projects / website_subgeniuskitty.com / blame
| Commit | Line | Data |
|---|---|---|
| a8f095b0 AT |
1 | System Notes - talisker.SGK - File Server |
| 2 | ========================================= | |
| 3 | ||
| 4 | These notes cover the creation of a FreeBSD fileserver serving encrypted ZFS | |
| 5 | volumes via Samba. | |
| 6 | ||
| 7 | General Info | |
| 8 | ------------ | |
| 9 | ||
| 10 | Hostname: talisker.SGK | |
| 11 | Version: FreeBSD 12.1 | |
| 12 | ||
| 13 | Motherboard: X8DT3-LN4F (manual saved in hw_support) | |
| 14 | Processors: 2x L5630 Xeons (4 cores @ 2.13 GHz, low power) | |
| 15 | Memory: 48 GB (12x 4GB R2 Registered ECC) | |
| 16 | Note: Configured in lockstep mode, leaving 32 GB usable | |
| 17 | Hard Drives: | |
| 18 | 3x 120 GB Intel DC S3500 (3-way boot mirror) | |
| 19 | 2x 8.0 TB WD Red (2-way mirror for media) | |
| 20 | 3x 3.0 TB WD Red (3-way mirror for personal files) | |
| 21 | 2x 2.0 TB used SAS (2-way mirror for scratch space) | |
| 22 | Note: The onboard SAS controller is limited to 2.0 TB max drive size. | |
| 23 | Consequently, one boot drive and the five drives >2.0 TB are on the | |
| 24 | SATA channels and all remaining drives are on SAS, even though this | |
| 25 | splits the boot mirror across controllers. | |
| 26 | ||
| 27 | Installed Ports | |
| 28 | --------------- | |
| 29 | ||
| 30 | sysutils/screen | |
| 31 | net/samba410 | |
| 32 | -LDAP | |
| 33 | -ADS | |
| 34 | -AD_DC | |
| 35 | (due to dependency errors, build devel/llvm80 and devel/meson first) | |
| 36 | sysutils/zfs-stats | |
| 37 | sysutils/zfstools | |
| 38 | sysutils/bacula9-server | |
| 39 | +MTX | |
| 40 | dns/bind-tools | |
| 41 | devel/git | |
| 42 | irc/irssi | |
| 43 | security/nmap | |
| 44 | sysutils/smartmontools | |
| 45 | archivers/zip | |
| 46 | archivers/gtar | |
| 47 | mail/ssmtp | |
| 48 | ||
| 49 | Encrypted ZFS Mirrors | |
| 50 | --------------------- | |
| 51 | ||
| 52 | The following example creates a 2-way mirror using `ada1` and `ada2`. First, | |
| 53 | create the encrypted devices. | |
| 54 | ||
| 55 | geli init -l 256 /dev/ada1 | |
| 56 | geli init -l 256 /dev/ada2 | |
| 57 | geli attach /dev/ada1 | |
| 58 | geli attach /dev/ada2 | |
| 59 | geli status | |
| 60 | ||
| 61 | In order to be prompted for the passphrase on boot, add the following line to | |
| 62 | `/etc/rc.conf`. | |
| 63 | ||
| 64 | geli_devices="ada1 ada2" | |
| 65 | ||
| 66 | Next, create the ZFS mirror. Enable compression by default, using LZ4 since it | |
| 67 | will abort the compression attempt if the initial results are not significant. | |
| 68 | ||
| 69 | zpool create zfs_mirror_1 mirror /dev/ada1.eli /dev/ada2.eli | |
| 70 | zfs set compress=lz4 zfs_mirror_1 | |
| 71 | zpool status | |
| 72 | ||
| 73 | Automated ZFS Snapshots | |
| 74 | ----------------------- | |
| 75 | ||
| 76 | Set the `com.sun:auto-snapshot` property on relevant zpools and verify it is | |
| 77 | inherited. | |
| 78 | ||
| 79 | zfs set com.sun:auto-snapshot=true zfs_mirror_1 | |
| 80 | ||
| 81 | Create `/etc/cron.d/zfs-snapshots` with something like the following. | |
| 82 | ||
| 83 | PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin | |
| 84 | 15,30,45 * * * * root /usr/local/sbin/zfs-auto-snapshot frequent 4 | |
| 85 | 0 * * * * root /usr/local/sbin/zfs-auto-snapshot hourly 24 | |
| 86 | 7 0 * * * root /usr/local/sbin/zfs-auto-snapshot daily 7 | |
| 87 | 14 0 * * 7 root /usr/local/sbin/zfs-auto-snapshot weekly 4 | |
| 88 | 28 0 1 * * root /usr/local/sbin/zfs-auto-snapshot monthly 12 | |
| 89 | ||
| 90 | Note that you can exclude specific snapshot intervals with the following | |
| 91 | property (e.g. frequent, daily, etc). | |
| 92 | ||
| 93 | zfs set com.sun:auto-snapshot:frequent=false zfs_mirror_1 | |
| 94 | ||
| 95 | Automated ZFS Scrubs | |
| 96 | -------------------- | |
| 97 | ||
| 98 | Create `/etc/cron.d/zfs-scrubs` with the following contents. | |
| 99 | ||
| 100 | PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin | |
| 101 | 0 0 0 * * root /sbin/zpool scrub zroot | |
| 102 | 0 0 0 * * root /sbin/zpool scrub zfs_mirror_1 | |
| 103 | 0 0 0 * * root /sbin/zpool scrub zfs_mirror_2 | |
| 104 | 0 0 0 * * root /sbin/zpool scrub zfs_mirror_3 | |
| 105 | ||
| 106 | Samba Notes | |
| 107 | ----------- | |
| 108 | ||
| 109 | Create `/usr/local/etc/smb4.conf` with the following contents. Add additional | |
| 110 | entries for each zpool. | |
| 111 | ||
| 112 | [global] | |
| 113 | workgroup = WORKGROUP | |
| 114 | server string = Samba Server | |
| 115 | netbios name = Talisker | |
| 116 | wins support = Yes | |
| 117 | security = user | |
| 118 | passdb backend = tdbsam | |
| 119 | ntlm auth = yes | |
| 120 | ||
| 121 | [zfs_mirror_1] | |
| 122 | path = /zfs_mirror_1 | |
| 123 | valid users = ataylor | |
| 124 | writable = yes | |
| 125 | browsable = yes | |
| 126 | read only = no | |
| 127 | guest ok = no | |
| 128 | public = no | |
| 129 | create mask = 0666 | |
| 130 | directory mask = 0755 | |
| 131 | ||
| 132 | Create a Samba user, using a different password than the system account. | |
| 133 | ||
| 134 | pdbedit -a ataylor | |
| 135 | ||
| 136 | Manually start Samba. | |
| 137 | ||
| 138 | service samba_server start | |
| 139 | ||
| 140 | Configure Samba to autostart on boot by adding the following to `/etc/rc.conf`. | |
| 141 | ||
| 142 | samba_server_enable="YES" | |
| 143 | ||
| 144 | Status Emails | |
| 145 | ------------- | |
| 146 | ||
| 147 | After building, run `make replace` inside the `mail/ssmtp` port to | |
| 148 | automatically disable sendmail/etc and replace with ssmtp. | |
| 149 | ||
| 150 | Create `/usr/local/etc/ssmtp/ssmtp.conf` with the following contents. | |
| 151 | ||
| 152 | # The person who gets all mail for userids < 1000 | |
| 153 | # Make this empty to disable rewriting. | |
| 154 | root=ataylor@subgeniuskitty.com | |
| 155 | ||
| 156 | # The place where the mail goes. The actual machine name is required | |
| 157 | # no MX records are consulted. Commonly mailhosts are named mail.domain.com | |
| 158 | # The example will fit if you are in domain.com and your mailhub is so named. | |
| 159 | mailhub=mail.subgeniuskitty.com:465 | |
| 160 | ||
| 161 | # Where will the mail seem to come from? | |
| 162 | rewriteDomain=subgeniuskitty.com | |
| 163 | ||
| 164 | # The full hostname | |
| 165 | hostname=talisker.subgeniuskitty.com | |
| 166 | ||
| 167 | # Set this to never rewrite the "From:" line (unless not given) and to | |
| 168 | # use that address in the "from line" of the envelope. | |
| 169 | FromLineOverride=YES | |
| 170 | ||
| 171 | # Use SSL/TLS to send secure messages to server. | |
| 172 | UseTLS=YES | |
| 173 | ||
| 174 | # Credentials accepted by remote SMTP server | |
| 175 | AuthUser=ataylor@subgeniuskitty.com | |
| 176 | AuthPass=password_goes_here | |
| 177 | ||
| 178 | Edit `/etc/passwd` and `/etc/master.passwd`, changing the name of the root | |
| 179 | account from `Charlie &` to something suitable for the `FROM:` field in emails. | |
| 180 | After, run `/usr/sbin/pwd_mkdb -p /etc/master.passwd`. | |
| 181 | ||
| 182 | Create `/etc/cron.d/status-emails` with suitable contents. For example: | |
| 183 | ||
| 184 | PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin | |
| 185 | 0 0 * * 0 root /sbin/zpool list | /usr/bin/mail -s "talisker.SGK - zpool list" ataylor@subgeniuskitty.com | |
| 186 | 0 0 * * 0 root /sbin/zpool status | /usr/bin/mail -s "talisker.SGK - zpool status" ataylor@subgeniuskitty.com | |
| 187 | 0 0 * * 0 root /sbin/zfs list -t snapshot | /usr/bin/mail -s "talisker.SGK - zfs snapshots" ataylor@subgeniuskitty.com | |
| 188 | 0 0 * * 0 root /sbin/zfs list | /usr/bin/mail -s "talisker.SGK - zfs list" ataylor@subgeniuskitty.com | |
| 189 | 0 0 * * 0 root /usr/local/bin/zfs-stats -IMAE | /usr/bin/mail -s "talisker.SGK - zfs stats" ataylor@subgeniuskitty.com |