Server preparation

Hardware & resources

The server (host) machine can be:

  • a physical computer (dedicated server, repurposed desktop/laptop, small form factor board…)

  • a virtual machine (VM)

  • a VPS from a hosting provider

Virtualization software (hypervisors) includes libvirt/virt-manager, Proxmox VE, VirtualBox, …

Resource usage will vary depending on installed components (read each role’s documentation), the number of concurrent users, and how much user data you need to store. Example minimal configuration for a personal/small team server with 2-10 users:

Computer with x86/64 compatible CPU
1024-2048+ MB RAM
10+ GB storage for system and applications files
1-∞ GB storage for user data

If hosting on a physical server, prefer low power consumption hardware. Set up the BIOS to reboot after a power loss. If availability is important, set up hardware-level redundancy/failover mechanisms such as RAID, multiple network links, a UPS, and/or multiple power supplies.


  • The server must have a valid IPv4 address and gateway set during operating system installation.

  • The server must have a valid DNS resolver set during installation. You can either use:

    • Your hosting/Internet service provider’s DNS resolvers

    • Public DNS resolvers such as Google Public DNS or Cloudflare public DNS

    • Your private DNS resolver

  • The server must have Internet access during deployment and upgrades.

  • Prefer fast and reliable network links.

NAT/port forwarding

If the network interface is in a private network behind a router, set up port forwarding (NAT) on the router if you need to access your services from other networks or from the Internet. Forward only the ports of services that are actually installed on the server to the server's private IP address:

SSH server:                      TCP 22
Netdata monitoring system:       TCP 19999
Web server:                      TCP 80/443
BitTorrent incoming connections: TCP/UDP 52943
Mumble VoIP server:              TCP/UDP 64738
Graylog TCP input:               TCP 5140
Dovecot IMAP server:             TCP 993
Wireguard VPN server:            UDP 51820
Jitsi videoconferencing server:  UDP 10000
Owncast RTMP stream ingestion:   TCP 1935
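
One way to check the forwarding rules once they are in place is to probe the TCP ports from the table from a machine outside your network and compare the result with the services you meant to expose. This is an added example, not part of xsrv; the service labels, function names and command-line usage are assumptions made for the illustration.

```python
import socket
import sys

# TCP ports from the table above, under hypothetical service labels.
# UDP-only entries (Wireguard 51820, Jitsi 10000) are left out: a bare
# probe cannot tell an open UDP port from a filtered one.
TCP_PORTS = {
    "ssh": 22, "web-http": 80, "web-https": 443, "dovecot-imap": 993,
    "owncast-rtmp": 1935, "graylog-input": 5140, "netdata": 19999,
    "bittorrent": 52943, "mumble": 64738,
}

def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out (filtered), unreachable, DNS failure
        return False

def audit(host, expected, probe=tcp_open):
    """Sort every TCP port of the table into one of three findings."""
    unknown = set(expected) - set(TCP_PORTS)
    if unknown:
        raise ValueError(f"unknown service label(s): {sorted(unknown)}")
    report = {"ok": [], "unexpected_open": [], "expected_but_closed": []}
    for service, port in TCP_PORTS.items():
        reachable = probe(host, port)
        if reachable and service in expected:
            report["ok"].append(port)
        elif reachable:
            report["unexpected_open"].append(port)   # forwarded but not intended
        elif service in expected:
            report["expected_but_closed"].append(port)  # rule missing or service down
    return report

if __name__ == "__main__":
    # Usage: python3 audit_forwards.py PUBLIC_ADDRESS ssh web-https ...
    if len(sys.argv) < 2:
        sys.exit("usage: audit_forwards.py PUBLIC_ADDRESS [service ...]")
    result = audit(sys.argv[1], set(sys.argv[2:]))
    for finding, ports in result.items():
        print(f"{finding}: {ports}")
    sys.exit(1 if result["unexpected_open"] else 0)
```

Run it from outside the private network against your own public address; a non-zero exit status means a port from the table is reachable although its service was not listed as expected.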

Domain names

The controller must be able to resolve the server’s name from the inventory, using either:

Prefer using Fully Qualified Domain Names. Accessing the host directly by IP address is discouraged; use DNS records instead.

Public DNS records are required to obtain Let’s Encrypt SSL/TLS (HTTPS) certificates - private DNS records will not work (you may still use self-signed certificates).

Separate domain/subdomain names are required to allow clients to access web applications. For example, assuming all roles are deployed, you would need to create the following DNS records:

***  # host name in the inventory/playbook
# homepage
# nextcloud
# gitea
# shaarli
# tt-rss
# transmission
# mumble server
# openldap (LDAP account manager)
# openldap (self-service password)
# matrix (element web client)
# matrix (synapse server)
# jellyfin
# graylog
# gotty
# mail_dovecot
# goaccess
# owncast

External SMTP server

For your applications/services/monitoring tools to be able to send e-mail (notifications, confirmations, reports…), a valid account on an external e-mail (SMTP) server must be configured (see msmtp_* and *mailer* configuration variables). By default all outgoing e-mail functionality is disabled and you will not receive any e-mail from your servers.

You can use your own SMTP server or a commercial e-mail service such as Mailjet (requires public DNS A and TXT records for the host), a Gmail account (requires enabling 2FA and less-secure app access), or another [1] [2] [3] e-mail account.

Base Operating System

xsrv roles are designed to run against minimal Debian Stable systems: Install Debian on the host.

You should now prepare the controller.