FreeBSD 12 Headless Home Server with RPi2 Model B
---------------------------------------------------

The hardware configuration

  Raspberry Pi 2 Model B or better
  32G Class 10 MicroSD Card as the system disk
  Large capacity USB flash drive for user directories
  USB-attached, externally powered, mechanical hard drive for backup and swap file
  5V 2A microUSB power supply
  Windows client PC with 7zip, Win32DiskImager and PuTTY software installed
  Home router connected to the internet

On the client PC
----------------

Download the FreeBSD 12 RELEASE image file for your Raspberry Pi from ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/12.0
Extract it using 7zip
Write it to the SD card with the Win32DiskImager utility
Note: if you plan to attach to a TV or monitor, add the line 'overscan_scale=1' to CONFIG.TXT on the MSDOS partition of the SD card.
Remove the SD card from the PC and insert it into the Raspberry Pi
Remove all USB storage devices from the Raspberry Pi (otherwise a long fsck may make the system appear unresponsive.)
Attach the Raspberry Pi to the network and power up
Find the Raspberry Pi's IP address in your router's DHCP attached devices list (look for the 'generic' hostname)
Use PuTTY to make an SSH connection to the new host's IP address
(Note: The initial boot and SSH connection can take a couple of minutes, so be patient.)
Log in as freebsd with a password of freebsd
Switch to root with 'su -' and a password of root
List network adapters with 'ifconfig'
Find the adapter that has the IP address found in the router's DHCP log (should be ue0)
Edit rc.conf with 'vi /etc/rc.conf'
Find the line with ifconfig_DEFAULT="DHCP"
Add 2 lines right after it:

  ifconfig_ue0="x.x.x.x netmask m.m.m.m"
  defaultrouter="y.y.y.y"

where x.x.x.x is the static IP you want to use, m.m.m.m is the network mask (usually 255.255.255.0) and y.y.y.y is the router IP.
Note: You may also want to change the hostname by editing the line that reads 'hostname="generic"'.
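The two rc.conf lines above are the ones a headless box cannot afford to get wrong: a router outside the chosen subnet, or an address that is really the network or broadcast address, means the Pi never comes back on the network after the reboot and there is no console to fix it from. The following script is an added example, not part of the original guide, that validates the three values and prints the lines in the form used above; the interface name and addresses are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original guide. Checks the static address,
# netmask and router before they go into /etc/rc.conf, then prints the two
# lines in the form the guide uses. Sample values are constructed.

ip_to_int() {
    # Print a dotted quad as a 32-bit integer; fail unless it is exactly
    # four decimal octets 0-255 with no leading zeros.
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case $_o in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

check_static() {
    # usage: check_static address netmask router
    # Prints one reason and returns 1 on the first problem found.
    _a=$(ip_to_int "$1") || { echo "bad address $1"; return 1; }
    _m=$(ip_to_int "$2") || { echo "bad netmask $2"; return 1; }
    _r=$(ip_to_int "$3") || { echo "bad router $3"; return 1; }
    _hostbits=$(( ~_m & 0xffffffff ))
    # A valid mask is a run of ones followed by zeros: hostbits+1 is a power of two.
    [ $(( _hostbits & (_hostbits + 1) )) -eq 0 ] || { echo "netmask $2 is not contiguous"; return 1; }
    [ $(( _a & _hostbits )) -ne 0 ] || { echo "$1 is the network address"; return 1; }
    [ $(( _a & _hostbits )) -ne "$_hostbits" ] || { echo "$1 is the broadcast address"; return 1; }
    [ $(( _a & _m )) -eq $(( _r & _m )) ] || { echo "router $3 is not in the subnet of $1/$2"; return 1; }
    [ "$_a" -ne "$_r" ] || { echo "$1 is the router's own address"; return 1; }
    return 0
}

rcconf_static() {
    # usage: rcconf_static ue0 192.168.1.11 255.255.255.0 192.168.1.1
    # Prints the two rc.conf lines, or nothing (and a non-zero status)
    # when the values do not pass check_static.
    check_static "$2" "$3" "$4" >&2 || return 1
    printf 'ifconfig_%s="%s netmask %s"\ndefaultrouter="%s"\n' "$1" "$2" "$3" "$4"
}

# Typical run; inspect the output before appending it to /etc/rc.conf:
rcconf_static ue0 192.168.1.11 255.255.255.0 192.168.1.1
```

Run it on the Pi before the 'shutdown -r now' step; if it prints a reason instead of the two lines, the values would have left the box unreachable.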
Configure DNS server addresses by editing /etc/resolv.conf and adding lines like this:

  nameserver 208.67.222.222
  nameserver 208.67.220.220

Note: Check with your ISP to find the correct addresses to use (or continue to use the OpenDNS name servers given in the example.)
Reboot with 'shutdown -r now'
Connect to the new IP address with PuTTY
Log in as freebsd and 'su -' to root again
Change the root password with 'passwd'
Add some non-privileged users with the 'adduser' command
Add at least one of the new users to the wheel group using the 'invite into other groups' option in the adduser dialog
Test by starting another PuTTY session, logging in as the new user in the wheel group and then su to root
If successful, lock the freebsd account with 'pw lock freebsd'
Also lock the 'toor' emergency backdoor account
Set up automatic time sync by adding 'ntpd_enable="YES"' to rc.conf
Also add 'ntpd_sync_on_start="YES"' to rc.conf so that time sync will be forced at boot
Set the timezone by copying the appropriate file from /usr/share/zoneinfo to /etc/localtime (e.g. 'cp /usr/share/zoneinfo/America/Chicago /etc/localtime' if you live in or near Chicago, USA)
Manually start time sync with the command 'service ntpd start'
Verify by comparing the output of the 'date' command to a known good time source (e.g. www.time.gov)
Insert the USB flash drive
Find your flash drive's device name by using the 'dmesg' command and looking for the manufacturer's name in the output (e.g. 'da0: Removable Direct Access SCSI device' indicates that /dev/da0 is a SanDisk USB storage device.)
List the partition layout for the device with the 'gpart show' command.
Hint: you should see a device name that matches what you found with dmesg and a partition size roughly equal to the capacity of your device.
Note: most flash drives use a single Master Boot Record (MBR) primary partition, or what FreeBSD calls slice 1.

WARNING: The following commands will erase all data on the flash drive.
Use 'gpart delete' to remove the DOS partition (e.g. 'gpart delete -i 1 da0' for a flash drive on /dev/da0)
Use 'gpart destroy' to remove the existing MBR partition table (e.g. 'gpart destroy da0' for a flash drive on /dev/da0)
Hint: If it says 'device busy', check that all partitions have been removed with 'gpart delete'.
Use 'gpart create' to put a new GPT scheme on the flash drive (e.g. 'gpart create -s GPT da0')
Use 'gpart add' to create a partition for the /home directory (e.g. 'gpart add -t freebsd-ufs da0')
Create a filesystem on the new partition with the 'newfs' command (e.g. 'newfs -j /dev/da0p1' using the device name in the examples thus far.)
Note: the -j option enables soft updates journaling, which helps ensure filesystem integrity.
Temporarily mount the USB flash drive on /mnt with 'mount /dev/da0p1 /mnt'
Copy the current /home contents to the flash drive with 'cp -a /home/* /mnt'
Verify the command was successful with 'ls -lR /mnt' and, if satisfied, unmount the flash drive with 'umount /mnt'
Append the following line to /etc/fstab:

  /dev/da0p1 /home ufs rw,noatime,noauto 0 0

Note: the 'noatime' option reduces wear on the flash drive by not recording the last time a file was read.
Mount the new filesystem with 'mount /home'
Reboot one more time to make sure the system comes up as expected
Log in and su to root.
Partition the external disk for swap and backup (the disk needs a GPT scheme first, created the same way as on the flash drive; destroy any existing partition table with 'gpart destroy' as above if 'gpart create' complains):

  gpart create -s GPT da1
  gpart add -t freebsd-swap -s 1024M da1
  gpart add -t freebsd-ufs da1
  newfs -j /dev/da1p2

Append the following lines to /etc/fstab:

  /dev/da1p1 none swap sw 0 0
  /dev/da1p2 /media/backup ufs rw 2 2

Mount the backup partition with 'mkdir /media/backup && mount /media/backup'
Activate swap with 'swapon -a'
Install the pkg tool with 'pkg update'
Say yes when asked if you want to fetch and install it
Install the Samba file sharing server with the command 'pkg install samba48'
For some odd reason, samba does not install completely, so do 'pkg install samba48' one more time.
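Before the "reboot one more time" step above it is worth linting /etc/fstab: on a headless Pi, an entry for a filesystem that cannot be mounted drops the boot into single-user mode on a console nobody is attached to. The script below is an added example, not part of the original guide; it checks field counts, swap entries, absolute mount points and duplicated devices or mount points. The sample fstab in the demo is constructed to match the layout the guide builds.

```shell
#!/bin/sh
# Added example, not part of the original guide. Lints an fstab file and
# reports problems one per line; returns 1 if anything was found.

fstab_lint() {
    # usage: fstab_lint /etc/fstab
    _rc=0; _devs=" "; _mnts=" "
    while read -r dev mnt fstype opts dump pass; do
        case $dev in ''|'#'*) continue ;; esac           # blank lines and comments
        if [ -z "$pass" ]; then
            echo "$dev: entry has fewer than six fields"; _rc=1; continue
        fi
        case $_devs in *" $dev "*) echo "$dev: device listed twice"; _rc=1 ;; esac
        _devs="$_devs$dev "
        if [ "$fstype" = swap ]; then
            [ "$mnt" = none ] || { echo "$dev: swap mount point must be none"; _rc=1; }
            [ "$dump$pass" = 00 ] || { echo "$dev: swap must use dump/pass 0 0"; _rc=1; }
            continue
        fi
        case $mnt in
            /*) ;;
            *)  echo "$dev: mount point $mnt is not an absolute path"; _rc=1 ;;
        esac
        case $_mnts in *" $mnt "*) echo "$mnt: mount point used twice"; _rc=1 ;; esac
        _mnts="$_mnts$mnt "
    done < "$1"
    return $_rc
}

# Demo on a constructed fstab with the entries the guide adds:
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Device        Mountpoint      FStype  Options             Dump  Pass#
/dev/da0p1      /home           ufs     rw,noatime,noauto   0     0
/dev/da1p1      none            swap    sw                  0     0
/dev/da1p2      /media/backup   ufs     rw                  2     2
EOF
fstab_lint "$SAMPLE" && echo "fstab looks sane"
rm -f "$SAMPLE"
```

The lint is syntactic; 'mount -a' and 'swapon -a' on the running system remain the proof that the device names are right before rebooting.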
Create a simple smb4.conf in the /usr/local/etc directory with the following contents:

  [global]
  workgroup = WORKGROUP
  server string = Samba %v on %h
  security = user
  # Add the following if symlinks to locations outside the share are needed.
  allow insecure wide links = yes
  wide links = yes

  [homes]
  comment = Home Directories
  browseable = no
  writable = yes
  create mask = 644
  directory mask = 755

Give existing users access to Samba shares with the command 'smbpasswd -a ' followed by the user name
Edit /etc/rc.conf and append the line 'samba_server_enable="YES"'
Start up the server manually with 'service samba_server start'
Test by browsing the network from the Windows client PC

=========================================
This completes the basic home file server
=========================================

Advanced Configuration - shared directory
-----------------------------------------

Create a shared directory with the command 'mkdir /home/shared'
Create a group named 'shared' with the command 'pw group add shared'
Add users to the new group with 'pw group mod shared -m user1,user2,...'
Change group ownership and permissions on the directory with 'chgrp shared /home/shared' and 'chmod g+w /home/shared'
Protect against accidentally deleting other users' files by setting the sticky bit with 'chmod +t /home/shared'
Make the shared directory available to Samba users by appending the following section to smb4.conf:

  [shared]
  path = /home/shared
  comment = Shared Directory
  browsable = yes
  writable = yes
  create mask = 644
  directory mask = 755

Advanced Configuration - DNS forwarding
---------------------------------------

Install BIND 9 with 'pkg install bind914'
Configure named by editing /usr/local/etc/namedb/named.conf
Comment out the line that restricts named to listening on the localhost only:

  // listen-on { 127.0.0.1; };

Turn on DNS forwarding by uncommenting the forwarders { } section, adding your ISP's servers between the brackets.
Example using OpenDNS name servers:

  forwarders {
      208.67.222.222;
      208.67.220.220;
  };

Enable the DNS server by appending the line 'named_enable="YES"' to /etc/rc.conf
Start the server with 'service named start'

Advanced Configuration - DNS for LAN hosts
------------------------------------------

Append the following lines to /usr/local/etc/namedb/named.conf:

  zone "yourdomain.name" {
      type master;
      file "/usr/local/etc/namedb/master/yourdomain.name";
  };

  zone "1.168.192.in-addr.arpa" {
      type master;
      file "/usr/local/etc/namedb/master/1.168.192.in-addr.arpa";
  };

Add a forward lookup zone file in the /usr/local/etc/namedb/master directory. Use the following example for yourdomain.name and modify for your network:

  $TTL 3D                       ; default expiration time
  @   IN  SOA  yourdomain.name. root.yourdomain.name. (
          20160325        ; serial number
          8H              ; refresh interval
          2H              ; retry interval
          4W              ; expiration
          1D )            ; minimum TTL
  ;
          NS      yourdomain.name.    ; use this host as DNS server
          MX  10  yourdomain.name.    ; Primary Mail Exchanger
  ;
          A       192.168.1.11        ; replace with your Pi's IP address
  router  A       192.168.1.1         ; Internet router's IP
  localhost A     127.0.0.1
  ;
  mail    CNAME   yourdomain.name.    ; use this host as mail server (note the trailing dot, otherwise the zone origin is appended)

Add a reverse lookup zone in the /usr/local/etc/namedb/master directory. Use the following example for 1.168.192.in-addr.arpa and modify for your network:

  $TTL 3D                       ; default expiration time
  @   IN  SOA  yourdomain.name. root.yourdomain.name. (
          20160325        ; serial number
          8H              ; refresh interval
          2H              ; retry interval
          4W              ; expiration
          1D )            ; minimum TTL
  ;
          NS      yourdomain.name.    ; use this host as DNS server
  ;
  1       PTR     router.yourdomain.name.
  11      PTR     yourdomain.name.    ; last octet of this host's IP

Restart the DNS server with 'service named restart'
Check /var/log/messages for any errors.
Note: The DNS HOWTO from the Linux Documentation Project is an excellent reference.
http://www.tldp.org/HOWTO/DNS-HOWTO.html

Advanced Configuration - DHCP
-----------------------------

Install ISC DHCP with 'pkg install isc-dhcp44-server'
Configure isc-dhcpd by editing /usr/local/etc/dhcpd.conf
Remove the existing contents of dhcpd.conf and replace with the following example:

  default-lease-time 691200;            # 8 days
  max-lease-time 2592000;               # 30 days
  option domain-name "yourdomain.name";
  option domain-name-servers 208.67.222.222, 208.67.220.220;
  option ntp-servers 192.168.1.100;     # Replace with your Pi's IP
  option subnet-mask 255.255.255.0;

  subnet 192.168.1.0 netmask 255.255.255.0 {
      range 192.168.1.101 192.168.1.150;
      option routers 192.168.1.1;       # Replace with your router's IP
  }

Enable the DHCP server by appending 'dhcpd_enable="YES"' to /etc/rc.conf
Also add 'dhcpd_flags="-q"' to /etc/rc.conf to suppress extra output when dhcpd starts.
Start the server with 'service isc-dhcpd start'
Verify proper startup with 'tail /var/log/messages'

Advanced Configuration - SMTP
-----------------------------

Sendmail is already installed.
Enable sendmail by editing rc.conf and changing the 'sendmail_enable=NONE' line to 'sendmail_enable="YES"'.
Also change sendmail_msp_queue_enable="NO" to sendmail_msp_queue_enable="YES".
In your Windows mail client, be sure to set connection security to none to avoid complaints about certificates.
Redirect root's mail to a regular user by editing /etc/aliases and adding a line similar to the following:

  root: user@hostname

Note: replace 'user' and 'hostname' with the actual name of an existing user and the name of your server, respectively.
Rebuild the aliases database with the command 'newaliases'
Start sendmail with 'service sendmail start'

Advanced Configuration - POP3 mail
----------------------------------

WARNING: POP3 is not a secure protocol. Only use this configuration on a home network that is behind a firewall.
Install qpopper with 'pkg install qpopper'
Add a line for qpopper in /etc/inetd.conf:

  pop3 stream tcp nowait root /usr/local/libexec/qpopper qpopper

Enable inetd in /etc/rc.conf by appending inetd_enable="YES"
Start inetd with 'service inetd start'

Advanced Configuration - Web
----------------------------

Install Apache httpd with the command 'pkg install apache24'.
Enable the web service by appending 'apache24_enable="YES"' to /etc/rc.conf.
Start apache with 'service apache24 start'

Advanced Configuration - ftp
----------------------------

Enable inetd by adding 'inetd_enable="YES"' to /etc/rc.conf
Uncomment the ftpd line in /etc/inetd.conf:

  ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l

Start inetd with 'service inetd start' (or 'service inetd reload' if you have already started it for POP3.)

Advanced Configuration - System Monitoring
------------------------------------------

Install the Monit system monitoring utility with the command 'pkg install monit'
Create a configuration file from the sample provided using the commands 'cd /usr/local/etc ; cp monitrc.sample monitrc'
Create a directory for custom service definitions with 'mkdir /usr/local/etc/monit.d'
Edit the monitrc file to allow access to the monit web page from the entire local network by changing this:

  set httpd port 2812 and
      use address localhost   # only accept connection from localhost
      allow localhost         # allow localhost to connect to the server and
      allow admin:monit       # require user 'admin' with password 'monit'

to this:

  set httpd port 2812 and
      allow 192.168.1.0/24    # allow LAN hosts to connect to the server and
      allow admin:monit       # require user 'admin' with password 'monit'

(Change the network address, and the user name and password, to suit.)
Continue editing the monitrc file to use an include directory for service definitions by changing this:

  # include /etc/monit.d/*

to this:

  include /usr/local/etc/monit.d/*.conf

Test the configuration with the command 'monit -t' and correct any errors that come up.
Note: You may safely ignore warnings about not being able to translate the hostname to a fully-qualified domain name (FQDN).
Enable monit by appending 'monit_enable="YES"' to /etc/rc.conf
Start monit with the command 'service monit start'.
To monitor services, create files inside /usr/local/etc/monit.d named with a .conf extension (the pattern the include line matches).
Example contents of /usr/local/etc/monit.d/sshd.conf, used to monitor sshd and restart it if it crashes:

  check process sshd with pidfile /var/run/sshd.pid
      start program "/usr/sbin/service sshd start"

For each service added, verify the configuration changes with 'monit -t' and activate them with 'service monit reload'.
For the services used in this guide, the configuration files are as follows:

httpd.conf

  check process httpd with pidfile /var/run/httpd.pid
      start program "/usr/sbin/service apache24 start"
      stop program "/usr/sbin/service apache24 stop"

  (The rc script installed by the apache24 package is named apache24, matching the 'service apache24 start' command in the Web section; there is no rc script named httpd.)

inetd.conf

  check process inetd with pidfile /var/run/inetd.pid
      start program "/usr/sbin/service inetd start"
      stop program "/usr/sbin/service inetd stop"

named.conf

  check process named with pidfile /var/run/named/pid
      start program "/usr/sbin/service named start"
      stop program "/usr/sbin/service named stop"

ntpd.conf

  check process ntpd with match ntpd
      start program "/usr/sbin/service ntpd start"
      stop program "/usr/sbin/service ntpd stop"

smbd.conf

  check process smbd with pidfile /var/run/samba4/smbd.pid
      start program "/usr/sbin/service samba_server start"
      stop program "/usr/sbin/service samba_server stop"

nmbd.conf

  check process nmbd with pidfile /var/run/samba4/nmbd.pid
      start program "/usr/sbin/service samba_server start"
      stop program "/usr/sbin/service samba_server stop"

sendmail.conf

Advanced Configuration - tmux
-----------------------------

Find the tmux utility with 'pkg search tmux'
Install tmux with 'pkg install tmux-X.xx' where X.xx is the version shown.
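Returning to the Monit service definitions above: 'monit -t' verifies the control file's syntax and that /usr/sbin/service exists, but not that the service name passed to it is a real rc script, so a mistyped name is only discovered when a restart silently fails. The script below is an added example, not part of the original guide or of Monit; it writes the monit.d files from one table and refuses any entry whose rc script is missing from /etc/rc.d or /usr/local/etc/rc.d. The table is constructed from the guide's services, and the entries using 'match' rather than a pidfile (ntpd) are not covered by this generator.

```shell
#!/bin/sh
# Added example, not part of the original guide. Generates monit.d service
# files and checks that every start/stop program names an existing rc script.

monit_service_conf() {
    # usage: monit_service_conf name pidfile rcscript
    printf 'check process %s with pidfile %s\n' "$1" "$2"
    printf '    start program "/usr/sbin/service %s start"\n' "$3"
    printf '    stop program "/usr/sbin/service %s stop"\n' "$3"
}

rc_script_exists() {
    # usage: rc_script_exists name [rcdir ...]
    # With no directories given, looks in FreeBSD's two rc.d locations.
    _n=$1; shift
    [ $# -gt 0 ] || set -- /etc/rc.d /usr/local/etc/rc.d
    for _d in "$@"; do
        [ -x "$_d/$_n" ] && return 0
    done
    return 1
}

write_monit_confs() {
    # usage: write_monit_confs outdir [rcdir ...] < table
    # Table lines: <name> <pidfile> <rc script name>. Entries whose rc
    # script does not exist are reported and skipped; returns their count.
    outdir=$1; shift
    bad=0
    while read -r name pidfile rcscript; do
        case $name in ''|'#'*) continue ;; esac
        if rc_script_exists "$rcscript" "$@"; then
            monit_service_conf "$name" "$pidfile" "$rcscript" > "$outdir/$name.conf"
        else
            echo "$name: no rc script named '$rcscript' found, skipped" >&2
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# The guide's pidfile-based services (constructed table). Apache's rc
# script is apache24, the name the apache24 package installs.
SERVICES='sshd     /var/run/sshd.pid          sshd
httpd    /var/run/httpd.pid         apache24
inetd    /var/run/inetd.pid         inetd
named    /var/run/named/pid         named
smbd     /var/run/samba4/smbd.pid   samba_server
nmbd     /var/run/samba4/nmbd.pid   samba_server'

# On the Pi, as root (writes into the directory the include line reads):
#   printf '%s\n' "$SERVICES" | write_monit_confs /usr/local/etc/monit.d && service monit reload
```

After writing the files, 'monit -t' still has to pass before 'service monit reload', exactly as in the steps above.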
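Also for the "DNS for LAN hosts" section above: the forward and reverse zone files are easy to let drift apart (an A record added to one, no PTR in the other, serials no longer bumped together). The script below is an added example, not part of the original guide or of BIND; it generates both files from a single host list in the same layout as the guide's zone files, so every LAN A record gets a matching PTR and both carry the same serial. The host list, domain and network prefix are constructed samples; "@" denotes the zone apex, i.e. the Pi itself, as in the guide.

```shell
#!/bin/sh
# Added example, not part of the original guide. Builds a forward zone and
# its reverse zone from one host list so the two cannot disagree.

# Constructed host list: "<name> <last octet>"; "@" is the zone apex (the Pi).
HOSTS='@ 11
router 1'

soa_header() {
    # usage: soa_header domain serial ; same SOA layout as the guide's files
    printf '$TTL 3D\n'
    printf '@ IN SOA %s. root.%s. (\n' "$1" "$1"
    printf '    %s ; serial number\n    8H ; refresh interval\n' "$2"
    printf '    2H ; retry interval\n    4W ; expiration\n    1D ) ; minimum TTL\n'
    printf '    NS %s.\n' "$1"
}

forward_zone() {
    # usage: forward_zone domain prefix serial < hostlist
    soa_header "$1" "$3"
    printf '    MX 10 %s.\n' "$1"
    while read -r name octet; do
        [ -n "$name" ] || continue
        if [ "$name" = @ ]; then
            printf '    A %s.%s\n' "$2" "$octet"          # owner inherited from @
        else
            printf '%s A %s.%s\n' "$name" "$2" "$octet"
        fi
    done
    printf 'localhost A 127.0.0.1\n'
    printf 'mail CNAME %s.\n' "$1"                        # trailing dot: absolute name
}

reverse_zone() {
    # usage: reverse_zone domain prefix serial < hostlist
    soa_header "$1" "$3"
    while read -r name octet; do
        [ -n "$name" ] || continue
        if [ "$name" = @ ]; then
            printf '%s PTR %s.\n' "$octet" "$1"
        else
            printf '%s PTR %s.%s.\n' "$octet" "$name" "$1"
        fi
    done
}

reverse_zone_name() {
    # usage: reverse_zone_name 192.168.1  ->  1.168.192.in-addr.arpa
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo "$3.$2.$1.in-addr.arpa"
}

# Demo: both files from the same list, with a date-based serial.
SERIAL=$(date +%Y%m%d)01
printf '%s\n' "$HOSTS" | forward_zone yourdomain.name 192.168.1 "$SERIAL"
echo "--- $(reverse_zone_name 192.168.1) ---"
printf '%s\n' "$HOSTS" | reverse_zone yourdomain.name 192.168.1 "$SERIAL"
```

On the Pi, redirect the two outputs into the files named in named.conf and check them with named-checkzone (installed with bind914), for example 'named-checkzone yourdomain.name /usr/local/etc/namedb/master/yourdomain.name', before 'service named restart'.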
Advanced Configuration - automated backups
------------------------------------------

Create a UFS partition on the USB-attached external hard drive.
Mount the partition on /media/backup
Install the rsync utility using 'pkg install rsync'
Edit smb4.conf and add the following section:

  [backup]
  path = /media/backup
  comment = Backup Drive
  browsable = no
  writable = no

Creating a cron job to rsync to the backup drive on a schedule is left as an exercise for the reader.
Access from Windows using the UNC path \\\backup
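One way to do the exercise above, as an added example that is not part of the original guide: a script that mirrors /home onto the backup partition with rsync, but only after confirming that /media/backup is actually a mount point. Without that check, a USB disk that has dropped off the bus makes rsync copy everything into the empty directory on the SD card until it is full. The paths are the guide's; the schedule and the log file name are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original guide. Nightly rsync of /home to
# the backup drive, guarded by a mount-point check. Log path is assumed.

SRC=/home
BACKUP_MNT=/media/backup
LOG=/var/log/backup-home.log

is_mountpoint() {
    # usage: is_mountpoint /media/backup
    # df -P reports the filesystem that holds a path; for a mount point the
    # reported mount directory is the path itself (FreeBSD and Linux alike).
    _p=${1%/}; [ -n "$_p" ] || _p=/
    [ -d "$_p" ] || return 1
    [ "$(df -P "$_p" 2>/dev/null | awk 'NR == 2 { print $NF }')" = "$_p" ]
}

run_backup() {
    # usage: run_backup [src] [dest_mount] ; returns rsync's exit status
    _src=${1:-$SRC}; _dst=${2:-$BACKUP_MNT}
    if ! is_mountpoint "$_dst"; then
        echo "$(date '+%F %T') $_dst is not mounted, backup skipped" >> "$LOG"
        return 1
    fi
    # Trailing slash on the source copies its contents rather than the
    # directory itself; --delete keeps the mirror from accumulating files
    # that were removed from /home.
    rsync -a --delete "$_src/" "$_dst/home/" >> "$LOG" 2>&1
}

# Save this file as /usr/local/sbin/backup-home.sh (assumed name), append a
# line "run_backup" to it, and schedule it from root's crontab (crontab -e):
#   30 2 * * * /usr/local/sbin/backup-home.sh
```

Because the [backup] share above is read-only to Samba clients, the mirror can be browsed from Windows to restore a file without exposing it to accidental deletion.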