💾 Archived View for uscoffings.net › tech › freebsd › freebsd-server.gmi captured on 2023-03-20 at 18:09:07. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2023-01-29)

➡️ Next capture (2023-09-08)

-=-=-=-=-=-=-

My FreeBSD Home Server

[date: 2017-12-05]

I started using FreeBSD seriously during 8.x. I recently upgraded to 11.1, and realized that my server was feeling crufty and undocumented. So did a hardware upgrade and reinstalled fresh.

Some notes follow.

Stats

• FreeBSD 13.1
• Gigabyte
• Intel Core i5 Kaby Lake
• 16GB RAM
• 128GiB M2 SSD
• 3TiB mirrored ZFS
• Gigabit switch

Install ports

Basic:

• archivers/zip
• daapd
• editors/libreoffice
• editors/vim
• email/claws-mail
• graphics/evince
• math/R
• net-p2p/transmission-gtk
• net/rsync
• samba
• security/sudo
• tmux
• www/elinks
• www/firefox
• x11-wm/xfce4
• x11/nvidia_driver
• xorg
• audio/mpg123
• dosbox
• emulators/virtualbox-ose

Tools to manage scrapbook:

• graphics/ImageMagick
• graphics/jhead
• graphics/netpbm
• graphics/optipng
• graphics/ristretto
• multimedia/vlc

build x11-drivers/xorg-drivers with correct driver enabled

Blog:

• www/lighttpd

Optional for Mutt-based email client:

• email/fetchmail
• email/msmtp
• email/mutt
• email/procmail

Development tools:

• devel/git
• devel/valgrind
• cdk
• cppcheck
• sdl2
• doxygen
• cmake
• lang/rust
• patch
• ninja

FreeBSD itself:

• ports/portmaster
• ports/pkg_cutleaves
• devel/subversion

Build server:

• ports-mgmt/poudriere

After installing everything, you can clean up unnecessary packages with "pkg autoremove". Sometimes this can make subsequent upgrades easier, too.

ZFS

zpool create ...

zfs export nfs

Tune filesystems

Edit `/etc/fstab` to mount `/tmp` using `tmpfs`:

tmpfs /tmp tmpfs rw 0 0

Add `,noatime` to /etc/fstab for speed. Perhaps not for `/var` if that is a separate slice.

Mount /proc by default (TODO or not... what needs this?):

proc /proc procfs rw 0 0

Reboot into install shell. Disable journaling for speed:

tunefs -j /dev/ada4p2

Enable TRIM if running on an SSD:

tunefs -e /dev/ada4p2

Label the root filesystem. Mount by label. (My motherboards recognize the spinning disks--which tend to come and go--before the SSD.)

Install /usr/ports/sysutils/smartmontools

sshd

Add to /etc/rc.conf:

sshd_enable="YES"

Add to /etc/ssh/sshd_config:

Allow root logins:

PermitRootLogin yes

Make SSH not disconnect idle clients so soon:

ClientAliveInterval 60

ClientAliveCountMax 10

network

Add to /etc/rc.conf:

defaultrouter="192.168.1.1"

hostname="server.uscoffings"

ifconfig_vr0="inet 192.168.1.201 netmask 255.255.255.0"

Add to /etc/hosts:

192.168.0.201 server.uscoffings server

make

Add to /etc/make.conf:

CPUTYPE?=native

OPTIONS_UNSET=NLS DOCS EXAMPLES DEBUG NIS SWIG LUA PULSEAUDIO JACK

OPTIONS_SET=OPENSSL

ZeroConf

Install port /usr/ports/net/mDNSResponder

Create /usr/local/etc/mDNSResponder.conf with:

UsCoffings _afpovertcp._tcp local. 548

Add to /etc/rc.conf:

mdnsd_enable="YES"

TODO: seems to have changed to "mdnsd"; what happened to flags?

mdnsresponder_flags="-f /usr/local/etc/mDNSResponder.conf"

music server

Install port /usr/ports/audio/mt-daapd

Add to /etc/rc.conf:

mt_daapd_enable="YES"

Edit /usr/local/etc/mt-daapd.conf

Apple File Server

Configure ZeroConf.

Install port /usr/ports/net/netatalk

If you compiled WITH_PAM support, you need to edit /etc/pam.conf to add

support for netatalk. To do so, add the following three lines to this

file:

netatalk auth required pam_unix.so try_first_pass

netatalk account required pam_unix.so try_first_pass

netatalk session required pam_permit.so

Add to /etc/rc.conf:

netatalk_enable="YES"

afpd_enable="YES"

atalkd_enable="YES"

slpd_enable="YES"

Add to /usr/local/etc/afpd.conf:

- -noddp

Add to /usr/local/etc/netatalk.conf:

ATALK_NAME=UsCoffings

AFPD_GUEST=nobody

TODO: update Add to /usr/local/etc/AppleVolumes.default:

~

/usr/share/music Music allow:@uscoffings

/usr/share/Library Library allow:@uscoffings

/usr/share/www/apache22/data WebServer allow:@uscoffings

rsync server

Install port /usr/ports/

Configure /usr/local/etc/rsyncd.conf.

Add to /etc/rc.conf:

rsyncd_enable="YES"

mail

Install port /usr/ports/mail/postfix.

Add to /etc/rc.conf:

postfix_enable="YES"

sendmail_enable="NO"

sendmail_submit_enable="NO"

sendmail_outbound_enable="NO"

sendmail_msp_queue_enable="NO"

TODO: Add to /etc/periodic.conf to disable sendmail-specific cleanups:

daily_clean_hoststat_enable="NO"

daily_status_mail_rejects_enable="NO"

daily_status_include_submit_mailq="NO"

daily_submit_queuerun="NO"

Edit /etc/mail/aliases... perhaps forward root's email to chuck

Regenerate /etc/aliases.db by running newalises

Edit /usr/local/etc/postfix/main.cf:

set myhostname

set mydomin

Install port /usr/ports/mail/dovecot.

TODO: mail

web mail

http://www.freesoftwaremagazine.com/articles/secure_email_server_bsd_part_1

TODO

List of ports to expose externally:

22 (1221 at the router)

80

TODO

point domain at server

backup

backup media -- drive, DVD

archivers/parchive

sysutils/dar

generate SSL certificate (to be used by dovecot, etc)

TODO: tor

what's the best port manager?

portmaster

seems to get confused often

portupgrade

ruby, slow, but works

mail:

pop3 server

web server for laura

cron

mon

backup of server

power down

cvsup

better tab completion

x11

install xorg; set hald and dbus to start; run moused

samba

printer

library

Console

kill the beep

echo "hw.syscons.bell=0" >> /etc/sysctl.conf

?? vs rc.conf: keybell="off"

/etc/rc.conf:

keyrate="fast"

/etc/rc.conf:

powerd_enable="YES"

saver="green"

TODO console - better res -- need kernel rebuild (see vidcontrol)

NTP

UTF8

Amazingly, UTF8 is still not default out-of-the-box.

Updating

portsnap fetch

portsnap update

portmaster -a

freebsd-update fetch

Recipe server

User configurations

Add self to groups:

wheel

vboxuser

www/firefox

uBlock Origin: I am toying with blocklists on the [pfSense](pfsense) firewall, but uBlock is still required on firefox.

shells/bash

`~/.bashrc`:

export CLICOLOR=1

urxvt