It would probably be clearer if there were screenshots for each step, but this was an installation on a physical server, and taking photos of each step conflicts with my laziness :). Just follow the instructions and you will be fine.
Feel free to adjust the above according to your own preferences.
There are 4 disks of 3 TB each (3.0 TB SATA). The installer lists them as SCSI devices, but they are in fact SATA.
Then create a raid partition for /boot:
Lastly create the raid partition to be used by the encrypted volume:
Repeat the above steps for sdb, sdc and sdd.
First select ‘Configure software RAID’ and follow these steps:
Then we create the software RAID (MD) devices. First we create device md0 for /boot:
Then we create the software RAID device to be used for the encrypted volume (md1):
Press ‘Finish’ when done.
When done press ‘Finish partitioning and write changes to disk’.
When finished you will see a ‘RAID10 device #0 1GB Software RAID device’:
We will be using the software RAID /dev/md1 device for the encrypted volume.
Now select ‘Configure encrypted volumes’ and follow these steps:
Create encrypted volumes
Done setting up the partition
Write the changes to disk and configure encrypted volumes? Yes
Next we select the ‘Configure the Logical Volume Manager’ option and follow these steps:
Create volume group
Then we create the Logical Volumes (LV). First let’s create a SWAP volume:
Lastly we create the system (ROOT) volume. On an enterprise installation we may want separate volumes for /usr, /home, /var, etc., but for a home installation a single volume is fine.
Press ‘Finish’ when done.
After all the steps are completed these Logical Volumes will be present on the system:
Under the ‘LVM VG VG00, LV ROOT 0 6.0 TB’ line select the ‘#1 6.0TB’ option:
Under the ‘LVM VG VG00, LV SWAP 0 2.0 GB’ line select the ‘#1 2.0GB’ option:
Now we are ready to write the changes and start the installation. Press the ‘Finish partitioning and write changes to disk’ option to continue:
Wait for the base install to finish. Then select a mirror country close to you. There are no Debian mirrors in Cyprus, so I use the UK:
Wait for the APT configuration to Finish.
Choose software to install:
Wait while software is installing
Wait for the installation to finish and reboot. Remember to remove the USB during the reboot cycle.
During start-up you will see the ‘Please unlock md1_crypt’ prompt. Type your LUKS passphrase to unlock the disk and continue.
Login as root:
# apt update && apt -y dist-upgrade
# apt -y install vim htop multitail ntp byobu ufw unattended-upgrades downtimed
You need to generate an SSH key pair on your PC, if you don’t have one (you should!):
$ ssh-keygen -b 4096
This produces a 4096-bit RSA key pair (id_rsa / id_rsa.pub); an ed25519 key from ssh-keygen -t ed25519 works just as well, only the filename below changes. Copy the public key:
$ cat ~/.ssh/id_rsa.pub
Paste the public key at the end of the /root/.ssh/authorized_keys file on your server (the directory should be mode 700 and the file mode 600; sshd ignores an authorized_keys file that is group- or world-writable) and try to log in from your PC:
$ ssh root@192.168.1.10
Some final adjustments to your SSH config (/etc/ssh/sshd_config). Change these values:
Port 2233
PasswordAuthentication no
Debian's default PermitRootLogin prohibit-password already limits root to key-based logins, which is exactly what the key you just tested relies on. Check the file for syntax errors with sshd -t before restarting; a broken config would otherwise leave the restarted daemon dead and you without SSH access. Restart SSH:
# systemctl restart ssh.service
We are using port 2233 for SSH, so we need to allow that port before enabling the firewall (ufw's default policy denies incoming connections, so enabling it first would drop your session):
# ufw allow 2233/tcp
# ufw enable
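The whole SSH hardening step, as an added example that is not part of the original post: an idempotent script that rewrites the two sshd_config options (replacing the commented-out defaults rather than appending duplicates), validates the result with sshd -t, and only then opens the port and enables ufw. Port 2233 and the file paths are the guide's own values; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: apply the SSH hardening above in one
# idempotent script and validate the config before restarting sshd, so a typo cannot
# lock you out of a headless box. Port 2233 and the paths are the guide's own values.
set -eu

# set_sshd_option FILE KEY VALUE
# Rewrite the first "KEY ..." line (commented-out defaults like "#Port 22" count),
# drop any later duplicates, or append the option if it is not there at all.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        $0 ~ ("^[#[:space:]]*" k "([[:space:]]|$)") {
            if (!done) { print k " " v; done = 1 }   # first hit: rewrite
            next                                      # later hits: discard
        }
        { print }
        END { if (!done) print k " " v }              # never seen: append
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"     # overwrite in place, keeping the file's owner and mode
    rm -f "$tmp"
}

# get_sshd_option FILE KEY: the value sshd will use (first uncommented match wins,
# keywords are case-insensitive)
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd FILE PORT: the two changes from the text. Debian's default
# PermitRootLogin prohibit-password already limits root to key-based login.
harden_sshd() {
    set_sshd_option "$1" Port "$2"
    set_sshd_option "$1" PasswordAuthentication no
}

# Real run (as root): sh harden-ssh.sh --apply
if [ "${1:-}" = "--apply" ]; then
    harden_sshd /etc/ssh/sshd_config 2233
    sshd -t                    # syntax check; set -e aborts before we touch anything else
    ufw allow 2233/tcp         # open the new port first...
    ufw --force enable         # ...then enable (default policy: deny incoming)
    systemctl restart ssh.service
fi
```

Re-running the script is harmless: an option that is already set is rewritten to the same value, and a second copy is never appended.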
Since we have two Ethernet cards, we may take advantage of the Linux bonding feature and join them as one. We will use the adaptive load balancing mode (balance-alb, mode 6), which load-balances transmitted traffic and, for IPv4, received traffic as well, and requires no configuration on the switch side.
First we need to install ifenslave:
# apt -y install ifenslave
Set up this in /etc/network/interfaces (the iface lines must name the same interfaces as the auto and bond-slaves lines; a leftover eth0/eth1 here would leave the slaves unconfigured):
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# enp2s0 is manually configured, and slave to the "bond0" bonded NIC
auto enp2s0
iface enp2s0 inet manual
    bond-master bond0

# enp3s0 is also manually configured, thus creating a 2-link bond.
auto enp3s0
iface enp3s0 inet manual
    bond-master bond0

# bond0 is the bonded NIC and can be used like any other normal NIC.
# bond0 is configured using static network information.
auto bond0
iface bond0 inet static
    address 192.168.1.10
    gateway 192.168.1.1
    netmask 255.255.255.0
    # bond0 uses adaptive load balancing
    bond-mode 6
    bond-miimon 100
    bond-slaves enp2s0 enp3s0
Running ifup bond0 should bring the bonded interface up, or you can just reboot. Do this from the console rather than over SSH: the address moves from the physical NIC to bond0 and an SSH session over that NIC will drop. Afterwards, /proc/net/bonding/bond0 shows the mode and the enslaved interfaces and their link state.
The server will be a headless system in a hard-to-reach location, so we need a way to unlock it after a power failure. The most convenient way is a Mandos server, but that convenience comes at a cost. A safer and simpler way is to run dropbear in the initramfs during boot. The weak point of this solution is that the server stays offline until the sysadmin logs in and unlocks it manually so it can boot.
First we install dropbear for initrd:
# apt -y install dropbear-initramfs
Then we set a custom SSH port for dropbear. This should be different from the custom sshd port we used earlier: dropbear in the initramfs has its own host key, and since your client keys known_hosts entries by host and port, a separate port avoids a host-key-changed warning on every boot. Change the dropbear port to 2244 in /etc/dropbear-initramfs/config (on newer Debian releases this directory is /etc/dropbear/initramfs/ instead):
DROPBEAR_OPTIONS="-p 2244"
Add the static IP to the initramfs-tools configuration (/etc/initramfs-tools/initramfs.conf). The fields are client IP, server IP (left empty), gateway, netmask, hostname, device and autoconf. The bond does not exist inside the initramfs, so name one of the physical NICs here rather than bond0:
IP=192.168.1.10::192.168.1.1:255.255.255.0:storage:enp3s0:off
Note that the initramfs leaves this address configured on enp3s0 when it hands over to the real system; if ifupdown then complains that the address already exists, clear it with a small script in /etc/initramfs-tools/scripts/init-bottom/.
Copy the authorized_keys file in /etc/dropbear-initramfs:
# cp /root/.ssh/authorized_keys /etc/dropbear-initramfs/
Regenerate the initrd file:
# update-initramfs -u
Now reboot and ssh to it to test it:
$ ssh -p 2244 root@192.168.1.10
If your public keys are in place you will land in a BusyBox shell. Run the cryptroot-unlock command, supply your LUKS passphrase, and the system will continue booting into the encrypted system.
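The dropbear steps above as one script, added here as an example that is not part of the original post. Beyond the steps in the text it restricts each copied key to the unlock command (dropbear honours the no-port-forwarding, no-agent-forwarding, no-X11-forwarding and command= options in its authorized_keys), so a key that exists only to unlock the disk cannot open a shell or a tunnel in the initramfs, and it lists the finished image to confirm dropbear, the keys and cryptroot-unlock are inside before you reboot a remote machine. Port 2244, the IP line and the paths are the guide's own; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: stage the dropbear-initramfs files and
# restrict the copied keys so that a key which only exists to unlock the disk cannot
# open a shell or a tunnel in the initramfs. Port 2244, the IP line and the paths are
# the guide's values; the option string is what dropbear(8) accepts in authorized_keys.
set -eu

# Forcing the command gives the key holder the passphrase prompt and nothing else.
UNLOCK_OPTS='no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock"'

# restrict_keys IN OUT: copy key lines from IN to OUT with UNLOCK_OPTS prepended;
# blank lines and comments are dropped, lines that already carry options are kept as is.
restrict_keys() {
    awk -v opts="$UNLOCK_OPTS" '
        /^[[:space:]]*(#|$)/     { next }
        /^(ssh-|ecdsa-|sk-)/     { print opts " " $0; next }
        { print }
    ' "$1" > "$2"
    chmod 600 "$2"
}

# unlock_key_count FILE: how many keys in FILE are locked down to cryptroot-unlock
unlock_key_count() {
    grep -c 'command="/bin/cryptroot-unlock"' "$1" || true
}

# Real run (as root): sh dropbear-initramfs.sh --apply
if [ "${1:-}" = "--apply" ]; then
    # Both files are sourced as shell snippets, so appending works and the last
    # assignment wins; re-running just adds a duplicate line.
    printf 'DROPBEAR_OPTIONS="-p 2244"\n' >> /etc/dropbear-initramfs/config
    # The bond does not exist in the initramfs, so one physical NIC is named here.
    printf 'IP=192.168.1.10::192.168.1.1:255.255.255.0:storage:enp3s0:off\n' \
        >> /etc/initramfs-tools/initramfs.conf
    restrict_keys /root/.ssh/authorized_keys /etc/dropbear-initramfs/authorized_keys
    update-initramfs -u
    # Confirm the pieces made it into the image before rebooting a remote box.
    lsinitramfs /initrd.img | grep -E 'dropbear|authorized_keys|cryptroot-unlock'
fi
```

Keep a second, unrestricted key for the main sshd only; the initramfs copy should never need anything beyond cryptroot-unlock.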
We will be using our main mailserver as a smarthost for mail to go through.
Install the postfix MTA and the mail utility:
# apt -y install postfix mailutils
Answer these questions:
Test it:
# echo 'Testing #1' | mail -s 'Test #1' user@example.com
If you get a mail in your mailbox then everything is set. If not, extra configuration may be needed on the smarthost. Contact the sysadmin of the smarthost, or check its logs if you have access to it.
Install smartmontools:
# apt -y install smartmontools
Enable S.M.A.R.T. monitoring, automatic offline testing, attribute autosave, and a scheduled short and long self-test on all 4 devices. The schedule field is T/MM/DD/d/HH: a short test (S) every day at 02:00 and a long test (L) every Saturday (d=6, Monday=1) at 03:00. Add these lines in /etc/smartd.conf:
/dev/sda -a -d sat -o on -S on -s (S/../.././02|L/../../6/03) -m user@example.com -M exec /usr/share/smartmontools/smartd-runner
/dev/sdb -a -d sat -o on -S on -s (S/../.././02|L/../../6/03) -m user@example.com -M exec /usr/share/smartmontools/smartd-runner
/dev/sdc -a -d sat -o on -S on -s (S/../.././02|L/../../6/03) -m user@example.com -M exec /usr/share/smartmontools/smartd-runner
/dev/sdd -a -d sat -o on -S on -s (S/../.././02|L/../../6/03) -m user@example.com -M exec /usr/share/smartmontools/smartd-runner
Restart smartmontools:
# systemctl restart smartmontools.service
We also need to set up monitoring for the software RAID. Add your email address to /etc/mdadm/mdadm.conf:
MAILADDR user@example.com
Restart the mdmonitor service:
# systemctl restart mdmonitor.service
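Two checks a practitioner wants after wiring up these alerts, added here as an example that is not part of the original post: that the alert path actually delivers (mdadm can send a test alert through the same MAILADDR mdmonitor uses, and smartctl -H gives the health verdict smartd would act on), and a small /proc/mdstat parser for a cron job or an incident shell that reports any array with a missing member. The device names and the md0/md1 layout are the guide's; the function names and the sample mdstat in the test are mine.

```shell
#!/bin/sh
# Added example, not from the original post: make sure the alerts configured above can
# actually reach you, and a small /proc/mdstat check for cron or an incident shell.
# Device names (sda..sdd) and the md0/md1 layout are the guide's own.
set -eu

# mdstat_degraded [FILE]: print "<array> <status>" for every array whose member map
# (the [UUUU] field) has a missing disk ("_"). FILE defaults to /proc/mdstat.
mdstat_degraded() {
    awk '
        /^md[0-9]+ : / { name = $1; next }          # "md1 : active raid10 sda3[0] ..."
        name != "" && /\[[U_]+\]/ {                 # "... [4/3] [UU_U]"
            match($0, /\[[U_]+\]/)
            status = substr($0, RSTART, RLENGTH)
            if (index(status, "_") > 0) print name, status
            name = ""
        }
    ' "${1:-/proc/mdstat}"
}

# raid_healthy [FILE]: exit 0 if no array is degraded, 1 otherwise
raid_healthy() {
    [ -z "$(mdstat_degraded "${1:-/proc/mdstat}")" ]
}

# Real run (as root): sh raid-check.sh --check
if [ "${1:-}" = "--check" ]; then
    # One test alert through mdadm's own path (same MAILADDR mdmonitor will use)
    mdadm --monitor --scan --oneshot --test
    # Health verdict per disk, using the same -d sat access method as smartd.conf
    for d in /dev/sda /dev/sdb /dev/sdc /dev/sdd; do smartctl -d sat -H "$d"; done
    # And the array state right now
    raid_healthy || { mdstat_degraded; exit 1; }
fi
```

raid_healthy is written to return an exit status rather than print, so it drops straight into a cron line or a monitoring probe.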
Kexec is a Linux kernel mechanism that loads a fresh kernel from the running system and jumps straight into it. The result is a "reboot" without actually rebooting the computer: the new kernel starts, the system appears rebooted, but the BIOS/UEFI initialization and POST are skipped, so reboots are faster.
Install kexec-tools:
# apt -y install kexec-tools
The ‘Should kexec-tools handle reboots (sysvinit only)?’ question applies only to sysvinit systems. Since we are using systemd, it has no effect in our case.
Now, if you want to reboot, instead of running reboot you can run systemctl kexec. Note that systemd refuses to kexec unless a kernel has first been loaded into memory with kexec's -l option, so stage the kernel first. systemctl kexec then reboots the system without going through BIOS/UEFI, POST etc., and your downtime is minimized. The LUKS unlock prompt (on the console or via dropbear) still appears on the way back up, exactly as after a normal reboot.
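The staging step as an added example, not part of the original post: load Debian's /vmlinuz and /initrd.img symlinks with the running kernel's command line, but only after checking that the two symlinks name the same kernel version, so a half-finished upgrade cannot kexec a new kernel with an old initramfs (which would leave you without the LUKS/dropbear pieces you just built). The symlink names and the vmlinuz-<version> naming are Debian's; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: stage the installed kernel for kexec and
# refuse if /vmlinuz and /initrd.img point at different versions. Assumes Debian's
# /vmlinuz -> boot/vmlinuz-<version> and /initrd.img -> boot/initrd.img-<version> links.
set -eu

# kernel_version_of LINK: "5.10.0-8-amd64" from a vmlinuz or initrd.img symlink
kernel_version_of() {
    target=$(readlink "$1")      # e.g. boot/vmlinuz-5.10.0-8-amd64
    target=${target##*/}         # strip the directory part
    printf '%s\n' "${target#*-}" # strip the "vmlinuz-" / "initrd.img-" prefix
}

# kexec_paths_consistent DIR: 0 if DIR/vmlinuz and DIR/initrd.img name the same version
kexec_paths_consistent() {
    [ "$(kernel_version_of "$1/vmlinuz")" = "$(kernel_version_of "$1/initrd.img")" ]
}

# kexec_stage [DIR]: load kernel and initrd with the current cmdline (--reuse-cmdline),
# so the root=/cryptdevice parameters from this boot carry over unchanged.
kexec_stage() {
    dir=${1:-}
    kexec_paths_consistent "$dir" || { echo "vmlinuz/initrd.img version mismatch" >&2; return 1; }
    kexec -l "$dir/vmlinuz" --initrd="$dir/initrd.img" --reuse-cmdline
}

# Real run (as root): sh kexec-reboot.sh --reboot
if [ "${1:-}" = "--reboot" ]; then
    kexec_stage && systemctl kexec
fi
```

If the consistency check fails, finish the kernel upgrade (or rerun update-initramfs -u) and try again; a plain reboot through the firmware is the safe fallback.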
And we are done! Store your server in a protected location, add a UPS for power backup and you are ready.