<-Back

On this page... (hide)

  1.   1.  Starting Point
    1.   1.1  Hardware and partitionning
    2.   1.2  Get a Domain Name
    3.   1.3  Know what you want
  2.   2.  Basic config
    1.   2.1  Update
    2.   2.2  Charset
    3.   2.3  Setup repositories in YaST
    4.   2.4  Install basic stuff
    5.   2.5  Automatic updates
    6.   2.6  Firewall
  3.   3.  Services
  4.   4.  X11Forwarding

1.  Starting Point

1.1  Hardware and partitionning

Home install: As said in the main page, I now (201701) have a fiber line internet link, with 100 Mb down and 60Mb up band width (verified), much enough for a personal server. My provider modem is pretty cool, so I don't need to have my own gateway, so my server won't have to act as a gateway. So far so good.

I build a machine with obsolete gathered for free hardware and disks from my trash box. Some time ago I replaced some 1To, 1.5To, 2To hard drives by 5To usb disks for archival purpose, so I have lot of Tb disks at hand, so I managed to build a *three* disks mirror raid 1 system. My hardware is an optiplex 760 Dell computer, so I have two internal disks and the third on an esata dock.

They are installed as raid with the smaller disk size, that is around 1Tb, as md127, ,then lvm mapper with 50Gb system and 879Gb data partitions all with ext4 file system, 2Gb swap.

First time I use raid on production.

Distibution: openSUSE Leap 42.2

1.2  Get a Domain Name

I know you can use a dynamic system, but having your own domain name is very handy and very cheap. I use http://gandi.net and pay only €15 a year for my dodin.org domain name. I always had fixed IP, including at home, so I don't know much about a server on a variable IP system.

I buy recently yet an other domain name (dodin.me) to makes it easier to make migrations. I can build the new server on a real domain name and only switch when it's ok. http://ovh.com is very cheap, around €7 only for a domain name (a year!) - depending on the tld. I even have three domain names (to allow round robin install), also you can have free ones with http://www.azote.org.

Today the only difference between registrars is the zone interface, that is the more or less simple way to manage subdomains.

If your server is due to host a mail system, you may have to deal with anti-spam mechanisms.

http://www.mail-tester.com/ is the best I found to test your DNS zone, it gives lot of hints. You may also use "opendkim" http://opendkim.org/

1.3  Know what you want

The first task is to take a paper and a pencil and write down exactly what you want. Of course, when working, you will understand better your needs and change accordingly, but any change can give painful results.

As an example, gandi.net allows you to have a full mail server with no administration and unlimited e-mails for as low as €1 (one!) a month and if you want only the myname@mydomain e-mail, better use it. I wanted to learn mail administration, so I decided to go the hard way and install my own one.

What I wanted was:

  • an http server for me and my family (I have two daughters working as singer and actress, so they need also web site);
  • a mail server. I want to be able to manage all my mails from this server, to be able to read them (and the archives) from any computer on the world, without having to bring one with me;
  • a ftp server to store files as needed and allow customers to do also;
  • of course ssh access;

As of 2017, I will try to drop mail management (because I'm aging and would like to lower my burden), but it's difficult, my service is better than many :-(.

  • I also run now owncloud, very handy, specially to manage photos done with smartphones.

2.  Basic config

2.1  Update

It's mandatory to make an immediate update. Using "zypper up" is probably the best way, at this step if there is a failure it's easy to install again.

If some step seems to last forever, do not stop the update, specially if it's a grub update, because it may break your grub install.

If necessary, the grub install can be done again with yast, but before rebooting, or in a rescue system. As I had the problem, I could verify that even with raid system, the recovery system is the same (bind mount and chroot).

2.2  Charset

The charset should be utf8, this is not universally adopted. Verify it with

 env | grep LANG

mine is

 LANG=fr_FR.UTF-8

2.3  Setup repositories in YaST

I use to remove "source" or "test" repositories and to add packman one, that is necessary is the server have at anytime to manage multimedia (likely).

Then

 zypper ref
 zypper dup --from "Packman Repository"

to change applications to Packman.

2.4  Install basic stuff

Depending of your initial install you will probably have to install a lot of things. My provider installed a very minimal system. I had to install nearly all by hand. Begin to install all the meaningfull YaST modules (search for yast in software install). I had yast (mandatory!), but not yast2 (no gui) when using "ssh -X -C" to connect then yast2 is much friendlier. Notice that ssh -X seems to need a minimal X install. I use to install xfce4 basics (but not to run it at boot).

I didn't write down all what I installed. A short list is probably: mc, w3m, yast2-gtk and qt, vsftpd (ftp), dovecot (mail imap/pop3), mrtg (http statistics), inn (news server), mailman (list server), spamassassin (spam fighter), apache2, ntp (time sync), tightVNC (remote admin). X and xfce may be usefull some day.

Don't forget to activate the necessary services in YaST, system, services manager. You may want to use "systemctl enable", read the systemctl man page, it's pretty important by the time.

Using patterns is friendly, but for example I ended with libreoffice and Gimp, not really necessary on a web server :-) (don't forget to remove them :-).

2.5  Automatic updates

You should have a YaST module to manage automatic security updates. If you don't have, you didn't install the relevant module. Do and configure the update. The module name (13.1) is "yast2-online-update-configuration". It's available from software management/config, but only in qt version (not ncurse) with install on the go. With ncurse (xterm) version, install it yourself. after that it's available in the control centrer menu as Online Update Config.

2.6  Firewall

Default openSUSE firewall is SuSEFirewall2. Most options are setup with the YaST2 module.

The main error to avoid is to launch the firewall before having setup the sshd opening - doing so you will lose the connection to the server...

Test the firewall: http://www.auditmypc.com/firewall-test.asp (but from the tested computer). To be able to use this easily look at Doc.TunnelSshEtFirefox.

Add:

  • dovecot
  • smtp (postfix)
  • http (apache)
  • https
  • VNC
  • vsftp

3.  Services

Do verify all your daemons are running and launched at start.

Specially:

  • inn if you want a newsgroup server (not yet for me)
  • mailman for mailing lists (not yet for me, but I will need it soon)
  • rsyncd (do not seems to be mandatory)
  • spamd (not yet)
  • vsftpd

In YaST was "running levels", is now "service manager" (13.1). You may also want to use "systemctl enable".

4.  X11Forwarding

To allow X11 forwarding to work on modern distributions, you have to add

X11Forwarding yes
#X11UseLocalhost no
AddressFamily inet

to "/etc/ssh/sshd_config".

then log in with "ssh -X -C [-p <port>] url

X11Forwarding was activated as default in openSUSE 42.2, but not AddressFamily, and I'm unsure of the best setup...