Server preparation

Hardware & resources

The server (host) machine can be:

  • a physical computer (dedicated server, repurposed desktop/laptop, small form factor board…)

  • a virtual machine (VM)

  • a VPS from a hosting provider

Virtualization software (hypervisors) includes libvirt/virt-manager, Proxmox VE, VirtualBox, …

Resource usage will vary depending on installed components (read each role’s documentation), the number of concurrent users, and how much user data you need to store. Example minimal configuration for a personal/small team server with 2-10 users:

Computer with x86/64 compatible CPU
1024-2048+ MB RAM
10+ GB storage for system and application files
1-∞ GB storage for user data

If hosting on a physical server, prefer low power consumption hardware. Set up the BIOS to reboot after a power loss. If availability is important, set up hardware-level redundancy/failover mechanisms such as RAID, multiple network links, a UPS, and/or multiple power supplies.

Network

  • The server must have a valid IPv4 address and gateway set during operating system installation.

  • The server must have a valid DNS resolver set during installation. You can either use:

    • Your hosting/Internet service provider’s DNS resolvers

    • Public DNS resolvers such as Google Public DNS (8.8.8.8 8.8.4.4), Cloudflare public DNS (1.1.1.1 1.0.0.1)

    • Your private DNS resolver

  • The server must have Internet access during deployment and upgrades.

  • Prefer fast and reliable network links.

NAT/port forwarding

If the network interface is in a private network behind a router, set up port forwarding (NAT) on the router if you need to access your services from other networks/the Internet. Depending on which services are installed on the server, forward the following ports to your server’s private IP address:

SSH server:                      TCP 22
Netdata monitoring system:       TCP 19999
Web server:                      TCP 80/443
BitTorrent incoming connections: TCP/UDP 52943
Mumble VoIP server:              TCP/UDP 64738
Graylog TCP input:               TCP 5140
Dovecot IMAP server:             TCP 993
WireGuard VPN server:            UDP 51820
Jitsi videoconferencing server:  UDP 10000
Owncast RTMP stream ingestion:   TCP 1935

Domain names

The controller must be able to resolve the server’s name from the inventory, using either:

Prefer using Fully Qualified Domain Names. Accessing the host directly by IP address is discouraged; use DNS records instead.

If you need to obtain Let’s Encrypt SSL/TLS (HTTPS) certificates, public DNS records are required; private DNS records will not work (you may still use self-signed certificates).

Separate domain/subdomain names are required to allow clients to access web applications. For example, assuming all roles are deployed, you would need to create the following DNS records:

***.CHANGEME.org # host name in the inventory/playbook
www.CHANGEME.org # homepage
cloud.CHANGEME.org # nextcloud
git.CHANGEME.org # gitea
links.CHANGEME.org # shaarli
rss.CHANGEME.org # tt-rss
torrent.CHANGEME.org # transmission
mumble.CHANGEME.org # mumble server
ldap.CHANGEME.org # openldap (LDAP account manager)
ssp.CHANGEME.org # openldap (self-service password)
chat.CHANGEME.org # matrix (element web client)
matrix.CHANGEME.org # matrix (synapse server)
media.CHANGEME.org # jellyfin
logs.CHANGEME.org # graylog
tty.CHANGEME.org # gotty
imap.CHANGEME.org # mail_dovecot
goaccess.CHANGEME.org # goaccess
livestream.CHANGEME.org # owncast

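The port-forwarding table and the DNS record list above are both derived from which services you deploy. The following added example (not part of the xsrv project) computes, for a chosen set of services, the router forwards and the FQDNs that must exist, and checks a constructed BIND-style zone snippet for records still missing; the service keys, the zone format and the `my` host name are assumptions made for this illustration.

```python
import re

DOMAIN = "CHANGEME.org"  # placeholder domain, as in the record list above

# Service -> subdomains that need a DNS record (from the list above). Keys are
# shorthand for the services the docs name, not actual xsrv role names.
SUBDOMAINS = {
    "homepage": ["www"], "nextcloud": ["cloud"], "gitea": ["git"], "shaarli": ["links"],
    "tt-rss": ["rss"], "transmission": ["torrent"], "mumble": ["mumble"],
    "openldap": ["ldap", "ssp"], "matrix": ["chat", "matrix"], "jellyfin": ["media"],
    "graylog": ["logs"], "gotty": ["tty"], "mail_dovecot": ["imap"],
    "goaccess": ["goaccess"], "owncast": ["livestream"],
}
# Service -> (protocol, port) pairs to forward on the router (from the table above)
FORWARDS = {
    "ssh": [("tcp", 22)], "netdata": [("tcp", 19999)], "web": [("tcp", 80), ("tcp", 443)],
    "transmission": [("tcp", 52943), ("udp", 52943)], "graylog": [("tcp", 5140)],
    "mumble": [("tcp", 64738), ("udp", 64738)], "mail_dovecot": [("tcp", 993)],
    "wireguard": [("udp", 51820)], "jitsi": [("udp", 10000)], "owncast": [("tcp", 1935)],
}
# Matches "name [ttl] IN A|AAAA|CNAME target" lines of a BIND-style zone file
RECORD_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(?:A|AAAA|CNAME)\s+\S+", re.I)

def required_records(services, host):
    """FQDNs that must resolve: the inventory host name plus each service's names."""
    names = {host} | {n for svc in services for n in SUBDOMAINS.get(svc, [])}
    return sorted(f"{n}.{DOMAIN}" for n in names)

def required_forwards(services):
    """Deduplicated, sorted (protocol, port) pairs the router must forward."""
    return sorted({pp for svc in services for pp in FORWARDS.get(svc, [])})

def zone_names(zone_text):
    """FQDNs that have an A/AAAA/CNAME record in the zone snippet."""
    found = (RECORD_RE.match(line.strip()) for line in zone_text.splitlines())
    names = [m.group(1) for m in found if m]
    # relative names are qualified with DOMAIN; absolute ones end in "."
    return {n[:-1] if n.endswith(".") else f"{n}.{DOMAIN}" for n in names}

def missing_records(zone_text, services, host):
    """Required FQDNs with no record yet, i.e. what still has to be created."""
    return [n for n in required_records(services, host) if n not in zone_names(zone_text)]

# Constructed zone snippet: host "my" running ssh, web, homepage, nextcloud and gitea
SAMPLE_ZONE = """$ORIGIN CHANGEME.org.
my     IN A     203.0.113.10
www    IN A     203.0.113.10
cloud  IN CNAME my.CHANGEME.org.
"""
SAMPLE_SERVICES = ["ssh", "web", "homepage", "nextcloud", "gitea"]
```

Running `missing_records(SAMPLE_ZONE, SAMPLE_SERVICES, "my")` reports that `git.CHANGEME.org` is still absent, and `required_forwards(SAMPLE_SERVICES)` yields only TCP 22, 80 and 443.
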
External SMTP server

For your applications/services/monitoring tools to be able to send e-mail (notifications, confirmations, reports…), a valid account on an external e-mail (SMTP) server must be configured (see msmtp_* and *mailer* configuration variables). By default all outgoing e-mail functionality is disabled and you will not receive any e-mail from your servers.

You can use your own SMTP server or a commercial e-mail service such as Mailjet (requires public DNS A and TXT records for the host), a Gmail account (requires enabling 2FA and less-secure app access), or another [1] [2] [3] e-mail account.

Base Operating System

xsrv roles are designed to run against minimal Debian Stable systems: Install Debian on the host.
You should now prepare the controller.