MarkLFT/Scripts


Scripts

Collection of Scripts for Regular Tasks


Zabbix

Zabbix Proxy

Install a Zabbix proxy onto a Debian host to act as a remote proxy to talk to a central Zabbix server. Supports: Debian 11 (Bullseye), Debian 12 (Bookworm), Debian 13 (Trixie)

Lite Version

Fixed settings: Active mode, SQLite3 database, performance tuned for a small LAN (~12 agents). Prompts for: Zabbix version, proxy hostname, server address, and PSK encryption.

curl -fsSL https://raw.githubusercontent.com/MarkLFT/Scripts/main/install-zabbix-proxy.sh -o /tmp/install-zabbix-proxy.sh && sudo bash /tmp/install-zabbix-proxy.sh

Full Version

Prompts for all settings including proxy mode, database type (SQLite3/MySQL/PostgreSQL), and performance tuning.

curl -fsSL https://raw.githubusercontent.com/MarkLFT/Scripts/main/install-zabbix-proxy-full.sh -o /tmp/install-zabbix-proxy-full.sh && sudo bash /tmp/install-zabbix-proxy-full.sh
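The install commands on this page fetch a script from the main branch and run it with sudo, so whatever main contains at that moment runs as root. The following is an added example (not part of the MarkLFT/Scripts repository) that checks the download against a SHA-256 recorded when the script was reviewed and uses mktemp instead of a fixed name in /tmp; the function names, the `<commit>` URL segment and the pinned hash are placeholders.

```shell
#!/bin/sh
# Added example: verify a downloaded installer against a pinned SHA-256
# before running it as root. Function names are hypothetical.

# Return 0 only if FILE's SHA-256 equals EXPECTED (64 hex characters).
# Return 2 for a malformed pin (for example an unfilled placeholder).
verify_sha256() {  # verify_sha256 FILE EXPECTED
  case "$2" in
    ''|*[!0-9a-fA-F]*) return 2 ;;
  esac
  [ "${#2}" -eq 64 ] || return 2
  actual=$(sha256sum "$1" | awk '{print $1}') || return 1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ "$actual" = "$expected" ]
}

# Download URL to a private temp file, verify it, then run it with sudo.
fetch_verify_run() {  # fetch_verify_run URL EXPECTED_SHA256
  tmp=$(mktemp) || return 1          # unpredictable name, created mode 0600
  if curl -fsSL "$1" -o "$tmp" && verify_sha256 "$tmp" "$2"; then
    sudo bash "$tmp"; rc=$?
  else
    echo "refusing to run: download failed or checksum mismatch" >&2; rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}

# Usage: pin the URL to a reviewed commit instead of main, and pass the
# hash recorded at review time (both values below are placeholders):
#   fetch_verify_run \
#     "https://raw.githubusercontent.com/MarkLFT/Scripts/<commit>/install-zabbix-proxy.sh" \
#     "<sha256-recorded-at-review>"
```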

Zabbix Agent

Installs Zabbix Agent 2 on systems to be monitored. Configures it to connect to a local proxy. Designed to be run from within TacticalRMM — obtains values from site and global variables. Will auto-detect monitorable services (SQL Server, MySQL, PostgreSQL, Nginx, Apache, Docker, Redis, RabbitMQ) and configure the appropriate plugin. When SQL Server is detected the script installs the MSSQL loadable plugin, creates the zabbix SQL login with the required permissions (including msdb grants for SQL Agent job monitoring), and writes live credentials into the plugin config — no manual post-install steps required. When Redis is detected the script installs the Redis loadable plugin and writes the session config. When RabbitMQ is detected the script enables the management plugin and creates the zbx_monitor monitoring user (RabbitMQ uses HTTP-based monitoring via the Zabbix template, not an agent plugin). Sends a Discord notification on install or upgrade.

TacticalRMM Variables Required

| Variable | Scope | Example |
|---|---|---|
| ZabbixProxy | Site | 10.10.1.5 |
| ZabbixServer | Site | 10.10.0.10 |
| DiscordWebhook | Global | https://discord.com/api/webhooks/... |
| ZabbixVersion | Global | 7.4 (Linux) / 7.4.0 (Windows) |
| ZabbixMSSQLPassword | Global | Password for the zabbix SQL login |
| MSSQLSAPassword | Site | SA password (Linux only) |
| ZabbixHostName | Agent | Custom Zabbix hostname (optional) |

Linux Agent

Via TacticalRMM with site variables:

curl -fsSL https://raw.githubusercontent.com/MarkLFT/Scripts/main/install-zabbix-agent-linux-tactical-rmm.sh | sudo bash -s -- "{{site.ZabbixProxy}}" "{{site.ZabbixServer}}" "{{global.DiscordWebhook}}" "{{global.ZabbixVersion}}" "{{global.ZabbixMSSQLPassword}}" "{{site.MSSQLSAPassword}}" "{{agent.ZabbixHostName}}"

Manual use with real values:

curl -fsSL https://raw.githubusercontent.com/MarkLFT/Scripts/main/install-zabbix-agent-linux-tactical-rmm.sh | sudo bash -s -- "10.10.1.5" "10.10.0.10" "https://discord.com/api/webhooks/..." "7.4" "ZabbixMSSQLPass!" "SAPassword!" "My SQL Server"

Force reconfigure (skips repo/install, rewrites all configs and recreates SQL logins):

curl -fsSL https://raw.githubusercontent.com/MarkLFT/Scripts/main/install-zabbix-agent-linux-tactical-rmm.sh | sudo bash -s -- "{{site.ZabbixProxy}}" "{{site.ZabbixServer}}" "{{global.DiscordWebhook}}" "{{global.ZabbixVersion}}" "{{global.ZabbixMSSQLPassword}}" "{{site.MSSQLSAPassword}}" "{{agent.ZabbixHostName}}" "force"

Windows Agent (Zabbix)

Via TacticalRMM (recommended):

& ([scriptblock]::Create((Invoke-RestMethod https://raw.githubusercontent.com/MarkLFT/Scripts/main/install-zabbix-agent-windows-tactical-rmm.ps1))) -ZabbixProxy "{{site.ZabbixProxy}}" -ZabbixServer "{{site.ZabbixServer}}" -DiscordWebhook "{{global.DiscordWebhook}}" -ZabbixVersion "{{global.ZabbixVersion}}" -ZabbixMSSQLPassword "{{global.ZabbixMSSQLPassword}}" -ZabbixHostName "{{agent.ZabbixHostName}}"

Manual use — download first then run:

Invoke-WebRequest https://raw.githubusercontent.com/MarkLFT/Scripts/main/install-zabbix-agent-windows-tactical-rmm.ps1 -OutFile "$env:TEMP\install-zabbix-agent-windows-tactical-rmm.ps1"
& "$env:TEMP\install-zabbix-agent-windows-tactical-rmm.ps1" -ZabbixProxy "10.10.1.5" -ZabbixServer "10.10.0.10" -DiscordWebhook "https://discord.com/api/webhooks/..." -ZabbixVersion "7.4.0" -ZabbixMSSQLPassword "ZabbixMSSQLPass!" -ZabbixHostName "My SQL Server"

Force reconfigure (skips MSI download/install, rewrites all configs and recreates SQL logins):

& ([scriptblock]::Create((Invoke-RestMethod https://raw.githubusercontent.com/MarkLFT/Scripts/main/install-zabbix-agent-windows-tactical-rmm.ps1))) -ZabbixProxy "{{site.ZabbixProxy}}" -ZabbixServer "{{site.ZabbixServer}}" -DiscordWebhook "{{global.DiscordWebhook}}" -ZabbixVersion "{{global.ZabbixVersion}}" -ZabbixMSSQLPassword "{{global.ZabbixMSSQLPassword}}" -ZabbixHostName "{{agent.ZabbixHostName}}" -Force

Zabbix Discovery

Sets up automatic network discovery of devices that either have the Zabbix agent installed or have SNMP configured. Connects to the Zabbix API, fetches proxies and host groups, and creates the discovery rule and auto-add actions.

Checks performed: Zabbix agent (port 10050), SNMPv2c (port 161), SNMPv1 (port 161)

Prompts for: Zabbix server URL, API credentials, proxy, IP range, scan interval, SNMP community string, host groups.

Templates are not assigned automatically — apply them manually after discovery.

curl -fsSL https://raw.githubusercontent.com/MarkLFT/Scripts/main/setup-zabbix-discovery.sh \
  -o /tmp/setup-zabbix-discovery.sh && bash /tmp/setup-zabbix-discovery.sh

Zabbix SQL Server

The Zabbix Agent 2 MSSQL plugin monitors SQL Server instances via a dedicated SQL login. The agent install scripts handle everything automatically when the ZabbixMSSQLPassword variable is set (and MSSQLSAPassword on Linux):

  1. Installs the zabbix-agent2-plugin-mssql loadable plugin package
  2. Creates (or updates) the zabbix SQL login with the provided password
  3. Grants server-level permissions: VIEW SERVER STATE, VIEW ANY DEFINITION
  4. Grants msdb permissions for SQL Agent job monitoring (sysjobs, sysjobactivity, sysjobservers, agent_datetime)
  5. Writes live credentials into the plugin config at plugins.d/mssql.conf
  6. Disables all loadable plugins not needed for detected services (prevents crashes from e.g. NVIDIA plugin on a server without a GPU)
  7. Adds the plugins.d/ Include directive to the main agent config

No manual post-install steps are required.

On Windows the script uses Windows Authentication (trusted connection as SYSTEM) to create the SQL login, so no SA password is needed. On Linux, the MSSQLSAPassword site variable is required to authenticate to SQL Server via sqlcmd.
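Steps 2 to 4 place a password inside a T-SQL string literal, so a password containing a single quote has to be escaped before it reaches sqlcmd. The following is an added example (not the repository's code) that generates the login and grant statements listed above with the password quoted safely; the function names and the `ZBX_PW` variable are hypothetical.

```shell
#!/bin/sh
# Added example: build the T-SQL for steps 2-4 with the password embedded
# as a properly escaped T-SQL string literal. Names are hypothetical.

# Double single quotes so the value cannot terminate the N'...' literal.
tsql_quote() { printf '%s' "$1" | sed "s/'/''/g"; }

# Print idempotent T-SQL that creates or updates the zabbix login and
# applies only the permissions listed in steps 3 and 4.
emit_zabbix_login_sql() {  # emit_zabbix_login_sql PASSWORD
  pw=$(tsql_quote "$1")
  cat <<EOF
USE master;
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'zabbix')
    CREATE LOGIN [zabbix] WITH PASSWORD = N'$pw';
ELSE
    ALTER LOGIN [zabbix] WITH PASSWORD = N'$pw';
GRANT VIEW SERVER STATE TO [zabbix];
GRANT VIEW ANY DEFINITION TO [zabbix];
USE msdb;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'zabbix')
    CREATE USER [zabbix] FOR LOGIN [zabbix];
GRANT SELECT ON dbo.sysjobs TO [zabbix];
GRANT SELECT ON dbo.sysjobactivity TO [zabbix];
GRANT SELECT ON dbo.sysjobservers TO [zabbix];
GRANT EXECUTE ON dbo.agent_datetime TO [zabbix];
GO
EOF
}

# Usage on Linux (assumes mssql-tools18 as installed elsewhere on this page).
# The SA password is taken from the SQLCMDPASSWORD environment variable
# instead of a -P argument, and -x stops sqlcmd from expanding $(...)
# sequences that may occur in the password:
#   f=$(mktemp) && emit_zabbix_login_sql "$ZBX_PW" > "$f"
#   /opt/mssql-tools18/bin/sqlcmd -S localhost -U sa -C -x -i "$f"; rm -f "$f"
```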

Plugin Config Location

Session credentials are written into the package-installed plugin config, not a separate file:

| OS | Config file path |
|---|---|
| Linux | /etc/zabbix/zabbix_agent2.d/plugins.d/mssql.conf |
| Windows | C:\Program Files\Zabbix Agent 2\zabbix_agent2.d\plugins.d\mssql.conf |

Apply the Zabbix Template

In the Zabbix frontend, assign the MSSQL by Zabbix agent 2 template to the host. This template provides out-of-the-box items, triggers, and dashboards for SQL Server monitoring.


TacticalRMM

TacticalRMM Agent

Installs the TacticalRMM agent on a host and registers it with your TacticalRMM server. Connects to the TacticalRMM API to fetch available clients and sites so you can pick from a list — no need to look up IDs manually. Mesh URL and token are retrieved automatically from the API — no manual configuration of MeshCentral required.

Prompts for: TacticalRMM API URL, API key, client (list), site (list), agent type (Server/Workstation).

API Key: Generate in TacticalRMM under Settings → Global Settings → API Keys → Add API Key. The key is entered interactively and never stored in the script.

Linux Agent (Ubuntu / Debian)

Installs both the MeshCentral agent (required for Take Control / Remote Background) and the TacticalRMM agent (monitoring, scripts, tasks, patch management).

The Linux agent is built from source using the community install script originally created by netvolt and maintained by Nerdy-Technician. This compiles the agent from the official amidaware/rmmagent source code using Go. Compilation takes a few minutes on first run — this is normal.

Note: This script targets the community (free) licence. The paid signed-agent installer from the TRMM UI is not required.

Auth Token (Linux only): In TacticalRMM go to Agents → Install Agent → select Windows → Manual installation → click Show Manual Instructions → copy the value after --auth. This token is used to register the agent and can be reused for multiple installs until it expires.

curl -fsSL https://raw.githubusercontent.com/MarkLFT/Scripts/main/install-tacticalrmm-agent-linux.sh \
  -o /tmp/install-tacticalrmm-agent-linux.sh && sudo bash /tmp/install-tacticalrmm-agent-linux.sh

After installation verify both services are running:

systemctl status tacticalagent
systemctl status meshagent

Windows Agent (TacticalRMM)

Uses the TacticalRMM deployment API to generate the installer automatically — no auth token needed.

Run as Administrator:

Invoke-WebRequest https://raw.githubusercontent.com/MarkLFT/Scripts/main/install-tacticalrmm-agent-windows.ps1 -OutFile "$env:TEMP\install-tacticalrmm-agent-windows.ps1"
& "$env:TEMP\install-tacticalrmm-agent-windows.ps1"

SQL Server

SQL Server on Linux (Ubuntu 24.04) — Full Setup with Backup

End-to-end provisioning script for a dedicated SQL Server 2025 instance on Ubuntu 24.04 LTS. Installs SQL Server, configures MSDTC, replaces UFW with iptables, sets up automated backups using Ola Hallengren's Maintenance Solution, and hardens the OS.

Run as root:

curl -fsSL https://raw.githubusercontent.com/MarkLFT/Scripts/main/install-sql-linux-with-backup.sh -o /tmp/install-sql-linux-with-backup.sh && sudo bash /tmp/install-sql-linux-with-backup.sh

What it does

| Step | Description |
|---|---|
| 0 | Sets the hostname to <name>.rmserver.local |
| 1 | Installs SQL Server 2025, sqlcmd (mssql-tools18), configures collation, data/log/backup directories, memory limit, and enables SQL Server Agent (except Express) |
| 2 | Configures MSDTC with fixed RPC and DTC ports |
| 3 | Captures existing UFW rules as native iptables rules |
| 4 | Adds iptables rules for SQL Server (1433), MSDTC ports, and NAT PREROUTING for port 135 |
| 5 | Installs iptables-persistent and saves all rules |
| 6 | Removes UFW and rebuilds a clean iptables ruleset (INPUT DROP policy, SSH/SQL/MSDTC allowed) |
| 7 | Installs Ola Hallengren's Maintenance Solution, creates full and transaction log backup wrapper scripts, mounts a remote SMB share for backup copies, exports TDE certificates to a separate SMB share, and schedules cron jobs (daily full, log every 15 min). Runs an initial full backup immediately so monitoring does not alarm before the first scheduled run |
| 8 | Installs and activates the TuneD mssql profile (Microsoft-recommended kernel tuning) |
| 9 | Installs and configures chrony for NTP time synchronisation |
| 10 | Enables unattended security updates (security patches only, no auto-reboot) |
| 11 | Hardens SSH (disables root login, password auth; sets banner) — optional |
| 12 | Installs fail2ban with an SSH jail and optional IP whitelist |

Interactive prompts

All settings are collected before any changes are made. A summary is displayed for confirmation.

| Prompt | Default | Description |
|---|---|---|
| Hostname | db | Short hostname — FQDN becomes <hostname>.rmserver.local |
| License type | Developer | Evaluation, Developer, Express, Standard, or Enterprise |
| Server collation | SQL_Latin1_General_CP1_CI_AI | SQL Server collation |
| Data directory | /sqldata | Default data file location |
| Log directory | /sqllog | Default log file location |
| Backup directory | /sqlbackup | Default backup file location |
| SA password | (none) | Must meet SQL Server complexity rules (>=8 chars, 3-of-4 categories) |
| Memory limit | 85% of detected RAM | SQL Server memory cap in MB (minimum 2048) |
| MSDTC ports | 13500 / 51999 | RPC and DTC TCP ports (Microsoft recommended) |
| Local backup root | Same as backup directory | Root path for per-database backup subfolders |
| SMB share | (none) | Remote share for backup copies (//server/share) |
| SMB username | (none) | Credentials for the backup SMB share |
| SMB password | (none) | Credentials for the backup SMB share |
| SMB mount point | /mnt/sqlbackups_remote | Local mount point for the backup share |
| Backup retention | 30 days | How long to keep backups locally and remotely |
| TDE cert export password | (none) | Password to protect the exported TDE private key |
| TDE cert SMB share | (none) | Separate share for certificate storage (must differ from backup share) |
| TDE cert SMB username | (none) | Credentials for the certificate SMB share |
| TDE cert SMB password | (none) | Credentials for the certificate SMB share |
| TDE cert mount point | /mnt/sqlcerts_remote | Local mount point for the certificate share |
| NTP server | pool.ntp.org | NTP server or pool for chrony |
| SSH hardening | (ask y/n) | Disable root login and password authentication |
| fail2ban whitelist | (blank) | Management IP/subnet to never ban (e.g. 192.168.1.0/24) |

Security notes

  • All passwords and credentials are entered interactively and never stored in the script itself.
  • SMB credentials are stored in root-only files (chmod 600) under /root/.
  • TDE certificates are stored separately from backups — locally in /etc/mssql-tde-certs/ (root-only) and on a dedicated SMB share distinct from the backup share.
  • The TDE certificate export password must be stored offline (password manager or physical safe) — without it, backups cannot be restored on another server.
  • If the remote SMB share is unreachable, backups still complete locally — SMB mount failure is non-fatal.

Backup schedule

| Type | Schedule | Script | Description |
|---|---|---|---|
| Full | Daily at 02:00 | /usr/local/sbin/mssql_backup.sh | Full backup of all user databases, verified with RESTORE VERIFYONLY, synced to SMB share |
| Log | Every 15 min (except 02:00) | /usr/local/sbin/mssql_logbackup.sh | Transaction log backup to keep log files trimmed — required for databases in Full recovery model |

Both scripts log to /var/log/mssql_backup.log and record all operations in the master.dbo.CommandLog table.

Cron jobs are defined in /etc/cron.d/mssql_backup.

Useful commands

# Run a manual full backup
sudo /usr/local/sbin/mssql_backup.sh

# Run a manual log backup
sudo /usr/local/sbin/mssql_logbackup.sh

# View backup log
sudo tail -50 /var/log/mssql_backup.log

# Check backup history in SQL Server
/opt/mssql-tools18/bin/sqlcmd -S localhost -U sa -C -Q "SELECT database_name, type, backup_start_date, backup_finish_date FROM msdb.dbo.backupset ORDER BY backup_start_date DESC;"

# Check Ola Hallengren's command log
/opt/mssql-tools18/bin/sqlcmd -S localhost -U sa -C -Q "SELECT DatabaseName, CommandType, StartTime, EndTime, ErrorNumber FROM master.dbo.CommandLog ORDER BY StartTime DESC;"

# Check backup files on disk
sudo find /sqlbackup -name "*.bak" -o -name "*.trn" | head -20

# Verify SMB share is mounted
mountpoint -q /mnt/sqlbackups_remote && echo "Mounted" || echo "Not mounted"

Migrate UFW to iptables (Existing SQL Server Hosts)

For servers already running SQL Server that were set up with UFW and need to switch to iptables. UFW can be unstable on servers with complex NAT rules (such as the MSDTC port 135 PREROUTING redirect), and iptables-persistent provides more predictable behaviour across reboots.

This script:

  • Snapshots all current UFW rules and live iptables state to /root/firewall-migration-<timestamp>/ before making any changes
  • Parses open UFW ports and preserves them in the new iptables ruleset (so no ports are accidentally lost)
  • Builds a clean iptables ruleset with INPUT DROP policy, allowing SSH, SQL Server (1433), and MSDTC ports
  • Reads MSDTC port configuration from /var/opt/mssql/mssql.conf automatically (defaults to 13500/51999)
  • Adds NAT PREROUTING and OUTPUT rules to redirect port 135 to the MSDTC RPC port
  • Persists all rules via iptables-persistent and enables netfilter-persistent on boot
  • Removes UFW completely

curl -fsSL https://raw.githubusercontent.com/MarkLFT/Scripts/main/migrate-ufw-to-iptables.sh -o /tmp/migrate-ufw-to-iptables.sh && sudo bash /tmp/migrate-ufw-to-iptables.sh

To roll back if something goes wrong:

sudo bash -c 'iptables-restore < /root/firewall-migration-*/iptables-v4-before.rules'
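To show the shape of the ruleset the migration builds, the following added example (not the repository's script) reads the MSDTC ports from an mssql.conf-style file and prints rules in iptables-restore format. The function names, the `[network] rpcport` and `[distributedtransaction] servertcpport` key names, the FORWARD DROP policy and the use of REDIRECT for port 135 are assumptions.

```shell
#!/bin/sh
# Added example: read the MSDTC ports from mssql.conf and print an
# iptables-restore ruleset of the shape listed above. Names are hypothetical.

# Print KEY from [SECTION] of an INI file; fall back to DEFAULT when the
# file or key is missing or the value is not a TCP port (it ends up in rules).
port_from_conf() {  # port_from_conf FILE SECTION KEY DEFAULT
  v=""
  if [ -r "$1" ]; then
    v=$(awk -F= -v s="[$2]" -v k="$3" '
      /^[ \t]*\[/ { gsub(/[ \t\r]/, ""); cur = $0; next }
      cur == s { key = $1; gsub(/[ \t]/, "", key)
                 if (key == k) { val = $2; gsub(/[ \t\r]/, "", val) } }
      END { print val }' "$1")
  fi
  case "$v" in ''|*[!0-9]*|??????*) v=$4 ;; esac
  if [ "$v" -ge 1 ] && [ "$v" -le 65535 ]; then echo "$v"; else echo "$4"; fi
}

# Print the ruleset. Extra arguments are additional TCP ports to keep open
# (for example ports that were open under UFW).
emit_ruleset() {  # emit_ruleset RPC_PORT DTC_PORT [EXTRA_TCP_PORT...]
  rpc=$1; dtc=$2; shift 2
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp --dport 135 -m addrtype --dst-type LOCAL -j REDIRECT --to-ports $rpc
-A OUTPUT -p tcp --dport 135 -m addrtype --dst-type LOCAL -j REDIRECT --to-ports $rpc
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
  for p in 22 1433 "$rpc" "$dtc" "$@"; do
    echo "-A INPUT -p tcp --dport $p -j ACCEPT"
  done
  echo COMMIT
}

# Dry run against a host's config (parses the rules without applying them):
#   c=/var/opt/mssql/mssql.conf
#   emit_ruleset "$(port_from_conf "$c" network rpcport 13500)" \
#     "$(port_from_conf "$c" distributedtransaction servertcpport 51999)" \
#     | sudo iptables-restore --test
```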

Hotfix script

For servers already deployed, a hotfix script applies all fixes without rebuilding:

  • Makes SMB mount failure non-fatal (local backup always proceeds)
  • Fixes duplicate log lines from cron
  • Adds transaction log backups every 15 minutes
  • Runs both backups immediately

curl -fsSL https://raw.githubusercontent.com/MarkLFT/Scripts/main/fix-sql-backup-smb-fatal.sh | sudo bash

Safe to run multiple times — each patch is skipped if already applied.
