Commit a8f095b0 (AT)

System Notes - talisker.SGK - File Server
=========================================

These notes cover the creation of a FreeBSD fileserver serving encrypted ZFS
volumes via Samba.

General Info
------------

Hostname: talisker.SGK
Version: FreeBSD 12.1

Motherboard: X8DT3-LN4F (manual saved in hw_support)
Processors: 2x L5630 Xeons (4 cores @ 2.13 GHz, low power)
Memory: 48 GB (12x 4GB R2 Registered ECC)
    Note: Configured in lockstep mode, leaving 32 GB usable
Hard Drives:
    3x 120 GB Intel DC S3500 (3-way boot mirror)
    2x 8.0 TB WD Red (2-way mirror for media)
    3x 3.0 TB WD Red (3-way mirror for personal files)
    2x 2.0 TB used SAS (2-way mirror for scratch space)
    Note: The onboard SAS controller is limited to 2.0 TB max drive size.
    Consequently, one boot drive and the five drives >2.0 TB are on the
    SATA channels and all remaining drives are on SAS, even though this
    splits the boot mirror across controllers.

Installed Ports
---------------

sysutils/screen
net/samba410
    -LDAP
    -ADS
    -AD_DC
    (due to dependency errors, build devel/llvm80 and devel/meson first)
sysutils/zfs-stats
sysutils/zfstools
sysutils/bacula9-server
    +MTX
dns/bind-tools
devel/git
irc/irssi
security/nmap
sysutils/smartmontools
archivers/zip
archivers/gtar
mail/ssmtp

Encrypted ZFS Mirrors
---------------------

The following example creates a 2-way mirror using `ada1` and `ada2`. First,
create the encrypted (GELI) devices; `-l 256` selects a 256-bit key.

    geli init -l 256 /dev/ada1
    geli init -l 256 /dev/ada2
    geli attach /dev/ada1
    geli attach /dev/ada2
    geli status

In order to be prompted for the passphrase on boot, add the following line to
`/etc/rc.conf`.

    geli_devices="ada1 ada2"

Next, create the ZFS mirror on the `.eli` providers (never on the raw disks).
Enable compression by default, using LZ4: it aborts early on data that does
not compress well, so it costs little to leave on everywhere.

    zpool create zfs_mirror_1 mirror /dev/ada1.eli /dev/ada2.eli
    zfs set compress=lz4 zfs_mirror_1
    zpool status
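The step above only protects data if every member of the mirror is a GELI
provider; a raw `adaN` attached by mistake would hold a full plaintext copy of
the pool. The following POSIX shell script is an added check, not part of the
original notes: it reads the text of `zpool status <pool>` and reports any leaf
vdev whose name does not end in `.eli`. The function names (`leaf_vdevs`,
`unencrypted_vdevs`, `check_all_encrypted`) and the sample status output are
my own; the sample deliberately contains one unencrypted member.

```shell
#!/bin/sh
# Added example, not from the original notes: confirm that every leaf vdev of a
# pool is a GELI provider (device name ending in ".eli"). Input is the text of
# `zpool status <pool>`.

# Constructed sample output; ada2 was attached without geli on purpose.
SAMPLE_STATUS='  pool: zfs_mirror_1
 state: ONLINE
config:

        NAME              STATE     READ WRITE CKSUM
        zfs_mirror_1      ONLINE       0     0     0
          mirror-0        ONLINE       0     0     0
            ada1.eli      ONLINE       0     0     0
            ada2          ONLINE       0     0     0

errors: No known data errors'

# leaf_vdevs STATUS_TEXT: print the device names listed under "config:",
# skipping the header, the pool line and grouping vdevs (mirror-N, raidz, ...).
leaf_vdevs() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*pool:/            { pool = $2; next }
        /^[[:space:]]+NAME[[:space:]]/  { inconf = 1; next }
        inconf && NF == 0               { inconf = 0; next }
        inconf && $1 != pool && $1 !~ /^(mirror|raidz|spare|log|cache|replacing)/ { print $1 }
    '
}

# unencrypted_vdevs STATUS_TEXT: print leaf vdevs that are not .eli providers.
unencrypted_vdevs() {
    leaf_vdevs "$1" | grep -v '\.eli$' || true
}

# check_all_encrypted STATUS_TEXT: exit 0 when every leaf vdev is encrypted,
# otherwise list the offending devices on stderr and exit 1.
check_all_encrypted() {
    bad=$(unencrypted_vdevs "$1")
    if [ -n "$bad" ]; then
        printf 'unencrypted vdev(s): %s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Stand-alone run against the sample; on a live host pass "$(zpool status zfs_mirror_1)".
if check_all_encrypted "$SAMPLE_STATUS"; then
    echo "all vdevs encrypted"
else
    echo "sample contains an unencrypted vdev, as expected"
fi
```

Run it after `zpool create` and again after any `zpool attach` or `zpool
replace`, since a replacement disk is the most likely way a raw device slips
into an otherwise encrypted pool.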

Automated ZFS Snapshots
-----------------------

Set the `com.sun:auto-snapshot` property on the relevant zpools and verify that
the child datasets inherit it.

    zfs set com.sun:auto-snapshot=true zfs_mirror_1

Create `/etc/cron.d/zfs-snapshots` with something like the following.

    PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin
    15,30,45 * * * * root /usr/local/sbin/zfs-auto-snapshot frequent 4
    0 * * * * root /usr/local/sbin/zfs-auto-snapshot hourly 24
    7 0 * * * root /usr/local/sbin/zfs-auto-snapshot daily 7
    14 0 * * 7 root /usr/local/sbin/zfs-auto-snapshot weekly 4
    28 0 1 * * root /usr/local/sbin/zfs-auto-snapshot monthly 12

Individual intervals (frequent, hourly, daily, etc.) can be excluded per
dataset by setting the interval-specific property to false.

    zfs set com.sun:auto-snapshot:frequent=false zfs_mirror_1

Automated ZFS Scrubs
--------------------

Create `/etc/cron.d/zfs-scrubs` with the following contents.

    PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin
    # Day-of-month 0 (as originally written) is outside cron's 1-31 range, so
    # the entries were not valid; 1 runs each scrub on the first of the month.
    0 0 1 * * root /sbin/zpool scrub zroot
    0 0 1 * * root /sbin/zpool scrub zfs_mirror_1
    0 0 1 * * root /sbin/zpool scrub zfs_mirror_2
    0 0 1 * * root /sbin/zpool scrub zfs_mirror_3
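A schedule mistake in a cron.d file is easy to miss because nothing fails
loudly; the scrubs simply never run. The script below is an added example, not
part of the original notes, that validates the five schedule fields of each
entry (minute 0-59, hour 0-23, day-of-month 1-31, month 1-12, day-of-week 0-7)
so that a line such as `0 0 0 * *` is caught before the file is installed. It
handles numbers, ranges, `/step` and comma lists; month and weekday names and
`@reboot`-style shortcuts are not supported. The function names
(`validate_cron_line`, `validate_cron_file`) are my own.

```shell
#!/bin/sh
# Added example, not from the original notes: validate the five schedule fields
# of /etc/cron.d-style entries (minute hour day-of-month month day-of-week user
# command) before installing the file. cron(8) accepts day-of-month 1-31, so a
# line beginning "0 0 0 * *" is not a valid schedule. Numbers only; month and
# weekday names (jan, sun) and @reboot-style shortcuts are not handled.

# validate_cron_line LINE: prints "ok" or the problem; exit status 0 only if ok.
validate_cron_line() {
    printf '%s\n' "$1" | awk '
    function in_range(v, lo, hi) { return (v ~ /^[0-9]+$/ && v + 0 >= lo && v + 0 <= hi) }
    # one field against [lo,hi]: "*", "a", "a-b", any of them with "/step", or a comma list
    function check_field(f, lo, hi,    n, parts, i, p, step, r) {
        n = split(f, parts, ",")
        for (i = 1; i <= n; i++) {
            p = parts[i]
            if (index(p, "/")) {
                step = p; sub(/^[^\/]*\//, "", step); sub(/\/.*$/, "", p)
                if (!in_range(step, 1, hi)) return 0
            }
            if (p == "*") continue
            if (p ~ /^[0-9]+-[0-9]+$/) {
                split(p, r, "-")
                if (!in_range(r[1], lo, hi) || !in_range(r[2], lo, hi) || r[1] + 0 > r[2] + 0) return 0
                continue
            }
            if (!in_range(p, lo, hi)) return 0
        }
        return 1
    }
    /^[[:space:]]*(#|$)/                    { print "ok"; exit 0 }  # comment or blank line
    /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=/  { print "ok"; exit 0 }  # environment assignment
    {
        if (NF < 7) { print "too few fields"; exit 1 }
        if (!check_field($1, 0, 59)) { print "bad minute: " $1; exit 1 }
        if (!check_field($2, 0, 23)) { print "bad hour: " $2; exit 1 }
        if (!check_field($3, 1, 31)) { print "bad day-of-month: " $3; exit 1 }
        if (!check_field($4, 1, 12)) { print "bad month: " $4; exit 1 }
        if (!check_field($5, 0, 7))  { print "bad day-of-week: " $5; exit 1 }
        print "ok"; exit 0
    }'
}

# validate_cron_file FILE: report every bad line; exit status 0 only if all ok.
validate_cron_file() {
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        msg=$(validate_cron_line "$line") || { printf '%s: %s\n' "$msg" "$line"; status=1; }
    done < "$1"
    return $status
}

# Stand-alone use: validate_cron_file /etc/cron.d/zfs-scrubs
validate_cron_line '0 0 0 * * root /sbin/zpool scrub zroot'
```

Wire `validate_cron_file` into whatever copies the files into `/etc/cron.d`
so a bad entry stops the install rather than silently disabling scrubs.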

Samba Notes
-----------

Create `/usr/local/etc/smb4.conf` with the following contents. Add an
additional share entry for each zpool. Note that `ntlm auth = yes` permits
NTLMv1, which is only needed for legacy clients; with modern clients it can be
left at the default.

    [global]
    workgroup = WORKGROUP
    server string = Samba Server
    netbios name = Talisker
    wins support = Yes
    security = user
    passdb backend = tdbsam
    ntlm auth = yes

    [zfs_mirror_1]
    path = /zfs_mirror_1
    valid users = ataylor
    writable = yes
    browsable = yes
    read only = no
    guest ok = no
    public = no
    create mask = 0666
    directory mask = 0755

Create a Samba user, using a different password from the system account.

    pdbedit -a ataylor

Manually start Samba.

    service samba_server start

Configure Samba to autostart on boot by adding the following to `/etc/rc.conf`.

    samba_server_enable="YES"
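As shares are added per zpool, it is easy to copy a block and loosen a setting
without noticing. The script below is an added example, not part of the
original notes: it reads an smb4.conf and flags the settings that widen
exposure (NTLMv1 permitted, guest or public shares, create/directory masks
that allow world-writable entries, SMB1 permitted). The sample configuration
embedded in it is the one from these notes; the function names
(`audit_smb_conf`, `count_findings`) are my own.

```shell
#!/bin/sh
# Added example, not from the original notes: audit an smb4.conf for settings
# that widen exposure. Output is one finding per line ("section: message"); an
# empty output means nothing was flagged. Keys and values are matched
# case-insensitively.

# Constructed sample: the configuration from these notes, verbatim.
SAMPLE_SMB='[global]
workgroup = WORKGROUP
server string = Samba Server
netbios name = Talisker
wins support = Yes
security = user
passdb backend = tdbsam
ntlm auth = yes

[zfs_mirror_1]
path = /zfs_mirror_1
valid users = ataylor
writable = yes
browsable = yes
read only = no
guest ok = no
public = no
create mask = 0666
directory mask = 0755'

# audit_smb_conf CONF_TEXT: print findings as "section: message".
audit_smb_conf() {
    printf '%s\n' "$1" | awk '
    function trim(s) { gsub(/^[[:space:]]+|[[:space:]]+$/, "", s); return s }
    /^[[:space:]]*[;#]/ || NF == 0 { next }                       # comments, blanks
    /^[[:space:]]*\[/ { section = trim($0); gsub(/^\[|\]$/, "", section); next }
    index($0, "=") {
        i = index($0, "=")
        key = tolower(trim(substr($0, 1, i - 1)))
        val = tolower(trim(substr($0, i + 1)))
        # "yes" is an alias of ntlmv1-permitted in Samba
        if (section == "global" && key == "ntlm auth" && (val == "yes" || val == "ntlmv1-permitted"))
            print section ": ntlm auth = " val " permits NTLMv1; prefer ntlmv2-only"
        if ((key == "guest ok" || key == "public") && val == "yes")
            print section ": " key " = yes allows unauthenticated access to the share"
        # a final octal digit with the write bit set (2,3,6,7) lets others write
        if ((key == "create mask" || key == "directory mask") && val ~ /[2367]$/)
            print section ": " key " = " val " allows world-writable entries"
        if (section == "global" && key == "server min protocol" && val ~ /^(nt1|lanman|core)/)
            print section ": server min protocol = " val " permits SMB1"
    }'
}

# count_findings CONF_TEXT: number of findings (0 when clean).
count_findings() {
    audit_smb_conf "$1" | grep -c . || true
}

# Stand-alone run; on a live host: audit_smb_conf "$(cat /usr/local/etc/smb4.conf)"
audit_smb_conf "$SAMPLE_SMB"
```

Against the configuration in these notes it reports two findings: the
`ntlm auth = yes` line in `[global]` and `create mask = 0666` on the share.
Whether either is acceptable depends on the clients involved; the point is
that the decision is visible rather than buried in a copied block.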

Status Emails
-------------

After building, run `make replace` inside the `mail/ssmtp` port to
automatically disable sendmail and related services and replace them with
ssmtp.

Create `/usr/local/etc/ssmtp/ssmtp.conf` with the following contents.

    # The person who gets all mail for userids < 1000
    # Make this empty to disable rewriting.
    root=ataylor@subgeniuskitty.com

    # The place where the mail goes. The actual machine name is required;
    # no MX records are consulted. Commonly mailhosts are named mail.domain.com.
    # The example will fit if you are in domain.com and your mailhub is so named.
    mailhub=mail.subgeniuskitty.com:465

    # Where will the mail seem to come from?
    rewriteDomain=subgeniuskitty.com

    # The full hostname
    hostname=talisker.subgeniuskitty.com

    # Set this to never rewrite the "From:" line (unless not given) and to
    # use that address in the "from line" of the envelope.
    FromLineOverride=YES

    # Use SSL/TLS to send secure messages to server.
    UseTLS=YES

    # Credentials accepted by remote SMTP server
    AuthUser=ataylor@subgeniuskitty.com
    AuthPass=password_goes_here

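`AuthPass` stores the mail account password in clear text, so
`ssmtp.conf` must not be readable by other users on the host. The script
below is an added check, not part of the original notes: it verifies that a
secret file grants no permissions to "others" and is owned by the expected
user. It parses `ls -ld` rather than `stat(1)`, whose flags differ between
FreeBSD and Linux. The function names (`file_mode_string`,
`check_secret_file`) are my own, and the group permissions are deliberately
not checked, since the mode the port installs (and whether a mail group needs
read access) is not asserted here.

```shell
#!/bin/sh
# Added example, not from the original notes: confirm that a file holding a
# clear-text credential (such as ssmtp.conf with AuthPass) is not readable or
# writable by "others" and is owned by the expected user. Uses `ls -ld`, which
# is portable between FreeBSD and Linux, unlike stat(1)'s flags.

# file_mode_string FILE: the nine permission characters, e.g. "rw-r-----".
file_mode_string() {
    ls -ld "$1" | cut -c2-10
}

# file_owner FILE: the owner name as shown by ls -l.
file_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# check_secret_file FILE [OWNER]: exit 0 if "others" have no permissions and
# the owner matches (default root); otherwise print the problem and exit 1.
check_secret_file() {
    f=$1; want_owner=${2:-root}
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    perms=$(file_mode_string "$f")
    others=$(printf '%s' "$perms" | cut -c7-9)
    case $others in
        ---) ;;
        *) echo "$f: world permissions are '$others' (expected '---'); fix with: chmod o= $f"; return 1 ;;
    esac
    owner=$(file_owner "$f")
    if [ "$owner" != "$want_owner" ]; then
        echo "$f: owned by $owner, expected $want_owner"
        return 1
    fi
    echo "$f: ok ($perms $owner)"
}

# Stand-alone use on the host: check_secret_file /usr/local/etc/ssmtp/ssmtp.conf
# Here a constructed temporary file stands in for the real config.
DEMO=$(mktemp)
chmod 644 "$DEMO"
check_secret_file "$DEMO" "$(id -un)" || true    # reports the world-readable mode
chmod 640 "$DEMO"
check_secret_file "$DEMO" "$(id -un)"            # passes
rm -f "$DEMO"
```

The same check applies to any other file on this host that carries a
credential, for example the Bacula configuration files installed by
`sysutils/bacula9-server`.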
Edit `/etc/passwd` and `/etc/master.passwd`, changing the name of the root
account from `Charlie &` to something suitable for the `FROM:` field in emails.
Afterwards, run `/usr/sbin/pwd_mkdb -p /etc/master.passwd`.

Create `/etc/cron.d/status-emails` with suitable contents. For example:

    PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin
    0 0 * * 0 root /sbin/zpool list | /usr/bin/mail -s "talisker.SGK - zpool list" ataylor@subgeniuskitty.com
    0 0 * * 0 root /sbin/zpool status | /usr/bin/mail -s "talisker.SGK - zpool status" ataylor@subgeniuskitty.com
    0 0 * * 0 root /sbin/zfs list -t snapshot | /usr/bin/mail -s "talisker.SGK - zfs snapshots" ataylor@subgeniuskitty.com
    0 0 * * 0 root /sbin/zfs list | /usr/bin/mail -s "talisker.SGK - zfs list" ataylor@subgeniuskitty.com
    0 0 * * 0 root /usr/local/bin/zfs-stats -IMAE | /usr/bin/mail -s "talisker.SGK - zfs stats" ataylor@subgeniuskitty.com