After both servers have restarted, the WireGuard tunnel has been activated, and the Root CA certificate has been installed,
go to the Home Page indicated on your installation configuration text file. You should have a secure and trusted connection to your HomeServer home page.
If you encounter any errors, you might need to restart your browser (all tabs and instances). If you are using Firefox, you might need to change one setting.
Type about:config in the address bar, and search for the word enterprise.
The setting security.enterprise_roots.enabled must be set to true. Then, restart the browser.
Ensure you can log in to Mailu, reachable from the home page. The admin username and password are provided in the installation configuration text file. You should have at least one email already in your admin mailbox, with subject "Public Root Certificate". As services are installed, you will begin to receive automated emails from them as well. For example, when Wazuh is installed, it will perform an analysis of the different packages installed on your Linux host machine and send you Common Vulnerabilities and Exposures (CVE) reports on those packages. Don't be too alarmed when you receive this. These are documented vulnerabilities that the Linux devs are actively working to fix.
In the Mailu web interface, sign in to the Admin section. Then go to Mail Domains under the Administration section on the left-hand side. For your domain, click Details under the Actions column. Click the Generate Keys button at the top right. Update your final email DNS record with the DKIM public key (see Item 4 in Installation for the other email DNS records). The value for the DNS record should look similar to the one below, but with a different public key:
Type | Name | Value |
---|---|---|
TXT | dkim._domainkey | v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzdhCsv4e9s8AHsBurnmtZoFRoV5lhnHRksVJtVqK6aQd3M40YvlEMImqpNhzIopQdefYTHhpM1iKpnQreKK1E5/WfhuyLVyxUAoelKqFRyvSE70XL7ZNLQPEGRbT0XqrwOkutQpNPhYQmwybnGia5L28IfEaYXOdJh960GbprBPYRXyKM1fHeT7Op0K0vZdOG8w11e0dZ0CHdCyJZvKvaBv9kbaLiXGjWQT7B/NBMHeqa7BDAUDREgyb2MvEkgkow9KwmlwLeHA0j5AiNlorICuvq+sOZ4kR+6JdxPoTupuDUuY5apsq8r94g2+mAK/aQBFFLsOF3Bv1nSPL6AquuwIDAQAB |
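One way to sanity-check the DKIM value before publishing it, as an added example that is not part of the HomeServerHQ project: it joins the quoted TXT strings (DNS limits each string to 255 bytes, so a 2048-bit key is normally split), parses the tags, and reads the RSA key size from the DER inside p=. The sample key is constructed filler, and the function names and the 2048-bit floor are assumptions.

```python
import base64
import re

# Constructed sample, not a real key: 2048-bit RSA SPKI header, filler modulus, e=65537.
SAMPLE_SPKI = bytes.fromhex("30820122300d06092a864886f70d01010105000382010f00"
                            "3082010a0282010100" + "c3" * 256 + "0203010001")
SAMPLE_P = base64.b64encode(SAMPLE_SPKI).decode()
# As a zone file shows it: split into quoted strings of at most 255 bytes each.
SAMPLE_RDATA = f'"v=DKIM1;k=rsa;p={SAMPLE_P[:200]}" "{SAMPLE_P[200:]}"'

def parse_tags(rdata):
    """Join the quoted TXT strings, then split 'v=DKIM1;k=rsa;p=...' into a dict."""
    parts = re.findall(r'"([^"]*)"', rdata)
    value = "".join(parts) if parts else rdata
    pairs = (item.split("=", 1) for item in value.split(";") if "=" in item)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER element runs past the end of the data")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki):
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey -> modulus."""
    _, body, _ = read_tlv(spki, 0)          # outer SEQUENCE
    _, _, pos = read_tlv(body, 0)           # AlgorithmIdentifier
    _, bits, _ = read_tlv(body, pos)        # BIT STRING holding the key
    _, rsa_key, _ = read_tlv(bits, 1)       # skip the unused-bits byte
    tag, modulus, _ = read_tlv(rsa_key, 0)  # INTEGER: the modulus
    if tag != 0x02:
        raise ValueError("modulus INTEGER not found")
    return int.from_bytes(modulus, "big").bit_length()

def check_dkim_record(rdata, min_bits=2048):
    """Return a list of problems (empty = sane); min_bits is an assumed policy floor."""
    tags = parse_tags(rdata)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        return ["expected v=DKIM1 and k=rsa"]
    if not tags.get("p"):
        return ["p= is empty or missing"]
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError):
        return ["p= is not valid base64 DER (truncated paste?)"]
    return [f"RSA key is {bits} bits, below {min_bits}"] if bits < min_bits else []
```

Pass the value exactly as your DNS provider stores it, with or without the quoted splits, to check_dkim_record; an empty list means the tags parse and the key meets the size floor.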
After adding the correct email DNS records, test your email by going to https://www.mail-tester.com/. Copy the provided email address. Log in to Mailu webmail (Sign in Webmail), and send an email to the provided email address. Be sure to include a subject, e.g. Email Spam Test, and a body for the email. Wait a few moments after sending, then go back to mail-tester.com and check your score. You will likely receive a score of 8.9/10. To get the full 10/10, you will have to set up reverse DNS for your server, which is done through your VPS provider. If you receive a lower score because the IP address of the RelayServer is on a blacklist, then you have unfortunately inherited the bad reputation of the previous user of that IP address. Do not be too concerned; it will likely resolve itself over time. If not, then in the worst case you can easily transfer your RelayServer from one VPS to another with a different IP.
In the configuration file, copy and paste the Script-server URL into your browser address bar. Use the provided credentials to log in. Then go to 02 Services -> 02 Install All Available Services. Enter your sudo and config decrypt password, then execute the function. It will take at least 40 minutes if not longer to complete, so be patient. During the services installation, you can use the available services as they appear on the home page. However, you may experience sluggish responses and/or Page Not Found errors in your browser during the installation process. This is normal as certain processes are being restarted after each service is installed.
Log back in to your HomeServer via SSH, making sure to update the SSH port to the newly selected value. Then type bash hshq.sh again at the terminal.
Select Services. You can then select individual services/stacks to install (option 1), or, to install all available services, simply select option 3.
During the services installation, you can use the available services as they appear on the home page.
However, you may experience sluggish responses and/or Page Not Found errors in your browser during the installation process.
This is normal as certain processes are being restarted after each service is installed. If installing all services,
it will take at least 40 minutes if not longer to complete, so be patient. Upon completion, be sure to exit the script correctly.
You should see a dialog box that says "Your configuration file has been encrypted" upon exit.
Ensure you see this every time you use and exit the script.
Once Vaultwarden is installed, the mail administrator will receive an email with instructions to set up Vaultwarden. It will also contain other pertinent information regarding passwords and the configuration file. Be sure to read the entire email. Then follow the instructions accordingly to have easy access to the randomly generated passwords for all of your services.
If Nextcloud is installed, log in as administrator. Click the user icon at the top right, then go to Administration Settings. On the left side, under Administration, go to LDAP/AD Integration. In the main window, go to Users, then click the "Verify settings and count users" button TWICE. Go to Groups and do the same with the "Verify settings and count the groups" button. Now any LDAP user in the primaryusers group can log in to Nextcloud with their own profile.
If Mastodon is installed, you should have received the administrator login credentials via email. The admin username has already been added to your passwords import, but with an empty password. Use the password provided via email to update your Vaultwarden account.
If Jellyfin is installed, open the web utility and complete the initial setup wizard. Then click the user icon at the top right and go to Administration > Dashboard. Go to Plugins on the left side under the Advanced section. Click Catalog (top middle of the window), then click LDAP Authentication and install the plugin. The settings should already be pre-filled, but you will need to restart Jellyfin in order to enable it. Go to Portainer in the Admin section of the home page. Click the environment with your HomeServer name on it, then go to the Stacks section. Find the jellyfin stack, and click the "Stop this stack" button. After the stack has stopped, click the green "Start this stack" button. Now any LDAP user in the primaryusers group can log in to Jellyfin with their own profile.
If Calibre is installed, go to the Admin section in Heimdall and open up Calibre-Server. You will be provided with a simple wizard to initialize the server. Accept the defaults, i.e. press Next, Next, then Finish in the bottom right corner of the dialog boxes. This should initialize the server with a single book - Quick Start Guide. Then go back to the Users tab, open up Calibre-Web, and log in with the Calibre-Web-Admin credentials. Accept the pre-filled location of the Calibre Database by clicking the Save button. In the top right corner, go to Settings. Then click the Import LDAP Users button to import all of the users. Unfortunately, you will have to log in and press this button manually any time a new user is added/removed. This is the only LDAP-backed service that requires manual intervention. All other services that utilize LDAP handle these changes automatically (as they should).