Sign in Subscribe
Proxmox

Proxmox VE 9.1 Lands – What It Means

Leon SCOTT

12 min read
Proxmox VE 9.1 Lands – What It Means

I’ve tried hard not to tinker too much with my base configuration, but Proxmox VE 9.1 brings some changes that are too significant to ignore. Hopefully, these won’t disrupt my setup too badly—but as always, the lab is where things break first.

What’s New in Proxmox VE 9.1

Brandon Lee has a great rundown of the release:

Proxmox VE 9.1 Launches with OCI Image Support, vTPM Snapshots, and Big SDN Upgrades
See what is new in Proxmox VE 9.1, from OCI containers to vTPM and networking upgrades, and follow easy upgrade steps to get your cluster ready.
Virtualization HowtoBrandon Lee

Highlights include:

  • OCI-based LXC containers – You can now build LXC containers directly from OCI images. OCI (Open Container Initiative) is the standard underpinning modern container ecosystems, including Docker Hub and private registries.
  • vTPM snapshots – Adding flexibility for virtual machines that rely on trusted platform modules.
  • Major SDN upgrades – Networking gets a serious boost, making cluster management more powerful.
Complete Guide to Proxmox Containers in 2025: Docker VMs, LXC, and New OCI Support
Learn how to run Proxmox containers in 2025 using Docker VMs, LXC, and new OCI support with tips for performance, updates, and home lab.
Virtualization HowtoBrandon Lee

Linuxiac also covers the release in detail, noting the inclusion of Linux kernel 6.17 alongside virtualization, security, and networking improvements.

Proxmox VE 9.1 Released With OCI-Based LXC Deployment
Proxmox VE 9.1 debuts OCI-based LXC containers, Linux kernel 6.17, and upgrades to virtualization, security, and networking.
LinuxiacBobby Borisov

My Lab Reality Check

All my lab containers run on Debian 13 LXC’s, now powered by Podman instead of Docker. I’ve reached the point where I can redeploy my old Docker stacks under Podman, bringing the systems back online.

Did it all work smoothly? Not quite. Things broke—as they always do—but that’s the beauty of a lab environment.

Recovery Steps

Here’s the rebuild process I followed:

  • Rebuild the server
  • Revise and rebuild networking and SSH
  • Rebuild the LXC Podman servers (thankfully scripted)
  • Test, test, test
  • Rebuild the Docker stacks with a few Podman-specific modifications

Updated networking script - Revised 2025-11-28

#!/bin/bash
# setup-pxe-script.sh
# Proxmox VE 9.1 + Debian 13.2
# One-shot setup: IPv4 DHCP + IPv6 RA/DHCPv6 networking, regenerate SSH host keys, hardened sshd_config
# Code review date: 2025-11-28

set -euo pipefail

# ------------------------------------------------------------------------
# Logging
info()  { echo -e "\033[0;32m[INFO]\033[0m $*"; }
warn() { echo -e "\033[0;33m[WARN]\033[0m $*" >&2; }
error(){ echo -e "\033[0;31m[ERROR]\033[0m $*" >&2; }

LOGFILE="/var/log/proxmox-setup-$(date +%Y%m%d-%H%M%S).log"
exec > >(tee -a "$LOGFILE") 2>&1

BACKUP_TS="$(date +%Y%m%d-%H%M%S)"

# Timezone configuration
info "Set the timezone manually to ensure consistency..."
timedatectl set-timezone Australia/Perth

# ------------------------------------------------------------------------
# Define primary NIC explicitly
PRIMARY_NIC="eth0"
VM_BRIDGE="vmbr0"

# ------------------------------------------------------------------------
# 1. Backup and write /etc/network/interfaces
info "Backing up and writing /etc/network/interfaces..."
cp /etc/network/interfaces /etc/network/interfaces.bak.${BACKUP_TS} || true
cat <<EOF > /etc/network/interfaces
# Managed by configure-proxmox-network-and-ssh.sh (${BACKUP_TS})

auto lo
iface lo inet loopback

iface ${PRIMARY_NIC} inet manual

auto ${VM_BRIDGE}
iface ${VM_BRIDGE} inet dhcp
    bridge-ports ${PRIMARY_NIC}
    bridge-stp on
    bridge-fd 0

iface ${VM_BRIDGE} inet6 auto
    accept_ra 2
    autoconf 1
    privext 0
EOF
info "Interfaces file written."

# ------------------------------------------------------------------------
# 2. dhcpcd setup
info "Ensuring dhcpcd installed..."
apt-get update -y
DEBIAN_FRONTEND=noninteractive apt-get install -y dhcpcd5 || true

info "Writing /etc/dhcpcd.conf..."
cat <<EOF > /etc/dhcpcd.conf
# Managed by configure-proxmox-network-and-ssh.sh (${BACKUP_TS})
denyinterfaces ${PRIMARY_NIC}
interface ${VM_BRIDGE}
ipv6rs
hostname $(hostname)
clientid
# Required to forward the DNS settings to LXC containers
static domain_name_servers=192.168.1.1 fe80::f6e2:c6ff:feee:63e3
static domain_search=braedach.com
EOF

systemctl enable dhcpcd
systemctl restart dhcpcd

# ------------------------------------------------------------------------
# 3. Sysctl tuning
info "Applying IPv6 sysctl tuning..."
cat <<EOF > /etc/sysctl.d/99-ipv6-${VM_BRIDGE}.conf
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.${VM_BRIDGE}.accept_ra=2
net.ipv6.conf.${VM_BRIDGE}.autoconf=1
EOF
sysctl --system

# ------------------------------------------------------------------------
# 4. Bring up bridge
info "Bringing up ${VM_BRIDGE}..."
if ip link set "${VM_BRIDGE}" up; then
  info "${VM_BRIDGE} brought up successfully."
else
  warn "Failed to bring up ${VM_BRIDGE} — check interface definition."
fi

info "Restarting networking service..."
if systemctl restart networking; then
  info "Networking service restarted."
else
  warn "Networking restart failed — continuing, but verify manually."
fi


# ------------------------------------------------------------------------
# 5. SSH regeneration and hardening
SSHD_DIR="/etc/ssh"
SSHD_CFG="${SSHD_DIR}/sshd_config"
BACKUP_DIR="${SSHD_DIR}/backup-${BACKUP_TS}"
mkdir -p "${BACKUP_DIR}"

info "Backing up sshd_config and host keys..."
cp -a "${SSHD_CFG}" "${BACKUP_DIR}/sshd_config.bak" || true
for key in ssh_host_ed25519_key ssh_host_rsa_key; do
  [[ -f "${SSHD_DIR}/${key}" ]] && mv "${SSHD_DIR}/${key}" "${BACKUP_DIR}/"
  [[ -f "${SSHD_DIR}/${key}.pub" ]] && mv "${SSHD_DIR}/${key}.pub" "${BACKUP_DIR}/"
done

info "Deleting old SSH host keys..."
rm -f /etc/ssh/ssh_host_* 

info "Generating new ED25519 host key..."
ssh-keygen -t ed25519 -f "${SSHD_DIR}/ssh_host_ed25519_key" -N "" -o -a 100
info "Generating new RSA-4096 host key - not used - can be deleted..."
ssh-keygen -t rsa -b 4096 -f "${SSHD_DIR}/ssh_host_rsa_key" -N "" -o -a 100

chmod 600 "${SSHD_DIR}/ssh_host_ed25519_key" "${SSHD_DIR}/ssh_host_rsa_key"
chmod 644 "${SSHD_DIR}/ssh_host_ed25519_key.pub" "${SSHD_DIR}/ssh_host_rsa_key.pub"

info "Writing hardened sshd_config..."
cat <<EOF > "${SSHD_CFG}"
# Managed by configure-proxmox-network-and-ssh.sh (${BACKUP_TS})

Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
LoginGraceTime 30
MaxAuthTries 4
MaxSessions 10

HostKey ${SSHD_DIR}/ssh_host_ed25519_key

AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
ClientAliveInterval 300
ClientAliveCountMax 2
UseDNS no
PrintMotd no
PrintLastLog yes
AcceptEnv LANG LC_*

# Permit root password auth only from RFC1918 and link-local IPv6
Match Address 10.0.0.0/8,192.168.0.0/16,fe80::/10
  PermitRootLogin yes
  PasswordAuthentication yes
  AuthenticationMethods any
EOF

info "Validating sshd_config..."
if sshd -t; then
  info "sshd_config syntax OK, restarting ssh..."
  if systemctl restart ssh; then
    info "sshd restarted successfully."
  else
    error "systemctl restart ssh failed — check service status."
  fi
else
  error "sshd_config test failed — not restarting ssh."
fi


# ------------------------------------------------------------------------
# 6. Configure firewall

info "Configuring UFW firewall rules..."
warn "Ensure you insert fireall rules appropriate for your environment."

# ------------------------------------------------------------------------
# 7. Final diagnostics
info "Diagnostics:"
ip addr show "${VM_BRIDGE}" || true
ip route show || true
ip -6 route show || true
ss -lntup | grep -E ':(22)\b' || true

info "✅ Network + SSH setup complete. Log saved to ${LOGFILE}"

LXC Debian 13 container setup script

#!/bin/bash
# ============================================================
# Proxmox LXC Podman + Conditional Portainer CE Setup Script
# ============================================================
# Purpose:
#   - This script uses a Debian 13 base Privileged LXC container.
#   - Automate the setup of a Proxmox LXC container with Podman.
#   - Conditionally deploy Portainer CE or Portainer Agent based on hostname.
#   - Harden security settings and configure firewall rules.
#   - Ensure idempotent operations and robust error handling.
#   - Ensure Portainer and Podman are set up for dual-stack networking.
#   - Ensure Portainer CE and Agents still require manual image updates.
#
# Created: 14-11-2025
# Updated: 28-11-2025
# ============================================================

set -euo pipefail

# -----------------------------------------------------------------------
# Utility Functions
# -----------------------------------------------------------------------

info()  { echo -e "\033[0;32m[INFO]\033[0m $*"; }
warn()  { echo -e "\033[0;33m[WARN]\033[0m $*" >&2; }
error() { echo -e "\033[0;31m[ERROR]\033[0m $*" >&2; }

configure_firewall_ports() {
    local ports=("$@")
    info "Opening firewall ports: ${ports[*]}"
    for port in "${ports[@]}"; do
        iptables -I INPUT -p tcp --dport "${port}" -j ACCEPT
        ip6tables -I INPUT -p tcp --dport "${port}" -j ACCEPT
    done
    netfilter-persistent save
    info "Firewall rules for ports ${ports[*]} persisted."
}

# -----------------------------------------------------------------------
# 1. Base Packages
# -----------------------------------------------------------------------
info "Installing base packages..."
apt-get update -qq || warn "apt-get update failed, check DNS/network"
apt-get install -y -qq \
    bind9-dnsutils iptables-persistent netfilter-persistent rsyslog sudo curl gpg net-tools \
    apt-transport-https cron mtr git openssh-server openssh-client \
    podman podman-docker podman-compose

info "Removing conflicting packages..."
for pkg in ufw inetutils-telnet; do
    if dpkg-query -W -f='${Status}' "$pkg" 2>/dev/null | grep -q "install ok installed"; then
        apt-get purge --auto-remove -y -qq "$pkg"
    fi
done


# -----------------------------------------------------------------------
# 2. Miscellaneous Configurations
# -----------------------------------------------------------------------
info "Configuring automatic updates via cron..."

# Safely dump root's existing crontab (ignore error if none exists)
crontab -l 2>/dev/null | sed '/apt-get .*upgrade/d' > /tmp/mycron || true

info "Creating the temporary crontab file..."
cat <<'EOF' >> /tmp/mycron
0 1 * * * apt-get update -qq && apt-get -y -qq upgrade && apt-get -y -qq autoremove && apt-get -y -qq autoclean
EOF

info "Updated crontab for user $(whoami):"
crontab /tmp/mycron
rm /tmp/mycron

# Restart cron service for good measure (portable across distros)
systemctl restart cron.service 2>/dev/null || systemctl restart crond.service 2>/dev/null || { error "Cron restart failed"; exit 1; }

# Timezone configuration
info "Set the timezone manually to ensure consistency..."
timedatectl set-timezone Australia/Perth

# Ensure timezone is set in /etc/containers/containers.conf
CONF_FILE="/etc/containers/containers.conf"

# Create file if missing
if [ ! -f "$CONF_FILE" ]; then
    echo "[engine]" > "$CONF_FILE"
    echo 'tz = "Australia/Perth"' >> "$CONF_FILE"
else
    # Ensure [engine] section exists
    if ! grep -q "^

\[engine\]

" "$CONF_FILE"; then
        echo "[engine]" >> "$CONF_FILE"
    fi
    # Update or append tz line idempotently
    if grep -q "^tz" "$CONF_FILE"; then
        sed -i 's|^tz.*|tz = "Australia/Perth"|' "$CONF_FILE"
    else
        sed -i '/^

\[engine\]

/a tz = "Australia/Perth"' "$CONF_FILE"
    fi
fi

# -----------------------------------------------------------------------
# 3. Firewall Setup
# -----------------------------------------------------------------------
info "Configuring firewall rules..."
iptables -F; ip6tables -F
iptables -P INPUT DROP; iptables -P FORWARD ACCEPT; iptables -P OUTPUT ACCEPT
ip6tables -P INPUT DROP; ip6tables -P FORWARD ACCEPT; ip6tables -P OUTPUT ACCEPT

# IPv4 INPUT rules
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s 192.168.0.0/16 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 67:68 --dport 67:68 -j ACCEPT
iptables -A INPUT -p udp --dport 5353 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -d 255.255.255.255 -j ACCEPT

# Log and drop invalid IPv4 packets
iptables -A INPUT -m conntrack --ctstate INVALID -m limit --limit 5/min -j LOG --log-prefix "Invalid v4: "
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

# Reverse proxy / web - only allow from local network (IPv4)
iptables -A INPUT -p tcp --dport 80  -s 192.168.0.0/16 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 192.168.0.0/16 -j ACCEPT
iptables -A INPUT -p udp --dport 443 -s 192.168.0.0/16 -j ACCEPT

# Log all other dropped IPv4 packets
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "Dropped v4: "

# IPv6 INPUT rules
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p tcp --dport 22 -s ::/0 -j ACCEPT
ip6tables -A INPUT -p udp --dport 53 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 53 -j ACCEPT
# DHCPv6 client/server
ip6tables -A INPUT -p udp --sport 546:547 --dport 546:547 -j ACCEPT
# mDNS (IPv6)
ip6tables -A INPUT -p udp --dport 5353 -j ACCEPT

# Allow essential ICMPv6 on eth0: RA, NDP, ping
ip6tables -A INPUT -i eth0 -p icmpv6 --icmpv6-type 133 -j ACCEPT  # Router Solicitation
ip6tables -A INPUT -i eth0 -p icmpv6 --icmpv6-type 134 -j ACCEPT  # Router Advertisement
ip6tables -A INPUT -i eth0 -p icmpv6 --icmpv6-type 135 -j ACCEPT  # Neighbor Solicitation
ip6tables -A INPUT -i eth0 -p icmpv6 --icmpv6-type 136 -j ACCEPT  # Neighbor Advertisement
ip6tables -A INPUT -i eth0 -p icmpv6 --icmpv6-type 128 -j ACCEPT  # Echo Request
ip6tables -A INPUT -i eth0 -p icmpv6 --icmpv6-type 129 -j ACCEPT  # Echo Reply

# Permit link-local/multicast control traffic used by RA/NDP
ip6tables -A INPUT -i eth0 -d ff02::/16 -j ACCEPT
ip6tables -A INPUT -i eth0 -d ff02::1:ff00:0/104 -j ACCEPT

# Log and drop invalid IPv6 packets
ip6tables -A INPUT -m conntrack --ctstate INVALID -m limit --limit 5/min -j LOG --log-prefix "Invalid v6: "
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP

# Reverse proxy / web - allow from anywhere (IPv6)
ip6tables -A INPUT -p tcp --dport 80  -s ::/0 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 443 -s ::/0 -j ACCEPT
ip6tables -A INPUT -p udp --dport 443 -s ::/0 -j ACCEPT

# Log all other dropped IPv6 packets
ip6tables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "Dropped v6: "

netfilter-persistent save
systemctl enable --now netfilter-persistent
info "Firewall rules configured and saved."

# -----------------------------------------------------------------------
# 4. Fix the sysctl configuration
# -----------------------------------------------------------------------

info "Configuring sysctl settings for IPv4 and IPv6 forwarding..."

# Configure IPv6 forwarding and RA behaviour for LXC + Podman
# Whoops getting rusty with sysctl settings!
cat <<'EOF' >/etc/sysctl.d/99-lxc-ipv6.conf
# Global forwarding enabled
net.ipv6.conf.all.forwarding=1

# External NIC (eth0) acts as host: accept RA, don’t forward
net.ipv6.conf.eth0.forwarding=0
net.ipv6.conf.eth0.accept_ra=2

# Podman bridge acts as router: forward packets, ignore RA
net.ipv6.conf.podman1.forwarding=1
net.ipv6.conf.podman1.accept_ra=0
EOF


# -----------------------------------------------------------------------
# 5. Logging Setup
# -----------------------------------------------------------------------
info "Configuring iptables logging..."
cat <<'EOF' > /etc/rsyslog.d/iptables.conf
:msg, regex, "Invalid|Dropped" -/var/log/iptables-dropped.log
& stop
EOF
# Create logrotate config for iptables logs
cat <<'EOF' > /etc/logrotate.d/iptables
/var/log/iptables-dropped.log {
    daily
    missingok
    rotate 7
    compress
    delaycompress
    notifempty
    create 0640 root adm
    postrotate
        systemctl reload rsyslog >/dev/null 2>&1 || true
    endscript
}
EOF

systemctl restart rsyslog

# -----------------------------------------------------------------------
# 6. Podman Registry Config & Network Setup
# -----------------------------------------------------------------------
info "Configuring Podman registries..."
mkdir -p /etc/containers/registries.conf.d
cat <<'EOF' > /etc/containers/registries.conf.d/99-unqualified.conf
unqualified-search-registries = ["docker.io", "quay.io", "ghcr.io", "registry.fedoraproject.org"]

[aliases]
# Map unqualified image names to fully qualified ones
"portainer/agent"      = "docker.io/portainer/agent"
"portainer/portainer-ce" = "docker.io/portainer/portainer-ce"
EOF

# Create Podman networks - these can be used by containers as needed
info "Creating Podman networks - dual stack enabled..."
podman network create --subnet 10.10.0.0/24 --gateway 10.10.0.1 --subnet fd00:10::/64 --gateway fd00:10::1 backend-net
podman network create --subnet 10.20.0.0/24 --gateway 10.20.0.1 --subnet fd00:20::/64 --gateway fd00:20::1 proxy-net
podman network create --subnet 10.30.0.0/24 --gateway 10.30.0.1 --subnet fd00:30::/64 --gateway fd00:30::1 tunnel-net

TARGET="/var/run/docker.sock"
SOURCE="/run/podman/podman.sock"

# Ensure Podman socket is symlinked to Docker-compatible path
if [ -L "$TARGET" ] && [ "$(readlink -f "$TARGET")" = "$SOURCE" ]; then
    info "Symlink is correct: $TARGET -> $SOURCE"
else
    warn "$TARGET does not exist. Creating symlink..."
    ln -s "$SOURCE" "$TARGET"
    info "Created symlink: $TARGET -> $SOURCE"
fi

# Make adjustments here if needed for Podman & socket activation
systemctl start podman && systemctl enable podman
systemctl restart podman.socket  && systemctl enable podman.socket

# -----------------------------------------------------------------------
# 7. Conditional Portainer Deployment
# -----------------------------------------------------------------------
HOST_SHORT=$(hostname -s || echo "unknown")
info "Detected short hostname: $HOST_SHORT"


if [[ "$HOST_SHORT" == "alex" ]]; then
    info "Primary host — deploying Portainer CE..."

    # Ensure volume exists
    podman volume inspect portainer_data >/dev/null 2>&1 || podman volume create portainer_data

    # Create persistent container (no --rm, with restart policy)
    podman create --name portainer-ce \
      --restart=always \
      --privileged \
      --network backend-net \
      -p 9000:9000 -p 9443:9443 \
      -v /run/podman/podman.sock:/var/run/docker.sock \
      -v portainer_data:/data \
      docker.io/portainer/portainer-ce:latest

    # Generate systemd unit
    podman generate systemd --name portainer-ce --files --new
    mv container-portainer-ce.service /etc/systemd/system/portainer-ce.service

    # Enable and start
    systemctl daemon-reexec && systemctl daemon-reload
    systemctl start portainer-ce.service && systemctl enable --now portainer-ce.service
    configure_firewall_ports 9000 9443
    info "Portainer CE deployed."

else
    info "Non-alex host — deploying Portainer Agent..."

    # Create persistent container (no --rm, with restart policy)
    podman create --name portainer-agent \
      --restart=always \
      --privileged \
      --network backend-net \
      -p 9001:9001 \
      -v /run/podman/podman.sock:/var/run/docker.sock \
      -v /var/lib/containers/storage/volumes:/var/lib/docker/volumes \
      -v /:/host \
      docker.io/portainer/agent:latest

    # Generate systemd unit
    podman generate systemd --name portainer-agent --files --new
    mv container-portainer-agent.service /etc/systemd/system/portainer-agent.service

    # Enable and start
    systemctl daemon-reexec && systemctl daemon-reload
    systemctl start portainer-agent.service && systemctl enable --now portainer-agent.service
    configure_firewall_ports 9001
    info "Portainer Agent deployed."
fi


# -----------------------------------------------------------------------
# 8. SSH Configuration Hardening
# -----------------------------------------------------------------------
info "Hardening SSH configuration..."

SSHD_DIR="/etc/ssh"
SSHD_CFG="${SSHD_DIR}/sshd_config"
BACKUP_TS="$(date +%Y%m%d-%H%M%S)"
BACKUP_DIR="${SSHD_DIR}/backup-${BACKUP_TS}"
mkdir -p "${BACKUP_DIR}"

info "Backing up sshd_config and host keys..."
cp -a "${SSHD_CFG}" "${BACKUP_DIR}/sshd_config.bak" || true
for key in ssh_host_ed25519_key ssh_host_rsa_key; do
  [[ -f "${SSHD_DIR}/${key}" ]] && mv "${SSHD_DIR}/${key}" "${BACKUP_DIR}/"
  [[ -f "${SSHD_DIR}/${key}.pub" ]] && mv "${SSHD_DIR}/${key}.pub" "${BACKUP_DIR}/"
done

info "Deleting old SSH host keys..."
rm -f /etc/ssh/ssh_host_* 

info "Generating new ED25519 host key..."
ssh-keygen -t ed25519 -f "${SSHD_DIR}/ssh_host_ed25519_key" -N "" -o -a 100
info "Generating new RSA-4096 host key - not used - can be deleted..."
ssh-keygen -t rsa -b 4096 -f "${SSHD_DIR}/ssh_host_rsa_key" -N "" -o -a 100

chmod 600 "${SSHD_DIR}/ssh_host_ed25519_key" "${SSHD_DIR}/ssh_host_rsa_key"
chmod 644 "${SSHD_DIR}/ssh_host_ed25519_key.pub" "${SSHD_DIR}/ssh_host_rsa_key.pub"

info "Writing hardened sshd_config..."
cat <<EOF > "${SSHD_CFG}"
# Managed by setup-lxc-v5.sh (${BACKUP_TS})

Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
LoginGraceTime 30
MaxAuthTries 4
MaxSessions 10

HostKey ${SSHD_DIR}/ssh_host_ed25519_key

AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
ClientAliveInterval 300
ClientAliveCountMax 2
UseDNS no
PrintMotd no
PrintLastLog yes
AcceptEnv LANG LC_*

# Permit root password auth only from RFC1918 and link-local IPv6
Match Address 10.0.0.0/8,192.168.0.0/16,fe80::/10
  PermitRootLogin yes
  PasswordAuthentication yes
  AuthenticationMethods any
EOF

info "Validating sshd_config..."
if sshd -t; then
  info "sshd_config syntax OK, restarting ssh..."
  if systemctl restart ssh; then
    info "sshd restarted successfully."
  else
    error "systemctl restart ssh failed — check service status."
  fi
else
  error "sshd_config test failed — not restarting ssh."
fi


# -----------------------------------------------------------------------
# 9. Final Notes
# -----------------------------------------------------------------------
info "  Deployment complete."
info "  podman pull docker.io/portainer/portainer-ce:latest"
info "  podman pull docker.io/portainer/agent:latest"
info "  systemctl restart portainer-ce.service"
info "  systemctl restart portainer-agent.service"
info "  can be used to manually update Portainer images as needed."

warn "  Please reboot the system to ensure all settings take full effect."

November has been one thing after another.

#enoughsaid