Proxmox baremetal installer

[JVKeller]

I made a thing...

This installer will make it too easy to install NetAlertX on a Proxmox or any Debian 13 server.
Should be good to get a server up quickly for testing, and for a dev server.

Hope it helps someone!

Summary by CodeRabbit

• New Features

  • Added an automated Proxmox installer that prepares dependencies, configures web server and PHP-FPM, sets up services/launchers, mounts logs, manages install state, and starts the application. Supports interactive and non-interactive modes, custom ports, IP resolution, and systemd-aware startup.
  • Added a production-ready web server configuration: UTF-8 charset, static asset handling, URL fallback, and reverse-proxy header support.

• Documentation

  • Added a comprehensive installer README with prerequisites, quickstart, non-interactive usage, features, troubleshooting, and file layout.

[coderabbitai]

Walkthrough

Adds a Proxmox-focused NetAlertX installer script, an Nginx site configuration serving the PHP web UI on port 20211, and a README documenting installer usage and behavior.

Changes

Cohort / File(s)	Summary
Proxmox installer install/proxmox/proxmox-install-netalertx.sh	New Bash installer automating NetAlertX deployment on Proxmox-like Debian systems: validates root, prompts/accepts port, installs repos/packages (nginx, PHP 8.4 via Sury), creates Python venv, clones app, prepares tmpfs logs/api, copies configs/DB, links web UI and nginx config, creates start script and systemd service, then starts services.
Nginx site config install/proxmox/netalertx.conf	New Nginx server block listening on port 20211, serving /var/www/html/netalertx with index.php, handles /netalertx prefix via X-Forwarded-Prefix, serves static assets, routes PHP to php8.4-fpm Unix socket with standard fastcgi params and UTF-8 charset.
Documentation install/proxmox/readme.md	New README describing prerequisites, quickstart and non-interactive usage, installer features, service management, access URL format, troubleshooting, log locations, update notes, and installer file layout for Proxmox environments.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Admin
  participant Script as Proxmox Installer
  participant OS as Package Manager / System
  participant Git as Git Repo
  participant Nginx
  participant PHPFPM as PHP-FPM
  participant Systemd

  Admin->>Script: Run proxmox-install-netalertx.sh
  Script->>Script: Validate root, prompt/resolve PORT & SERVER_IP
  Script->>OS: Add repos, install packages (nginx, php8.4-fpm, python, etc.)
  Script->>OS: Create Python venv & install requirements
  Script->>Git: Clone/Update NetAlertX into INSTALL_DIR
  Script->>OS: Prepare webroot, tmpfs for logs/api, copy configs/DB
  Script->>Nginx: Install site config, stop/start service
  Script->>PHPFPM: Ensure php8.4-fpm running
  alt systemd available
    Script->>Systemd: Create/enable netalertx.service
  else no systemd
    Script->>Script: Launch background starter script
  end
  Script-->>Admin: Print access URL (http://SERVER_IP:PORT)

Loading

sequenceDiagram
  autonumber
  participant Client
  participant Nginx
  participant PHPFPM as PHP-FPM (php8.4)
  participant App as NetAlertX (index.php)

  Client->>Nginx: GET / or /netalertx/...
  alt static asset
    Nginx-->>Client: Serve file directly (cache headers)
  else PHP route
    Nginx->>PHPFPM: fastcgi_pass -> unix:/run/php/php8.4-fpm.sock (SCRIPT_FILENAME=index.php)
    PHPFPM->>App: Execute index.php (receives X-Forwarded-Prefix)
    App-->>PHPFPM: HTTP response
    PHPFPM-->>Nginx: Response forwarded
    Nginx-->>Client: 200 OK (charset=utf-8)
  end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• Bare metal Installer rework #1173 — Related installer and nginx config restructuring for system-specific installers.

Poem

A rabbit hops in, scripts set to run,
nginx hums softly, PHP does its fun.
Port two-zero-two-one opens the gate,
tmpfs keeps logs tidy and straight.
NetAlertX springs — carrots celebrate! 🥕

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title Check	❓ Inconclusive	The title mentions an installer for Proxmox bare metal, aligning with the addition of a deploy script, but it omits that the installer is for the NetAlertX application. Because it lacks the NetAlertX context, it could be misread as a general Proxmox installer. A title that explicitly references NetAlertX would more clearly summarize the main change.	Please revise the title to explicitly reference NetAlertX and the installer functionality, for example "Add NetAlertX Proxmox bare-metal installer". This will make it clear what is being installed and avoid ambiguity. Ensure the title remains concise and directly reflects the primary change of this PR.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between adc7dae and f4ec93e.

📒 Files selected for processing (1)

• install/proxmox/proxmox-install-netalertx.sh (1 hunks)

🧰 Additional context used

🪛 Shellcheck (0.11.0)

install/proxmox/proxmox-install-netalertx.sh

[warning] 21-21: BOLD appears unused. Verify use (or export if used externally).

(SC2034)

---

[warning] 21-21: WHITE appears unused. Verify use (or export if used externally).

(SC2034)

🔇 Additional comments (1)

install/proxmox/proxmox-install-netalertx.sh (1)

266-288: Copy the nginx template instead of editing through the symlink.

We still symlink /etc/nginx/conf.d/netalertx.conf back into the repo and then sed it, so choosing a custom port rewrites install/proxmox/${NGINX_CONF_NAME} and leaves the working tree dirty—same problem previously raised. Please break the link, copy the template, and only mutate the deployed copy.

-# create symbolic link to NGINX configuration coming with NetAlertX
-ln -sfn "${INSTALLER_DIR}/${NGINX_CONF_NAME}" "${NGINX_CONFIG_FILE}"
+# deploy NGINX configuration from the template so we can customize it safely
+install -m 0644 "${INSTALLER_DIR}/${NGINX_CONF_NAME}" "${NGINX_CONFIG_FILE}"
@@
-  sed -i "s/listen 20211;/listen ${PORT};/g" "${NGINX_CONFIG_FILE}"
-  # Also update the template file so it reflects the chosen port
-  sed -i "s/listen 20211;/listen ${PORT};/g" "${INSTALLER_DIR}/${NGINX_CONF_NAME}"
+  sed -i "s/listen 20211;/listen ${PORT};/g" "${NGINX_CONFIG_FILE}"
@@
-  sed -i "s/listen /listen ${LISTEN_ADDR}:/g" "${NGINX_CONFIG_FILE}"
-  sed -i "s/listen /listen ${LISTEN_ADDR}:/g" "${INSTALLER_DIR}/${NGINX_CONF_NAME}"
+  sed -i "s/listen /listen ${LISTEN_ADDR}:/g" "${NGINX_CONFIG_FILE}"

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (2)

install/proxmox/readme.md (2)

50-63: Rename the second “Service Management” heading to avoid duplication.

Markdown lint is flagging the repeated ### Service Management heading (Line 51). Please give the second instance a distinct title so navigation and anchors stay unambiguous.

As per markdownlint.

-### Service Management
+### Service Commands

---

68-179: Add language hints to the remaining fenced code blocks.

markdownlint (MD040) is still warning on Lines 68‑179 because a few fences lack language tags. Please annotate them (e.g., text for URLs/file trees, bash for shell snippets) to silence the lint and improve readability.

As per markdownlint.

-```
-http://[SERVER_IP]:[PORT]
-```
+```text
+http://[SERVER_IP]:[PORT]
+```

-```
-./start.netalertx.sh
-```
+```bash
+./start.netalertx.sh
+```

-```
-/app/                          # Main application directory
+```text
+/app/                          # Main application directory
@@
-└── start.netalertx.sh        # Service startup script
+└── start.netalertx.sh        # Service startup script
@@
-└── netalertx.service         # Systemd service definition
+└── netalertx.service         # Systemd service definition
@@
-└── netalertx.conf            # NGINX configuration
-```
+└── netalertx.conf            # NGINX configuration
+```

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3dd5c4b and 4dcc2d0.

📒 Files selected for processing (3)

• install/proxmox/netalertx.conf (1 hunks)
• install/proxmox/proxmox-install-netalertx.sh (1 hunks)
• install/proxmox/readme.md (1 hunks)

🧰 Additional context used

🪛 Shellcheck (0.11.0)

install/proxmox/proxmox-install-netalertx.sh

[warning] 21-21: BOLD appears unused. Verify use (or export if used externally).

(SC2034)

---

[warning] 21-21: WHITE appears unused. Verify use (or export if used externally).

(SC2034)

🪛 markdownlint-cli2 (0.18.1)

install/proxmox/readme.md

50-50: Multiple headings with the same content

(MD024, no-duplicate-heading)

---

68-68: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

143-143: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

164-164: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Fix the PHP-FPM socket path before shipping.

fastcgi_pass unix:/var/run/php/php8.4-fpm.sock; hard-codes the PHP minor version. On a stock Debian 13/Proxmox host today you typically get php8.2 or php8.3, so this socket never exists and every request will 502. Please make the installer write the detected PHP version into the nginx conf (or switch both nginx and the FPM pool to a version-agnostic socket path) so we don't brick the UI on fresh installs.

🤖 Prompt for AI Agents

In install/proxmox/netalertx.conf around lines 24-27, the nginx fastcgi_pass
hard-codes php8.4's socket which will 502 on hosts with php8.2/8.3; change the
installer/template to write the actual PHP-FPM socket path at install-time by
detecting the installed PHP-FPM version (e.g. probe /run/php or check php -v or
dpkg-query for php-fpm package), then render fastcgi_pass
unix:/run/php/php{MAJOR}.{MINOR}-fpm.sock; into the nginx conf; include a
fallback to a version-agnostic socket (or create a symlink /run/php/php-fpm.sock
-> the real socket) if detection fails so fresh installs won’t break the UI.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Avoid mutating the tracked nginx template when applying runtime settings.

Because /etc/nginx/conf.d/netalertx.conf is symlinked to the repo copy (Line 265), the sed calls on Lines 272‑275 & 282‑284 rewrite install/proxmox/netalertx.conf itself. Any user who selects a custom port ends up with a dirty working tree, and later git pull (the documented update path) will abort. Copy the template before templating so the repository file stays pristine.

-# create symbolic link to NGINX configuration coming with NetAlertX
-ln -sfn "${INSTALLER_DIR}/${NGINX_CONF_NAME}" "${NGINX_CONFIG_FILE}"
+# deploy NGINX configuration from the template
+cp "${INSTALLER_DIR}/${NGINX_CONF_NAME}" "${NGINX_CONFIG_FILE}"
@@
-  sed -i "s/listen 20211;/listen ${PORT};/g" "${NGINX_CONFIG_FILE}"
-  # Also update the template file so it reflects the chosen port
-  sed -i "s/listen 20211;/listen ${PORT};/g" "${INSTALLER_DIR}/${NGINX_CONF_NAME}"
+  sed -i "s/listen 20211;/listen ${PORT};/g" "${NGINX_CONFIG_FILE}"
@@
-  sed -i "s/listen /listen ${LISTEN_ADDR}:/g" "${NGINX_CONFIG_FILE}"
-  sed -i "s/listen /listen ${LISTEN_ADDR}:/g" "${INSTALLER_DIR}/${NGINX_CONF_NAME}"
+  sed -i "s/listen /listen ${LISTEN_ADDR}:/g" "${NGINX_CONFIG_FILE}"

🤖 Prompt for AI Agents

In install/proxmox/proxmox-install-netalertx.sh around lines 262-284, the script
currently edits the tracked installer template via the symlinked
NGINX_CONFIG_FILE, mutating the repo; instead, break the symlink and copy the
template to the target config path before any sed changes and only perform sed
on the target copy. Concretely: if "${NGINX_CONFIG_FILE}" is a symlink or
exists, remove it (or unlink), then copy "${INSTALLER_DIR}/${NGINX_CONF_NAME}"
to "${NGINX_CONFIG_FILE}" (e.g. cp --dereference or cp -f) preserving
permissions, and change the subsequent sed calls so they only edit
"${NGINX_CONFIG_FILE}" (do not run sed on
"${INSTALLER_DIR}/${NGINX_CONF_NAME}"), ensuring the repo template remains
unchanged.

[ingoratsdorf]

That is a correct comment that git pull will fail. I noticed that, too.
Workaround is a git stash -q for example before the git pull. Could of course use more drastic git commands like reset.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4dcc2d0 and adc7dae.

📒 Files selected for processing (1)

• install/proxmox/proxmox-install-netalertx.sh (1 hunks)

🧰 Additional context used

🪛 Shellcheck (0.11.0)

install/proxmox/proxmox-install-netalertx.sh

[warning] 21-21: BOLD appears unused. Verify use (or export if used externally).

(SC2034)

---

[warning] 21-21: WHITE appears unused. Verify use (or export if used externally).

(SC2034)

🔇 Additional comments (1)

install/proxmox/proxmox-install-netalertx.sh (1)

263-284: Stop templating the tracked nginx config in-place.

ln -sfn keeps /etc/nginx/conf.d/netalertx.conf pointing at the repo copy, so the subsequent sed -i calls still rewrite install/proxmox/netalertx.conf. Any custom port leaves the working tree dirty and blocks the documented git pull update path. Break the symlink, copy the template to the live location, and only mutate the copy.

-# create symbolic link to the installer directory
-ln -sfn "${INSTALL_DIR}/front" "$WEB_UI_DIR"
-# create symbolic link to NGINX configuration coming with NetAlertX
-ln -sfn "${INSTALLER_DIR}/${NGINX_CONF_NAME}" "${NGINX_CONFIG_FILE}"
+# create symbolic link to the installer directory
+ln -sfn "${INSTALL_DIR}/front" "$WEB_UI_DIR"
+# deploy the NGINX configuration from the template (keep repo copy pristine)
+cp -f "${INSTALLER_DIR}/${NGINX_CONF_NAME}" "${NGINX_CONFIG_FILE}"
@@
-  sed -i "s/listen 20211;/listen ${PORT};/g" "${NGINX_CONFIG_FILE}"
-  # Also update the template file so it reflects the chosen port
-  sed -i "s/listen 20211;/listen ${PORT};/g" "${INSTALLER_DIR}/${NGINX_CONF_NAME}"
+  sed -i "s/listen 20211;/listen ${PORT};/g" "${NGINX_CONFIG_FILE}"
@@
-  sed -i "s/listen /listen ${LISTEN_ADDR}:/g" "${NGINX_CONFIG_FILE}"
-  sed -i "s/listen /listen ${LISTEN_ADDR}:/g" "${INSTALLER_DIR}/${NGINX_CONF_NAME}"
+  sed -i "s/listen /listen ${LISTEN_ADDR}:/g" "${NGINX_CONFIG_FILE}"

[jokob-sk]

Thanks a lot for the PR @JVKeller - is it good to merge?

[ingoratsdorf]

Great minds think alike - as they say.

I updated the Ubuntu 24 installer to use a systemd unit as well, however I have that file as an external separate file, not an inline creation. I have no preference or idea which one is better.
I have also combined install and start and found a way to work around the lack of startup environment in systemd.
Many ways to skin a cat ;-)

I also develop and test on Proxmox LXC containers :-)

[krishill1776-lab]

Following the Setting up python environment statement this is what the console outputed

update-alternatives: using /usr/bin/python3 to provide /usr/bin/python (python) in auto mode
Traceback (most recent call last):
File "", line 198, in _run_module_as_main
File "", line 88, in _run_code
File "/opt/myenv/lib/python3.13/site-packages/pip/main.py", line 8, in
if sys.path[0] in ("", os.getcwd()):
~~~~~~~~~^^
FileNotFoundError: [Errno 2] No such file or directory

Update: I deleted the .sh file when it ran the script so it failed

[krishill1776-lab]

Reccomend these changes to correct app.conf in in /var/www/html/netalertx/config/
error on startup.
` # Delete content of "/config/"
rm -rf "${WEB_UI_DIR}/config/"*

 # Delete content of "/db/"
 rm -rf "${INSTALL_DIR}/db/"*

fi

Copy starter $DB_FILE and $CONF_FILE if they don't exist

mkdir -p "${WEB_UI_DIR}/config" "${INSTALL_DIR}/db"
cp -u "${INSTALL_DIR}/back/${CONF_FILE}" "${WEB_UI_DIR}/config/${CONF_FILE}"
`

[JVKeller]

So, you did get an error running the installer? I thought you said it was because you deleted a script file.

[krishill1776-lab]

I initially had a problem as i created the script in the location that the script deleted after i moved a different location it worked. the scrip completed all the way through

[krishill1776-lab]

[JVKeller]

Great minds think alike - as they say.

I updated the Ubuntu 24 installer to use a systemd unit as well, however I have that file as an external separate file, not an inline creation. I have no preference or idea which one is better. I have also combined install and start and found a way to work around the lack of startup environment in systemd. Many ways to skin a cat ;-)

I also develop and test on Proxmox LXC containers :-)

Did you happen to test this on an Ubuntu image? I think it should work...

[JVKeller]

Thanks a lot for the PR @JVKeller - is it good to merge?

Let's see what the testers say!

[krishill1776-lab]

I didn’t receive an error during the script however the link to the /app.conf file was not there so the web interface had an error of file didn’t exists. I don’t know how to fix it but some way to bind the /app/config folder to the location in the web ui file location Sent from my iPhoneOn Sep 28, 2025, at 14:05, rell3k ***@***.***> wrote: @JVKeller commented on this pull request. In install/proxmox/proxmox-install-netalertx.sh:

+ if [ "${ALWAYS_FRESH_INSTALL:-false}" = true ]; then

+ printf "%b\n" "--------------------------------------------------------------------------" + printf "%b\n" "${GREEN}[INSTALLING] ${RESET}❗ ALERT /db and /config folders are cleared because the" + printf "%b\n" " ALWAYS_FRESH_INSTALL is set to: ${ALWAYS_FRESH_INSTALL}❗" + printf "%b\n" "--------------------------------------------------------------------------" + # Delete content of "/config/" + rm -rf "${INSTALL_DIR}/config/"* + + # Delete content of "/db/" + rm -rf "${INSTALL_DIR}/db/"* + fi + + + # Copy starter $DB_FILE and $CONF_FILE if they don't exist + mkdir -p "${INSTALL_DIR}/config" "${INSTALL_DIR}/db" + cp -u "${INSTALL_DIR}/back/${CONF_FILE}" "${INSTALL_DIR}/config/${CONF_FILE}" So, you did get an error running the installer? I thought you said it was because you deleted a script file. —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you commented.Message ID: ***@***.***>

[JVKeller]

I'll have to take a look at it tomorrow morning. The config file should be netalertx.conf for the Web folder binding.

[JVKeller]

Thanks a lot for the PR @JVKeller - is it good to merge?

I think it's good to merge. if anyone wants to tweak it after, they can do so.

[Noschvie]

May I ask a fundamental question: why is a Docker-based solution not sufficient and why is a native installation under an OS necessary? Thannks!

[JVKeller]

May I ask a fundamental question: why is a Docker-based solution not sufficient and why is a native installation under an OS necessary? Thannks!

Not necessary at all, but with people that are not familiar with Docker, but have a Proxmox server, with a script like this they could set up a container and have the app running and ready to go in minutes.

I was more familiar with this type of set up, saw the script for Deb 12, and wanted to try it out and ended up making it work on Deb 13. Figured since I got that far and saw there was a little interest in it, I might as well tweak it and see if @jokob-sk wanted to add it in.

[jokob-sk]

Hi @Noschvie & @JVKeller ,

If someone is helping me to maintain the installation script then I'm happy to include it if it helps people to deploy NAX in other systems. I just don't want it to be a maintenance overhead - the app codebase has grown quite a bit :)

[JVKeller]

Hi @Noschvie & @JVKeller ,

If someone is helping me to maintain the installation script then I'm happy to include it if it helps people to deploy NAX in other systems. I just don't want it to be a maintenance overhead - the app codebase has grown quite a bit :)

Maintaining this should be easy. Just updating as requirements are added really.

Even updating the app would be as easy as 'git pull' and a restart.

[JVKeller]

@jokob-sk

I got an idea... :) Don't merge this.

[Noschvie]

In my experience, people who are familiar with Proxmox are also familiar with Docker.

[ingoratsdorf]

In my experience, people who are familiar with Proxmox are also familiar with Docker.

I am familiar with both. Hence I choose LXC over docker.
Some of my LXCs run docker, but only if there is no proper installer available.

Fundamentally, I can backup containers, change network settings and replace things as I please.
IE use Technitium for trial, spin it down and spin up AdBlock as a comparison with the same network settings, spin down and replace with Pi-Hole, again with same net settings and still all clients continue to work with DNS and blocking.
Backups with PBS are sooo much more convenient and faster. Simply move LXC's from one server to another in seconds.
All stuff that is way more complicated in docker.

And I believe I can say I know what I am talking about, having worked with all Proxmox and docker for several years.

[jokob-sk]

I got an idea... :) Don't merge this.

okay :)