Created September 2, 2017
Hetzner Dedicated with Debian 9 (Stretch) and Proxmox 5 (LXC) Docker-CE Portainer [NAT]
### Proxmox V & Docker-CE Portainer #
## Rescue System
# Erase other disks
dd if=/dev/zero of=/dev/sda bs=1M count=100
dd if=/dev/zero of=/dev/sdb bs=1M count=100
# You can install debian 9 via the guide:
# Choose debian 9 (stretch) - minimal
# Configure drive/raid/hostname as you like
# reboot
# If you prefer CLI:
installimage -a \
-n host.domain.tld \
-b grub \
-r no \
-i /root/.oldroot/nfs/install/../images/Debian-91-stretch-64-minimal.tar.gz \
-p swap:swap:16G,/boot:ext3:1024M,/:ext4:all \
-d sdc \
-t yes
# reboot and login via ssh
################### (0) Security ###################
apt update && apt upgrade -y
apt install ufw -y
ufw allow ssh
ufw allow 8006/tcp # proxmox
ufw allow 9500/tcp # portainer
ufw enable
apt install certbot -y
certbot certonly
# Choose Standalone (2)
# Enter E-Mail
# Accept TOS
# Wait for Certificate
# ls /etc/letsencrypt/live/
################### (1) Proxmox ###################
# Add ProxmoxVE Repository
echo "deb stretch pve-no-subscription" >> /etc/apt/sources.list
# Get GPG Key
wget -O /etc/apt/trusted.gpg.d/proxmox-ve-release-5.x.gpg
# Update Sources and Install
apt update && apt dist-upgrade -y
apt install proxmox-ve postfix open-iscsi -y
sed -i '1 s/^/# /' /etc/apt/sources.list.d/pve-enterprise.list # comment pve enterprise repo
nano /etc/hosts # comment IPv6 Address
# Allow IPv4 Routing
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1
nano /etc/network/interfaces
# Host-Adapter [IPv4]
auto lo
iface lo inet loopback
# device: enp0s31f6 (ethernet, port0, slot31, ..) << Change to your specific device
auto enp0s31f6
iface enp0s31f6 inet static
address <Hetzner IPv4>
netmask <Hetzner Netmask>
broadcast <Hetzner Broadcast>
gateway <Hetzner Gateway>
up route add -net <Hetzner IPv4> netmask <Hetzner Netmask> gw <Hetzner Gateway> dev enp0s31f6
post-up echo 1 > /proc/sys/net/ipv4/conf/enp0s31f6/proxy_arp
# Host-Adapter [IPv6]
iface enp0s31f6 inet6 static
address <Hetzner IPv6>
netmask 128
gateway fe80::1
up sysctl -p
# Guest-Network [NAT]
auto vmbr0
iface vmbr0 inet static
bridge_ports none
bridge_stp off
bridge_fd 0
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '' -o enp0s31f6 -j MASQUERADE
post-up iptables -A FORWARD --in-interface vmbr0 -j ACCEPT
post-down iptables -t nat -D POSTROUTING -s '' -o enp0s31f6 -j MASQUERADE
post-down iptables -D FORWARD --in-interface vmbr0 -j ACCEPT
# Update Cert for ProxmoxUI
cd /etc/pve/nodes/*
mv pve-ssl.key pve-ssl.proxmox.key
mv pve-ssl.pem pve-ssl.proxmox.pem
cp /etc/letsencrypt/live/<your host.domain.tld here>/privkey.pem pve-ssl.key
cp /etc/letsencrypt/live/<your host.domain.tld here>/cert.pem pve-ssl.pem
service pveproxy restart
service pvedaemon restart
# Goto https://<hostname|ip-addr>:8006
################### (2) Docker-CE ###################
# Install necessary packages
apt-get install -y apt-transport-https ca-certificates curl gnupg2 software-properties-common
# Install Docker Key
curl -fsSL | apt-key add -
# Verify Key (as of 2017-09)
apt-key fingerprint 0EBFCD88
# Add Docker Repo
add-apt-repository "deb [arch=amd64] $(lsb_release -cs) stable"
# Install Docker-CE
apt update && apt install docker-ce -y
# Verify if running:
docker ps
################### (3) Portainer-UI ###################
## Optional Web-UI for managing docker container
cd /opt
# Download Current Release -> Check Portainer Docs
# Extract Release
tar xvpfz portainer-1.14.0-linux-amd64.tar.gz
# remove tar
rm portainer-*
# Set permissions
chown -R root portainer
# Create Data Directory
mkdir /opt/portainer-data
# Create System Service
nano /etc/systemd/system/portainer.service
Description=Portainer Docker UI
Environment="SSLCERT=/etc/letsencrypt/live/<your domain here>/cert.pem"
Environment="CERTKEY=/etc/letsencrypt/live/<your domain here>/privkey.pem"
ExecStart=/opt/portainer/portainer -p -d /opt/portainer-data --ssl --sslcert="${SSLCERT}" --sslkey="${CERTKEY}"
systemctl daemon-reload
# Enable Service for System Startup
systemctl enable portainer.service
# Start Service
systemctl start portainer.service
## Resources:
