Documentation and scripts to setup and maintain my home server and the services running on it

Shell 100%

Find a file

IvanPalm 54f997a8eb removed old versions of compose files + archived unused services		2026-05-11 22:27:34 +02:00
services	removed old versions of compose files + archived unused services	2026-05-11 22:27:34 +02:00
.gitignore	added music streaming service using Navidrome	2025-02-04 22:51:55 +01:00
LICENSE	Initial commit	2024-12-31 15:52:10 +01:00
README.md	slowly updating	2026-04-10 21:57:32 +02:00

README.md

Home Server Setup Notes

This repository documents the configuration and setup of my home server, including guidance on server configuration, IP management, and services deployed in Docker containers. It serves as a guide to recreate or maintain the setup, with links to dedicated documentation for each service.

Install and Set Up UFW
Configure SSH Key Authentication
Install and Configure Fail2Ban
Setting Up a Custom Domain on Cloudfare
Dockerized Services

Server Configuration

Operating System: Debian 13 - Trixie
Hardware:
- Case: Fractal Design - Node 304
- Motherboard: ASRock B760M-ITX/D4 WiFi Mini ITX
- CPU: Intel i3-12100
- CPU Fan: be quiet! Pure Rock Slim 2
- Memory: G.Skill Ripjaws V 16 GB (2 x 8 GB) DDR4-3200 CL16
- Storage:
  - 1x SSD Samsung 990 EVO Plus 1 TB M.2-2280 PCIe 5.0 X2 NVME
  - 2x HDD Seagate IronWolf Pro NAS 4 TB 3.5" 7200 RPM in RAID1
  - 1x HDD Seagate Barracuda Compute 2 TB 3.5" 7200 RPM
- PSU: be quiet! Pure Power 11 400 W 80+ Gold Certified
Prerequisites:
- Non-root admin user with sudo permissions.

Networking

Install and Set Up UFW

UFW (Uncomplicated Firewall) is a simple and effective way to secure your server by managing incoming and outgoing traffic.

Install UFW (if not already installed)
```
sudo apt install ufw
```
Set Default Rules
Configure UFW to deny all incoming traffic by default and allow all outgoing traffic:
```
sudo ufw default deny incoming
sudo ufw default allow outgoing
```
Allow SSH
Specify the port for SSH to ensure you don't lock yourself out of the server:
```
sudo ufw allow ssh
```
Enable UFW
Activate the firewall with the specified rules:
```
sudo ufw enable
```
Verify Configuration
Check which ports are allowed and ensure the firewall is active:
```
sudo ufw status
```

This setup provides basic protection, restricting access to only the specified ports.

Configure SSH Key Authentication

Generate an SSH Key Pair On your client machine, generate a secure SSH key pair:
```
ssh-keygen -t ed25519 -C "your_comment_or_email"
```
Copy Public Key to Server Transfer the public key to the server with ssh-copy-id.
```
ssh-copy-id <USER>@<SERVER-IP>
```
Replace <USER> and <SERVER-IP> with your username and server IP, respectively
Enable Key-Based Login Only Edit the SSH configuration file to allow only key-based authentication:
```
sudo nano /etc/ssh/sshd_config
```
Update the following lines:
```
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
```
Restart the SSH daemon to apply changes:
```
sudo service sshd restart
```

Install and Configure Fail2Ban

Fail2Ban helps protect against brute-force attacks by banning IPs with repeated failed login attempts.

Install Fail2Ban
```
sudo apt install fail2ban
```
Create a Local Configuration
Copy the default configuration to a new .local file:
```
sudo cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
```
Set Up an SSH Jail
Add the following to the end of /etc/fail2ban/fail2ban.local:
```
[sshd]
enabled = true
port = SSH_PORT
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = -1
```
Note

: bantime = -1 bans indefinitely. Adjust as needed.
Restart Fail2Ban
```
sudo service fail2ban restart
```
Check Fail2Ban Status
View the status of the SSH jail:
```
sudo fail2ban-client status sshd
```

Unban an IP Address
If needed, unban a specific IP:

sudo fail2ban-client set sshd unbanip <IP-ADDRESS>

Configuring Home Network

Configuring Static Public IPv6

This method utilizes the ifupdown package to manage network interfaces.

Append the following section to the configuration file /etc/network/interfaces.

# Set static IPv6 - 2a02:2455:84a5:XXXX:YYYY:::
iface enp3s0 inet6 static
        address 2a02:2455:84a5:XXXX:YYYY:::/64
        gateway 2a02:2455::1
        metric 128
        dns-nameservers 1.1.1.1 1.0.0.1

Given tha allocated subnet 2a02:2455:84a5:XXXX:YYYY:::/64 the gateway is retrieved by taking the first part of that prefix 2a02:2455, and add ::1 to the end. In this case, the gateway is 2a02:2455::1.

DNS nameserver is assigned to Cloudflare addresses (but it could be also Google others - Cloudflare seems to be faster and less predatory when it comes to users' data).

Setting Up a Custom Domain on Cloudfare

Domain Registration
- Register custom domain on Cloudfare.
DNS Configuration
- Configured AAAA record assigned to home-server public IPv6, setting host to @.
- Set up subdomains for services (e.g., nextcloud.mydomain.net).

Dynamic DNS

Configured ddclient as shown below.
Set run_damenon=true in /etc/default/ddclient for ddclient to run as a daemon.
Forced run in debug mode with sudo ddclient -daemon=0 -debug -verbose -noquiet -force.

# Configuration file for ddclient generated by debconf
#
# /etc/ddclient.conf

syslog=yes              # log the output to syslog
ssl=yes                 # use ssl when updating IP

use=web, web=ifconfig.co/ip
protocol=cloudflare, \
zone=mydomain.net, \
login=token, \
password=my-cloudfare-api-token \
mydomain.net

Configure DNS Name-server
- By default, the DNS server and DNS domain were set to localhost and to the router.
- Open the systemd-resolved configuration file with sudo nano /etc/systemd/resolved.conf.
- Add the following entries:
```
DNS=1.1.1.1 1.0.0.1
Domains=mydomain.net
```
- Restart the service with sudo systemctl restart systemd-resolved.

Dockerized Services

Please see dedicated guidance.