Here we are again…this is similar to my previous post about 7 months ago where I nuked my config and started over, but after several months of iterating on my configuration, a lot has changed. This time I decided to upgrade the PC to the Beelink EQR6, a machine that I had been using as a glorified jukebox and media streaming box, as well as for XMR mining in the plenty of spare time that it had.
I also feel that it’s helpful to do a sanity check every now and then to make sure my server hasn’t become a special snowflake and I can redeploy without serious issues. Flexes those old muscles.
This ended up taking a lot less time than expected and I ran into far fewer headaches than anticipated. I reviewed several of my earlier posts for configuration tutorials, and after writing this post it’s actually crazy how many I’ve linked to.
The really cool thing about this is that since most of my data is stored on my NAS, once I had the basics set up and put the machine into the rack, most everything just clicked into place.
Install Proxmox
First thing to do is install Proxmox on the machine.
The installer is pretty straightforward. I did run into an issue - the installer uses CIDR notation instead of a 255-type subnet mask. I typed in just the IP without thinking too much about it. When I booted into it, the static IP was set to `10.0.10.39/0` (it took me a few minutes of scratching my head to figure out why it wasn’t connecting) - but that `/0`, when I found it, was obviously not correct. Easy fix, and maybe I just missed reading a prompt on the Proxmox installer.
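The subnet-mask mix-up above is cheap to catch before it reaches an installer prompt or a config file. The following is an added example, not from the original post: three small bash helpers (the names `mask_to_prefix`, `prefix_to_mask` and `check_host_cidr` are my own) that translate between a dotted mask and a CIDR prefix and flag an address such as `10.0.10.39/0`, or a bare IP with no prefix at all.

```bash
#!/bin/bash
# Added example (not from the post): translate between a dotted subnet mask and
# a CIDR prefix length, and sanity-check a host address written in CIDR form.

# mask_to_prefix 255.255.255.0 -> prints 24. Returns 1 for anything that is not
# four octets forming a contiguous run of ones followed by zeros.
mask_to_prefix() {
    local mask=$1 bits="" octet i
    local IFS=.
    for octet in $mask; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        octet=$((10#$octet))               # force decimal (no octal surprises)
        [ "$octet" -le 255 ] || return 1
        for ((i = 7; i >= 0; i--)); do     # append the octet as eight binary digits
            bits+=$(( (octet >> i) & 1 ))
        done
    done
    [ "${#bits}" -eq 32 ] || return 1      # exactly four octets
    case $bits in *01*) return 1 ;; esac   # a zero followed by a one: not a mask
    local ones=${bits%%0*}                 # keep the leading run of ones
    echo "${#ones}"
}

# prefix_to_mask 24 -> prints 255.255.255.0
prefix_to_mask() {
    local prefix=$1 mask
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    prefix=$((10#$prefix))
    [ "$prefix" -le 32 ] || return 1
    # 32-bit mask with the top $prefix bits set, then split into octets
    mask=$(( prefix == 0 ? 0 : (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    echo "$(( (mask >> 24) & 255 )).$(( (mask >> 16) & 255 )).$(( (mask >> 8) & 255 )).$(( mask & 255 ))"
}

# check_host_cidr 10.0.10.39/24 -> "ok", exit 0
# check_host_cidr 10.0.10.39/0 or a bare 10.0.10.39 -> complaint, exit 1
check_host_cidr() {
    local addr=$1 prefix
    case $addr in
        */*) prefix=${addr##*/} ;;
        *)   echo "$addr: no prefix length given; write it as CIDR, e.g. ${addr}/24 for a 255.255.255.0 mask"
             return 1 ;;
    esac
    case $prefix in ''|*[!0-9]*) echo "$addr: prefix is not a number"; return 1 ;; esac
    if [ "$prefix" -lt 1 ] || [ "$prefix" -gt 30 ]; then
        echo "$addr: /$prefix is not a usable LAN host subnet (/1 to /30 expected)"
        return 1
    fi
    echo "$addr: ok (netmask $(prefix_to_mask "$prefix"))"
}
```

Running `check_host_cidr` over every static address you are about to type (host, gateway, bridge ports) takes a second and would have flagged the `/0` immediately.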
I also set this up on VLAN 10 (my user VLAN) and planned to migrate after I had done some initial setup. Static IPs changed later, after I got it on my “rack”.
Once Proxmox was installed, I ran through the basics of adding an admin user, and I also compared settings to my existing Proxmox install. I don’t touch Proxmox enough to have it down to a science (like I do spinning up a new Debian install).
Spin up Debian VM
I will bullet point this, as documenting it again is mostly extraneous. I’ve documented it elsewhere, and this is one of the things I’ve done so many times that it’s muscle memory. This is just the basics to get a minimal Debian install, privileged user, comfy configs, and SSH access.
- Download the netinst (minimal) ISO to Proxmox
- Spin up a VM in Proxmox using that ISO
- Dedicate however much CPU/memory/storage. I kept the storage to a minimum because I had previously allocated too much and ran into space issues with local backups. Again, most of the data is stored on my NAS - I don’t need very much space allocated.
- Run through the TUI installer - install only SSH server and basic system utilities.
- Reboot and log in as root
- Install packages (I will note my current packages in a list at the bottom of this post)
- Add a sudo user, change user password, change root password
- Set a static IP
- Set up the SSH server, `ssh-copy-id`, lock it down with `AuthenticationMethods publickey,password`
- Copy configs from existing machine, symlink `.zshrc` and `.zsh_history`, `chsh`
Set up media user
I have a non-privileged user, `media`, that I use to run all Docker containers. This user owns the entire iSCSI share. I log in with this user unless I’m doing something involving administration.
The thing is, this user has a specific UID and GID that I needed to make sure were the same as before, or I’d run into permission issues and have to run a gigantic `chown` that I really didn’t want to have to do. So here’s the rundown:
# add group with specific gid (must do this first)
groupadd -g 1002 media
# add media user with specific uid + shell, and create home directory
useradd -m -g media -s /bin/zsh -u 1001 media
# change password
passwd media
# copy user's config directory, change owner, symlinks for zsh
cp -r /home/user/.config /home/media
chown -R media:media /home/media/.config
su media
cd
ln -s .config/zsh/zshrc .zshrc
ln -s .config/zsh/zsh_history .zsh_history
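Before trusting a freshly created `media` user with the share, it is worth confirming the numbers match rather than discovering a mismatch through a failed container start. The following is an added example, not part of the post: `verify_ids` reads a passwd and group file and checks that the user and its primary group carry the expected UID/GID, and `stray_files` lists anything under a directory that is not owned by that pair. All function names are my own, and the passwd/group snippets are constructed stand-ins for `/etc/passwd` and `/etc/group` using the post's 1001/1002 ids.

```bash
#!/bin/bash
# Added example (not from the post): confirm the rebuilt host's media user and
# group carry the exact numeric IDs the share was chowned to, and list anything
# on the share that is not owned by that UID:GID pair.

# verify_ids <passwd-file> <group-file> <user> <expected-uid> <expected-gid>
# Prints each mismatch; returns 0 only when everything lines up.
verify_ids() {
    local passwd_file=$1 group_file=$2 user=$3 want_uid=$4 want_gid=$5
    local uid gid gname rc=0
    # passwd fields: name:x:uid:gid:gecos:home:shell
    uid=$(awk -F: -v u="$user" '$1 == u { print $3; exit }' "$passwd_file")
    gid=$(awk -F: -v u="$user" '$1 == u { print $4; exit }' "$passwd_file")
    if [ -z "$uid" ]; then
        echo "user $user does not exist"
        return 1
    fi
    [ "$uid" = "$want_uid" ] || { echo "user $user has uid $uid, expected $want_uid"; rc=1; }
    [ "$gid" = "$want_gid" ] || { echo "user $user has primary gid $gid, expected $want_gid"; rc=1; }
    # group fields: name:x:gid:members; the expected gid must belong to the user's own group
    gname=$(awk -F: -v g="$want_gid" '$3 == g { print $1; exit }' "$group_file")
    [ "$gname" = "$user" ] || { echo "gid $want_gid is group '${gname:-<none>}', expected $user"; rc=1; }
    return $rc
}

# stray_files <dir> <uid> <gid>: print paths under <dir> not owned by uid:gid.
# Returns 0 when the listing is empty (no chown needed), 1 otherwise.
stray_files() {
    local out
    out=$(find "$1" \( ! -uid "$2" -o ! -gid "$3" \) -print 2>/dev/null)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# make_sample_files: write constructed passwd/group snippets (stand-ins for
# /etc/passwd and /etc/group) and print the directory holding them.
make_sample_files() {
    local d
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
user:x:1000:1000::/home/user:/bin/zsh
media:x:1001:1002::/home/media:/bin/zsh
EOF
    cat > "$d/group" <<'EOF'
root:x:0:
user:x:1000:
media:x:1002:
EOF
    echo "$d"
}

# Demo against the constructed files. On the real host use /etc/passwd and
# /etc/group, followed by: stray_files /home/media/shared 1001 1002
sample=$(make_sample_files)
verify_ids "$sample/passwd" "$sample/group" media 1001 1002 && echo "media ids match"
```

If `stray_files /home/media/shared 1001 1002` prints nothing after the user is created, the gigantic `chown` is not needed; if it prints a handful of paths, those are the only ones to fix.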
Install Docker
See here for reference - getting the necessary packages installed was identical.
I then copied my existing Portainer docker compose file and spun it up to verify. We’ll come back to this.
Move to rack
At this point I couldn’t do much else without having it connected to the iSCSI share for all the mounted Docker volumes. I spun down the other PC and just replaced it with this one.
I believe all I needed to do once I made this swap was change the static IPs to be in the management VLAN (99) - to match the old server. After this I had SSH access as normal and could proceed.
I also took the old machine and put it on my desk in VLAN 10 - just had to change the static IP. That way, I could have it as a reference, which I ended up needing several times.
Set up NAS over iSCSI share
See the following posts:
- Actually moving iSCSI share to physically separated storage network
- Moving iSCSI share to dedicated storage network
- Network shares with iSCSI
I did the following:
- In Proxmox:
  - Create a bridge device (`vmbr1`)
  - Assign a static IP to the bridge port
  - Assign the new bridge to the VM
- In TrueNAS:
  - Set allowed initiators to all initiators for the iSCSI share (temporarily)
- In the VM:
Set up Nginx
I learned how to `scp` from a destination machine for this - copied my existing configs to my home directory (on the old server), then `scp`’d from the new server to grab them. (It was easier than going in the other direction; I didn’t feel like futzing with SSH config to go the other direction.) Plopped them into their Nginx directories, `chown`’d, symlinked to `/etc/nginx/sites-enabled`, and it just worked.
The one thing I still need to review is the `dhparams.pem`; I had screwed around with hardening Nginx a while back and didn’t document it. I simply commented out the line from the Nginx `ssl-params` configuration for the time being.
The other thing I needed to do was generate a wildcard certificate, which I figured out how to very much streamline recently. See this for details.
Set up Portainer
Yeah, so the thing I didn’t fully grasp until I had slotted the new server into the rack with the NAS over iSCSI attached was how easy this part was going to be. All my Docker volumes live on the NAS, including Portainer’s…meaning I just had to start Portainer, then run down my list of stacks and hit deploy.
Everything back up and running in less than 5 minutes after spinning up Portainer.
Miscellaneous
Changing hostname
I probably could have gotten away with leaving the hostname as `mini` but didn’t want to risk it, so I set it to `mini2`. I did want to change it back once it was in place, though. Fairly straightforward:
# set hostname
sudo hostnamectl set-hostname <new-name>
# replace all occurrences of old hostname with new
sudoedit /etc/hosts
# verify
hostnamectl
Backups and cronjobs
Added my typical cronjobs - `updatedb` daily, `apt update && apt upgrade` once weekly - and then I had to review the backups.
Since I had recently changed where the iSCSI share directory lived - `/home/media/shared` instead of just `/media/shared` - what I didn’t realize is that since I had `/home` as one of my directories to back up, my backup script was trying to back up the entire multi-terabyte share. I ended up fixing that, and I’ve included the script below for reference.
After I had gotten all I needed from the old server, I also took the entire contents of the boot disk and copied it to my NAS. I have the space, why not. (This post walks through how I did that, along with this manpage.)
Locking things down
- Locked down SSH server - I had set it to just pubkey authentication for ease of use. I set it back to my normal 2FA of pubkey and password.
- Changed all passwords.
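The `AuthenticationMethods publickey,password` setting from the SSH step earlier, and the re-tightening in the list just above, are worth checking mechanically: a stray `PasswordAuthentication no` anywhere in the config makes the password half of the chain impossible to complete, which is a lockout rather than a hardening. The following is an added example, not the author's config: a constructed drop-in with the relevant keywords, a `sshd_setting` reader that resolves a keyword the way sshd does (first occurrence wins, keywords are case-insensitive; `Match` blocks and `Include` are not handled), and `check_two_factor`, which validates a file. The function names and the sample file contents are my own.

```bash
#!/bin/bash
# Added example (not the author's config): a constructed sshd drop-in for
# "publickey AND password" and a checker that resolves keywords the way sshd
# does: first occurrence wins, keywords are case-insensitive, '#' starts a
# comment. Match blocks and Include are deliberately not handled here.

# sshd_setting <config-file> <keyword>: print the effective value, nothing if unset
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                                # strip comments
        NF >= 2 && tolower($1) == key { print $2; exit }  # first match wins
    ' "$1"
}

# check_two_factor <config-file>: returns 0 when pubkey+password is enforced and
# the options that chain depends on are not switched off.
check_two_factor() {
    local cfg=$1 rc=0 methods pw pk root
    methods=$(sshd_setting "$cfg" AuthenticationMethods)
    pw=$(sshd_setting "$cfg" PasswordAuthentication)
    pk=$(sshd_setting "$cfg" PubkeyAuthentication)
    root=$(sshd_setting "$cfg" PermitRootLogin)
    [ "$methods" = "publickey,password" ] \
        || { echo "AuthenticationMethods is '${methods:-unset}', want publickey,password"; rc=1; }
    # the password step still needs PasswordAuthentication (default yes) left on
    [ "${pw:-yes}" = "yes" ] \
        || { echo "PasswordAuthentication no: the password step can never succeed"; rc=1; }
    [ "${pk:-yes}" = "yes" ] \
        || { echo "PubkeyAuthentication no: the publickey step can never succeed"; rc=1; }
    [ "$root" = "no" ] \
        || { echo "PermitRootLogin is '${root:-unset}', want no"; rc=1; }
    return $rc
}

# Constructed drop-in matching the post's lockdown, e.g. /etc/ssh/sshd_config.d/10-local.conf
hardened_config() {
    cat <<'EOF'
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password
EOF
}

# Constructed "just pubkey" state the post mentions; the checker rejects it
pubkey_only_config() {
    cat <<'EOF'
PermitRootLogin no
PasswordAuthentication no
EOF
}
```

Run `check_two_factor` against `/etc/ssh/sshd_config` and each drop-in under `/etc/ssh/sshd_config.d/` (Debian 12 includes that directory at the top of `sshd_config`, so a drop-in's values win over the main file), then `sudo sshd -t` before `sudo systemctl reload ssh`, and keep the current session open until a fresh login has succeeded.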
Reference
Backups script
#!/bin/bash
set -o pipefail   # so a failed tar is not masked by the logger pipe
backup_dir="/home/media/shared/bups/mini/"
dirs=("/home/media/shared/docker" "/etc/nginx" "/home/user")
for dir in "${dirs[@]}"; do
    name=$(basename "$dir")   # last path component, e.g. docker, nginx, user
    echo "Backing up $dir..." | /usr/bin/logger -t backups_script
    tar -czf "${backup_dir}${name}.$(date -I).tar.gz" "$dir" 2>&1 | /usr/bin/logger -t backups_script
done
for dir in "${dirs[@]}"; do
    name=$(basename "$dir")
    echo "Removing stale backups for $dir..." | /usr/bin/logger -t backups_script
    # -print before -delete so the removed files actually reach the log (-delete alone prints nothing)
    find "$backup_dir" -name "${name}.*.tar.gz" -mtime +14 -print -delete 2>&1 | /usr/bin/logger -t backups_script
done
echo "Backups completed." | /usr/bin/logger -t backups_script
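The over-wide `/home` entry would have been caught by a size and mount-point check before `tar` ever ran. The following is an added example, not the post's script: `foreign_mounts` lists directories under a backup root that live on another filesystem (such as an iSCSI share mounted beneath a home directory), `dir_size_kb` measures what stays on one filesystem, and `preflight` runs both over a directory list against a size limit. The names are my own and the code relies on GNU `stat`, `find` and `du` as found on Debian.

```bash
#!/bin/bash
# Added example (not from the post): pre-flight check for a backup directory
# list, catching the failure mode the post describes (a backup root that has a
# multi-terabyte share mounted somewhere underneath it).

# foreign_mounts <dir>: print every directory below <dir> that sits on a
# different filesystem (a mount point). Returns 0 if none, 1 if any were found.
foreign_mounts() {
    local top=$1 top_dev d found=0
    top_dev=$(stat -c %d "$top") || return 2
    # -xdev stops find descending into other filesystems, but it still prints
    # the mount point directory itself, so its device number gives it away
    while IFS= read -r -d '' d; do
        if [ "$(stat -c %d "$d")" != "$top_dev" ]; then
            printf '%s\n' "$d"
            found=1
        fi
    done < <(find "$top" -xdev -mindepth 1 -type d -print0 2>/dev/null)
    return $found
}

# dir_size_kb <dir>: size in KiB staying on one filesystem (du -x), i.e. what
# `tar --one-file-system` would actually archive.
dir_size_kb() {
    du -xsk "$1" 2>/dev/null | awk '{ print $1 }'
}

# preflight <max-kb> <dir>...: report each directory's size and any mounts under
# it; returns 1 if any directory is missing, exceeds the limit, or contains
# another filesystem.
preflight() {
    local max_kb=$1 dir kb mounts rc=0
    shift
    for dir in "$@"; do
        [ -d "$dir" ] || { echo "SKIP $dir: not a directory"; rc=1; continue; }
        kb=$(dir_size_kb "$dir")
        kb=${kb:-0}
        if [ "$kb" -gt "$max_kb" ]; then
            echo "TOO BIG $dir: ${kb} KiB on its own filesystem (limit ${max_kb})"
            rc=1
        fi
        if mounts=$(foreign_mounts "$dir"); then
            echo "OK $dir: ${kb} KiB"
        else
            echo "MOUNTS $dir: contains other filesystems; tar without --one-file-system would pull them in:"
            printf '%s\n' "$mounts" | sed 's/^/  /'
            rc=1
        fi
    done
    return $rc
}
```

Running `preflight 52428800 /home/media/shared/docker /etc/nginx /home/user` (a 50 GiB limit) at the top of the backup script, or simply passing `--one-file-system` to `tar`, stops the script from descending into a share mounted beneath one of the listed directories.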
Current packages
# very helpful command
apt-mark showmanual | less
# the essentials
zsh
zsh-syntax-highlighting
neovim
tmux
lf
tldr
# basic utilities
sudo
curl
wget
git
locate
tar
# advanced / specific utilities
open-iscsi
net-tools
tcpdump
lvm2
kpartx
# logging
rsyslog
logrotate
# webserver and certificates
nginx
certbot
python3-certbot-dns-cloudflare
python3-pip