Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen der Seite angezeigt.

--- content:serverbasics [2024/10/26 14:35] – [Recover faulty Disc] obel1x
+++ content:serverbasics [2026/04/10 10:18] (aktuell) – [Mountoptions] obel1x
@@ Zeile 1: / Zeile 1: @@
-====== Linux: Basic Server Configuration ======
+====== Linux: Advanced SoHo- Server Configuration ======
-These setting here are an advice to think about when setting up a new linux- machine (here on an opensuse distrubution, which i really like).
+~~NOCACHE~~
+Welcome to my **Advanced Server Setup- Documentation**.
+In these chapters, i will explain how to setup and configure a full featured Active Domain- Network with Kerberos Single-Sign-On and Domain Integration of Linux Clients on a rootless containerized Docker- Installation including Nextcloud as personal Cloud to store all your Data and PIM locally and safe. That way you get a fully managed, Cloud enabled Homeoffice Network at low costs and much space for your personal data on your own pc.
+===== Current State =====
+This Document is currently under developement and chapters are not final right now. This will change in the Future.
+===== Usecase =====
+This is not a slim Setup - so if you only have old hardware or you are trying to figure out on yoru small office-pc, this may not work as well as you need it.
+You should have at least
+  * Large Harddrives: If you have maybe 1.5 TB of Data all togehter, you will need:
+      * 3 TB of space on your working directory / raid5 = 3 Harddrives, each 1 TB at least
+      * 6 TB of space on your backup / raid5 = 3 Harddrives, each 2 TB at least
+      * about maybe 100GB for the system / raid1 = 2 Harddrives
+      * about maybe 100GB for the databases / raid1 = 2 Harddrives
+      * maybe two extra drives for external backups, each 6 TB (you can also store that in the internet, but you will need a large space there too)
+  * A Server, that has relyable, quite fast internet in Download and Upload rates - while Upload may be more Importen
+  * The Server should be reachable all the time
+===== How to Start =====
+First, read this Page, get the Hardware and install the system. You should understand the Hardwaresetup and the installation of Linux and Raid- Systems first (as decribend beneath).
+Then, go on whith [[:content:serverbasics:network-dyndns|DynDNS- Setup]] to make your PC reachable from the net.
+Next, setup docker as decribed in the Chapter. When you have portainer running, you can go like this:
+  - Nextcloud-AIO
+  - FreeIPA
+  - Authentik
+Then glue them together with SSO, SPNEGO and Nextcloud-SSO. Then you should have understood everything, you can now play around on your own.
 ===== Subpages =====
 <catlist content:serverbasics -nohead -noNSInBold -sortAscending -sortByTitle -noAddPageButton -maxDepth:1>
+===== Basic System =====
+As Hardware, you should have at least:
+  * a single standard Desktop- PC with 4 or more Cores
+  * equipped with at least 16 GB of RAM and
+  * for failure of Discs a swappable mounting Rack to contain at least 5 Discs (should not have Raid as Hardware, as Software Raid in Linux is much more efficient!)
+  * Additional at least one external Disk, you may use to copy your Backups to and store them on a different physikal location
 ===== Mountpoints =====
@@ Zeile 51: / Zeile 97: @@
 So I would suggest to use two disks both partioned with GPT and same sized efi-partitions (as said, at least 500 Megabytes in Size to store Bios or UCODE updates for Firmware Updater) and before creating the FAT32 filesystem do software raid on it. E.g.:
 <code>
 ~ # mdadm --create --verbose /dev/md/efiboot --level=1 --raid-devices=2 --metadata=1.0 --name=efiboot --homehost=system /dev/sda1 /dev/sdb1
@@ Zeile 166: / Zeile 212: @@
 </code>
 ==== LVM ====
-LVM is a powerful partition-management-layer and should always be used, when there is some none low-end hardware present. If you can use the **KDE Partitioning- Tool**  (which means having Plasma=KDE Desktop compatible support), the support is very inuitive and opens a lot of flexibility whne handling partitions, like adding more disk space or moving partitions, but also on console this offers good functionality. OpenSuSE offer to create LVM- Styled system setup in installation optionally (not by default). If you can: use it.
+LVM is a powerful partition-management-layer and should always be used, when there is some none low-end hardware present. If you can use the **KDE Partitioning- Tool** (which means having Plasma=KDE Desktop compatible support), the support is very inuitive and opens a lot of flexibility whne handling partitions, like adding more disk space or moving partitions, but also on console this offers good functionality. OpenSuSE offer to create LVM- Styled system setup in installation optionally (not by default). If you can: use it.
 === Mirror- Raided LVM- Volumes (RAID1) ===
@@ Zeile 273: / Zeile 317: @@
 </code>
+=== LVM Error Recovery ===
+In case on Harddrive is failing, the Array gets degraded. If you boot your system without that disk, it will not start due to inaktive volume groups.
+To recover, do this:
+. Get Volume Groups up, if degraded
+vgchange -a y
+. Add a new PV to the VG that is large enough to hold the Data
+vgextend vgname /dev/sdX
+. Repair the logical volume by searching for usable PVs automagically
+lvconvert –repair vgname/lvname
+This should rebuild your logical Volume
+. After rebuild, remove the faild drive from the vg:
+vgreduce –removemissing vgdata
+Thats it, your System should become usable after that.
+== Moving Data before Drive fails ==
+If you have the possibility to add a new PV before the array gets degraded, you can use the replace- method after adding the new pv to the VG:
+lvconvert –replace /dev/sdX1 vgname/lvname /dev/sdY1
+=== More Info for LVMs ===
+https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/configuring_and_managing_logical_volumes/configuring-raid-logical-volumes_configuring-and-managing-logical-volumes
 ==== Filesystem ====
@@ Zeile 279: / Zeile 360: @@
 And there is one Reason: Docker - at the current time of writing this (20.04.2024) you should NOT USE BTRFS with Docker. More is explained later.
 ==== Mountoptions ====
@@ Zeile 289: / Zeile 369: @@
 While autodefrag should not be necessary on ssd- harddiscs.
-For **Databases**  or files that need speed and __**are well backed up otherwise**__  : nodatacow,nodatasum,noatime,nodiratime
+For **Databases** or files that need speed and __**are well backed up otherwise**__  : nodatacow,nodatasum,noatime,nodiratime
 === Sources: ===
   * [[https://fedoraproject.org/wiki/Changes/BtrfsTransparentCompression|https://fedoraproject.org/wiki/Changes/BtrfsTransparentCompression]]
   * [[https://btrfs.readthedocs.io/en/latest/Administration.html|https://btrfs.readthedocs.io/en/latest/Administration.html]]
+=== Powermode settings ===
+Your Harddrives may have set a power level, that allows spindown. I personally would not let your harddrives spindown, because every start brings your harddrives mechanics nearer to death. In Fact there is not very much worse than spinning up and down every few minutes for a harddrive with physical discs.
+To change that, create the following file:
+<file>
+pcserver2023:/usr/lib/udev/rules.d # cat 85-hdparm.rules
+ACTION=="add|change", SUBSYSTEM=="block", KERNEL=="[sh]d[a-z]", RUN+="/sbin/hdparm -S 0 -B 128 /dev/%k"
+</file>
+That way, your harddrives will stay up all time.
 ===== Quotas =====
@@ Zeile 412: / Zeile 506: @@
 So you should maybe think of setting a better umask than 022 - which would make all users of you group have read access to you files to lets say 077. Or - even better don't use the group "users", but make a group with the same name as the user per User itself. Than you can have umask 007.
-On my system the umask can be defined in the file ''/etc/login.defs'' .
+On my system the umask can be defined in the file ''/etc/login.defs''  .
 But to go on directory- permissions: forget about umask.
 ==== FACLs ====
@@ Zeile 568: / Zeile 661: @@
 And with FACLs there are powerful tools that should cover everything an administrator needs.
+===== Firewall =====
+To check, which services are open, use:
+PLEASE, Before opening the Ports, check the Services described at the Sub-Pages first to secure them!
+<code>
+servername:~ # firewall-cmd --list-ports
+/tcp 3478/udp
+servername:~ # for s in $(firewall-cmd --list-services); do firewall-cmd --permanent --service "$s" --get-ports; done;
+/udp
+/tcp 53/udp
+/tcp
+/tcp
+/tcp 88/udp
+/tcp
+/tcp
+/tcp 873/udp
+/tcp
+</code>