diff --git a/_posts/homelab/2025-12-31-homelab.md b/_posts/homelab/2025-12-31-homelab.md index e1387fb..0d86675 100644 --- a/_posts/homelab/2025-12-31-homelab.md +++ b/_posts/homelab/2025-12-31-homelab.md @@ -1,10 +1,9 @@ --- layout: post -title: 'ThinkCentre M720q + Debian: 24/7 Server Setup' +title: 'ThinkCentre M720q + Debian: 24/7 Server Setup Step 1' date: 2025-12-31 22:00:00 -0400 categories: - homelab - - debian highlight: true --- 
@@ -46,27 +45,29 @@ take advantage of features that come with ThinkCentre BIOS such as the auto-powe We want to strip away desktop features to save power and reduce the potential attack surface. -| Menu Path | Setting | Action | Why | -| :-------------------------- | :------------------ | :-------------- | :--------------------------------------------------------- | -| **Devices > Audio Setup** | Integrated Audio | **Disabled** | Servers don't need sound | -| **Devices > Network Setup** | Wi-Fi / BT / PXE | **Disabled** | Forces the node to rely on the Onboard Ethernet. | -| **Devices > USB Setup** | USB Legacy Support | **Disabled** | Prevents the use of less secure USB protocols during boot. | -| **Power** | After Power Loss | **Power On** | The Auto-Restart rule. | -| **Power** | Intelligent Cooling | **Performance** | To prevent thermal throttling. | +| Menu Path | Setting | Action | Why | +| :-------------------------- | :------------------ | :-------------------------- | :--------------------------------------------------------- | +| **Devices > Audio Setup** | Integrated Audio | **Disabled** | Servers don't need sound | +| **Devices > Network Setup** | Wi-Fi / BT / PXE | **Disabled** | Forces the node to rely on the Onboard Ethernet. | +| **Devices > USB Setup** | USB Legacy Support | **Disabled** | Prevents the use of less secure USB protocols during boot. | +| **Power** | After Power Loss | **Power On** | The Auto-Restart rule. | +| **Power** | Intelligent Cooling | **Performance or Acoustic** | Either to prevent thermal throttling or lower noise. | ## 3. Security Governance -| Menu Path | Setting | Action | Why | -| :----------- | :------------------ | :----------- | :--------------------------------------------------------------- | -| **Security** | Supervisor Password | **Set** | Prevents tampering with the BIOS settings. | -| **Security** | Windows UEFI Update | **Disabled** | We are replacing Windows with Debian. 
| -| **Security** | Secure Boot | **Enabled** | Verifies the Debian kernel signature before allowing it to boot. | -| **Security** | Password for F12 | **Yes** | Requires your admin password to boot from an unauthorized USB. | +| Menu Path | Setting | Action | Why | +| :----------- | :--------------------- | :----------- | :--------------------------------------------------------------- | +| **Security** | Administrator Password | **Set** | Prevents tampering with the BIOS settings. | +| **Security** | Windows UEFI Update | **Disabled** | We are replacing Windows with Debian. | +| **Security** | Password for F1/F12 | **Yes** | Requires your admin password to boot from an unauthorized USB. | +| **Security** | POP Changeable by User | **No** | Requires your admin to change his password. | +| **Security** | Secure Boot | **Enabled** | Verifies the Debian kernel signature before allowing it to boot. | ## 4. Boot Sequence **Startup > Boot Sequence:** Move the drive(s) to the #1 spot (prioritize the one storing the OS Bootloader). Exclude everything else. +**Startup > CSM:** must be disabled to restrict non-UEFI operating systems. ## 5. Post-Install @@ -116,3 +117,9 @@ During a scheduled maintenance window: 3. **Upgrade Firmware:** `fwupdmgr update` (if applicable) 4. **Reboot:** `sudo reboot` 5. **Bring it back:** `kubectl uncordon ` + +--- + +Next step, we will set up the firewall, ssh rules, and a custom vpn via an ec2 proxy server with a static IP. + +[[2025-12-31-homelab-part2]]
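Review bot: Dropping the `- debian` category in the first hunk removes this post from the `debian` category index while the body (Secure Boot rationale, the Debian install, the `fwupdmgr` maintenance step) stays Debian-specific; if the series is meant to live under `homelab` only, say so in the commit message, otherwise keep the `- debian` line alongside `- homelab`.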
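Review bot: The new `| **Security** | POP Changeable by User | **No** |` row in the second hunk has no matching row that sets a Power-On Password, so as written the setting governs nothing; either add a `Power-On Password | Set` row above it or drop the row, and replace the ungrammatical 'Why' cell with something like 'Only the Administrator password can change the Power-On Password.' Three more points on the same table: the `Windows UEFI Update | Disabled` row conflicts with the `fwupdmgr update` step in the maintenance section, because on Lenovo firmware that toggle gates UEFI capsule updates, which is the path fwupd uses; check on the M720q whether `fwupdmgr get-devices` still lists the system firmware with it disabled, and if not, set it to Enabled or drop the fwupd step. The Secure Boot 'Why' overstates what the firmware checks: the firmware verifies shim, and shim verifies GRUB and the signed Debian kernel, so a reader who installs an unsigned kernel or an unsigned DKMS module will hit a boot or module-load failure, and a one-line caveat there would save them the surprise. Lastly, the added `**Startup > CSM:** must be disabled to restrict non-UEFI operating systems.` is a fragment next to the imperative `Move the drive(s)` sentence, and Secure Boot only applies to native UEFI boot, so suggest 'Disable CSM so only UEFI boot is possible; Secure Boot depends on this.'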
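Review bot: The closing lines in the last hunk use a different series naming from the title: the title now reads 'Step 1' but the link is `[[2025-12-31-homelab-part2]]`; pick one scheme (Part 1 / part2, or Step 1 / step2) for both. Also capitalise the acronyms in the teaser ('SSH rules', 'VPN', 'EC2 proxy server'), and since that teaser defers firewall and SSH rules to the next post, one sentence saying that this post leaves the host on the installer's default network exposure would tell a reader who stops at Step 1 what is still open.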