This post serves as an informal playbook to deploy a new machine in my homelab.
1. OS
- Download a Debian live install image (as I remember the traditional installer being a pain last time) on another machine
- Create a live disk (e.g. using Ubuntu’s Startup Disk Creator)
- Insert the live disk into the new machine and follow the installation prompts
2. System Services
2.1. CUPS
- Remove CUPS (as I sure as hell don’t want or need to connect this machine to a printer)
sudo systemctl stop cups
sudo systemctl disable cups
sudo apt remove --purge -y cups
sudo apt -y autoremove
2.2. SSH Server
- Install an SSH server (to access the machine remotely)
sudo apt install -y openssh-server
2.3. Firewall
- Install UFW (the Uncomplicated Firewall)
sudo apt install -y ufw
2.4. Fail2Ban
- Install Fail2Ban (to rate-limit access attempts via SSH)
sudo apt install -y fail2ban
2.5. Cockpit
sudo apt install -y cockpit cockpit-storaged cockpit-networkmanager cockpit-podman
2.6. Podman Compose
- Install Podman Compose
sudo apt install -y podman-compose
3. System Configurations
3.1. Static IP Address
- Disable IPv6
- Disable DHCP
- Set a static IP and gateway
# The address is set before switching to "manual": NetworkManager rejects
# ipv4.method "manual" on a connection that has no address configured.
nmcli con mod <connection-name> ipv6.method "disabled" # disable IPv6
nmcli con mod <connection-name> ipv4.addresses <static-ip-address> # set static IP (include the prefix length)
nmcli con mod <connection-name> ipv4.gateway <gateway-ip-address> # set gateway IP
nmcli con mod <connection-name> ipv4.method "manual" # disable DHCP
nmcli con up <connection-name> # restart connection with new changes
3.2. Firewall
- Deny incoming
- Allow outgoing
- Allow SSH
- Allow Cockpit’s web interface (running on port 9090)
- Enable the firewall
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow 9090
sudo ufw enable
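To confirm the firewall ended up in the state section 3.2 intends, the following added example (not part of the original playbook) audits the text printed by `ufw status verbose`. The function names `audit_ufw` and `sample_status` are made up for this example, and the sample status output is constructed.

```shell
#!/bin/sh
# Added example: audit `ufw status verbose` output against this playbook's policy
# (active, deny incoming, allow outgoing, inbound only SSH 22/tcp and Cockpit 9090).

audit_ufw() {
    # Reads `ufw status verbose` text on stdin, prints one finding per line,
    # and returns 0 when the policy matches, 1 otherwise.
    awk '
        /^Status:/  { active = ($2 == "active") }
        /^Default:/ { in_ok  = ($0 ~ /deny \(incoming\)/)
                      out_ok = ($0 ~ /allow \(outgoing\)/) }
        /^--/       { rules = 1; next }          # rule table starts after this line
        rules && /ALLOW IN/ {                    # only inbound allows widen exposure
            if ($1 == "22/tcp") ssh = 1
            else if ($1 == "9090" || $1 == "9090/tcp") cockpit = 1
            else { print "unexpected inbound rule: " $1; bad = 1 }
        }
        END {
            if (!active)  { print "firewall is not active"; bad = 1 }
            if (!in_ok)   { print "default incoming policy is not deny"; bad = 1 }
            if (!out_ok)  { print "default outgoing policy is not allow"; bad = 1 }
            if (!ssh)     { print "no allow rule for SSH (22/tcp)"; bad = 1 }
            if (!cockpit) { print "no allow rule for Cockpit (9090)"; bad = 1 }
            exit bad + 0
        }'
}

sample_status() {
    # Constructed sample of what `sudo ufw status verbose` prints after section 3.2.
    cat <<'EOF'
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
9090                       ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
9090 (v6)                  ALLOW IN    Anywhere (v6)
EOF
}

# Demo on the constructed sample; on the real machine use:
#   sudo ufw status verbose | audit_ufw
sample_status | audit_ufw && echo "ufw policy matches the playbook"
```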