At home in my local network I run a small Raspberry Pi as a server for ad-blocking with Pi-hole and (hopefully in near future) with an internal family photo gallery based on HomeGallery.
Today I want to walk you through my way of setting up a new Raspberry Pi as a home server. Note that this is only one of many, many ways to setup a server. I choose this one because I find it easy and the result "good enough" to get started.
This blog post is for you if you are either new to a Raspberry Pi or of you want to copy some commands to save some time.
- Operating System installation
- Switch from Desktop to SSH
- Disable Wifi and Bluetooth
- Assign a static IP address
- Enable public key login
- Disable root and password login
- Delete stored WiFi password
- Enable unattended upgrades
- Reclaim SD card space
- Stop unneeded services
- Install Log2Ram
Operating System installation
For the initial setup you can use the Raspberry Pi Imager to install the Raspberry Pi OS on your SD card. I find the initial setup more convenient with the desktop UI. As soon as the connection via SSH works, we will disable the UI and (maybe) uninstall some of the larger packages.
After the first time boot just finish the OS configuration in the wizard. You may even configure Wifi to have less cables on your desk. We can disable it again later.
Switch from Desktop to SSH
After the initial OS setup we can start scaling down. For a server we need SSH instead of the Desktop. Open the Raspberry Pi Configuration in the start menu and adjust it as follow (do not reboot right now):
- on tab System
- set you password
- … and your hostname, eg. raspberry.lan
- boot to CLI
- no auto-login
- no waiting for network
- on tab Interfaces
Save the settings but do not reboot now as we want to change some other settings as well.
Disable Wifi and Bluetooth
Usually my Raspberry Pi Home Server resides near my router and I prefer a cable connection over Wifi. I usually switch off Wifi and Bluetooth — mostly to reduce energy consumption but also as a protection against unauthorized access.
To permanently disable Wifi and Bluetooth you can edit the boot configuration at /boot/config.txt and insert the following lines. Changes apply after the next reboot.
# Disable Bluetooth
dtoverlay=disable-bt
# Disable WiFi
dtoverlay=disable-wifi
Assign a static IP address
The Raspberry uses the DHCP of your router per default. This is usually fine. In my case I want my home server to have a static IP which never changes. Note that your DHCP must not assign this IP to another device.
I added the following lines to /etc/dhcpcd.conf. You can read this article for more details.
interface eth0
# /24 means the subnet mask is 255.255.255.0
static ip_address=192.168.12.34/24
static routers=192.168.12.1
# those are Google DNS
static domain_name_servers=8.8.8.8 8.8.4.4
Now is a good time to reboot and connect the Raspberry Pi via cable. You should be able to login with password via SSH.
Enable public key login
On our servers we always disable password authentication. It is more safe and more convenient to login via a public key. If you want to login via password, just skip the SSH configuration.
Before disabling password login and locking ourselves out we must enable login via public key. Copy your public key into ~/.ssh/authorized_keys as follows.
# login on the raspberry pi
ssh pi@192.168.12.34
# be sure to be in the home directory
cd
# create the SSH config folder
mkdir .ssh
chmod 755 .ssh
# create the authorized_keys file
touch .ssh/authorized_keys
chmod 600 .ssh/authorized_keys
# now copy-paste you public key into this file
nano .ssh/authorized_keys
# (in another shell) test public key login
ssh pi@192.168.12.34
Disable root and password login
Now let’s disable SSH login as root user or via password. You have to adjust the /etc/ssh/sshd_config such that it contains the following two lines. There are probably some lines you can comment in and adjust.
PermitRootLogin no
PasswordAuthentication no
Now make the SSHd to reload and read the new settings. Do not close the current session before you logged in via another terminal. Otherwise you can still lock yourself out.
sudo service sshd reload
# (in another shell) test before logging out
# should work only with public key
# … and should not ask for pi's password
ssh pi@192.168.12.34
# should not work at all
ssh root@192.168.12.34
Delete stored WiFi password
Remember the WiFi password we entered during the initial setup? It is still stored on the Raspberry. You can delete it as follows.
# delete the stored wireless network
sudo nano /etc/wpa_supplicant/wpa_supplicant.conf
Enable unattended upgrades
It is just a small home server but I want to install security updates nonetheless. I would probably forget about it, so I enable auto-updates.
In theory it might cause problems which require manual attention though it rarely does. I rather have a server down before not installing security related updates. In the first case I have a problem and I know it; in the latter I have a problem and don't know about it. Feel free to have your own opinion though.
You can enable auto-update as follows:
sudo su
# install unattended-upgrades
apt update
apt install -y unattended-upgrades
# enable auto cleanup (optional)
cat > /etc/apt/apt.conf.d/20auto-upgrades <<EOF
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
EOF
# start unattended-upgrades
service unattended-upgrades start
Reclaim SD card space
The Raspberry Pi OS comes with a bunch of installed packages which I find great to get started. However if you want to free some disk space you can quickly find the largest packages and identify some to uninstall.
sudo su
# list installed packages ordered by size
dpkg-query \
-Wf '${db:Status-Status} ${Installed-Size}\t${Package}\n' | \
sed -ne 's/^installed //p' | \
sort -n
# uninstall large unneeded packages
apt remove what-you-do-not-need
# remove dependencies as well
apt autoremove
I decided to keep the installed packages.
Stop unneeded services
There might be some unneeded services running as well. I do this for the same reason I disabled WiFi and Bluetooth. However the reduction in energy consumption in this case is probably much, much less.
You can inspect all running services including their description with the following command.
sudo su
# list running services including description
service --status-all | \
grep '+' | \
cut -d ' ' -f 6 | \
xargs -Iservice bash -c \
'echo service; \
echo $(cat /etc/init.d/service | grep -i description); \
echo '
Note that some services need to be uninstalled. Otherwise they re-activate after reboot. Just try it out.
You know best what you need or want to keep around. I disabled the following services:
sudo su
apt remove cups
apt autoremove
# Short-Description: CUPS Printing spooler and server
# Description: Manage the CUPS Printing spooler and server;
# Short-Description: cups-browsed - Make remote CUPS printers available locally
# Description: This daemon browses Bonjour broadcasts of shared remote CUPS
systemctl disable triggerhappy
systemctl stop triggerhappy
# Short-Description: triggerhappy hotkey daemon
# Description: triggerhappy hotkey daemon
Install Log2Ram
After reading over the blog post, my Sandstorm college Theo hinted me to another nice little package: Log2Ram. It reduces write access to the SD card by collecting system logs in main memory for a day (per default) before writing them to the SD card.
I have no experience whatsoever with this service, but want to give it a try. So can you if you want to. You can install and configure it with the following commands. Please consult the docs for details.
sudo su
# add package repository
echo "deb http://packages.azlux.fr/debian/ bullseye main" | \
sudo tee /etc/apt/sources.list.d/azlux.list
wget -qO - https://azlux.fr/repo.gpg.key | \
sudo apt-key add -
# install log2ram
apt update
apt install log2ram
# adjust the settings (optional)
nano /etc/log2ram.conf
# reboot
reboot
After rebooting I checked for Log2Ram and it failed to start. My logs at /var/log were too large (already? how?). Without further investigation I deleted some larger log files and restarted Log2Ram. Looks fine now.
sudo su
# check log2ram
systemctl status log2ram
# clean up some logs
cd /var/log
du -hd1
# now remove what can be removed
# restart log2ram and check again
systemctl restart log2ram
systemctl status log2ram
Thanks for reading
This concludes my preparation of the Raspberry Pi home server. Now I can start installing Pi-hole and HomeGallery. This is worth another blog post in the future.
If you have any question or suggestion please get in touch!