
Re: Server hardware advice.



On 8/6/19 10:29 PM, Steven Mainor wrote:
Hi all,

I'm looking for advice on how to build a home server with a primary focus on
security.

Have you considered OpenBSD?  Security is their top priority.


I plan to run nextcloud and a mail server that will serve 3 to 5
people at most.

Have you considered a mail hosting provider? The Internet is a war zone and mail servers are prime targets. Are you prepared to fight that battle 24x7? Do you want your home IP that visible? Will your mail users tolerate down-time? I provide e-mail addresses for myself and for family members; I pay professionals to host my mail service.


Hosting Nextcloud locally allows you to get at your data at LAN speeds, but:

1.  Do you have a good firewall/router, and know how to use it?

2.  Will Nextcloud run in a DMZ?

3.  Does Nextcloud require a public IP -- e.g. DNS or dynamic DNS?


My requirements are:

A server setup that can be run with completely open source software and
doesn't require any binaries to boot. I don't trust anything closed source for
this particular project.

I prefer Intel brand motherboards, and Dell products with Intel chips, because the hardware quality is good, support documents are available for many years, and Intel supports FOSS with reference source code. So, a given FOSS OS distribution has the best chance of working OOTB on such hardware without needing binary firmware. That said, the Intel WiFi board I installed in this Dell laptop does require binary firmware.


A gigabit ethernet port.

More than one can be very useful.


A USB3.0 port or SATA connector to attach storage to.

Internal headers, internal ports, or external ports?


SATA DOM?


M.2, etc.?


I have had issues with FOSS and USB 3.0 ports. USB 2.0 is slower, but more reliable.


I have found internal to be more reliable than external.


Get at least four internal SATA 6 Gbps ports -- boot disk, optical disk, two data disks (mirrored). I prefer six.


Enough processor power and ram to run nextcloud and the mail server from an
encrypted hard drive (LUKS) efficiently with moderate throughput saving and
reading files from nextcloud.

Get a processor with AES-NI support.


Get a motherboard that uses ECC RAM and get ECC RAM. Research your OS, file system(s), services, etc., for the amount of RAM needed, and pad according to budget and market price points. I would not get less than 2 @ 4 GB ECC.


I would just build something x86 based but the amd/intel Platform Security
Processor/IME stuff makes me nervous.

Do not connect an Ethernet port with a management chip directly to the Internet and/or disable the management chip in the CMOS setup. If the box has more than one Ethernet port and you want the management features, connect the Ethernet port with the management chip to an air-walled administration LAN.


So far I have been looking at single board computers like the ones listed
here: https://wiki.debian.org/CheapServerBoxHardware#OSHW

I like the OLinuXino A20 LIME2 but I am not sure the processor will be enough
to handle the overhead from an encrypted hard drive. I also don't like that it
is only 32-bit since that will limit the file size nextcloud can handle as I
understand it.

Is there anything similar to the OLinuXino A20 LIME2 but more powerful or is
there a better option I haven't read about yet?

On 8/6/19 11:08 PM, Steven Mainor wrote:
I would like to keep the budget under $500, not including the hard drive(s); I already have drives. Less is better.

On 8/7/19 9:42 AM, Steven Mainor wrote:
For my needs, I doubt anything more than a modern single board computer is necessary. At least as far as compute power is concerned.


I have many doubts about SBC's and SFF computers -- fewer memory, expansion, and I/O slots and ports; fewer choices for processors, memory modules, cases, power supplies, expansion cards, etc.; fewer drive bays; heat issues; long-term vendor support; and the total system cost is always higher than an equivalent tower desktop or server.


I built my computers from good quality, standards-compliant, COTS desktop parts for 20+ years. This allowed me to mix-and-match as required when parts died or became obsolete. I still have two 64-bit desktop machines in use, and two 32-bit machines packed in their original boxes in the garage.


Then Intel stopped making desktop boards and I wanted ZFS. ZFS wants ECC memory. It was time to migrate to server hardware.


I needed to upgrade or replace my SOHO server late last year. My old SOHO server was based on an Antec full tower ATX case and had an Intel D945GNT motherboard, Pentium D processor, and 2 @ 1 GB RAM. One memory slot was bad, preventing installation of 4 @ 1 GB RAM, and dm-crypt without AES-NI cut disk performance in half or more. I replaced the motherboard, CPU, and memory with used server parts:

https://www.ebay.com/itm/Intel-S1200V3RP-Server-Board-Xeon-E3-1225v3-SR1KX-3-20GHz-8GB-Ram-I-O-Shield/123431007451?epid=1941949226&hash=item1cbd0fb4db:g:UuIAAOSwNJlb~bQi:rk:10:pf:0&LH_BIN=1


It works and the performance is amazing, but the case is bulky, the total system requires a fair amount of power, the fans are noisier than I like, and the internal 3.5" drive bays lack vibration isolation (so the HDD heads clatter). Furthermore, I was using old HDD's and several died in as many months. I needed something more modern and reliable.


I thought about putting a new Intel single processor server motherboard, Xeon processor, and ECC memory into my Antec Sonata III 500 case, but the cost was prohibitive ($600+).


I ended up buying a gently used Dell PowerEdge T30 for US$375. It came with a Xeon E3-1225v5, 1 @ 8 GB ECC, 1 TB SATA HDD, and CD/DVD+-RW. I removed the HDD and added a PC expansion slot 2.5" drive rack, 16 GB SATA SSD, 8 GB ECC, and two 3 TB enterprise SATA HDD's. Total price was less than US$700. It runs FreeBSD 11.2, GELI, ZFS, jails, Samba, and CVS. It is energy efficient, quiet, and very fast. The only downside is that the internal 3.5" drive bays lack vibration isolation. (I need to add sheet rubber to damp the vibrations.) This was the best value proposition I could find. I hope to run it 24x7 for many years.


David
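
Added example (not part of the message above or of the thread): a way to check a candidate board for the hardware AES support the reply recommends for LUKS/dm-crypt, by reading `/proc/cpuinfo`-style text. It goes beyond the x86 AES-NI case in the reply by also reading the ARM `Features` line; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# has_hw_aes: read /proc/cpuinfo-style text on stdin and succeed only if
# the CPU advertises AES instructions. x86 kernels list capabilities on
# "flags" lines, ARM kernels on "Features" lines; the token is "aes".
has_hw_aes() {
    awk -F: '
        $1 ~ /^(flags|Features)[ \t]*$/ {
            n = split($2, f, " ")
            # Exact token match, so "vaes" or "aesni-like" names do not count.
            for (i = 1; i <= n; i++) if (f[i] == "aes") found = 1
        }
        END { exit !found }
    '
}

# aes_report: one-line verdict for the cpuinfo text on stdin.
aes_report() {
    if has_hw_aes; then
        echo "hardware AES: yes"
    else
        echo "hardware AES: no (dm-crypt/LUKS AES runs in software)"
    fi
}

# Constructed samples (abbreviated, not captured from real machines).
sample_x86() {
    printf 'processor\t: 0\nflags\t\t: fpu vme de pse tsc msr pae sse2 ssse3 aes xsave avx\n'
}
sample_armv7() {
    printf 'processor\t: 0\nFeatures\t: half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt\n'
}
sample_armv8() {
    printf 'processor\t: 0\nFeatures\t: fp asimd evtstrm aes pmull sha1 sha2 crc32\n'
}

printf 'x86 sample:   %s\n' "$(sample_x86 | aes_report)"
printf 'ARMv7 sample: %s\n' "$(sample_armv7 | aes_report)"
printf 'ARMv8 sample: %s\n' "$(sample_armv8 | aes_report)"

# On a Linux host, also report the machine the script runs on.
if [ -r /proc/cpuinfo ]; then
    printf 'this host:    %s\n' "$(aes_report < /proc/cpuinfo)"
fi
```

On the candidate machine itself, `cryptsetup benchmark` measures the cipher throughput the CPU actually delivers.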

