• BernardSpil
• HomeServer

Mainly intended for myself to document my config but this may be useful to others as well. Wherever possible this configuration uses LibreSSL as the OpenSSL library.

System overview

LAN: 192.2.0.0/24 Gateway: 192.2.0.254 Server: 192.2.0.1

The active home-server is always "meterkast" (utilities cabinet in Dutch).

Hardware

I try to run very efficient home-servers. Always using FreeBSD, since 5.4. Always the latest release. Since ca. 2016 running LibreBSD, my own spin on FreeBSD with LibreSSL replacing OpenSSL.

Meterkast 7.0

• GMKTec M5 Plus MiniPC
• Ryzen 7 5825U (Zen 3, 8C/16T, 2-4,5GHz)
• 2x 32GB DDR4-3200 SO-DIM
• Samsung SSD 970 EVO Plus 2TB
• Seagate USB-3 Barracuda 2.5 5400 4TB
• Free NVME 2280 and 2240 slots
• 2x RTL8125 2.5GbE Controller (realtek-re-kmod crashes system)
• 1x ASIX AX88179 Gigabit USB 3.0 Ethernet

Storage was simply migrated over from meterkast6. Silent, performant, extension capable. Likely the second m2 2280 slot will become a 5x SATA port.

Historical hardware

Mostly these are ex-employer old systems that reached end-of-life and could be taken over for below 100EUR.

Meterkast 6.0

• Old Asus laptop
• AMD Ryzen 5 4600U (Zen 2, 6C/6T, 2.1-4GHz)
• 2x 16GB DDR4-3200 SO-DIM
• Samsung SSD 970 EVO Plus 2TB
• Seagate USB-3 Barracuda 2.5 5400 4TB
• Realtek 8168 Gigabit Ethernet

Repurposed as daily driver with Windows 11 reusing the original 256GB NVME SSD.

Meterkast 5.0

• HP 8570w 15.6" Portable Workstation
• Intel Core i7-3720QM
• 4x DDR?
• Samsung mSATA 512GB SSD
• Seagate 1.75TB 7200rpm 2.5" (zroot)
• Seagate 2.0TB 5400rpm 2.5" in CD bay. (zbay)
• Intel 82579LM Gigabit

Repurposed as lab environment.

Meterkast 4.0

• Old HP laptop
• Pentium Core i5 520M 2.4GHz
• 4GB DDR3 SO-DIMM (8GB upgrade ordered)
• Storage (ZFS)

  1. zroot: 120GB SSD Transcend JetDrive 420 (internal 2.5" SATA slot)

  2. zbay: 1TB HGST Travelstar 7K1000 2.5" HDD (Drivebay caddy)
  3. zesata: 500GB Seagate Momentus 5400.6 2.5" HDD (eSATA-p external)

Meterkast 3.0

• Medion ??? 15.6" laptop
• Intel Celeron?
• 2GB DDR2?
• 1TB HGST Travelstar?

Meterkast 2.0

• Dell D400 12.1" laptop
• Pentium-M 1.4GHz
• 1GB PC2100 SO-DIMM
• LAN Broadcom BCM5705
• LAN Cardbus 3com 3c575B
• WLAN Atheros AR5416 hostap
• Seagate Momentus 5400.3 160GB

Meterkast 1.0

• Dell LS (L400?) 13"
• Pentium III 500MHz(?)
• 2.5" HDD
• LAN Intel GBE
• LAN Cardbus 3com 3c575B
• WLAN?

Intended use

Links will go to more detailed wiki articles

1. DHCP/DNS server

2. File-server
3. Backup target for Desktop and laptops
4. Cloud storage server
5. Web-server
   • Personal website
   • Family website
   • Freelance website

6. Mail-server (AKA OpenSMTPd) (incl spam classification and virus scanning)

Software

1. dnsmasq for DHCP and dynamic DNS

2. Unbound as validating, caching and recursive DNS resolver

3. OpenLDAP as user and authentication backend

4. Samba 4.2 as file-server and for backup-target

5. rsync for backups

6. OpenVPN for secure internet access for my mobile devices

7. Apache 2.4 as web-server

   1. ownCloud as cloud storage/calendar/contacts server

   2. PHP 5.6, etc. as required

   3. MariaDB for apps requiring database backend

8. OpenSMTPd as mail server

   1. Dovecot as LDA and IMAP server

   2. AMaVisD as networked scanner daemon

   3. ClamAV as virus scanner

   4. SpamAssassin as rule-based spam classifier

   5. dspam as Bayesian spam classifier

9. System management

   • Poudriere for keeping ports up-to-date

   • ezjail to manage the jails

   • smartmontools to monitor disks

Jails

Anything that can be connected from the internet is jailed. Mail scanner was separated provide additional isolation.

• db: Home of MariaDB server
• http: Home of Apache and the web applications and content
• mail: Home of MTA and IMAP-server
• scan: Home of Amavisd, clamav, spamassassin, dspam
• tor: Home of my TOR router

Every jail is firewalled using ipfw.

1. tor gets access to the internet only (not LAN) and is denied anything else
2. Allow all jails to access DNS
3. jails get specific access, anything else is denied