Severed-Blog/_posts/homelab/2025-12-31-homelab-part1.md
wboughattas c0c062df8c added part 3
2026-01-03 23:05:40 -05:00


---
layout: post
title: ThinkCentre Kubernetes Home Server Step 1 (BIOS Setup)
date: 2025-12-31 22:00:00 -0400
categories: homelab
highlight: true
---

I recently picked up three refurbished Lenovo ThinkCentre M720q Tiny units to migrate my Kubernetes cluster from AWS and cut my EKS costs. These machines are silent and power-efficient, but out of the box they are tuned as office desktops, not as high-availability servers. Here is how I configured the hardware and OS settings to make this 3-node cluster production-ready. In the next steps we will use Cloudflare and AWS for the services we must buy anyway: a domain name, a static IPv4 address, and a web application firewall. Our cloud budget is 10 CAD/month. The bottleneck will strictly be the Lenovo servers and our home Wi-Fi upload speed. The home server should work on any network, meaning it must not rely on the home router's settings (current limitation: steps 1-3 are not automated). I already own a NAS, which we will use for daily Kubernetes backups of the nodes.

Not the cleanest setup: no cable management, servers upside down, stickers still on, no room for ventilation, and too much wiggle room in the rack, but the software is sound and that's 90% of the work done :D

(image: server.png)

The Hardware Stack

Before diving into the configuration, here is the spec sheet for each node in the cluster. These units feature Intel vPro and the ThinkCentre BIOS, which provides the advanced settings we are about to toggle:

  • CPU: Intel(R) Core(TM) i7-7700 @ 3.60GHz (4 Cores / 8 Threads)
  • RAM: 16GB DDR4
  • Storage: 500GB SSD
  • Network: Dedicated 5-port 1Gbps Ethernet Switch
  • Wattage: 65W

For this setup we will not use vPro features such as accessing the BIOS over the network, but we will use ThinkCentre BIOS features such as automatic power-on after a power loss.

I already created a bootable USB drive from the Debian 13 ISO using Rufus.

ThinkCentre M720q: Node Configuration

  • Enter BIOS: press the F1 key repeatedly during power-on.
  • Hardware audit: confirm that the CPU, RAM, and storage match what is expected. Reset the BIOS to default settings if this is the first time.

We want to strip away desktop features to save power and reduce the potential attack surface.

| Menu Path | Setting | Action | Why |
| --- | --- | --- | --- |
| Devices > Audio Setup | Integrated Audio | Disabled | Servers don't need sound. |
| Devices > Network Setup | Wi-Fi / PXE | Disabled | Forces the node to rely on the onboard Ethernet. |
| Devices > USB Setup | USB Legacy Support | Disabled | Prevents the use of less secure USB protocols during boot. |
| Advanced > CPU Setup | Virtualization | Enabled | Needed for container runtimes. |
| Advanced > CPU Setup | VT-d | Enabled | Intel's IOMMU; isolates device DMA and allows device passthrough. |
| Power | After Power Loss | Power On | The auto-restart rule. |
| Power | Intelligent Cooling | Performance or Acoustic | Either prevent thermal throttling or lower noise. |
| Security | Administrator Password | Set | Prevents tampering with the BIOS settings. |
| Security | Windows UEFI Update | Disabled | We are replacing Windows with Debian. |
| Security | Password for F1/F12 | Yes | Requires the admin password to boot from an unauthorized USB. |
| Security | Require POP on System Boot/Restart | No | Overkill; a power-on password prompt would also block unattended restarts. |
| Security | POP Changeable by User | No | Only the administrator can change the power-on password. |
| Security | Secure Boot | Enabled | Verifies the Debian kernel signature before allowing it to boot. |
| Startup | Boot Sequence | Move the drive storing the OS bootloader to the #1 spot and exclude everything else. | Prevents booting from any other device. |

Debian installation is straightforward. Accept the defaults for most settings.

Post-Install

Once Debian is running, we need to tell the OS to take ownership of the hardware management. In a better world we would take full ownership ourselves with coreboot, but we cannot, because Intel Boot Guard is enforced at the hardware level. Since Lenovo ships these with Intel Boot Guard (Verified Boot) enabled, we must work within the manufacturer's ecosystem.

Disable the GUI on boot

```bash
# Switch to root
su -

# Boot to a text console instead of the desktop.
# We are already root here, so sudo is not needed (and may not be installed).
systemctl set-default multi-user.target
reboot
```

Synchronize the Hardware Clock

This command tells Debian to treat the motherboard's clock as UTC (the server standard).

```bash
sudo timedatectl set-local-rtc 0
```

Add missing locales. In my case, en_CA.UTF-8.

```bash
sudo dpkg-reconfigure locales
# Select en_CA.UTF-8 (or your preference) -> OK
```

Enable Linux-Native Firmware Updates

We disabled the Windows update hook in the BIOS; now we replace it with the Linux Vendor Firmware Service (LVFS). This allows you to update your BIOS directly from the Debian terminal.

```bash
sudo apt update && sudo apt install fwupd -y
```

Unlike Windows Update, fwupd does not download and install updates automatically. To list new firmware available from Lenovo/Intel, run:

```bash
fwupdmgr refresh && fwupdmgr get-updates
```

Note: Only run `fwupdmgr update` during a scheduled maintenance window. BIOS updates take 25 minutes, during which the node is completely unresponsive and will reboot automatically.

OS Updates & Cluster Maintenance

While fwupd handles the hardware, apt handles the OS. Debian 13 point releases (e.g., 13.2 to 13.3) are security-focused and will not auto-install by default.

For a Kubernetes cluster, you should always perform "rolling updates": drain one node at a time so that its pods are rescheduled elsewhere before you upgrade and reboot it.

During a scheduled maintenance window:

  1. Drain the node: `kubectl drain <node-name> --ignore-daemonsets`
  2. Upgrade the OS: `sudo apt update && sudo apt upgrade -y`
  3. Upgrade the firmware: `fwupdmgr update` (if applicable)
  4. Reboot: `sudo reboot`
  5. Bring it back: `kubectl uncordon <node-name>`
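The five steps above as one script, added here as an example and not from the original post: it drains the node, upgrades packages, flashes firmware only when LVFS reports something pending, reboots, waits for the node to report Ready, and only then uncordons it. It assumes kubectl access from the machine running it and that each node name resolves for ssh; the KUBECTL/SSH/SLEEP variables are hypothetical hooks so the logic can be dry-run or stubbed.

```shell
#!/bin/sh
# Rolling maintenance for one node: drain, patch OS, patch firmware, reboot,
# wait for Ready, uncordon. Commands come from variables so the script can be
# pointed at stubs (or a dry-run wrapper) without changing the logic.
set -eu
KUBECTL=${KUBECTL:-kubectl}   # run from a workstation with cluster access
SSH=${SSH:-ssh}               # assumes the node name resolves for ssh
SLEEP=${SLEEP:-sleep}

# Succeeds only when the node's Ready condition is "True".
node_ready() {
  status=$("$KUBECTL" get node "$1" \
    -o 'jsonpath={.status.conditions[?(@.type=="Ready")].status}')
  [ "$status" = "True" ]
}

# Poll until the node is Ready; give up after $2 polls of 10 seconds.
wait_ready() {
  i=0
  while ! node_ready "$1"; do
    i=$((i + 1))
    [ "$i" -lt "$2" ] || { echo "node $1 did not come back" >&2; return 1; }
    "$SLEEP" 10
  done
}

maintain_node() {
  node=$1
  # 1. Evict pods so the other two nodes pick up the workload first.
  "$KUBECTL" drain "$node" --ignore-daemonsets --delete-emptydir-data --timeout=5m
  # 2. OS packages.
  "$SSH" "$node" 'sudo apt update && sudo apt upgrade -y'
  # 3. Firmware, only if LVFS lists something (get-updates exits non-zero otherwise).
  if "$SSH" "$node" 'fwupdmgr get-updates >/dev/null 2>&1'; then
    "$SSH" "$node" 'sudo fwupdmgr update -y'
  fi
  # 4. Reboot; the ssh session drops as the box goes down, so ignore that error.
  #    A BIOS flash can keep the node unresponsive for 25 minutes, hence the long wait.
  "$SSH" "$node" 'sudo reboot' || true
  "$SLEEP" 60
  wait_ready "$node" 200
  # 5. Only now let the scheduler place pods here again.
  "$KUBECTL" uncordon "$node"
}

# Usage: sh rolling-maintenance.sh <node-name>
[ -z "${1:-}" ] || maintain_node "$1"
```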

Next step: we will set up the firewall, SSH rules, and a custom VPN via an EC2 proxy server with a static IP.

2026-01-01-homelab-part2