
Setting up a home server: the rough guide

This is the companion post to the other two in this series. The first one covers why I built a home server. The second covers what’s running on it. This one is the practical bit: the key decisions and commands in the order you’d actually need them.

A warning upfront: this is a skeleton, not a manual. Your hardware will have quirks. Your router will have a different interface than mine. Your BIOS will look different. When that happens — and it will — you’ll need to fill the gaps yourself with whatever documentation and forum threads apply to your specific situation. That’s not a limitation of the guide; it’s just the honest nature of this kind of project. The good news is that the gaps are usually small and well-documented elsewhere.

Installing Debian

One thing worth stating upfront: you’ll need a monitor and keyboard plugged in for the installation itself. Once SSH is working and you’ve confirmed you can log in remotely, unplug them — you won’t need them again.

Download the netinst ISO from debian.org — the small network installer, not the full DVD image. Put it on a USB stick — Ventoy is a good option (it lets you boot ISOs directly without flashing), but dd on Linux or macOS, Rufus on Windows, or Balena Etcher all work fine too.

Boot from the USB. How to do this depends entirely on your hardware — look for a boot menu key (often F10, F12, or Delete) and select the USB drive. If Secure Boot causes problems at this stage, your machine’s documentation will tell you how to handle it.

In the installer, the important decisions are these:

Partitioning: Choose “Guided — use entire disk and set up encrypted LVM.” Select “All files in one partition.” Say yes when asked to write changes. Set an encryption passphrase. Don’t forget it — there is no recovery path.

One practical note on encryption: every reboot will ask for this passphrase at the console before the system starts. For a home server that reboots once or twice a year, this is usually fine — you’re home, you plug in a keyboard, you type it. If that doesn’t work for your situation, skip the encryption step.

Software selection: Uncheck everything except SSH server and standard system utilities. No desktop environment. No GNOME. Once it’s running headless there’s nothing to display to — no point installing one.

After the install completes, the machine reboots, asks for your encryption passphrase, and boots to a login prompt. From this point you manage it entirely over SSH from another machine.

Static IP and first SSH connection

Before hardening anything, give the server a fixed local IP address. The cleanest way is through your router’s DHCP reservation settings: find your server’s MAC address (ip link show on the server will list it, or check your router’s connected devices after the first boot) and assign it a permanent IP. The exact location in your router’s interface will vary; look for “DHCP” or “LAN” settings.

Once that’s done, SSH in from your other machine:

ssh username@server-ip

You’re in. Everything from here is done over this connection. Before anything else, bring the system up to date:

sudo apt update && sudo apt upgrade -y

SSH hardening and firewall

The default SSH configuration is fine for a first login but not for something that runs permanently. Three changes matter:

Generate an SSH key pair on your client machine if you don’t have one already. Run both of these on your local machine, not on the server:

ssh-keygen
ssh-copy-id username@server-ip

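Then edit /etc/ssh/sshd_config on the server (sudo nano /etc/ssh/sshd_config, or whatever editor you prefer). The simplest approach is to add these lines at the end of the file, after everything else. The default Debian config has these settings commented out, so your appended lines become the only active values for each directive. That matters because sshd uses the first value it reads for most directives, so an uncommented earlier line, or a file pulled in from /etc/ssh/sshd_config.d/, would take precedence over what you append: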

# Port: 2222 here, or any port that isn't 22
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no

Before restarting SSH, install UFW and allow the new port — this order matters. If UFW is active when SSH restarts on the new port and the port isn’t allowed yet, you’ll lock yourself out:

sudo apt install ufw
sudo ufw allow 2222   # use your chosen port here

Now restart SSH and enable the firewall:

sudo systemctl restart ssh
sudo ufw enable

Open a second terminal and verify you can connect on the new port — ssh -p 2222 username@server-ip — before closing the current session. Once you’re in, you’re done.
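
To confirm that the appended lines are what sshd will actually use, the script below (an added example, not part of the original post) audits the output of sshd -T, which prints the effective configuration. The function name audit_sshd and both sample outputs are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit the effective sshd settings (output of `sshd -T`)
# against the four values this guide appends to sshd_config.

audit_sshd() {
    # $1 = expected port; reads `sshd -T` output on stdin.
    # Prints one FAIL line per problem; returns 0 only if everything matches.
    awk -v port="$1" '
        BEGIN {
            n = split("permitrootlogin pubkeyauthentication passwordauthentication", keys, " ")
            want["permitrootlogin"] = "no"
            want["pubkeyauthentication"] = "yes"
            want["passwordauthentication"] = "no"
        }
        # Port is additive: each Port line adds a listener, so collect them all.
        $1 == "port" { ports[$2] = 1; next }
        ($1 in want) { got[$1] = $2 }
        END {
            bad = 0
            if (!(port in ports)) { print "FAIL port " port " is not configured"; bad = 1 }
            for (p in ports) if (p != port) { print "FAIL extra port " p " still open"; bad = 1 }
            for (i = 1; i <= n; i++) {
                k = keys[i]
                if (got[k] != want[k]) {
                    printf "FAIL %s is \"%s\", expected \"%s\"\n", k, got[k], want[k]
                    bad = 1
                }
            }
            exit bad
        }'
}

# Constructed sample: `sshd -T` output after the edits took effect.
SAMPLE_OK='port 2222
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no'

# Constructed sample: Port 22 was still active earlier in the file and an
# earlier setting enabled passwords, so the appended lines did not fully apply.
SAMPLE_SHADOWED='port 22
port 2222
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes'

printf '%s\n' "$SAMPLE_OK" | audit_sshd 2222 && echo "sample 1: OK"
printf '%s\n' "$SAMPLE_SHADOWED" | audit_sshd 2222 || echo "sample 2: needs fixing"
```

On the server, sudo sshd -T | audit_sshd 2222 reads the config files rather than the running daemon, so it can be run before restarting SSH.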

You’ll add more port rules as you install services. Don’t forget to allow each new one before you restart a service — otherwise you’ll lock yourself out of it, which is annoying but not fatal.

Samba — file sharing

Install Samba and create a shared folder:

sudo apt install samba
sudo mkdir /media/shared
sudo chown $USER:$USER /media/shared

Edit the Samba configuration file at /etc/samba/smb.conf. In the [global] section, change map to guest = bad user to map to guest = never. Then add this at the very end of the file:

[shared]
  path = /media/shared
  writeable = yes
  public = no

Set a Samba password for your user (separate from your system password), restart the service, and open the firewall port:

sudo smbpasswd -a your-username
sudo systemctl restart smbd
sudo ufw allow 445

Windows will see the share at \\server-ip\shared. On Linux, mount it with cifs-utils. Both are well-documented and take about five minutes once the server side is working. Samba has a reputation for being arcane. For a simple home share like this, it mostly isn’t.

Jellyfin — media server

Jellyfin provides its own install script:

sudo apt install curl
curl https://repo.jellyfin.org/install-debuntu.sh | sudo bash
sudo ufw allow 8096

Create the media folders it will point to:

mkdir /media/shared/movies
mkdir /media/shared/series
mkdir /media/shared/books
mkdir /media/shared/photos

Open http://server-ip:8096 in a browser on any machine on your network. A setup wizard walks you through the rest — creating an admin account, adding the media library paths, enabling remote access. Takes about ten minutes, most of which is waiting for the initial library scan.

Add your media files to the folders, and Jellyfin will find them. The mobile app works the same way — enter the server address and log in.

Tailscale — remote access

This is the one that makes everything accessible from outside the house without any port forwarding or dynamic DNS complexity.

First, create a free account at tailscale.com. Then install Tailscale on the server:

curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

The tailscale up command will print an authentication URL. Open it in a browser, log in to your Tailscale account, and the server is linked.

Install the Tailscale app on your phone, laptop, whatever devices you want to connect — sign in with the same account. They all join the same private network. From that point, your server’s local IP address is reachable from anywhere those devices have internet access.

No further configuration, and no UFW rules to add — Tailscale handles its own connectivity. Samba, Jellyfin, and everything else becomes accessible over Tailscale exactly as it is on the local network.

What you have now

A headless Debian server with encrypted storage, SSH key authentication, a firewall, a shared folder visible to every device on the network, a media server accessible from any screen in the house, and remote access from anywhere.

The exact same stack has been running here for over two years on a mini PC that cost less than a laptop and draws about as much power as a phone charger. It doesn’t ask for anything. It just works.

The details will be different for your setup. That’s fine. The shape is the same.

This is the starter kit — what I’d call the family-friendly minimum for a home server that actually gets used. The companion post covers a few more services (Nextcloud, Vaultwarden, Ollama, ZoneMinder) and each of them has solid documentation of its own. Same pattern: install, open the port, configure.

The gaps you’ll hit along the way are part of it. If this kind of tinkering is your thing — and if you’ve made it to the bottom of a guide like this, it probably is — you’ll figure them out.
