Qutzl Insights

Advertisement

4 min read

VM-Setup: post-install Linux tooling that actually sticks around

A look at Narehood/VM-Setup, the menu-driven Bash utility for XCP-ng guests and generic Linux hosts, plus the newer update, pin-sync, and installer-hardening work.

By Michael NarehoodLinux

Spinning up a Linux VM is the easy part. The boring middle (guest tools, hostname, Docker, UniFi, Xen Orchestra, unattended security updates, SSH keys) is where every lab and every client build starts to diverge. VM-Setup is my answer to that: an interactive Bash menu that covers the common post-install path without pretending one script fits every distro the same way.

It grew up with XCP-ng guests in mind (guest tools are a first-class option), but most modules work on ordinary Linux installs too, virtualized or bare metal.

What it does

Clone it, run the installer, get a menu:

git clone https://github.com/Narehood/VM-Setup
cd VM-Setup
bash install.sh

You need Bash 4+, Git, sha256sum, network access, and root or sudo for the modules that change the system.

From there the menu covers the jobs I keep repeating:

  • Server initial config: hostname, guest tools when available, basic utilities
  • Application installers: guided WordPress, Xen Orchestra, UniFi Controller, and Cloudflare Tunnel flows
  • Docker host prep: launches a pinned Docker-Prep revision instead of chasing “latest” on a random Tuesday
  • Auto security patches: configure update timers without silently full-upgrading the box
  • Run system updates: a thin wrapper over apt, dnf, pacman, apk, and other managers it detects
  • Server config: MTU helpers, SSH key import (including GitHub public keys), MOTD, SSH banner
  • LinUtil: optional launch of a pinned LinUtil revision for broader system tweaks
  • Branch / settings: switch repo branch, toggle update preferences

Support varies by module. The menu will start on a wide range of distros; each installer only claims the package managers and services it actually detects. Read the prompts before you point this at a production host.

What’s new lately

Recent work focused less on “more menu items” and more on making the tool safer to run and easier to keep current.

Automatic updates (opt-in)

Tracked settings.conf ships conservative defaults. Your preferences live in ignored settings.local.conf (mode 600). Auto update check and auto-apply are off unless you turn them on in the settings menu (s from the main menu) or set:

# settings.local.conf
AUTO_UPDATE_CHECK="true"
AUTO_APPLY_UPDATES="true"

When an update applies, the next launch shows a short summary: previous vs new VM-Setup version, Docker-Prep pin, LinUtil pin, and a compare link. Auto-apply skips if the working tree has local changes, which is the right default when you have been hacking on a branch.

Pinned third-party launchers

Docker-Prep and LinUtil are pinned to Git commit IDs, not floating main. There is also an automated path for Docker-Prep: publish a release on that repo, a workflow updates the pin / version, regenerates checksums, runs security checks, and opens a PR. After merge, hosts with update checks enabled pick up the new pin on a normal VM-Setup update.

Installer checksums

Installer scripts are checked against Installers/.checksums.sha256 before they run. A mismatch is fatal. That is intentional: if something on disk does not match what was reviewed and committed, stop.

Hardened execution path

Recent hardening work tightened how installers are invoked, how CI inputs are handled, and how guest-tools decline paths behave. The theme is simple: fewer implicit upgrades, fewer “trust whatever we just downloaded” moments, clearer exits when you say no.

GitHub SSH key import

Server config can pull public SSH keys from a GitHub account into the host’s authorized keys flow, useful when you are standing up a box and do not want to paste keys by hand from three machines.

How I use it

Typical path for a new XCP-ng guest:

  1. Install the OS, get network, clone VM-Setup
  2. Run Server Initial Config (hostname + guest tools)
  3. Apply Auto Security Patches the way that site wants them
  4. Add only the app modules you need (Docker, XO, UniFi, WordPress, tunnel); skip the rest
  5. Import SSH keys / set MOTD if the box will be shared
  6. Optionally enable update checks so the utility itself does not rot on disk

Do not treat every menu item as mandatory. The value is a consistent checklist with safe defaults, not a kitchen-sink run that installs everything because it is on the list.

Bottom line

VM-Setup is MIT-licensed, menu-driven post-install tooling aimed at Linux servers and XCP-ng VMs. The interesting recent work is the update model, pin sync for Docker-Prep, installer checksums, and quieter hardening around how modules execute.

Bug reports are welcome; fixes are not guaranteed, same honesty as the README. If you build labs or client Linux VMs often enough to hate rediscovering the same ten steps, clone it and keep the modules you actually use.