System Notes - talisker.SGK - File Server
=========================================

These notes cover the creation of a FreeBSD fileserver serving encrypted ZFS
volumes via Samba.

General Info
------------

Hostname: talisker.SGK
Version: FreeBSD 12.1

Motherboard: X8DT3-LN4F (manual saved in hw_support)
Processors: 2x L5630 Xeons (4 cores @ 2.13 GHz, low power)
Memory: 48 GB (12x 4GB R2 Registered ECC)
    Note: Configured in lockstep mode, leaving 32 GB usable
Hard Drives:
    3x 120 GB Intel DC S3500 (3-way boot mirror)
    2x 8.0 TB WD Red (2-way mirror for media)
    3x 3.0 TB WD Red (3-way mirror for personal files)
    2x 2.0 TB used SAS (2-way mirror for scratch space)
    Note: The onboard SAS controller is limited to 2.0 TB max drive size.
    Consequently, one boot drive and the five drives >2.0 TB are on the
    SATA channels and all remaining drives are on SAS, even though this
    splits the boot mirror across controllers.

Installed Ports
---------------

    sysutils/screen
    net/samba410
        -LDAP
        -ADS
        -AD_DC
        (due to dependency errors, build devel/llvm80 and devel/meson first)
    sysutils/zfs-stats
    sysutils/zfstools
    sysutils/bacula9-server
        +MTX
    dns/bind-tools
    devel/git
    irc/irssi
    security/nmap
    sysutils/smartmontools
    archivers/zip
    archivers/gtar
    mail/ssmtp

Encrypted ZFS Mirrors
---------------------

The following example creates a 2-way mirror using `ada1` and `ada2`. First,
create the encrypted devices (each `geli init` prompts for the passphrase).

    geli init -l 256 /dev/ada1
    geli init -l 256 /dev/ada2
    geli attach /dev/ada1
    geli attach /dev/ada2
    geli status

In order to be prompted for the passphrase on boot, add the following line to
`/etc/rc.conf`.

    geli_devices="ada1 ada2"

Next, create the ZFS mirror on the `.eli` providers. Enable compression by
default, using LZ4 since it aborts the compression attempt early when the
initial results are not significant, so incompressible data costs little.

    zpool create zfs_mirror_1 mirror /dev/ada1.eli /dev/ada2.eli
    zfs set compress=lz4 zfs_mirror_1
    zpool status

Automated ZFS Snapshots
-----------------------

Set the `com.sun:auto-snapshot` property on the root dataset of each relevant
pool and verify that child datasets inherit it.

    zfs set com.sun:auto-snapshot=true zfs_mirror_1

Create `/etc/cron.d/zfs-snapshots` with something like the following (the
trailing number is how many snapshots of each interval to keep).

    PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin
    15,30,45 * * * * root /usr/local/sbin/zfs-auto-snapshot frequent 4
    0 * * * * root /usr/local/sbin/zfs-auto-snapshot hourly 24
    7 0 * * * root /usr/local/sbin/zfs-auto-snapshot daily 7
    14 0 * * 7 root /usr/local/sbin/zfs-auto-snapshot weekly 4
    28 0 1 * * root /usr/local/sbin/zfs-auto-snapshot monthly 12

Individual intervals (frequent, hourly, daily, etc.) can be excluded for a
dataset with the interval-specific property, for example:

    zfs set com.sun:auto-snapshot:frequent=false zfs_mirror_1
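
A check that the retention requested by the cron.d entries above is actually being enforced, as an added example (not part of the original notes and not zfstools' own code): it parses `zfs list -H -t snapshot -o name` output, assuming zfstools' `<dataset>@zfs-auto-snap_<interval>-<YYYY-MM-DD-HHhMM>` naming, reports any dataset/interval holding more snapshots than its keep count, and flags datasets whose newest auto-snapshot predates a cutoff you pass in. The sample snapshot list is constructed.

```sh
# Retention the cron.d entries request, as interval:keep pairs.
RETENTION="frequent:4 hourly:24 daily:7 weekly:4 monthly:12"

# Constructed sample of `zfs list -H -t snapshot -o name`, not real talisker output.
SAMPLE_SNAPSHOTS='zfs_mirror_1@zfs-auto-snap_frequent-2020-01-05-15h15
zfs_mirror_1@zfs-auto-snap_frequent-2020-01-05-15h30
zfs_mirror_1@zfs-auto-snap_frequent-2020-01-05-15h45
zfs_mirror_1@zfs-auto-snap_frequent-2020-01-05-16h00
zfs_mirror_1@zfs-auto-snap_frequent-2020-01-05-16h15
zfs_mirror_1@zfs-auto-snap_hourly-2020-01-05-16h00
zfs_mirror_1@zfs-auto-snap_daily-2020-01-05-00h07
zfs_mirror_2@zfs-auto-snap_daily-2020-01-04-00h07
zfs_mirror_2@zfs-auto-snap_daily-2020-01-05-00h07
zfs_mirror_3@zfs-auto-snap_daily-2019-12-20-00h07'

# audit_snapshots SNAPSHOT_LIST RETENTION CUTOFF
# Prints "OVER dataset interval have>keep" when a dataset holds more snapshots of
# an interval than requested, and "STALE dataset newest=STAMP" when a dataset's
# newest auto-snapshot sorts before CUTOFF (same YYYY-MM-DD-HHhMM form, which
# sorts chronologically as a plain string). Exit status 1 if anything is printed.
audit_snapshots() {
    printf '%s\n' "$1" | awk -v retention="$2" -v cutoff="$3" '
    BEGIN {
        n = split(retention, pairs, " ")
        for (i = 1; i <= n; i++) { split(pairs[i], kv, ":"); keep[kv[1]] = kv[2] + 0 }
    }
    # Only zfs-auto-snapshot names: <dataset>@zfs-auto-snap_<interval>-<stamp>
    /@zfs-auto-snap_/ {
        split($0, a, "@zfs-auto-snap_")
        ds = a[1]; p = index(a[2], "-")
        iv = substr(a[2], 1, p - 1); stamp = substr(a[2], p + 1)
        count[ds SUBSEP iv]++
        if (stamp > newest[ds]) newest[ds] = stamp
    }
    END {
        for (k in count) {
            split(k, parts, SUBSEP)
            if ((parts[2] in keep) && count[k] > keep[parts[2]]) {
                printf "OVER %s %s %d>%d\n", parts[1], parts[2], count[k], keep[parts[2]]; bad = 1
            }
        }
        for (ds in newest)
            if (newest[ds] < cutoff) { printf "STALE %s newest=%s\n", ds, newest[ds]; bad = 1 }
        exit bad
    }'
}

# Cutoff of one day before the newest sample; on a live system derive it from date(1).
audit_snapshots "$SAMPLE_SNAPSHOTS" "$RETENTION" "2020-01-04-16h00" || echo "snapshot audit: problems found"
```

On the sample this reports five `frequent` snapshots on `zfs_mirror_1` against a keep of 4 and a stale `zfs_mirror_3`; the output order of findings depends on awk's hash iteration.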
| 94 | |
Automated ZFS Scrubs
--------------------

Create `/etc/cron.d/zfs-scrubs` with the following contents.

    PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin
    # cron(8) rejects day-of-month 0 and then skips the whole file, so the field
    # is set to 1 (an assumed monthly schedule, midnight on the 1st). Stagger the
    # day or hour per pool if simultaneous scrubs contend for I/O.
    0 0 1 * * root /sbin/zpool scrub zroot
    0 0 1 * * root /sbin/zpool scrub zfs_mirror_1
    0 0 1 * * root /sbin/zpool scrub zfs_mirror_2
    0 0 1 * * root /sbin/zpool scrub zfs_mirror_3

Samba Notes
-----------

Create `/usr/local/etc/smb4.conf` with the following contents. Add an
additional share entry for each zpool.

    [global]
    workgroup = WORKGROUP
    server string = Samba Server
    netbios name = Talisker
    wins support = Yes
    security = user
    passdb backend = tdbsam
    # "yes" additionally permits NTLMv1; Samba's default (ntlmv2-only) is
    # stronger if every client supports NTLMv2.
    ntlm auth = yes

    [zfs_mirror_1]
    path = /zfs_mirror_1
    valid users = ataylor
    writable = yes
    browsable = yes
    read only = no
    guest ok = no
    public = no
    create mask = 0666
    directory mask = 0755

Create a Samba user, using a different password than the system account.

    pdbedit -a ataylor

Manually start Samba.

    service samba_server start

Configure Samba to autostart on boot by adding the following to `/etc/rc.conf`.

    samba_server_enable="YES"

Status Emails
-------------

After building, run `make replace` inside the `mail/ssmtp` port to disable
sendmail and point the system mailer at ssmtp.

Create `/usr/local/etc/ssmtp/ssmtp.conf` with the following contents.

    # The person who gets all mail for userids < 1000
    # Make this empty to disable rewriting.
    root=ataylor@subgeniuskitty.com

    # The place where the mail goes. The actual machine name is required;
    # no MX records are consulted. Commonly mailhosts are named mail.domain.com
    # The example will fit if you are in domain.com and your mailhub is so named.
    mailhub=mail.subgeniuskitty.com:465

    # Where will the mail seem to come from?
    rewriteDomain=subgeniuskitty.com

    # The full hostname
    hostname=talisker.subgeniuskitty.com

    # Set this to never rewrite the "From:" line (unless not given) and to
    # use that address in the "from line" of the envelope.
    FromLineOverride=YES

    # Use SSL/TLS to send secure messages to server.
    UseTLS=YES

    # Credentials accepted by remote SMTP server. The password is stored in
    # the clear, so keep this file unreadable to ordinary users.
    AuthUser=ataylor@subgeniuskitty.com
    AuthPass=password_goes_here

Edit `/etc/passwd` and `/etc/master.passwd`, changing the full-name (gecos)
field of the root account from `Charlie &` to something suitable for the
`From:` field in emails. Afterwards, run `/usr/sbin/pwd_mkdb -p
/etc/master.passwd` to rebuild the password databases.

Create `/etc/cron.d/status-emails` with suitable contents. For example:

    PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin
    0 0 * * 0 root /sbin/zpool list | /usr/bin/mail -s "talisker.SGK - zpool list" ataylor@subgeniuskitty.com
    0 0 * * 0 root /sbin/zpool status | /usr/bin/mail -s "talisker.SGK - zpool status" ataylor@subgeniuskitty.com
    0 0 * * 0 root /sbin/zfs list -t snapshot | /usr/bin/mail -s "talisker.SGK - zfs snapshots" ataylor@subgeniuskitty.com
    0 0 * * 0 root /sbin/zfs list | /usr/bin/mail -s "talisker.SGK - zfs list" ataylor@subgeniuskitty.com
    0 0 * * 0 root /usr/local/bin/zfs-stats -IMAE | /usr/bin/mail -s "talisker.SGK - zfs stats" ataylor@subgeniuskitty.com
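
As an added example (not from the original notes), a filter for the weekly `zpool status` mail above that reports only findings: pools whose state is not ONLINE, vdevs that are not ONLINE or carry non-zero READ/WRITE/CKSUM counts, and an `errors:` line other than `No known data errors`. The sample status text is constructed; the `ada3.eli`/`ada4.eli` devices in it are illustrative.

```sh
# Constructed sample of `zpool status` output (not captured from talisker).
SAMPLE_STATUS='  pool: zfs_mirror_1
 state: ONLINE
config:

        NAME            STATE     READ WRITE CKSUM
        zfs_mirror_1    ONLINE       0     0     0
          mirror-0      ONLINE       0     0     0
            ada1.eli    ONLINE       0     0     0
            ada2.eli    ONLINE       0     0     2

errors: No known data errors

  pool: zfs_mirror_2
 state: DEGRADED
config:

        NAME            STATE     READ WRITE CKSUM
        zfs_mirror_2    DEGRADED     0     0     0
          mirror-0      DEGRADED     0     0     0
            ada3.eli    ONLINE       0     0     0
            ada4.eli    FAULTED      3     0    12  too many errors

errors: Permanent errors have been detected in the following files:
        /zfs_mirror_2/example.dat'

# zpool_problems STATUS_TEXT
# Prints one line per finding, prefixed with the pool name; exit status 1 if any.
zpool_problems() {
    printf '%s\n' "$1" | awk '
    $1 == "pool:" { pool = $2 }
    $1 == "state:" && $2 != "ONLINE" { printf "%s: pool state %s\n", pool, $2; bad = 1 }
    # vdev rows of the config table: NAME STATE READ WRITE CKSUM [note]
    NF >= 5 && $2 ~ /^(ONLINE|DEGRADED|FAULTED|OFFLINE|UNAVAIL|REMOVED)$/ && $3 ~ /^[0-9]+$/ {
        if ($2 != "ONLINE" || $3 + $4 + $5 > 0) {
            printf "%s: %s %s read/write/cksum=%s/%s/%s\n", pool, $1, $2, $3, $4, $5; bad = 1
        }
    }
    $1 == "errors:" && $0 !~ /No known data errors/ {
        sub(/^ *errors: */, ""); printf "%s: %s\n", pool, $0; bad = 1
    }
    END { exit bad }'
}

# Cron use: mail only when there is something to read, e.g.
#   out=$(zpool_problems "$(zpool status)") || printf "%s\n" "$out" | mail -s "talisker.SGK - zpool problems" ataylor@subgeniuskitty.com
zpool_problems "$SAMPLE_STATUS" || echo "zpool check: problems found"
```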