Goals
- Re-partition disk to allow more space for /var/log
- Create another VM and reinstall Debian - mainly for cleanup
- Move all running services to Docker
- Configure VM backups on Proxmox hypervisor
- Clean up Proxmox hypervisor update / upgrade errors
- Remove enterprise repository
- Add non-subscription repository
- Add admin user to Proxmox hypervisor (stop logging in as root)
Re-installing Debian
Similar to Initial setup of my Raspberry Pi 5. Simple, straightforward, the Debian TUI installer handles everything nicely. Proxmox automatically connects the VM to the internet when you create it.
Partitioning scheme:
- 100GB for /
- 100GB for /var (previously only allocated 10GB - ran out quick)
- 14GB for swap (same as RAM)
- remainder for /home
Install with SSH server and no desktop environment.
Configuring Debian install
I won’t write these out in detail, but I’m trying to get the process down so I’d like to record every step.
- Log in as root via console
- Verify sshd is enabled
- Install sudo
- Edit /etc/sudoers file to allow wheel to enter all commands with no password
- Create the wheel group and add admin user
- Change passwords for root user and admin user
- Verify
- Configure ssh login and dotfiles
- ssh-copy-id from client machine
- scp -r .config from client machine
- Log in as admin user via ssh
- Change shell to /bin/zsh; create symbolic link ./zshrc that points to .config/zsh/zshrc; log out and back in
- Install packages (see below)
- Configure static IP
- Change ssh server settings in /etc/ssh/sshd_config
- Disable password login
- Disable root login
- Disable X11 forwarding
- Verify syntax (sudo sshd -t)
- Reload sshd
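The sshd part of that list as a script. This is an example added to these notes, not something from the original setup: it writes the three settings to a drop-in file, checks the syntax with sshd -t, and only then reloads. The drop-in directory and file name are assumptions. The detail worth knowing is that sshd keeps the first value it reads for a keyword, and Debian 12's stock sshd_config has its Include line for sshd_config.d at the very top, so a drop-in there beats the defaults further down in the main file.

```shell
#!/bin/sh
# Added example, not part of the original notes: the sshd_config changes from
# the list above as a drop-in file, syntax-checked before the service reloads.
# Drop-in directory and file name are assumptions.
set -eu

SSHD_DROPIN_DIR="${SSHD_DROPIN_DIR:-/etc/ssh/sshd_config.d}"
DROPIN_NAME="60-hardening.conf"

# The settings to enforce. sshd keeps the FIRST value it reads for a keyword,
# and Debian 12's stock sshd_config has "Include /etc/ssh/sshd_config.d/*.conf"
# at the top, so a drop-in overrides anything further down in the main file.
# KbdInteractiveAuthentication is switched off too so PAM cannot offer a
# password prompt through a side door once PasswordAuthentication is off.
render_sshd_hardening() {
    cat <<'EOF'
# Managed drop-in: key-based logins only, no root, no X11
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
X11Forwarding no
EOF
}

# Write the drop-in into DIR (default: the real sshd_config.d) with the same
# root-owned, world-readable mode as the rest of /etc/ssh. Prints the path.
write_sshd_dropin() {
    dir="${1:-$SSHD_DROPIN_DIR}"
    mkdir -p "$dir"
    render_sshd_hardening > "$dir/$DROPIN_NAME"
    chmod 0644 "$dir/$DROPIN_NAME"
    printf '%s\n' "$dir/$DROPIN_NAME"
}

# Validate the full effective config and only then reload. Run as root, and
# keep the current SSH session open until a fresh key login succeeds; a typo
# here is how you lock yourself out of a headless VM.
validate_and_reload() {
    sshd -t                    # non-zero exit (plus a message) on any error
    systemctl reload ssh       # Debian's unit is "ssh", not "sshd"
}

# Return 0 only if every keyword from the list above is set to "no" in FILE.
dropin_is_hardened() {
    for kw in PasswordAuthentication PermitRootLogin X11Forwarding; do
        grep -qx "$kw no" "$1" || return 1
    done
}

# On the host, as root:
#   f="$(write_sshd_dropin)" && dropin_is_hardened "$f" && validate_and_reload
```

If a drop-in already exists with a conflicting value, the lower-numbered file wins, so check sshd -T (which prints the effective settings) rather than trusting the file you just wrote.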
Packages
sudo apt install \
git curl neovim zsh zsh-syntax-highlighting tldr nmap net-tools \
lf rsyslog htop tmux pv open-iscsi cryptsetup trash-cli
iSCSI drive
Add authorized IP to TrueNAS first.
Then follow the steps here.
Creating media user and group
This is the user that will own all the files in the mounted directory.
Changing permissions of the mounted iSCSI share
Allow members of the media group to read and write in addition to the media user:
Docker services
Docker installation and folder setup
Note
Have to replace $VERSION_CODENAME with the hardcoded release (bookworm)
My docker management has been miserable so far, so I am trying a different structure for the files and folders, to keep them separate from the default /var and /etc locations.
- /home/user/docker subdirectories for docker-compose.yml files
- /docker/ subdirectories for docker image data
- chown -R media:media on root docker directory
- run all docker containers as media user
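The media user/group and permission steps from the iSCSI section and the chown/run-as-media steps for the docker folders are the same job, so here they are together as one script. This is an added example, not code from the original notes; the mount point, the /docker data root, the fixed UID/GID of 1500, and the .env file name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes. Creates the "media" user and
# group, hands the mounted iSCSI share and the Docker data root to them, lets
# the whole group read and write, and records media's numeric IDs so compose
# files can run containers as that user. Mount point, IDs and the /docker
# root are assumptions based on the notes above.
set -eu

MEDIA_GID="${MEDIA_GID:-1500}"   # fixed IDs (assumed) so they survive a reinstall
MEDIA_UID="${MEDIA_UID:-1500}"

# Create the group and an account with no login shell (run as root).
create_media_account() {
    getent group media >/dev/null || groupadd -g "$MEDIA_GID" media
    getent passwd media >/dev/null || useradd -u "$MEDIA_UID" -g media \
        -M -s /usr/sbin/nologin media
}

# Put a human account (e.g. the admin user) in the media group (run as root).
add_to_media_group() {
    usermod -aG media "$1"
}

# Give a whole tree to media:media (run as root).
own_as_media() {
    chown -R media:media "$1"
}

# Owner and group get read/write (and traverse on directories), everyone else
# loses access, and the setgid bit on directories makes new files inherit the
# media group. Group WRITE on new files still depends on the creating process's
# umask (or a default ACL); setgid only fixes the group, not the mode.
grant_group_rw() {
    chmod -R u+rwX,g+rwX,o-rwx "$1"
    find "$1" -type d -exec chmod g+s {} +
}

# Write a compose .env with media's numeric IDs so a service can declare
# `user: "${PUID}:${PGID}"` and never run as root inside the container.
write_compose_env() {
    dir="$1"; uid="$2"; gid="$3"
    printf 'PUID=%s\nPGID=%s\n' "$uid" "$gid" > "$dir/.env"
}

# Full run on the host, as root (constructed paths):
#   create_media_account
#   add_to_media_group admin
#   own_as_media /mnt/iscsi && grant_group_rw /mnt/iscsi
#   own_as_media /docker    && grant_group_rw /docker
#   write_compose_env /home/user/docker/jellyfin "$(id -u media)" "$(id -g media)"
```

Images built the linuxserver.io way read PUID/PGID as environment variables and drop privileges themselves; others need the numeric `user:` line, because a name like media only works if it exists inside the container's own /etc/passwd. Either way the containers then write files the media group can read back over the share, which is the whole point of the shared account.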
slskd
Jellyfin
Transmission
filebrowser
nginx
My end goal is to have subdomains (e.g. jellyfin.nas.local) that point to the actual services on my LAN. I figured I’d give this a crack with an nginx reverse proxy to docker services, as that’s something I’m doing on this domain.
I added a rule to point nas.local, nas.lan, and nas.net
Unfortunately, it seems to be a massive pain, at least with my WireGuard VPN.
- None of the requests from my client PC connected to the VPN go through my LAN DNS server. Defaults to 1.1.1.1.
- If I use the .local tld, my browser will recognize it as a proper URL, but not get the proper name through my LAN Pi-hole DNS.
- An unused tld such as .lan defaults to Google search unless prefixed with http:// (thanks, firefox)
- If I use the .net tld, it defaults to trying to resolve that through another DNS provider, as in the first example.
So, this has been tabled for now. A goal for the future.
cronjobs
- Script to update docker containers
- apt update && apt upgrade weekly
- updatedb daily
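The three jobs above as a root crontab plus the "update docker containers" script, written against the folder layout from the Docker section. This is an added example, not the script from the original notes; the compose root, the install path under /usr/local/sbin, the log file names and the times are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes: the cron schedule above plus a
# script that refreshes every compose stack under the docker root. Paths,
# times and log file names are assumptions.
set -eu

COMPOSE_ROOT="${COMPOSE_ROOT:-/home/user/docker}"

# Print every directory directly under ROOT that holds a compose file.
compose_dirs() {
    root="$1"
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        if [ -f "$d/docker-compose.yml" ] || [ -f "$d/compose.yml" ]; then
            printf '%s\n' "${d%/}"
        fi
    done
}

# Pull the images a stack references and recreate only the containers whose
# image actually changed. Pin tags (or digests) in the compose files, otherwise
# this job will happily install whatever "latest" means on a given Sunday.
update_stack() {
    ( cd "$1" && docker compose pull --quiet && docker compose up -d --remove-orphans )
}

# Update every stack; one broken stack is reported but does not stop the rest.
update_all_stacks() {
    compose_dirs "$COMPOSE_ROOT" | while IFS= read -r d; do
        update_stack "$d" || printf 'update failed: %s\n' "$d" >&2
    done
}

# Root crontab for the schedule in the notes. apt needs -y and a
# non-interactive frontend when nobody is around to answer prompts, and every
# job should log somewhere, or a failing job will go unnoticed for months.
render_crontab() {
    cat <<'EOF'
# m h dom mon dow command
0 4 * * 0  /usr/local/sbin/update-docker-stacks >>/var/log/docker-update.log 2>&1
30 4 * * 0 export DEBIAN_FRONTEND=noninteractive; apt-get update -q && apt-get upgrade -y -q >>/var/log/apt-cron.log 2>&1
0 3 * * *  /usr/bin/updatedb
EOF
}

# Install on the host, as root (constructed paths):
#   install -m 0755 this-file /usr/local/sbin/update-docker-stacks   # with a final line: update_all_stacks
#   render_crontab | crontab -
```

A weekly apt-get upgrade run by cron will not reboot for a new kernel, so either check for /var/run/reboot-required now and then or use unattended-upgrades, which handles that case and mails you the log.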
Remaining
Services
- Syncthing
- Navidrome - still investigating this one. It doesn’t seem to have many mobile clients available.
- Webmin (? - I never use this, not really sure I’m going to install it)
- beets
Tasks
- Configure backups!