New life for an old laptop as a Linux home server

Why set up a home server?
You might have something in mind that would benefit from having an "always-on, always-available" computer. In my case, it started with the desire to 1) continuously sync files between multiple devices, and 2) automatically run daily backups. For reasons of logistics, privacy, and curiosity I decided to forego using commercial cloud-computing services and put together my own solution.
Install a stable Linux distribution such as Debian and gain access to tens of thousands of packages ready to install, with the ability to host all kinds of services.
Why use an old laptop as a home server?
Something like a Raspberry Pi is certainly one option, but one big advantage of the laptop option is that I already have one not being used! You might also have a spare laptop, or know where to get one for little to no cost. Second-hand laptops - retired in favour of more current and powerful machines - can still deliver plenty of oomph for running a personal server, and can include all sorts of things built-in (case, display, keyboard, multiple ports, storage) that need to be purchased separately for the Pi. Laptops are designed to be frugal with power and, if the battery still holds a charge, come equipped with their own built-in UPS!
Let's go!
Hardware: A recently discarded Thinkpad E520 (circa 2011), saved from a landfill, with an i5-2430M CPU, 8GB RAM, gigabit ethernet, wifi, scuffed up but usable display, no storage. I added a WD Blue 500GB SATA SSD ($70CAN).
1. Getting started
1.1 Install Debian
Debian 11 aka "Bullseye" is the latest stable release of the popular Linux operating system. I use Debian's (unofficial) network installer image (which includes non-free firmware for pesky wifi cards) to create a minimal, console-only base configuration as the foundation for my home server. Read more
1.2 Secure remote access using SSH keys
Create cryptographic keys and disable password logins to make the server more secure. Read more
1.3 Remotely unlock a LUKS-encrypted Linux server
When I use LUKS to encrypt the root partition on my Linux server, I need to supply the crypt passphrase at boot to unlock the system for startup to continue and get to login. All well and good if I'm sitting in front of the machine with a keyboard and display. But what if it's a headless server? Or located in a remote location? Read more
1.4 Terminal multiplexer: tmux
Useful on desktops and especially on servers, tmux launches a session in the console that can be divided into multiple windows and panes (multiplexing). Where it really differentiates itself from simply opening multiple terminals or logins, though, is the ability to detach and re-attach sessions. Log in to the server, open several windows, run ongoing processes, detach the session, log out, log in again, re-attach the session, and your working environment is restored.
Install ...
$ sudo apt install tmux
In one of my windows on the server, I like to keep an RSS feed reader open and running (see below).
See: Getting started with tmux, and my own tmux.conf configuration.
1.5 Turn off display and close lid
Install vbetool to control the laptop's display backlight ...
$ sudo apt install vbetool
Turn off the backlight with the command ...
$ sudo vbetool dpms off
To close the laptop lid and have the computer continue to run (i.e. don't suspend the system), edit /etc/systemd/logind.conf and change ...
HandleLidSwitch=suspend
... to ...
HandleLidSwitch=ignore
Restart ...
$ sudo systemctl restart systemd-logind.service
2. Services
2.1 Sync data: syncthing
A continuous file sync program that synchronizes files between multiple computers. My home setup is a star layout; that is, I have multiple devices that exchange data with the home server. Read more
2.2 Backups: rdiff-backup
A backup you don't have to think about is a backup that gets done. Read more
2.3 RSS reader: newsboat
Newsboat is an RSS feed reader that runs in a console. I like it!
Install ...
$ sudo apt install newsboat
Create a list of feeds to track in ~/.newsboat/urls. Sample file ...
"query:Unread Articles:unread = \"yes\""
https://www.dwarmstrong.org/feed.xml
https://www.reddit.com/r/archlinux.rss "~r/archlinux"
https://www.youtube.com/feeds/videos.xml?channel_id=UCxQKHvKbmSzGMvUrVtJYnUA "~yt/LearnLinuxTv"
Translates to ...
- "query:Unread Articles:unread = \"yes\""
  - Generates a combined list of unread posts from all feeds
- https://www.dwarmstrong.org/feed.xml
  - My own feed link
- https://www.reddit.com/r/archlinux.rss "~r/archlinux"
  - Reddit feeds can be created by copying the URL and adding .rss; give a custom_name to a feed by adding "~<custom_name>"
- https://www.youtube.com/feeds/videos.xml?channel_id=UCxQKHvKbmSzGMvUrVtJYnUA "~yt/LearnLinuxTv"
  - To subscribe to a Youtube channel:
    - Open a YT channel's VIDEOS page
    - Use the browser's page source view option, and search for channelId and <string>, where <string> in this example is UCxQKHvKbmSzGMvUrVtJYnUA
    - Add link https://www.youtube.com/feeds/videos.xml?channel_id=<string> to file
Run program ...
$ newsboat
2.4 Calendar: radicale
CalDAV and CardDAV are open protocols for sharing a calendar and address book respectively between devices. Radicale is a self-hosted CalDAV and CardDAV server. Read more
2.5 Web and reverse proxy: nginx
Nginx is an open-source, high performance, lightweight HTTP and reverse proxy server. Read more
3. Maintenance and monitoring
3.1 Package updates: unattended-upgrades
On desktops, I like to keep the system updated manually. However, on servers, once you get into several devices, upgrading can quickly get repetitive and timely security updates may be put off.
I use unattended-upgrades to automate the process. Read more
3.2 Logs: logwatch
Keep an eye on the server with logwatch, which combs through the system logs and emails reports.
Install ...
$ sudo apt install logwatch
Configuration file is /usr/share/logwatch/default.conf/logwatch.conf. A daily cron job is placed in /etc/cron.daily/00logwatch. I stick with the default settings, which email a daily report of yesterday's activity to root, which is forwarded to my username. Run mail to read.
3.3 Process viewer: htop
The top command displays Linux processes, and one of the first packages I install on a new Linux setup is the enhanced, interactive htop viewer. Good-looking and easy to use: see CPU and MEMORY usage at a glance, system load and uptime, kill wonky processes, and more!
Install ...
$ sudo apt install htop
See: A Guide to the htop command in Linux
4. Outside world
4.1 Dynamic DNS: Duck DNS
My home server sits behind a router assigned a dynamic IP address by the ISP. If I want to remotely connect to my server, I can use a Dynamic DNS (DDNS) service to create a domain name, automatically update the IP address whenever it changes, and redirect traffic to the new location.
I use the free DDNS service provided by Duck DNS, which permits the creation of up to five domains in the format <subdomain_name>.duckdns.org.
See the install instructions for setting up a cron job on the server that polls the external IP address assigned by the ISP, and notifies Duck DNS of the current address.
Use Network Address Translation (NAT) on the home router to set up port forwarding, which forwards traffic directed at one of the router's ports to the listening port on the home server.
4.2 Authentication: fail2ban
Fail2ban is a daemon that can block other nodes when there are a certain number of authentication failures.
Install ...
$ sudo apt install fail2ban
Default configuration file is /etc/fail2ban/jail.conf. Don't modify this file directly; create a /etc/fail2ban/jail.local file for any custom details ...
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Settings in the jail.local file override the matching settings in the jail.conf file.
One option that is a good idea to change right away is to add your local devices to the ignoreip line to ensure you don't lock yourself out. Example: localhost is ignored by default, and I add a few LAN addresses ...
ignoreip = 127.0.0.1/8 ::1 192.168.0.10/24 192.168.0.20/24
Other options include bantime (how long a host is banned when fail2ban blocks it) and maxretry (number of failures that need to occur before fail2ban takes action).
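An added example, not from the original article: under CIDR rules the two LAN entries in the ignoreip line above, each written with a /24 suffix, cover the same 256-address network rather than two individual hosts. The Python check below expands each ignoreip entry to the range it exempts from banning; the function names are hypothetical, and host_only assumes the intent was to exempt only those two machines.

```python
import ipaddress

# The ignoreip line as it appears in the article.
ARTICLE_LINE = "ignoreip = 127.0.0.1/8 ::1 192.168.0.10/24 192.168.0.20/24"


def audit_ignoreip(line):
    """Expand each ignoreip entry to the network it covers under CIDR rules."""
    seen, report = [], []
    for entry in line.partition("=")[2].replace(",", " ").split():
        try:
            # strict=False accepts host bits after the prefix (e.g. .10/24)
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            # Assumption: anything that is not an IP/CIDR is a DNS host name
            report.append({"entry": entry, "network": None,
                           "addresses": None, "notes": ["DNS name, not audited"]})
            continue
        notes = []
        if "/" in entry and ipaddress.ip_interface(entry).ip != net.network_address:
            notes.append(f"host bits set: whole {net} is exempt")
        covering = [p for p in seen if p.version == net.version and net.subnet_of(p)]
        if covering:
            notes.append(f"already covered by {covering[0]}")
        seen.append(net)
        report.append({"entry": entry, "network": str(net),
                       "addresses": net.num_addresses, "notes": notes})
    return report


def host_only(line):
    """Rewrite non-loopback entries that have host bits set as single hosts."""
    out = []
    for item in audit_ignoreip(line):
        entry = item["entry"]
        widened = any(n.startswith("host bits set") for n in item["notes"])
        if widened and not ipaddress.ip_network(entry, strict=False).is_loopback:
            entry = entry.split("/")[0]
        out.append(entry)
    return "ignoreip = " + " ".join(out)


if __name__ == "__main__":
    for item in audit_ignoreip(ARTICLE_LINE):
        print(item["entry"], "->", item["network"], item["addresses"], item["notes"])
    print(host_only(ARTICLE_LINE))
```

Every device on 192.168.0.0/24 is exempt with the line as written, so a compromised machine on the LAN could guess passwords against the server without ever being banned.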
After any configuration change, restart the daemon and check its status ...
$ sudo systemctl restart fail2ban
$ systemctl status fail2ban
5. Helpful
- Mastering Ubuntu Server - Third Edition by Jay LaCroix
- Except for a few Ubuntu-specific services, this excellent guide is equally relevant to putting together a Debian server.
- yt/LearnLinuxTV
- YouTube channel with Linux tutorials, reviews, etc. Produced by the author of Mastering Ubuntu Server.
- The Debian Administrator's Handbook by Raphaël Hertzog and Roland Mas
- In-depth guide to becoming a Debian power-user/sysadmin. Read online or download the ebook.
- Debian Package Tracker
- A searchable interface that packs a lot of information about a given package on a single page.
- ArchWiki
- Dedicated to Arch Linux, but contains many excellent HOWTOs relevant to all Linux distros.