💾 Archived View for uscoffings.net › tech › freebsd › freebsd-server.gmi captured on 2023-09-08 at 15:58:52. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2023-01-29)

🚧 View Differences

-=-=-=-=-=-=-

My FreeBSD Home Server

[date: 2017-12-05]

I started using FreeBSD seriously during 8.x. I recently upgraded to 11.1, and realized that my server was feeling crufty and undocumented. So did a hardware upgrade and reinstalled fresh.

Some notes follow.

TODO I need to update these notes:

• FreeBSD 13
• Moved from httpd to molly-brown. Hello Gemini!
• Moved dnsmasq to firewall, which simplifies networking config
• Moved mail to a jail.
• Headless.
• Current backup scheme uses ZFS snapshots as primary, sanoid / syncoid as secondary, and dar as tertiary.
• emby-server

Stats

• FreeBSD 13.1
• Gigabyte
• Intel Core i5 Kaby Lake
• 16GB RAM
• 128GiB M2 SSD
• 3TiB mirrored ZFS
• Gigabit switch

Install ports

Basic:

• archivers/zip
• daapd
• editors/libreoffice
• editors/vim
• email/claws-mail
• graphics/evince
• math/R
• net-p2p/transmission-gtk
• net/rsync
• samba
• security/sudo
• tmux
• www/elinks
• www/firefox
• x11-wm/xfce4
• x11/nvidia_driver
• xorg
• audio/mpg123
• dosbox
• emulators/virtualbox-ose

Tools to manage scrapbook:

• graphics/ImageMagick
• graphics/jhead
• graphics/netpbm
• graphics/optipng
• graphics/ristretto
• multimedia/vlc

build x11-drivers/xorg-drivers with correct driver enabled

Blog:

• www/lighttpd

Optional for Mutt-based email client:

• email/fetchmail
• email/msmtp
• email/mutt
• email/procmail

Development tools:

• devel/git
• devel/valgrind
• cdk
• cppcheck
• sdl2
• doxygen
• cmake
• lang/rust
• patch
• ninja

FreeBSD itself:

• ports/portmaster
• ports/pkg_cutleaves
• devel/subversion

Build server:

• ports-mgmt/poudriere

After installing everything, you can clean up unnecessary packages with "pkg autoremove". Sometimes this can make subsequent upgrades easier, too.

ZFS

zpool create ...

zfs export nfs

Tune filesystems

Edit `/etc/fstab` to mount `/tmp` using `tmpfs`:

tmpfs		/tmp		tmpfs	rw		0	0

Add `,noatime` to /etc/fstab for speed. Perhaps not for `/var` if that is a separate slice.

Mount /proc by default (TODO or not... what needs this?):

proc /proc procfs rw 0 0

Reboot into install shell. Disable journaling for speed. Enable TRIM if running on an SSD.

# tunefs -j /dev/ada4p2
# tunefs -e /dev/ada4p2

Label the root filesystem. Mount by label. (My motherboards recognize the spinning disks--which tend to come and go--before the SSD.)

Install /usr/ports/sysutils/smartmontools

sshd

Add to /etc/rc.conf:

sshd_enable="YES"

Add to /etc/ssh/sshd_config:

# Allow root logins:
PermitRootLogin yes
# Make SSH not disconnect idle clients so soon:
ClientAliveInterval 60
ClientAliveCountMax 10

network

Add to /etc/rc.conf:

defaultrouter="192.168.1.1"
hostname="server.uscoffings"
ifconfig_vr0="inet 192.168.1.201  netmask 255.255.255.0"

make

Add to /etc/make.conf:

CPUTYPE?=native

OPTIONS_UNSET=NLS DOCS EXAMPLES DEBUG NIS SWIG LUA PULSEAUDIO JACK

OPTIONS_SET=OPENSSL

ZeroConf

Install port /usr/ports/net/mDNSResponder

Create /usr/local/etc/mDNSResponder.conf with:

UsCoffings _afpovertcp._tcp local. 548

Add to /etc/rc.conf:

mdnsd_enable="YES"

TODO: seems to have changed to "mdnsd"; what happened to flags?

mdnsresponder_flags="-f /usr/local/etc/mDNSResponder.conf"

music server

Install port /usr/ports/audio/mt-daapd

Add to /etc/rc.conf:

mt_daapd_enable="YES"

Edit /usr/local/etc/mt-daapd.conf

Apple File Server

Configure ZeroConf.

Install port /usr/ports/net/netatalk

If you compiled WITH_PAM support, you need to edit /etc/pam.conf to add

support for netatalk. To do so, add the following three lines to this

file:

netatalk auth required pam_unix.so try_first_pass

netatalk account required pam_unix.so try_first_pass

netatalk session required pam_permit.so

Add to /etc/rc.conf:

netatalk_enable="YES"

afpd_enable="YES"

atalkd_enable="YES"

slpd_enable="YES"

Add to /usr/local/etc/afpd.conf:

- -noddp

Add to /usr/local/etc/netatalk.conf:

ATALK_NAME=UsCoffings

AFPD_GUEST=nobody

TODO: update Add to /usr/local/etc/AppleVolumes.default:

~

/usr/share/music Music allow:@uscoffings

/usr/share/Library Library allow:@uscoffings

/usr/share/www/apache22/data WebServer allow:@uscoffings

rsync server

Install port /usr/ports/

Configure /usr/local/etc/rsyncd.conf.

Add to /etc/rc.conf:

rsyncd_enable="YES"

mail

Install port /usr/ports/mail/postfix.

Add to /etc/rc.conf:

postfix_enable="YES"

sendmail_enable="NO"

sendmail_submit_enable="NO"

sendmail_outbound_enable="NO"

sendmail_msp_queue_enable="NO"

TODO: Add to /etc/periodic.conf to disable sendmail-specific cleanups:

daily_clean_hoststat_enable="NO"

daily_status_mail_rejects_enable="NO"

daily_status_include_submit_mailq="NO"

daily_submit_queuerun="NO"

Edit /etc/mail/aliases... perhaps forward root's email to chuck

Regenerate /etc/aliases.db by running newalises

Edit /usr/local/etc/postfix/main.cf:

set myhostname

set mydomin

Install port /usr/ports/mail/dovecot.

TODO: mail

web mail

http://www.freesoftwaremagazine.com/articles/secure_email_server_bsd_part_1

TODO

List of ports to expose externally:

22 (1221 at the router)

80

TODO

point domain at server

backup

backup media -- drive, DVD

• archivers/parchive
• sysutils/dar

generate SSL certificate (to be used by dovecot, etc)

TODO: tor

what's the best port manager?

portmaster

seems to get confused often

portupgrade

ruby, slow, but works

mail:

pop3 server

web server for laura

cron

mon

backup of server

power down

cvsup

better tab completion

x11

install xorg; set hald and dbus to start; run moused

samba

printer

library

Console

kill the beep

# echo "hw.syscons.bell=0" >> /etc/sysctl.conf

?? vs rc.conf: keybell="off"

keyrate="fast"

powerd_enable="YES"
saver="green"

TODO console - better res -- need kernel rebuild (see vidcontrol)

NTP

UTF8

Amazingly, UTF8 is still not default out-of-the-box.

Updating

portsnap fetch
portsnap update
portmaster -a

freebsd-update fetch

Recipe server

User configurations

Add self to groups: wheel vboxuser

www/firefox

uBlock Origin: I am toying with blocklists on the [pfSense](pfsense) firewall, but uBlock is still required on firefox.

shells/bash

Out-of-the-box, bash is not as friendly as on Linux.

export CLICOLOR=1