From c044fdb34bbcf2ec6e4d8c586803f8ba7cf09a07 Mon Sep 17 00:00:00 2001
From: rellek
Date: Thu, 5 Feb 2026 20:44:50 +0000
Subject: [PATCH 01/15] feat: add NetAlertX ProxmoxVE helper scripts
---
install/proxmox/INSTALLATION_GUIDE.md | 159 +++++++++
install/proxmox/README.md | 9 +-
install/proxmox/ct/netalertx.sh | 148 ++++++++
install/proxmox/install/netalertx-install.sh | 335 +++++++++++++++++++
install/proxmox/netalertx.conf | 7 +
install/proxmox/proxmox-install-netalertx.sh | 74 ++--
install/proxmox/requirements.txt | 1 +
7 files changed, 694 insertions(+), 39 deletions(-)
create mode 100644 install/proxmox/INSTALLATION_GUIDE.md
create mode 100644 install/proxmox/ct/netalertx.sh
create mode 100644 install/proxmox/install/netalertx-install.sh
diff --git a/install/proxmox/INSTALLATION_GUIDE.md b/install/proxmox/INSTALLATION_GUIDE.md
new file mode 100644
index 000000000..caa0ab739
--- /dev/null
+++ b/install/proxmox/INSTALLATION_GUIDE.md
@@ -0,0 +1,159 @@ +# NetAlertX Installation Guide for Proxmox VE + +## Quick Start (ProxmoxVE LXC Container) + +To create a NetAlertX LXC container on Proxmox VE, run this command on your Proxmox host: + +```bash +bash -c "$(wget -qLO - https://github.com/community-scripts/ProxmoxVE/raw/main/ct/netalertx.sh)" +``` + +This will: +- Create a Debian 13 LXC container +- Install all dependencies automatically +- Configure NetAlertX with NGINX on port 20211 +- Start the service automatically + +### Update Existing Installation + +To update an existing NetAlertX container: + +```bash +bash -c "$(wget -qLO - https://github.com/community-scripts/ProxmoxVE/raw/main/ct/netalertx.sh)" -s update +``` + +--- + +## Installation Process Overview + +### 1. **System Preparation** +- Updates system packages + +### 2. **Dependency Installation** +- Installs NGINX web server +- Installs Python 3 and development tools +- Installs network scanning tools (nmap, arp-scan, fping, etc.) +- Installs system utilities (sqlite3, dnsutils, avahi-daemon, etc.) + +### 3. **Application Setup** +- Clones NetAlertX repository to `/app` +- Creates Python virtual environment at `/opt/netalertx-env` +- Installs Python dependencies from requirements.txt +- Configures NGINX with default port 20211 + +### 4. **File Structure Creation** +- Creates persistent directories for `/app/log` and `/app/api` +- Creates log files and plugin directories +- Copies initial database and configuration files +- Sets secure file permissions (www-data user/group) +- Configures systemd RuntimeDirectory (`/run/netalertx`) for volatile service files + +### 5. **Service Configuration** +- Creates startup script at `/app/start.netalertx.sh` +- Installs systemd service (`netalertx.service`) +- Enables auto-start on boot +- Starts NetAlertX and NGINX services + +### 6. 
**Hardware Vendor Database** +- Updates IEEE OUI database for MAC address vendor identification (if not present) + +--- + +## Post-Installation + +### Accessing NetAlertX + +After successful installation, access the web interface at: + +``` +http://YOUR_SERVER_IP:YOUR_PORT +``` + +**Default port**: 20211 + +To find your server IP: +```bash +ip -4 route get 1.1.1.1 | awk '{for(i=1;i<=NF;i++) if ($i=="src") {print $(i+1); exit}}' +``` + +### Service Management + +```bash +# Check service status +systemctl status netalertx.service + +# View real-time logs +journalctl -u netalertx.service -f + +# Restart service +systemctl restart netalertx.service + +# Stop service +systemctl stop netalertx.service +``` + +--- + +## Important File Locations + +| Component | Location | +|-----------|----------| +| Installation Directory | `/app` | +| Configuration File | `/app/config/app.conf` | +| Database File | `/app/db/app.db` | +| NGINX Configuration | `/etc/nginx/conf.d/netalertx.conf` | +| Web UI (symlink) | `/var/www/html/netalertx` → `/app/front` | +| Python Virtual Env | `/opt/netalertx-env` | +| Systemd Service | `/etc/systemd/system/netalertx.service` | +| Startup Script | `/app/start.netalertx.sh` | +| Application Logs | `/app/log/` (persistent) | +| API Files | `/app/api/` (persistent) | +| Service Runtime | `/run/netalertx/` (tmpfs, systemd-managed) | + +### Storage Strategy (Hybrid Approach) + +**Persistent Storage** (survives reboots): +- `/app/log/app.log` - Main application log +- `/app/log/execution_queue.log` - Task execution log +- `/app/log/app_front.log` - Frontend log +- `/app/log/app.php_errors.log` - PHP error log +- `/app/log/stderr.log` - Standard error output +- `/app/log/stdout.log` - Standard output +- `/app/log/db_is_locked.log` - Database lock log +- `/app/api/user_notifications.json` - User notification data + +**Volatile Storage** (tmpfs, cleared on reboot): +- `/run/netalertx/` - Systemd-managed runtime directory for service temporary files + 
+Systemd service logs are always available via: `journalctl -u netalertx.service` + +--- + +## Environment Variables + +The installation script supports the following environment variables: + +| Variable | Description | Default | +|----------|-------------|---------| +| `NETALERTX_ASSUME_YES` | Skip all interactive prompts | (not set) | +| `ASSUME_YES` | Alternative to NETALERTX_ASSUME_YES | (not set) | +| `PORT` | HTTP port for web interface | 20211 | +| `NETALERTX_FORCE` | Force installation without prompts | (not set) | + +--- + +## Security Considerations + +- **Runtime directory**: Systemd manages `/run/netalertx/` as tmpfs with `noexec,nosuid,nodev` flags +- **File permissions**: Application files restricted to `www-data` user/group only (mode 0750) +- **Service isolation**: Runs as unprivileged `www-data` user +- **Automatic restart**: Service configured to restart on failure +- **Persistent logs**: Application logs survive reboots for debugging and audit trails + +--- + +## Additional Resources + +- **GitHub Repository**: https://github.com/jokob-sk/NetAlertX +- **Issue Tracker**: https://github.com/jokob-sk/NetAlertX/issues +- **Documentation**: `/app/docs/` directory diff --git a/install/proxmox/README.md b/install/proxmox/README.md index dfca219cc..8041801c0 100755 --- a/install/proxmox/README.md +++ b/install/proxmox/README.md 
@@ -11,7 +11,14 @@ An installer script for deploying NetAlertX on Proxmox VE (Debian-based) system ### Installation -## Download and run the installer +#### Proxmox VE Helper Script (Recommended) +This is the easiest way to deploy NetAlertX on Proxmox. Run this command on your Proxmox host: +```bash +bash -c "$(wget -qLO - https://github.com/JVKeller/NetAlertX/raw/proxmox-baremetal-installer/install/proxmox/ct/netalertx.sh)" +``` + +#### Standalone Script (Inside existing LXC/VM) +Download and run the installer inside a fresh Debian/Ubuntu system: ```bash wget https://raw.githubusercontent.com/jokob-sk/NetAlertX/refs/heads/main/install/proxmox/proxmox-install-netalertx.sh -O proxmox-install-netalertx.sh && chmod +x proxmox-install-netalertx.sh && ./proxmox-install-netalertx.sh ``` diff --git a/install/proxmox/ct/netalertx.sh b/install/proxmox/ct/netalertx.sh new file mode 100644 index 000000000..3bf320769 --- /dev/null +++ b/install/proxmox/ct/netalertx.sh 
@@ -0,0 +1,148 @@ +#!/usr/bin/env bash +# Copyright (c) 2021-2026 community-scripts ORG +# Author: jokob-sk +# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE +# Source: https://github.com/netalertx/NetAlertX + +# Import main orchestrator +source <(curl -fsSL https://github.com/community-scripts/ProxmoxVE/raw/main/misc/build.func) + +# Application Configuration +APP="NetAlertX" +var_tags="network;monitoring;security" +var_cpu="2" +var_ram="2048" +var_disk="10" +# Container Type & OS +var_os="debian" +var_version="13" +var_unprivileged="1" +# var_password="root" # Uncomment if you want to hardcode a password for testing + +# Standard initialization +header_info "$APP" +variables +color +catch_errors + +# Support running from a mirror +if [[ -n "${REPOS_URL}" ]]; then + # Only show info message in verbose mode to avoid UI overlap + if [[ "${VERBOSE:-no}" == "yes" ]]; then + msg_info "Using custom repository: ${REPOS_URL}" + fi + # Override build_container to use the custom repo URL + original_func=$(declare -f build_container) + # Map official ProxmoxVE path to NetAlertX fork path - EXTREMELY SURGICAL to avoid core breakages + eval "$(echo "$original_func" | sed "s|https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/install/\${var_install}.sh|${REPOS_URL}/install/proxmox/install/\${var_install}.sh|g")" +fi + +# Define local installer path for testing +LOCAL_INSTALLER="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/../../install/${NSAPP:-netalertx}-install.sh" + +# Override build_container to use local install script if available +if [[ -f "$LOCAL_INSTALLER" ]]; then + msg_info "Using local installer from $LOCAL_INSTALLER" + original_func=$(declare -f build_container) + replacement="pct push \"\$CTID\" \"$LOCAL_INSTALLER\" /root/install.sh && lxc-attach -n \"\$CTID\" -- bash /root/install.sh" + eval "$(echo "$original_func" | sed "s|lxc-attach.*install/\${var_install}.sh.*|$replacement|")" +fi + +# Export variables to 
ensure they're passed to the installation script +export NSAPP APP var_os var_version var_cpu var_ram var_disk var_unprivileged PORT VERBOSE REPO_URL + +# Support verbose logging +if [[ "${VERBOSE:-no}" == "yes" ]]; then + set -x + STD="" +fi + +# Automatically detect bridge if vmbr0 is missing +if ! ip link show vmbr0 >/dev/null 2>&1 || [[ "$(cat /sys/class/net/vmbr0/bridge/bridge_id 2>/dev/null)" == "" ]]; then + # Get List of Bridges using multiple methods + # shellcheck disable=SC2207,SC2010 # Working pattern for bridge detection + BRIDGES=($(ip -o link show type bridge | awk -F': ' '{print $2}') $(ls /sys/class/net | grep vmbr | grep -v "vmbr0")) + # Remove duplicates + # shellcheck disable=SC2207 # Working pattern for deduplication + BRIDGES=($(echo "${BRIDGES[@]}" | tr ' ' '\n' | sort -u | tr '\n' ' ')) + + if [ ${#BRIDGES[@]} -eq 0 ]; then + # Fallback to pvesh if available + if command -v pvesh >/dev/null 2>&1; then + # shellcheck disable=SC2207,SC2046 # Working pattern for pvesh output + BRIDGES=($(pvesh get /nodes/$(hostname)/network --type bridge --output-format json | grep -oP '"iface":"\K[^"]+')) + fi + fi + + if [ ${#BRIDGES[@]} -eq 0 ]; then + msg_error "No network bridges (vmbr) detected. Please create a Linux Bridge in Proxmox first." + exit 1 + elif [ ${#BRIDGES[@]} -eq 1 ]; then + export var_bridge="${BRIDGES[0]}" + msg_info "Using detected bridge: ${var_bridge}" + else + # Multiple bridges found, let the user pick + BRIDGE_MENU=() + for b in "${BRIDGES[@]}"; do + BRIDGE_MENU+=("$b" "Network Bridge") + done + # shellcheck disable=SC2155 # Standard whiptail pattern + export var_bridge=$(whiptail --title "Select Network Bridge" --menu "vmbr0 not found. Please select a valid bridge:" 15 60 5 "${BRIDGE_MENU[@]}" 3>&1 1>&2 2>&3) + if [ -z "$var_bridge" ]; then + msg_error "No bridge selected. Aborting." + exit 1 + fi + fi +fi + +function update_script() { + header_info + check_container_storage + check_container_resources + + if [[ ! 
-d /app ]]; then + msg_error "No ${APP} Installation Found!" + exit + fi + + msg_info "Stopping ${APP} Service" + systemctl stop netalertx.service + msg_ok "Stopped ${APP} Service" + + msg_info "Updating ${APP}" + cd /app || exit + git pull + msg_ok "Updated ${APP}" + + msg_info "Updating Python Dependencies" + # shellcheck disable=SC1091 # venv activation script + source /opt/netalertx-env/bin/activate + pip install -r install/proxmox/requirements.txt + deactivate + msg_ok "Updated Python Dependencies" + + msg_info "Starting ${APP} Service" + systemctl start netalertx.service + msg_ok "Started ${APP} Service" + + msg_ok "Update Complete" + exit +} + +# Start the container creation workflow +start + +# Build the container with selected configuration +build_container + +# Set container description/notes in Proxmox UI +description + +# Display success message +msg_ok "Completed successfully!\n" + +echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}" +echo -e "${INFO}${YW} Access it using the following URL:${CL}" +echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:${PORT:-20211}${CL}" +echo -e "${INFO}${YW} Service Management:${CL}" +echo -e "${TAB}systemctl status netalertx.service${CL}" diff --git a/install/proxmox/install/netalertx-install.sh b/install/proxmox/install/netalertx-install.sh new file mode 100644 index 000000000..33a937f9e --- /dev/null +++ b/install/proxmox/install/netalertx-install.sh 
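Review bot: In the mirror override, `${REPOS_URL}` is spliced unescaped into a sed replacement whose output is handed to `eval`, so a `|`, `&`, quote or `$(` in that environment variable rewrites the body of `build_container` instead of only swapping the URL. Checking the value before use, for example `[[ "$REPOS_URL" =~ ^https://[A-Za-z0-9._/-]+$ ]] || { msg_error "Invalid REPOS_URL"; exit 1; }`, would keep the override to a plain URL; the same sed-into-eval pattern is applied to `LOCAL_INSTALLER` a few lines later. The block tests `REPOS_URL` while the `export` line names `REPO_URL`; if these are meant to be two settings, a comment should say so, otherwise one of them is a typo. `build.func` is also sourced from the `main` branch with no pinned revision or checksum, which is worth a comment such as `# NOTE: executes whatever build.func is on main at run time`.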
@@ -0,0 +1,335 @@ +#!/usr/bin/env bash + +# Copyright (c) 2021-2026 community-scripts ORG +# Author: jokob-sk +# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE +# Source: https://github.com/netalertx/NetAlertX + +# shellcheck disable=SC1091 # FUNCTIONS_FILE_PATH is provided by build.func + +# Load all available functions (from core.func + tools.func) +# shellcheck disable=SC1090 +source /dev/stdin <<< "$FUNCTIONS_FILE_PATH" + +color +verb_ip6 +catch_errors +setting_up_container +network_check +update_os + +# ============================================================================ +msg_info "Installing Dependencies" +$STD apt-get install -y \ + nginx \ + sqlite3 \ + dnsutils \ + net-tools \ + mtr \ + python3 \ + python3-dev \ + python3-pip \ + python3-venv \ + iproute2 \ + nmap \ + fping \ + zip \ + usbutils \ + traceroute \ + nbtscan \ + avahi-daemon \ + avahi-utils \ + build-essential \ + git \ + curl \ + wget \ + arp-scan \ + perl \ + libwww-perl \ + apt-utils \ + cron \ + sudo \ + ca-certificates \ + tini \ + snmp \ + libcap2-bin \ + gettext-base +msg_ok "Installed Dependencies" + +msg_info "Setting up PHP 8.4" +PHP_VERSION="8.4" PHP_MODULE="cgi,fpm,sqlite3,curl,gd,mbstring,xml,intl,zip" setup_php +msg_ok "PHP 8.4 setup complete" + +# ============================================================================ +msg_info "Cloning NetAlertX Repository" +INSTALL_DIR="/app" +# Default repository if not specified +REPO_URL="${REPO_URL:-https://github.com/netalertx/NetAlertX.git}" +# Ensure directory is empty +rm -rf "$INSTALL_DIR" +git clone "$REPO_URL" "$INSTALL_DIR/" --quiet +cd "$INSTALL_DIR" || exit + +# Remove symlink placeholders from the repository to ensure they become persistent directories +rm -rf api log db config + +# Create a /data symlink as a fail-safe for application hardcoded paths +if [ ! -e /data ]; then + ln -s /app /data +fi + +# Create buildtimestamp if it doesn't exist +if [ ! 
-f "$INSTALL_DIR/front/buildtimestamp.txt" ]; then + date +%s > "$INSTALL_DIR/front/buildtimestamp.txt" +fi +msg_ok "Cloned NetAlertX Repository" + +# ============================================================================ +msg_info "Installing Python Dependencies" +# Python venv creation +python3 -m venv /opt/netalertx-env +# shellcheck disable=SC1091 +source /opt/netalertx-env/bin/activate +$STD python -m pip install --upgrade pip +if [ -f "${INSTALL_DIR:-/app}/install/proxmox/requirements.txt" ]; then + $STD python -m pip install -r "${INSTALL_DIR:-/app}/install/proxmox/requirements.txt" +fi +deactivate +msg_ok "Installed Python Dependencies" + +# ============================================================================ +msg_info "Applying Security Capabilities" +# Dynamically find binary paths as they can vary between /usr/bin and /usr/sbin +BINARY_NMAP=$(command -v nmap) +BINARY_ARPSCAN=$(command -v arp-scan) +BINARY_NBTSCAN=$(command -v nbtscan) +BINARY_TRACEROUTE=$(command -v traceroute) +BINARY_PYTHON=$(readlink -f /opt/netalertx-env/bin/python) + +[[ -n "$BINARY_NMAP" ]] && setcap cap_net_raw,cap_net_admin+eip "$BINARY_NMAP" || true +[[ -n "$BINARY_ARPSCAN" ]] && setcap cap_net_raw,cap_net_admin+eip "$BINARY_ARPSCAN" || true +[[ -n "$BINARY_NBTSCAN" ]] && setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip "$BINARY_NBTSCAN" || true +[[ -n "$BINARY_TRACEROUTE" ]] && setcap cap_net_raw,cap_net_admin+eip "$BINARY_TRACEROUTE" || true +[[ -n "$BINARY_PYTHON" ]] && setcap cap_net_raw,cap_net_admin+eip "$BINARY_PYTHON" || true +msg_ok "Security capabilities applied" +msg_ok "Installed Python Dependencies" + +# ============================================================================ +msg_info "Configuring NGINX" + +# Set default port +PORT="${PORT:-20211}" + +# Remove default NGINX site +if [ -L /etc/nginx/sites-enabled/default ]; then + rm /etc/nginx/sites-enabled/default +elif [ -f /etc/nginx/sites-enabled/default ]; then + mv 
/etc/nginx/sites-enabled/default /etc/nginx/sites-available/default.bkp_netalertx +fi + +# Create web directory and symbolic link +mkdir -p /var/www/html +ln -sfn "${INSTALL_DIR}/front" /var/www/html/netalertx + +# Create symlinks in /tmp as well for double fail-safe (some PHP modules use /tmp/api) +mkdir -p /app/api /app/log +ln -sfn /app/api /tmp/api +ln -sfn /app/log /tmp/log + +# Copy and configure NGINX config +mkdir -p "${INSTALL_DIR}/config" +cp "${INSTALL_DIR}/install/proxmox/netalertx.conf" "${INSTALL_DIR}/config/netalertx.conf" + +# Update port in NGINX config +sed -i "s/listen 20211;/listen ${PORT};/g" "${INSTALL_DIR}/config/netalertx.conf" + +# Create symbolic link to NGINX configuration +ln -sfn "${INSTALL_DIR}/config/netalertx.conf" /etc/nginx/conf.d/netalertx.conf + +# Detect PHP-FPM socket and update NGINX config +PHP_FPM_SOCKET=$(find /run/php/ -name "php*-fpm.sock" | head -n 1) +if [[ -n "$PHP_FPM_SOCKET" ]]; then + msg_info "Detected PHP-FPM socket: $PHP_FPM_SOCKET" + sed -i "s|unix:/var/run/php/php-fpm.sock;|unix:$PHP_FPM_SOCKET;|g" /etc/nginx/conf.d/netalertx.conf +else + msg_warn "Could not detect PHP-FPM socket path automatically" +fi + +# Enable and start NGINX +systemctl enable nginx +systemctl restart nginx +msg_ok "Configured NGINX" + +# ============================================================================ +msg_info "Creating Directory Structure" + +# Create persistent directories +mkdir -p "${INSTALL_DIR}/log/plugins" "${INSTALL_DIR}/api" + +# Set permissions FIRST so www-data can create files (Fixes Turn 499) +chown -R www-data:www-data "${INSTALL_DIR}/log" "${INSTALL_DIR}/api" +chmod -R ug+rwX "${INSTALL_DIR}/log" "${INSTALL_DIR}/api" + +# Create log and API files as www-data user +sudo -u www-data touch ${INSTALL_DIR}/log/{app.log,execution_queue.log,app_front.log,app.php_errors.log,stderr.log,stdout.log,db_is_locked.log} +sudo -u www-data touch ${INSTALL_DIR}/api/user_notifications.json + +msg_ok "Created Directory Structure" 
+ +# Create missing __init__.py files for Python package recognition +touch "${INSTALL_DIR}/front/__init__.py" +touch "${INSTALL_DIR}/front/plugins/__init__.py" + +# ============================================================================ +msg_info "Setting up Database and Configuration" + +# Copy starter database and config files +mkdir -p "${INSTALL_DIR}/config" "${INSTALL_DIR}/db" +cp -u "${INSTALL_DIR}/back/app.conf" "${INSTALL_DIR}/config/app.conf" +cp -u "${INSTALL_DIR}/back/app.db" "${INSTALL_DIR}/db/app.db" + +# Sync timezone from system +LXC_TZ=$(timedatectl show --property=Timezone --value 2>/dev/null || cat /etc/timezone 2>/dev/null || echo "UTC") +if [[ -n "$LXC_TZ" ]]; then + msg_info "Syncing Timezone: $LXC_TZ" + sed -i "s|TIMEZONE.*=.*|TIMEZONE = '$LXC_TZ'|g" "${INSTALL_DIR}/config/app.conf" + # Also update PHP's fallbacks if necessary (NetAlertX uses the one from app.conf mostly) +fi + +# Set permissions +chgrp -R www-data "$INSTALL_DIR" +# NetAlertX needs write access to front/ for some features, and broad access to /app +chmod -R a+rwx "$INSTALL_DIR" +chown -R www-data:www-data "${INSTALL_DIR}/db/app.db" + +# Configure sudoers for www-data (Needed for Init Checks & Tools) +msg_info "Configuring Sudoers" +cat > /etc/sudoers.d/netalertx < "$INSTALL_DIR/start.netalertx.sh" < /etc/systemd/system/netalertx.service </dev/null || true; umount "${INSTALL_DIR}/api" 2>/dev/null || true' EXIT # Making sure the system is clean if [ -d "$INSTALL_DIR" ]; then 
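Review bot: `chmod -R a+rwx "$INSTALL_DIR"` in the permissions step makes the whole cloned tree, including the application code, `config/app.conf` and `db/`, writable and executable by every account in the container, so any local process can change code the service later runs. The INSTALLATION_GUIDE.md added by this same patch says application files are restricted to `www-data` with mode 0750, so the script and its documentation disagree. Replacing the line with `chown -R www-data:www-data "$INSTALL_DIR"` and `chmod -R u=rwX,g=rX,o= "$INSTALL_DIR"` would match the documented mode; whether `front/` needs group write should be confirmed first. The sudoers and unit-file heredoc bodies that follow are not readable in this view and are not assessed here.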
@@ -204,10 +202,10 @@ pkill -f "^python(3)?\s+.*${INSTALL_DIR}/server/?$" 2>/dev/null || true printf "%b\n" "--------------------------------------------------------------------------" printf "%b\n" "${GREEN}[INSTALLING] ${RESET}Setting up Python environment" printf "%b\n" "--------------------------------------------------------------------------" -python3 -m venv /opt/myenv +python3 -m venv /opt/netalertx-env # Shell check doesn't recognize source command because it's not in the repo, it is in the system at runtime # shellcheck disable=SC1091 -source /opt/myenv/bin/activate +source /opt/netalertx-env/bin/activate python -m pip install --upgrade pip python -m pip install -r "${INSTALLER_DIR}/requirements.txt" 
@@ -283,46 +281,19 @@ else fi fi -# Create empty log files and plugin folders +# Create persistent log and API directories printf "%b\n" "--------------------------------------------------------------------------" -printf "%b\n" "${GREEN}[INSTALLING] ${RESET}Creating mounts and file structure" +printf "%b\n" "${GREEN}[INSTALLING] ${RESET}Creating persistent log and API directories" printf "%b\n" "--------------------------------------------------------------------------" -printf "%b\n" "Cleaning up old mounts if any" -umount "${INSTALL_DIR}/log" 2>/dev/null || true -umount "${INSTALL_DIR}/api" 2>/dev/null || true +# Create directory structure +mkdir -p "${INSTALL_DIR}/log/plugins" "${INSTALL_DIR}/api" -printf "%b\n" "Creating log api folders if they don't exist" -mkdir -p "${INSTALL_DIR}/log" "${INSTALL_DIR}/api" - -printf "%b\n" "--------------------------------------------------------------------------" -printf "%b\n" "${GREEN}[INSTALLING] ${RESET}Mounting log and api folders as tmpfs" -printf "%b\n" "--------------------------------------------------------------------------" -mountpoint -q "${INSTALL_DIR}/log" || mount -t tmpfs -o noexec,nosuid,nodev tmpfs "${INSTALL_DIR}/log" -mountpoint -q "${INSTALL_DIR}/api" || mount -t tmpfs -o noexec,nosuid,nodev tmpfs "${INSTALL_DIR}/api" -chown -R www-data:www-data "${INSTALL_DIR}/log" "${INSTALL_DIR}/api" - -# Ensure plugins directory exists within the tmpfs mount -mkdir -p "${INSTALL_DIR}"/log/plugins -chown -R www-data:www-data "${INSTALL_DIR}"/log/plugins - -# Create the execution_queue.log file if it doesn't exist -touch ${INSTALL_DIR}/log/{app.log,execution_queue.log,app_front.log,app.php_errors.log,stderr.log,stdout.log,db_is_locked.log} -touch ${INSTALL_DIR}/api/user_notifications.json -chown -R www-data:www-data "${INSTALL_DIR}"/log "${INSTALL_DIR}"/api -chmod -R ug+rwX "${INSTALL_DIR}"/log "${INSTALL_DIR}"/api - -# Set ownership of the tmpfs mountpoints first. 
-chown www-data:www-data "${INSTALL_DIR}/log" "${INSTALL_DIR}/api" - -# Ensure plugins directory exists within the tmpfs mount -mkdir -p "${INSTALL_DIR}/log/plugins" - -# Create log and api files directly as the www-data user to ensure correct ownership from the start. +# Create log and API files as www-data user to ensure correct ownership sudo -u www-data touch ${INSTALL_DIR}/log/{app.log,execution_queue.log,app_front.log,app.php_errors.log,stderr.log,stdout.log,db_is_locked.log} sudo -u www-data touch ${INSTALL_DIR}/api/user_notifications.json -# Set final permissions for all created files and directories. +# Set final permissions for all created files and directories chown -R www-data:www-data "${INSTALL_DIR}/log" "${INSTALL_DIR}/api" chmod -R ug+rwX "${INSTALL_DIR}/log" "${INSTALL_DIR}/api" @@ -360,14 +331,28 @@ nginx -t || { cat > "$INSTALL_DIR/start.netalertx.sh" << EOF #!/usr/bin/env bash +# NetAlertX environment variables +export NETALERTX_CONFIG=/app/config +export NETALERTX_LOG=/app/log +export NETALERTX_DATA=/app +export NETALERTX_API=/app/api +export NETALERTX_TMP=/app +export PORT=${PORT} +export PYTHONPATH=/app + +# Ensure package structure exists (Self-healing) +touch /app/front/__init__.py +touch /app/front/plugins/__init__.py + # Activate the virtual python environment -source /opt/myenv/bin/activate +source /opt/netalertx-env/bin/activate echo -e "--------------------------------------------------------------------------" echo -e "Starting NetAlertX - navigate to http://${SERVER_IP}:${PORT}" echo -e "--------------------------------------------------------------------------" # Start the NetAlertX python script +cd /app python server/ EOF 
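Review bot: Replacing the tmpfs mounts with plain directories drops the `noexec,nosuid,nodev` options that the removed `mount -t tmpfs` lines applied to `log/` and `api/`, and both directories remain writable by `www-data`. If persistence is the goal, the trade-off should be recorded at the `mkdir -p` line, e.g. `# log/ and api/ are persistent now; the former noexec,nosuid,nodev tmpfs flags no longer apply`. The two `touch` lines also leave `${INSTALL_DIR}` unquoted; `"${INSTALL_DIR}"/log/{app.log,...}` keeps the brace expansion while quoting the variable.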
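Review bot: The lines added to the generated start script hard-code `/app` for every export, for both `touch` calls and for `cd /app`, although the heredoc itself is written to `"$INSTALL_DIR/start.netalertx.sh"`, so the script only works when `INSTALL_DIR` is `/app`. Because the heredoc delimiter is unquoted, `${INSTALL_DIR}` would expand at install time just as `${PORT}` already does, e.g. `export NETALERTX_CONFIG=${INSTALL_DIR}/config`. The `cd /app` is also unchecked, so a missing directory lets `python server/` run from the wrong place; `cd "${INSTALL_DIR}" || exit 1` would stop there instead. The heredoc starts in context above the added lines.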
@@ -396,6 +381,19 @@ RestartSec=5 StandardOutput=journal StandardError=journal +# NetAlertX environment variables +Environment=NETALERTX_CONFIG=/app/config +Environment=NETALERTX_LOG=/app/log +Environment=NETALERTX_DATA=/app +Environment=NETALERTX_API=/app/api +Environment=NETALERTX_TMP=/app +Environment=PORT=${PORT} +Environment=PYTHONPATH=/app + +# Create runtime directory in tmpfs for systemd-managed volatile files +RuntimeDirectory=netalertx +RuntimeDirectoryMode=0750 + [Install] WantedBy=multi-user.target EOF diff --git a/install/proxmox/requirements.txt b/install/proxmox/requirements.txt index fdd30017a..01392609b 100755 --- a/install/proxmox/requirements.txt +++ b/install/proxmox/requirements.txt @@ -24,3 +24,4 @@ librouteros yattag zeroconf git+https://github.com/foreign-sub/aiofreepybox.git +pydantic From b48a83fe22286757eb3ce92079a3a61dd80b3fd9 Mon Sep 17 00:00:00 2001 From: rellek Date: Thu, 5 Feb 2026 21:02:54 +0000 Subject: [PATCH 02/15] fix: address CodeRabbit review regarding directory permissions and touch sequence --- install/proxmox/proxmox-install-netalertx.sh | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/install/proxmox/proxmox-install-netalertx.sh b/install/proxmox/proxmox-install-netalertx.sh index b7d803636..05ce43c2c 100755 --- a/install/proxmox/proxmox-install-netalertx.sh +++ b/install/proxmox/proxmox-install-netalertx.sh 
@@ -289,12 +289,14 @@ printf "%b\n" "----------------------------------------------------------------- # Create directory structure mkdir -p "${INSTALL_DIR}/log/plugins" "${INSTALL_DIR}/api" +# Set ownership FIRST so www-data can create files +chown -R www-data:www-data "${INSTALL_DIR}/log" "${INSTALL_DIR}/api" + # Create log and API files as www-data user to ensure correct ownership -sudo -u www-data touch ${INSTALL_DIR}/log/{app.log,execution_queue.log,app_front.log,app.php_errors.log,stderr.log,stdout.log,db_is_locked.log} sudo -u www-data touch ${INSTALL_DIR}/api/user_notifications.json +sudo -u www-data touch ${INSTALL_DIR}/log/{app.log,execution_queue.log,app_front.log,app.php_errors.log,stderr.log,stdout.log,db_is_locked.log} -# Set final permissions for all created files and directories -chown -R www-data:www-data "${INSTALL_DIR}/log" "${INSTALL_DIR}/api" +# Set final permissions chmod -R ug+rwX "${INSTALL_DIR}/log" "${INSTALL_DIR}/api" printf "%b\n" "--------------------------------------------------------------------------" From e51c265f7f8550b97c1bd3f1f58e305584fbdc12 Mon Sep 17 00:00:00 2001 From: rellek Date: Thu, 5 Feb 2026 21:03:42 +0000 Subject: [PATCH 03/15] docs: update repository references to official NetAlertX organization and fix permissions in legacy script --- install/proxmox/INSTALLATION_GUIDE.md | 4 ++-- install/proxmox/README.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/install/proxmox/INSTALLATION_GUIDE.md b/install/proxmox/INSTALLATION_GUIDE.md index caa0ab739..7bb6e1d56 100644 --- a/install/proxmox/INSTALLATION_GUIDE.md +++ b/install/proxmox/INSTALLATION_GUIDE.md 
@@ -154,6 +154,6 @@ The installation script supports the following environment variables: ## Additional Resources -- **GitHub Repository**: https://github.com/jokob-sk/NetAlertX -- **Issue Tracker**: https://github.com/jokob-sk/NetAlertX/issues +- **GitHub Repository**: https://github.com/netalertx/NetAlertX +- **Issue Tracker**: https://github.com/netalertx/NetAlertX/issues - **Documentation**: `/app/docs/` directory diff --git a/install/proxmox/README.md b/install/proxmox/README.md index 8041801c0..fe45fec8f 100755 --- a/install/proxmox/README.md +++ b/install/proxmox/README.md @@ -14,13 +14,13 @@ An installer script for deploying NetAlertX on Proxmox VE (Debian-based) system #### Proxmox VE Helper Script (Recommended) This is the easiest way to deploy NetAlertX on Proxmox. Run this command on your Proxmox host: ```bash -bash -c "$(wget -qLO - https://github.com/JVKeller/NetAlertX/raw/proxmox-baremetal-installer/install/proxmox/ct/netalertx.sh)" +bash -c "$(wget -qLO - https://github.com/netalertx/NetAlertX/raw/main/install/proxmox/ct/netalertx.sh)" ``` #### Standalone Script (Inside existing LXC/VM) Download and run the installer inside a fresh Debian/Ubuntu system: ```bash -wget https://raw.githubusercontent.com/jokob-sk/NetAlertX/refs/heads/main/install/proxmox/proxmox-install-netalertx.sh -O proxmox-install-netalertx.sh && chmod +x proxmox-install-netalertx.sh && ./proxmox-install-netalertx.sh +wget https://raw.githubusercontent.com/netalertx/NetAlertX/main/install/proxmox/proxmox-install-netalertx.sh -O proxmox-install-netalertx.sh && chmod +x proxmox-install-netalertx.sh && ./proxmox-install-netalertx.sh ``` ## 📋 What This Installer Does From a3ed98efdc4f7b3cb50ebdde58b009c8c2f8aab9 Mon Sep 17 00:00:00 2001 From: rellek Date: Fri, 6 Feb 2026 17:00:54 +0000 Subject: [PATCH 04/15] update comments --- install/proxmox/ct/netalertx.sh | 9 +++++++-- install/proxmox/install/netalertx-install.sh | 9 +++++---- 2 files changed, 12 insertions(+), 6 deletions(-) 
diff --git a/install/proxmox/ct/netalertx.sh b/install/proxmox/ct/netalertx.sh index 3bf320769..6c6347cda 100644 --- a/install/proxmox/ct/netalertx.sh +++ b/install/proxmox/ct/netalertx.sh @@ -1,9 +1,14 @@ #!/usr/bin/env bash + # Copyright (c) 2021-2026 community-scripts ORG -# Author: jokob-sk -# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE +# Author: JVKeller + +# License: GPL 3.0 | NetAlertX | https://github.com/netalertx/NetAlertX/blob/main/LICENSE.txt # Source: https://github.com/netalertx/NetAlertX +# License: MIT | ProxmoxVE | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE +# Source: https://github.com/ProxmoxVE + # Import main orchestrator source <(curl -fsSL https://github.com/community-scripts/ProxmoxVE/raw/main/misc/build.func) diff --git a/install/proxmox/install/netalertx-install.sh b/install/proxmox/install/netalertx-install.sh index 33a937f9e..271b4194a 100644 --- a/install/proxmox/install/netalertx-install.sh +++ b/install/proxmox/install/netalertx-install.sh @@ -1,14 +1,15 @@ #!/usr/bin/env bash # Copyright (c) 2021-2026 community-scripts ORG -# Author: jokob-sk -# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE +# Author: JVKeller +# License: GPL 3.0 | NetAlertX | https://github.com/netalertx/NetAlertX/blob/main/LICENSE.txt # Source: https://github.com/netalertx/NetAlertX +# License: MIT | ProxmoxVE | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE +# Source: https://github.com/ProxmoxVE + # shellcheck disable=SC1091 # FUNCTIONS_FILE_PATH is provided by build.func -# Load all available functions (from core.func + tools.func) -# shellcheck disable=SC1090 source /dev/stdin <<< "$FUNCTIONS_FILE_PATH" color From 2fb44e654be361dc58a842ff02608b80ddd5cbb8 Mon Sep 17 00:00:00 2001 
From: rellek Date: Fri, 6 Feb 2026 17:05:53 +0000 Subject: [PATCH 05/15] Add link to docs --- install/proxmox/INSTALLATION_GUIDE.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/install/proxmox/INSTALLATION_GUIDE.md b/install/proxmox/INSTALLATION_GUIDE.md index 7bb6e1d56..9a87a8d4a 100644 --- a/install/proxmox/INSTALLATION_GUIDE.md +++ b/install/proxmox/INSTALLATION_GUIDE.md @@ -17,7 +17,8 @@ This will: ### Update Existing Installation To update an existing NetAlertX container: - +- Type ```update``` in the NetAlertX LXC Console +- Or run this command on your Proxmox host: ```bash bash -c "$(wget -qLO - https://github.com/community-scripts/ProxmoxVE/raw/main/ct/netalertx.sh)" -s update ``` @@ -156,4 +157,4 @@ The installation script supports the following environment variables: - **GitHub Repository**: https://github.com/netalertx/NetAlertX - **Issue Tracker**: https://github.com/netalertx/NetAlertX/issues -- **Documentation**: `/app/docs/` directory +- **Documentation**: https://docs.netalertx.com From fb9da06ec07da22deddf6f101d5b4e2a12758053 Mon Sep 17 00:00:00 2001 From: rellek Date: Mon, 16 Feb 2026 18:01:24 +0000 Subject: [PATCH 06/15] fix: address CodeRabbit review regarding security, error handling, and hardcoded paths --- install/proxmox/ct/netalertx.sh | 13 ++++++++----- install/proxmox/install/netalertx-install.sh | 19 +++++++++---------- 2 files changed, 17 insertions(+), 15 deletions(-) diff --git a/install/proxmox/ct/netalertx.sh b/install/proxmox/ct/netalertx.sh index 6c6347cda..adc5e11a1 100644 --- a/install/proxmox/ct/netalertx.sh +++ b/install/proxmox/ct/netalertx.sh 
@@ -116,20 +116,23 @@ function update_script() { msg_info "Updating ${APP}" cd /app || exit - git pull + # Ensure clean state before pulling + git fetch origin || exit 1 + git reset --hard origin/main || exit 1 msg_ok "Updated ${APP}" - + msg_info "Updating Python Dependencies" # shellcheck disable=SC1091 # venv activation script source /opt/netalertx-env/bin/activate - pip install -r install/proxmox/requirements.txt + # Suppress pip output unless verbose + $STD pip install -r install/proxmox/requirements.txt || exit 1 deactivate msg_ok "Updated Python Dependencies" - + msg_info "Starting ${APP} Service" systemctl start netalertx.service msg_ok "Started ${APP} Service" - + msg_ok "Update Complete" exit } diff --git a/install/proxmox/install/netalertx-install.sh b/install/proxmox/install/netalertx-install.sh index 271b4194a..1b0448a6f 100644 --- a/install/proxmox/install/netalertx-install.sh +++ b/install/proxmox/install/netalertx-install.sh @@ -111,7 +111,7 @@ BINARY_PYTHON=$(readlink -f /opt/netalertx-env/bin/python) [[ -n "$BINARY_ARPSCAN" ]] && setcap cap_net_raw,cap_net_admin+eip "$BINARY_ARPSCAN" || true [[ -n "$BINARY_NBTSCAN" ]] && setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip "$BINARY_NBTSCAN" || true [[ -n "$BINARY_TRACEROUTE" ]] && setcap cap_net_raw,cap_net_admin+eip "$BINARY_TRACEROUTE" || true -[[ -n "$BINARY_PYTHON" ]] && setcap cap_net_raw,cap_net_admin+eip "$BINARY_PYTHON" || true +# Dropped setcap on python binary as it is a security risk. Sudoers is used instead. msg_ok "Security capabilities applied" msg_ok "Installed Python Dependencies" 
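Review bot: Each new `|| exit 1` in this hunk (`git fetch origin`, `git reset --hard origin/main`, the pip install) leaves update_script before the `systemctl start netalertx.service` at the bottom. The stop step visible in the later -107,7 hunk has already run by then, so a transient network failure leaves NetAlertX down. Running `git fetch` before the service is stopped, or restarting on the failure path with `git fetch origin || { systemctl start netalertx.service; exit 1; }`, keeps a failed update from becoming an outage. `git reset --hard` also discards local edits to tracked files under /app without a message, so a comment stating that this is intended would help. update_script starts outside the hunk.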
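Review bot: Removing the `setcap` line only changes fresh installs, so a container built from the earlier revision keeps cap_net_raw and cap_net_admin on whatever `readlink -f /opt/netalertx-env/bin/python` resolved to. That is presumably the interpreter the venv links to rather than a private copy. Clearing it explicitly with `[[ -n "$BINARY_PYTHON" ]] && setcap -r "$BINARY_PYTHON" 2>/dev/null || true`, here and in update_script, would make the fix reach existing containers. The new comment says sudoers is used instead; naming the sudoers file in it would let a reader check which commands replace the capability.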
@@ -147,13 +147,13 @@ sed -i "s/listen 20211;/listen ${PORT};/g" "${INSTALL_DIR}/config/netalertx.conf # Create symbolic link to NGINX configuration ln -sfn "${INSTALL_DIR}/config/netalertx.conf" /etc/nginx/conf.d/netalertx.conf -# Detect PHP-FPM socket and update NGINX config -PHP_FPM_SOCKET=$(find /run/php/ -name "php*-fpm.sock" | head -n 1) -if [[ -n "$PHP_FPM_SOCKET" ]]; then - msg_info "Detected PHP-FPM socket: $PHP_FPM_SOCKET" - sed -i "s|unix:/var/run/php/php-fpm.sock;|unix:$PHP_FPM_SOCKET;|g" /etc/nginx/conf.d/netalertx.conf +# Postpone PHP-FPM socket detection until after service start, or use a fallback. +# For now, we configure a default and assume the standard Debian 13/Ubuntu 24 location. +if [ -S "/run/php/php8.4-fpm.sock" ]; then + sed -i "s|unix:/var/run/php/php-fpm.sock;|unix:/run/php/php8.4-fpm.sock;|g" /etc/nginx/conf.d/netalertx.conf else - msg_warn "Could not detect PHP-FPM socket path automatically" + # Fallback pattern for detection during startup if possible + msg_warn "PHP-FPM socket not found at standard location, will rely on service startup" fi # Enable and start NGINX @@ -206,7 +206,7 @@ chown -R www-data:www-data "${INSTALL_DIR}/db/app.db" # Configure sudoers for www-data (Needed for Init Checks & Tools) msg_info "Configuring Sudoers" cat > /etc/sudoers.d/netalertx < Date: Mon, 16 Feb 2026 18:48:49 +0000 Subject: [PATCH 07/15] refactor: improve robustness of update logic and sudoers generation based on CodeRabbit review --- install/proxmox/ct/netalertx.sh | 15 ++++--- install/proxmox/install/netalertx-install.sh | 41 +++++++++++++------- 2 files changed, 36 insertions(+), 20 deletions(-) diff --git a/install/proxmox/ct/netalertx.sh b/install/proxmox/ct/netalertx.sh index adc5e11a1..de81d612f 100644 --- a/install/proxmox/ct/netalertx.sh +++ b/install/proxmox/ct/netalertx.sh 
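Review bot: The `-S "/run/php/php8.4-fpm.sock"` test runs at install time, so if PHP-FPM has not created its socket yet the `sed` is skipped and the NGINX config keeps `unix:/var/run/php/php-fpm.sock`. Nothing visible in this series performs the later detection that the warning text promises. Since the path is fixed once PHP 8.4 is set up, the rewrite could run unconditionally, `sed -i "s|unix:/var/run/php/php-fpm.sock;|unix:/run/php/php8.4-fpm.sock;|g" /etc/nginx/conf.d/netalertx.conf`, with the existence check kept only to decide whether to warn. The literal 8.4 also has to track the PHP version the installer sets up, so taking it from one variable would avoid a silent mismatch.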
@@ -107,7 +107,7 @@ function update_script() { if [[ ! -d /app ]]; then msg_error "No ${APP} Installation Found!" - exit + exit 1 fi msg_info "Stopping ${APP} Service" @@ -115,11 +115,14 @@ function update_script() { msg_ok "Stopped ${APP} Service" msg_info "Updating ${APP}" - cd /app || exit - # Ensure clean state before pulling - git fetch origin || exit 1 - git reset --hard origin/main || exit 1 - msg_ok "Updated ${APP}" + cd /app || exit 1 + # Get current branch (default to main if detection fails) + BRANCH=$(git rev-parse --abbrev-ref HEAD 2>/dev/null || echo "main") + + # Ensure clean state before pulling from the detected branch + git fetch origin "${BRANCH}" || exit 1 + git reset --hard "origin/${BRANCH}" || exit 1 + msg_ok "Updated ${APP} (Branch: ${BRANCH})" msg_info "Updating Python Dependencies" # shellcheck disable=SC1091 # venv activation script diff --git a/install/proxmox/install/netalertx-install.sh b/install/proxmox/install/netalertx-install.sh index 1b0448a6f..f186730b8 100644 --- a/install/proxmox/install/netalertx-install.sh +++ b/install/proxmox/install/netalertx-install.sh @@ -205,10 +205,29 @@ chown -R www-data:www-data "${INSTALL_DIR}/db/app.db" # Configure sudoers for www-data (Needed for Init Checks & Tools) msg_info "Configuring Sudoers" -cat > /etc/sudoers.d/netalertx < /etc/sudoers.d/netalertx.tmp </dev/null; then + mv /etc/sudoers.d/netalertx.tmp /etc/sudoers.d/netalertx + chmod 440 /etc/sudoers.d/netalertx + msg_ok "Sudoers configured" +else + rm /etc/sudoers.d/netalertx.tmp + msg_error "Sudoers syntax validation failed" + # Don't exit, just warn, as app might still run partially +fi msg_ok "Sudoers configured" msg_ok "Database and Configuration Ready" @@ -241,7 +260,6 @@ export NETALERTX_LOG=/app/log export NETALERTX_DATA=/app export NETALERTX_API=/app/api export NETALERTX_TMP=/app -# Duplicate exports removed export PORT=${PORT} export PYTHONPATH=/app 
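Review bot: `git rev-parse --abbrev-ref HEAD` prints the literal `HEAD` and exits 0 on a detached checkout, so the `|| echo "main"` fallback never fires there and the next lines run `git fetch origin HEAD` and `git reset --hard origin/HEAD`. That state becomes reachable once the installer clones with `--branch` (PATCH 08/15), because a tag name yields a detached HEAD. `BRANCH=$(git symbolic-ref --short -q HEAD || echo "main")` exits non-zero when detached and makes the fallback behave as the comment describes. The `|| exit 1` paths in this hunk still return with the service stopped.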
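Review bot: The unchanged `msg_ok "Sudoers configured"` after `fi` still runs on the failure branch, so a rejected file is reported as an error and then as configured, and the success branch prints the message twice; the trailing line should be removed. The else branch continues without a sudoers file on purpose, and with the python capability dropped in the previous commit that presumably leaves the scan tools without the privileges they need, so the error text should say what will not work. The heredoc body and the validation command are not legible on this page, so the commands granted to www-data could not be reviewed here.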
@@ -252,8 +270,12 @@ touch /app/front/plugins/__init__.py # Activate the virtual python environment source /opt/netalertx-env/bin/activate +# Dynamically get IP for banner +SERVER_IP=\$(hostname -I 2>/dev/null | awk '{print \$1}') +if [ -z "\${SERVER_IP}" ]; then SERVER_IP="127.0.0.1"; fi + echo -e "--------------------------------------------------------------------------" -echo -e "Starting NetAlertX - navigate to http://${SERVER_IP}:${PORT}" +echo -e "Starting NetAlertX - navigate to http://\${SERVER_IP}:\${PORT}" echo -e "--------------------------------------------------------------------------" # Start the NetAlertX python script @@ -281,15 +303,6 @@ RestartSec=5 StandardOutput=journal StandardError=journal -# NetAlertX environment variables -Environment=NETALERTX_CONFIG=/app/config -Environment=NETALERTX_LOG=/app/log -Environment=NETALERTX_DATA=/app -Environment=NETALERTX_API=/app/api -Environment=NETALERTX_TMP=/app -Environment=PORT=${PORT} -Environment=PYTHONPATH=/app - # Create runtime directory in tmpfs for systemd-managed volatile files RuntimeDirectory=netalertx RuntimeDirectoryMode=0750 From a17f980d542c47234048b9a0d567dca6d21ddc33 Mon Sep 17 00:00:00 2001 From: rellek Date: Mon, 16 Feb 2026 19:12:47 +0000 Subject: [PATCH 08/15] feat: add REPO_BRANCH support for flexible deployment and testing --- install/proxmox/ct/netalertx.sh | 2 +- install/proxmox/install/netalertx-install.sh | 7 +++++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/install/proxmox/ct/netalertx.sh b/install/proxmox/ct/netalertx.sh index de81d612f..8b3d9fb67 100644 --- a/install/proxmox/ct/netalertx.sh +++ b/install/proxmox/ct/netalertx.sh 
@@ -54,7 +54,7 @@ if [[ -f "$LOCAL_INSTALLER" ]]; then fi # Export variables to ensure they're passed to the installation script -export NSAPP APP var_os var_version var_cpu var_ram var_disk var_unprivileged PORT VERBOSE REPO_URL +export NSAPP APP var_os var_version var_cpu var_ram var_disk var_unprivileged PORT VERBOSE REPO_URL REPO_BRANCH # Support verbose logging if [[ "${VERBOSE:-no}" == "yes" ]]; then diff --git a/install/proxmox/install/netalertx-install.sh b/install/proxmox/install/netalertx-install.sh index f186730b8..8d38d4981 100644 --- a/install/proxmox/install/netalertx-install.sh +++ b/install/proxmox/install/netalertx-install.sh @@ -64,11 +64,14 @@ msg_ok "PHP 8.4 setup complete" # ============================================================================ msg_info "Cloning NetAlertX Repository" INSTALL_DIR="/app" -# Default repository if not specified +# Default repository and branch if not specified REPO_URL="${REPO_URL:-https://github.com/netalertx/NetAlertX.git}" +REPO_BRANCH="${REPO_BRANCH:-main}" + # Ensure directory is empty rm -rf "$INSTALL_DIR" -git clone "$REPO_URL" "$INSTALL_DIR/" --quiet +msg_info "Cloning NetAlertX (${REPO_BRANCH})" +git clone --branch "$REPO_BRANCH" "$REPO_URL" "$INSTALL_DIR" --quiet cd "$INSTALL_DIR" || exit # Remove symlink placeholders from the repository to ensure they become persistent directories From 220da27863645b84940f736ca14377b57d6995c2 Mon Sep 17 00:00:00 2001 From: rellek Date: Wed, 18 Feb 2026 18:53:25 +0000 Subject: [PATCH 09/15] Fix for update script --- install/proxmox/ct/netalertx.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/install/proxmox/ct/netalertx.sh b/install/proxmox/ct/netalertx.sh index 8b3d9fb67..c12010413 100644 --- a/install/proxmox/ct/netalertx.sh +++ b/install/proxmox/ct/netalertx.sh 
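Review bot: `REPO_URL` and `REPO_BRANCH` come from the environment and are placed in the `git clone` command with no end-of-options marker, and the clone's exit status is not checked before the `cd`. `git clone --quiet --branch "$REPO_BRANCH" -- "$REPO_URL" "$INSTALL_DIR" || exit 1` stops a value beginning with `-` from being read as an option and aborts on a failed clone. These two variables decide which code the container later runs, presumably with root privileges, so logging the resolved commit after the clone (`git -C "$INSTALL_DIR" rev-parse HEAD`) would make each install traceable. The added `msg_info` is also issued before the first one in this block has been closed by a `msg_ok`.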
@@ -66,7 +66,8 @@ fi if ! ip link show vmbr0 >/dev/null 2>&1 || [[ "$(cat /sys/class/net/vmbr0/bridge/bridge_id 2>/dev/null)" == "" ]]; then # Get List of Bridges using multiple methods # shellcheck disable=SC2207,SC2010 # Working pattern for bridge detection - BRIDGES=($(ip -o link show type bridge | awk -F': ' '{print $2}') $(ls /sys/class/net | grep vmbr | grep -v "vmbr0")) + # || true prevents grep exit code 1 (no matches) from killing script under set -e + BRIDGES=($(ip -o link show type bridge | awk -F': ' '{print $2}') $(ls /sys/class/net | grep vmbr | grep -v "vmbr0" || true)) # Remove duplicates # shellcheck disable=SC2207 # Working pattern for deduplication BRIDGES=($(echo "${BRIDGES[@]}" | tr ' ' '\n' | sort -u | tr '\n' ' ')) From 6397971cd3cff848b68cfb5e8f6b053cc129abcc Mon Sep 17 00:00:00 2001 From: rellek Date: Wed, 18 Feb 2026 19:05:40 +0000 Subject: [PATCH 10/15] feat: add local 'update' command inside the LXC container for console updates --- install/proxmox/install/netalertx-install.sh | 34 ++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/install/proxmox/install/netalertx-install.sh b/install/proxmox/install/netalertx-install.sh index 8d38d4981..f27a56e4a 100644 --- a/install/proxmox/install/netalertx-install.sh +++ b/install/proxmox/install/netalertx-install.sh 
@@ -328,6 +328,40 @@ else exit 1 fi +# ============================================================================ +msg_info "Creating Update Script" +cat </usr/bin/update +#!/usr/bin/env bash +# NetAlertX Update Script +set -e +function msg_info() { echo -e "\e[32m[INFO]\e[0m \$1"; } +function msg_ok() { echo -e "\e[32m[OK]\e[0m \$1"; } + +msg_info "Updating System Packages" +apt-get update +apt-get upgrade -y + +msg_info "Stopping NetAlertX Service" +systemctl stop netalertx.service + +msg_info "Updating NetAlertX" +cd /app +BRANCH=\$(git rev-parse --abbrev-ref HEAD 2>/dev/null || echo "main") +git fetch origin "\${BRANCH}" +git reset --hard "origin/\${BRANCH}" + +msg_info "Updating Python Dependencies" +source /opt/netalertx-env/bin/activate +pip install -r install/proxmox/requirements.txt +deactivate + +msg_info "Starting NetAlertX Service" +systemctl start netalertx.service +msg_ok "Update Complete" +EOF +chmod +x /usr/bin/update +msg_ok "Created Update Script" + # ============================================================================ msg_info "Checking Hardware Vendor Database" OUI_FILE="/usr/share/arp-scan/ieee-oui.txt" From bdf76fde7d73003558f2f5f4c961d78ba6e45fa9 Mon Sep 17 00:00:00 2001 From: rellek Date: Wed, 18 Feb 2026 19:08:19 +0000 Subject: [PATCH 11/15] refactor: use native styled update link (compliant with ProxmoxVE guidelines) --- install/proxmox/install/netalertx-install.sh | 36 +++----------------- 1 file changed, 5 insertions(+), 31 deletions(-) diff --git a/install/proxmox/install/netalertx-install.sh b/install/proxmox/install/netalertx-install.sh index f27a56e4a..9d79105e8 100644 --- a/install/proxmox/install/netalertx-install.sh +++ b/install/proxmox/install/netalertx-install.sh 
@@ -329,38 +329,12 @@ else fi # ============================================================================ -msg_info "Creating Update Script" -cat </usr/bin/update -#!/usr/bin/env bash -# NetAlertX Update Script -set -e -function msg_info() { echo -e "\e[32m[INFO]\e[0m \$1"; } -function msg_ok() { echo -e "\e[32m[OK]\e[0m \$1"; } - -msg_info "Updating System Packages" -apt-get update -apt-get upgrade -y - -msg_info "Stopping NetAlertX Service" -systemctl stop netalertx.service - -msg_info "Updating NetAlertX" -cd /app -BRANCH=\$(git rev-parse --abbrev-ref HEAD 2>/dev/null || echo "main") -git fetch origin "\${BRANCH}" -git reset --hard "origin/\${BRANCH}" - -msg_info "Updating Python Dependencies" -source /opt/netalertx-env/bin/activate -pip install -r install/proxmox/requirements.txt -deactivate - -msg_info "Starting NetAlertX Service" -systemctl start netalertx.service -msg_ok "Update Complete" -EOF +# Create the native ProxmoxVE 'update' command link +# We use REPOS_URL to ensure it points to your branch during the PR phase +msg_info "Creating Update Link" +echo "bash -c \"\$(curl -fsSL ${REPOS_URL:-https://github.com/netalertx/NetAlertX/raw/main}/install/proxmox/ct/netalertx.sh)\" -s update" > /usr/bin/update chmod +x /usr/bin/update -msg_ok "Created Update Script" +msg_ok "Created Update Link" # ============================================================================ msg_info "Checking Hardware Vendor Database" From a6ea228b7cb4eff16097ff31143257e87c14ef58 Mon Sep 17 00:00:00 2001 From: rellek Date: Wed, 18 Feb 2026 19:10:07 +0000 Subject: [PATCH 12/15] fix: export REPOS_URL to ensure update command persists the custom repo path --- install/proxmox/ct/netalertx.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/proxmox/ct/netalertx.sh b/install/proxmox/ct/netalertx.sh index c12010413..b7f8bd0af 100644 --- a/install/proxmox/ct/netalertx.sh +++ b/install/proxmox/ct/netalertx.sh 
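Review bot: The generated /usr/bin/update downloads a script and executes it on every run, and its URL is frozen from `REPOS_URL` at install time, so a container built from a fork or PR branch keeps updating from that fork indefinitely. If `curl` fails, the command substitution is empty and `bash -c ""` exits 0, so a failed download looks like a successful update; the file is also written without a shebang. Fetching to a temporary file under `set -e` and running it only when the download succeeded fixes the silent failure, and baking in the upstream URL unless a fork is requested at update time limits the persistence. The same line is revised by the -332,7 hunk in PATCH 13/15 and the point applies there as well.

```shell
# … unchanged: msg_info "Creating Update Link" …
cat > /usr/bin/update <<EOF
#!/usr/bin/env bash
set -euo pipefail
tmp=\$(mktemp)
trap 'rm -f -- "\$tmp"' EXIT
# Download first so a failed fetch aborts instead of running an empty script
curl -fsSL "${REPOS_URL:-https://github.com/netalertx/NetAlertX/raw/main}/install/proxmox/ct/netalertx.sh" -o "\$tmp"
bash -c "\$(cat "\$tmp")" -s update
EOF
# … unchanged: chmod +x /usr/bin/update, msg_ok …
```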
@@ -54,7 +54,7 @@ if [[ -f "$LOCAL_INSTALLER" ]]; then fi # Export variables to ensure they're passed to the installation script -export NSAPP APP var_os var_version var_cpu var_ram var_disk var_unprivileged PORT VERBOSE REPO_URL REPO_BRANCH +export NSAPP APP var_os var_version var_cpu var_ram var_disk var_unprivileged PORT VERBOSE REPO_URL REPO_BRANCH REPOS_URL # Support verbose logging if [[ "${VERBOSE:-no}" == "yes" ]]; then From eefe4040f962f4f9d1718d894706acfaea92a2b7 Mon Sep 17 00:00:00 2001 From: rellek Date: Wed, 18 Feb 2026 19:14:55 +0000 Subject: [PATCH 13/15] fix: resolve 404 errors by correcting installer filename mapping and default raw URL --- install/proxmox/ct/netalertx.sh | 4 ++-- install/proxmox/install/netalertx-install.sh | 4 +++- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/install/proxmox/ct/netalertx.sh b/install/proxmox/ct/netalertx.sh index b7f8bd0af..d64e103f8 100644 --- a/install/proxmox/ct/netalertx.sh +++ b/install/proxmox/ct/netalertx.sh @@ -38,8 +38,8 @@ if [[ -n "${REPOS_URL}" ]]; then fi # Override build_container to use the custom repo URL original_func=$(declare -f build_container) - # Map official ProxmoxVE path to NetAlertX fork path - EXTREMELY SURGICAL to avoid core breakages - eval "$(echo "$original_func" | sed "s|https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/install/\${var_install}.sh|${REPOS_URL}/install/proxmox/install/\${var_install}.sh|g")" + # Map official ProxmoxVE path to NetAlertX fork path - Corrected to include -install suffix + eval "$(echo "$original_func" | sed "s|https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/install/\${var_install}.sh|${REPOS_URL}/install/proxmox/install/\${var_install}-install.sh|g")" fi # Define local installer path for testing diff --git a/install/proxmox/install/netalertx-install.sh b/install/proxmox/install/netalertx-install.sh index 9d79105e8..fcc3f4d0d 100644 --- a/install/proxmox/install/netalertx-install.sh 
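Review bot: `REPOS_URL` is spliced unescaped into the `sed` replacement and the result is passed to `eval`, so a value containing `|`, `&` or shell syntax rewrites the body of `build_container` rather than only the URL. A format check before the override, such as `[[ "$REPOS_URL" =~ ^https://[A-Za-z0-9._/-]+$ ]] || { echo "invalid REPOS_URL" >&2; exit 1; }`, keeps the substitution to a plain URL. The rewrite also depends on the exact upstream string in build.func: if that line changes, `sed` matches nothing and the official installer is used without any message, so comparing the rewritten text with `$original_func` and failing when they are equal would surface it. The enclosing `if [[ -n "${REPOS_URL}" ]]` block starts outside the hunk.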
+++ b/install/proxmox/install/netalertx-install.sh @@ -332,7 +332,9 @@ fi # Create the native ProxmoxVE 'update' command link # We use REPOS_URL to ensure it points to your branch during the PR phase msg_info "Creating Update Link" -echo "bash -c \"\$(curl -fsSL ${REPOS_URL:-https://github.com/netalertx/NetAlertX/raw/main}/install/proxmox/ct/netalertx.sh)\" -s update" > /usr/bin/update +# Use raw.githubusercontent.com for more reliable fetching +DEFAULT_BASE="https://raw.githubusercontent.com/netalertx/NetAlertX/main" +echo "bash -c \"\$(curl -fsSL ${REPOS_URL:-$DEFAULT_BASE}/install/proxmox/ct/netalertx.sh)\" -s update" > /usr/bin/update chmod +x /usr/bin/update msg_ok "Created Update Link" From b8225fdadfa22239287e4ce3f2081d76a0ec6589 Mon Sep 17 00:00:00 2001 From: rellek Date: Wed, 18 Feb 2026 19:18:37 +0000 Subject: [PATCH 14/15] fix: make bridge detection more inclusive and robust --- install/proxmox/ct/netalertx.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/install/proxmox/ct/netalertx.sh b/install/proxmox/ct/netalertx.sh index d64e103f8..09533bf92 100644 --- a/install/proxmox/ct/netalertx.sh +++ b/install/proxmox/ct/netalertx.sh 
@@ -66,8 +66,8 @@ fi if ! ip link show vmbr0 >/dev/null 2>&1 || [[ "$(cat /sys/class/net/vmbr0/bridge/bridge_id 2>/dev/null)" == "" ]]; then # Get List of Bridges using multiple methods # shellcheck disable=SC2207,SC2010 # Working pattern for bridge detection - # || true prevents grep exit code 1 (no matches) from killing script under set -e - BRIDGES=($(ip -o link show type bridge | awk -F': ' '{print $2}') $(ls /sys/class/net | grep vmbr | grep -v "vmbr0" || true)) + # We include vmbr0 in the search now to avoid errors if it exists but failed the strict check + BRIDGES=($(ip -o link show type bridge | awk -F': ' '{print $2}') $(ls /sys/class/net 2>/dev/null | grep vmbr || true)) # Remove duplicates # shellcheck disable=SC2207 # Working pattern for deduplication BRIDGES=($(echo "${BRIDGES[@]}" | tr ' ' '\n' | sort -u | tr '\n' ' ')) From 29480bbcfb107beb9859b2e99d117c8f95e560bc Mon Sep 17 00:00:00 2001 From: rellek Date: Mon, 23 Feb 2026 17:48:31 +0000 Subject: [PATCH 15/15] Add config to fix ARP on Network upstream --- install/proxmox/ct/netalertx.sh | 11 +++++++++++ install/proxmox/install/netalertx-install.sh | 14 +++++++++++++- 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/install/proxmox/ct/netalertx.sh b/install/proxmox/ct/netalertx.sh index 09533bf92..92aa761b6 100644 --- a/install/proxmox/ct/netalertx.sh +++ b/install/proxmox/ct/netalertx.sh @@ -133,6 +133,17 @@ function update_script() { deactivate msg_ok "Updated Python Dependencies" + msg_info "Applying System Optimizations" + mkdir -p /etc/sysctl.d + cat < /etc/sysctl.d/99-arp-fix.conf +net.ipv4.conf.all.arp_ignore = 1 +net.ipv4.conf.all.arp_announce = 2 +net.ipv4.conf.default.arp_ignore = 1 +net.ipv4.conf.default.arp_announce = 2 +EOF + sysctl -p /etc/sysctl.d/99-arp-fix.conf 2>/dev/null || true + msg_ok "System optimizations applied" + msg_info "Starting ${APP} Service" systemctl start netalertx.service msg_ok "Started ${APP} Service" 
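Review bot: The four `arp_ignore`/`arp_announce` keys change how the container answers and announces ARP, but the message only says "System Optimizations" and the generated file carries no explanation. A header comment in 99-arp-fix.conf such as `# Answer ARP only on the interface that owns the address (NetAlertX scan accuracy)`, with the wording confirmed by the author, would tell an admin why the file exists. `sysctl -p ... 2>/dev/null || true` followed by an unconditional `msg_ok "System optimizations applied"` reports success even when the keys could not be written, which the installer's own comment says happens on some LXC types; a `msg_warn` on failure would be accurate. The same block is duplicated in the -116,7 hunk of install/proxmox/install/netalertx-install.sh in this commit and both points apply there.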
diff --git a/install/proxmox/install/netalertx-install.sh b/install/proxmox/install/netalertx-install.sh index fcc3f4d0d..55891043d 100644 --- a/install/proxmox/install/netalertx-install.sh +++ b/install/proxmox/install/netalertx-install.sh @@ -116,7 +116,19 @@ BINARY_PYTHON=$(readlink -f /opt/netalertx-env/bin/python) [[ -n "$BINARY_TRACEROUTE" ]] && setcap cap_net_raw,cap_net_admin+eip "$BINARY_TRACEROUTE" || true # Dropped setcap on python binary as it is a security risk. Sudoers is used instead. msg_ok "Security capabilities applied" -msg_ok "Installed Python Dependencies" + +# ============================================================================ +msg_info "Applying System Optimizations" +mkdir -p /etc/sysctl.d +cat < /etc/sysctl.d/99-arp-fix.conf +net.ipv4.conf.all.arp_ignore = 1 +net.ipv4.conf.all.arp_announce = 2 +net.ipv4.conf.default.arp_ignore = 1 +net.ipv4.conf.default.arp_announce = 2 +EOF +# Apply settings immediately, ignore errors if sysctl is not accessible in some LXC types +sysctl -p /etc/sysctl.d/99-arp-fix.conf 2>/dev/null || true +msg_ok "System optimizations applied" # ============================================================================ msg_info "Configuring NGINX"