, AS62240)
NordVPN WireGuard endpoint: 2.56.190.66:51820
## NPM Proxy (10.48.200.200)
Reverse proxies HTTPS from FortiGate WAN → internal services.
All certs via Let's Encrypt. Admin panel: http://10.48.200.200:81
## MediaStack Services
| Service | Port | URL |
|-------------|-------|-----------------------------------|
| qBittorrent | 8080 | http://10.48.200.35:8080 |
| Sonarr | 8989 | http://10.48.200.35:8989 |
| Radarr | 7878 | http://10.48.200.35:7878 |
| Prowlarr | 9696 | http://10.48.200.35:9696 |
| Jellyfin | 8096 | http://10.48.200.33:8096 |
+17
@@ -0,0 +1,17 @@
# MediaStack (10.48.200.35) WireGuard client config
# Tunnels all internet traffic through WireGuard CT (10.48.200.67)
# Kill-switch: iptables blocks any non-WireGuard internet traffic
# File: /etc/wireguard/wg0.conf
[Interface]
PrivateKey = UAaoNldLsxWJerLJAjGlncrm41Ay9QMsK3O1XaTlxmg=
Address = 10.200.0.4/24
DNS = 10.48.200.90
PostUp = iptables -I OUTPUT ! -o wg0 -m mark ! --mark 51820 -m addrtype ! --dst-type LOCAL -j REJECT; iptables -I OUTPUT -d 10.48.200.0/24 -j ACCEPT
PostDown = iptables -D OUTPUT -d 10.48.200.0/24 -j ACCEPT; iptables -D OUTPUT ! -o wg0 -m mark ! --mark 51820 -m addrtype ! --dst-type LOCAL -j REJECT
[Peer]
PublicKey = Fqb1KLfHe1r3+Hwhem7YGZB2KikGYy/8pPsOIP4rn18=
Endpoint = 10.48.200.67:51821
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
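Review bot: `PrivateKey = ...` is committed in clear text here and in the wg1, nord0 and wg-clients configs that follow, so every tunnel key in this mesh, including the NordVPN client key, is now in repository history. Those keys should be treated as exposed and rotated, and the committed files should carry a placeholder such as `PrivateKey = <from /etc/wireguard/wg0.key, not in repo>` rather than the live value. `DNS = 10.48.200.90` points at PVE1 on the LAN, which the `-d 10.48.200.0/24 -j ACCEPT` rule lets bypass the kill-switch; if that resolver forwards upstream over the WAN, name lookups leave outside the tunnel, so either that is intentional and should be stated in the header or DNS should be served through wg0.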
+16
@@ -0,0 +1,16 @@
# MediaStack (10.48.200.35) WireGuard server config (for Jellyfin peer)
# Serves as internal VPN hub for Jellyfin to reach MediaStack NFS exports
# File: /etc/wireguard/wg1.conf
[Interface]
PrivateKey = UPTGveBLFZLGcimi80npmrEB3tOfE8GjQEl4aTPOWV0=
Address = 10.200.0.1/24
ListenPort = 51820
PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i wg1 -o nordlynx -j ACCEPT; iptables -A FORWARD -i nordlynx -o wg1 -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -A POSTROUTING -o nordlynx -s 10.200.0.0/24 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg1 -o nordlynx -j ACCEPT; iptables -D FORWARD -i nordlynx -o wg1 -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -D POSTROUTING -o nordlynx -s 10.200.0.0/24 -j MASQUERADE
[Peer]
# Jellyfin
PublicKey = T+mr/+Z+9F0FXG/8AxJClH7kgxvqFVeSouJQo2+D82M=
AllowedIPs = 10.200.0.3/32
PersistentKeepalive = 25
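Review bot: `Address = 10.200.0.1/24` gives this interface the same address and subnet as wg-clients.conf on the WireGuard CT and as the gateway entry in network-reference.md, while wg0 on this same host already holds 10.200.0.4/24; two interfaces on one host in the same /24, one of them claiming the peer gateway's address, leaves return routing for 10.200.0.x ambiguous. The PostUp also forwards and masquerades between wg1 and `nordlynx`, yet the header says this tunnel only lets Jellyfin reach the NFS exports; either the comment or the rules appear stale, and if no `nordlynx` interface exists on MediaStack the `iptables -A FORWARD -i wg1 -o nordlynx` commands would fail and abort wg-quick. Moving wg1 to its own subnet (a constructed example: `Address = 10.200.1.1/24` with the Jellyfin peer at 10.200.1.3/32) and restating the purpose in the header would resolve both.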
+17
@@ -0,0 +1,17 @@
# WireGuard CT (LXC 110, 10.48.200.67) NordVPN tunnel config
# Connects to NordVPN server at 2.56.190.66:51820 (Clouvider UK)
# Policy routes 10.200.0.0/24 (MediaStack tunnel clients) through NordVPN
# File: /etc/wireguard/nord0.conf
[Interface]
PrivateKey = Ebk+g1cMK14ured/u+QLvHPYxmoh9dCmeq65qbS/Aqg=
Address = 10.5.0.2/32
Table = off
PostUp = sysctl -w net.ipv4.conf.all.rp_filter=0 || true; ip route add default dev nord0 table 201 || true; ip rule add from 10.200.0.0/24 lookup 201 prio 100 || true; iptables -t nat -A POSTROUTING -o nord0 -j MASQUERADE || true
PostDown = ip route del default dev nord0 table 201 2>/dev/null; ip rule del from 10.200.0.0/24 lookup 201 2>/dev/null; iptables -t nat -D POSTROUTING -o nord0 -j MASQUERADE 2>/dev/null
[Peer]
PublicKey = 8pRFH/FfMBs3eBJCM2ABFoOs/13n78LYQvoovZVLdgI=
Endpoint = 2.56.190.66:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
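Review bot: Every PostUp command ends in `|| true`, so `nord0` comes up reporting success even when the table 201 default route, the `ip rule` for 10.200.0.0/24 or the MASQUERADE rule was not installed; with `Table = off` there is no other route into the tunnel, and a client packet that misses table 201 falls through to the main table and leaves via eth0, where wg-clients.conf masquerades it in the clear. Keep `|| true` only on the `sysctl` line and let the route, rule and NAT commands fail the interface, or add a FORWARD rule on the CT that rejects traffic from the client interface unless it egresses `nord0`, so the kill-switch does not depend solely on MediaStack's own iptables rule. `sysctl -w net.ipv4.conf.all.rp_filter=0` also disables reverse-path filtering on every interface; loose mode (`rp_filter=2`) is normally enough for policy routing and keeps spoofed-source drops elsewhere.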
+15
@@ -0,0 +1,15 @@
# WireGuard CT (LXC 110, 10.48.200.67) client-server config
# Accepts connections from MediaStack and Jellyfin
# File: /etc/wireguard/wg-clients.conf
[Interface]
Address = 10.200.0.1/24
ListenPort = 51821
PrivateKey = uMdYzpGScR4D8cIm7WNbTJ5KHZQGAIFUInMI+4MZjkU=
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; sysctl -w net.ipv4.ip_forward=1
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
# MediaStack (10.48.200.35)
PublicKey = CaG79S1fJeJDlYCMhHz8BrDfizBq+OiGnO5VzFIk3gE=
AllowedIPs = 10.200.0.4/32
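Review bot: The header says this interface accepts connections from MediaStack and Jellyfin, but the only `[Peer]` is MediaStack (10.200.0.4/32); Jellyfin's 10.200.0.3 peer is instead defined on MediaStack's wg1, so either the comment or the peer list is out of date. `iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE` NATs any forwarded client traffic that exits via the LAN interface, which is what makes the nord0 policy route the only thing between clients and a clear-text path; a comment such as `# client traffic must be policy-routed to nord0 (see nord0.conf) or it egresses eth0 unencrypted` would at least make that dependency auditable.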