New life for an old laptop as a Linux home server

Last updated on 2021-08-29 Tagged under  #homeServer   #debian   #linux 

Why set up a home server?

You might have something in mind that would benefit from having an "always-on, always-available" computer.

For myself, it started with the desire to:

Out of curiosity I decided to forego using commercial cloud-computing services and put together something myself. Install a stable Linux distribution such as Debian and gain access to tens of thousands of software packages with the ability to host all kinds of services.

Why use an old laptop as a home server?

Something like a Raspberry Pi is certainly one option, but one big advantage of the laptop option is I already have one not being used! You might also have a spare laptop, or know where to get one for little to no cost.

Second-hand laptops - retired in favour of more current and powerful machines - can still deliver plenty of oomph for running a personal server, and can include all sorts of things built-in (case, display, keyboard, multiple ports, storage) that need to be purchased separately for the Pi. Laptops are designed to be frugal with power and, if the battery still holds a charge, come equipped with their own built-in UPS!

My setup

A discarded and saved-from-landfill Thinkpad E520 (circa 2011) with:

1. Getting started

1.1 Install Debian

Debian 11 aka "Bullseye" is the latest stable release of the popular Linux operating system. I use Debian's (unofficial) network installer image (which includes non-free firmware for pesky wifi cards) to create a minimal, console-only base configuration as the foundation for my home server. Read more

1.2 Static IP Lease

Our new server should use a fixed IP address so its hosted network services can easily be found.

Most home routers come with an integrated Dynamic Host Configuration Protocol (DHCP) server, and allow configuration via a web console. I have OpenWrt installed on my router, and I create static leases to assign fixed IP addresses to client devices.

Debian's network interfaces are configured for the ifup and ifdown commands in /etc/network/interfaces. By default, wired (ethernet) interfaces are configured for auto-detection and to use DHCP.

Example entry ...

# The primary network interface
allow-hotplug enp0s31f6
iface enp0s31f6 inet dhcp

Display all detected network interfaces along with their IP and MAC addresses ...

$ ip addr

For OpenWrt, log in to the web console and navigate to Network->DHCP and DNS->Static Leases.

Click Add, then include the MAC address of the server's network interface, the hostname, and the desired IP address. When done click Save & Apply.

All subsequent connections to the local network by the server will see it assigned this IP address.

1.3 Secure remote access using SSH keys

Create cryptographic keys and disable password logins to make the server more secure. Read more

1.4 Remotely unlock a LUKS-encrypted Linux server

When I use LUKS to encrypt the root partition on my Linux server, I need to supply the crypt passphrase at boot to unlock the system for startup to continue and get to login. All well and good if I'm sitting in front of the machine with a keyboard and display. But what if it's a headless server? Or located in a remote location? Read more

1.5 Terminal multiplexer: tmux

Useful on desktops and especially on servers, tmux launches a session in the console that can be divided in multiple windows and panes (multiplexing).

Where it really makes a difference from simply opening multiple terminals or logins, though, is the ability to detach/re-attach sessions. Log in to the server, open several windows, run ongoing processes, detach the session, log out, log in, re-attach the session, and restore your working environment.

Install ...

$ sudo apt install tmux

See: Getting started with tmux, and my own tmux.conf configuration.

1.6 Turn off display and close lid

Install vbetool to control the laptop's display backlight ...

$ sudo apt install vbetool

Turn off the backlight with the command ...

$ sudo vbetool dpms off

To close the laptop lid and have the computer continue to run (i.e. don't suspend the system), edit /etc/systemd/logind.conf.

Change ...

HandleLidSwitch=suspend

To ...

HandleLidSwitch=ignore

Restart ...

$ sudo systemctl restart systemd-logind.service

2. Services

2.1 Sync data: syncthing

Syncthing is a continuous file synchronization program that synchronizes files between multiple computers. My home setup is a star layout; that is, I have multiple devices that exchange data with the home server. Read more

2.2 Backups: rdiff-backup

A backup you don't have to think about is a backup that gets done. Read more

2.3 RSS reader: newsboat

Newsboat is an RSS feed reader that runs in a console.

Install ...

$ sudo apt install newsboat

Create a list of feeds to track in ~/.newsboat/urls.

Sample file ...

"query:Unread Articles:unread = \"yes\""
https://www.dwarmstrong.org/feed.xml
https://www.reddit.com/r/debian.rss "~r/archlinux"
https://www.youtube.com/feeds/videos.xml?channel_id=UCxQKHvKbmSzGMvUrVtJYnUA "~yt/LearnLinuxTv"

Translates to:

Run program (and leave running inside tmux) ...

$ newsboat

2.4 Calendar: radicale

CalDAV and CardDAV are open protocols for sharing a calendar and address book respectively between devices. Radicale is a self-hosted CalDAV and CardDAV server. Read more

2.5 Web and reverse proxy: nginx

Nginx is an open-source, high performance, lightweight HTTP and reverse proxy server. Read more

2.6 Dynamic DNS: Duck DNS

My home server sits behind a router assigned a dynamic IP address by the ISP.

If I want to remotely connect to my server, I can use a Dynamic DNS (DDNS) service to create a domain name, automatically update the IP address whenever it changes, and redirect traffic to the new location.

I use the free DDNS service provided by Duck DNS, which permits the creation of up to five domains in the format <subdomain_name>.duckdns.org.

See the install instructions for setting up a cron job on the server that polls the external IP address assigned by the ISP, and notifies Duck DNS of the current address.

Use Network Address Translation (NAT) on the home router to set up port forwarding, which forwards traffic directed at one of the router's ports to the listening port on the home server.

3. Maintenance and monitoring

3.1 Package updates: unattended-upgrades

On desktops, I like to keep the system updated manually. However, on servers, once you get into several devices, upgrading can quickly get repetitive and timely security updates may be put off.

I use unattended-upgrades to automate the process. Read more

3.2 Logs: logwatch

Keep an eye on the server with logwatch, which combs through the system logs and emails reports.

Install ...

$ sudo apt install logwatch

The configuration file is /usr/share/logwatch/default.conf/logwatch.conf. A daily cron job is placed in /etc/cron.daily/00logwatch. I stick with the default settings, which email a daily report of yesterday's activity to root, which is forwarded to my username. Run mail to read it.

3.3 Process viewer: htop

The top command displays Linux processes, and one of the first packages I install on a new Linux setup is the enhanced, interactive htop viewer. Good-looking and easy to use: see CPU and MEMORY usage at a glance, system load and uptime, kill wonky processes, and more!

Install ...

$ sudo apt install htop

See: A Guide to the htop command in Linux

3.4 Authentication: fail2ban

Fail2ban is a daemon that can block other nodes when there are a certain number of authentication failures.

Install ...

$ sudo apt install fail2ban

Default configuration file is /etc/fail2ban/jail.conf. Don't modify this file directly; create a /etc/fail2ban/jail.local file for any custom details ...

$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Settings in jail.local override the corresponding settings in jail.conf.

One option that is a good idea to change right away is ignoreip: add your local devices to that line to ensure you don't lock yourself out. Example: localhost is ignored by default, and I add my internal LAN addresses ...

ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24

Other options include bantime (how long a host is banned when fail2ban blocks it) and maxretry (number of failures that need to occur before fail2ban takes action).

After any configuration change, restart the daemon and check its status ...

$ sudo systemctl restart fail2ban
$ sudo systemctl status fail2ban
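
How ignoreip, maxretry and bantime interact, as an added example that is not part of the original post and not fail2ban's own code: a small Python model of the ban decision run over constructed log lines. The log layout, the sample addresses, the numeric settings and the findtime window (a fail2ban option not covered above) are assumptions for the demo.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Demo settings: ignoreip is the value from this page; the numbers are assumed.
IGNOREIP = "127.0.0.1/8 ::1 192.168.1.0/24"
MAXRETRY = 3
FINDTIME = timedelta(minutes=10)  # window in which failures are counted
BANTIME = timedelta(minutes=10)   # how long a ban lasts

# Constructed log lines in a simplified "<ISO time> sshd[pid]: message" layout.
SAMPLE_LOG = """\
2021-08-29T10:00:01 sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
2021-08-29T10:00:05 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
2021-08-29T10:00:09 sshd[811]: Failed password for root from 203.0.113.7 port 40114 ssh2
2021-08-29T10:01:00 sshd[812]: Failed password for root from 198.51.100.20 port 50000 ssh2
2021-08-29T10:02:00 sshd[813]: Failed password for me from 192.168.1.50 port 51000 ssh2
2021-08-29T10:02:05 sshd[813]: Failed password for me from 192.168.1.50 port 51001 ssh2
2021-08-29T10:02:09 sshd[813]: Failed password for me from 192.168.1.50 port 51002 ssh2
2021-08-29T10:02:15 sshd[813]: Accepted publickey for me from 192.168.1.50 port 51003 ssh2
2021-08-29T10:20:00 sshd[814]: Failed password for root from 198.51.100.20 port 50001 ssh2
2021-08-29T10:21:00 sshd[814]: Failed password for root from 198.51.100.20 port 50002 ssh2
"""
FAILED = re.compile(r"^(\S+) sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port")

def is_ignored(addr, ignoreip=IGNOREIP):
    """True if addr falls inside any network listed on the ignoreip line."""
    ip = ipaddress.ip_address(addr)
    # strict=False accepts entries with host bits set, such as 127.0.0.1/8.
    return any(ip in ipaddress.ip_network(n, strict=False) for n in ignoreip.split())

def simulate(log_text, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Return {ip: (banned_at, unbanned_at)} for hosts that reach maxretry."""
    failures, bans = defaultdict(list), {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # not an authentication failure
        when, addr = datetime.fromisoformat(m.group(1)), m.group(2)
        if is_ignored(addr):
            continue  # ignored hosts are never counted, so never banned
        if addr in bans and when < bans[addr][1]:
            continue  # still banned
        failures[addr] = [t for t in failures[addr] if when - t <= findtime] + [when]
        if len(failures[addr]) >= maxretry:
            bans[addr] = (when, when + bantime)
            failures[addr] = []
    return bans
```

With these settings only 203.0.113.7 is banned: the LAN host is skipped because of ignoreip, and 198.51.100.20 never collects three failures inside one findtime window.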

4. Helpful
