Self-hosting solution YunoHost for the private cloud

With Simple Means

© Lead Image © Dmitriy Shpilko, 123RF.com

YunoHost offers a wide range of services on a proven Debian platform that you can host yourself.

YunoHost [1] is a Linux distribution that offers a basic server platform with single sign-on for hosting web, mail, XMPP, and several dozen other services. According to the project website, YunoHost's goal is to provide "…a server operating system aimed at making self-hosting accessible to everyone."

YunoHost comes with the nginx web server, MariaDB, mail transfer agent Postfix, and the IMAP server Dovecot, including the Rspamd spam filter. The Metronome IM XMPP server, OpenLDAP, Dnsmasq, and the SSOwat transparent authentication system for single sign-on are also available, as is Let's Encrypt for creating SSL certificates.

YunoHost also provides a community repository of validated helper scripts to install other services and applications. The repository, which is hosted on GitHub, provides customized versions of the applications preconfigured to integrate into YunoHost's single sign-on environment.

YunoHost is similar to other personal server systems, such as FreedomBox [2], Sandstorm [3], UBOS [4], or the recently discontinued arkOS. All of these projects have the goal of letting the user operate a server and install web services in the easiest possible way.

YunoHost is based on Debian and is available for download for the i386, AMD64, PowerPC, and ARM architectures. A demo site [5] lets you test the user interface in advance.

Well Equipped

The range of official apps for various web services includes 21 packages [6], which you can install with just one click. This list encompasses well-known services such as WordPress, Nextcloud, Roundcube, and DokuWiki, as well as lesser known tools such as the Baikal [7] CardDAV server, the RainLoop [8] webmail application, and the ZeroBin [9] encrypted paste service.

The list of unofficial apps [10] developed and maintained by the community is much longer: It includes around 100 programs, such as a sync server for Firefox [11], the Gogs [12] Git service, the Jenkins [13] CI server, Mattermost [14] as an alternative to Slack, the Piwigo [15] photo gallery, and many more.

But that's not the end: The Apps in Progress section offers several apps you can test, but without any guarantees.

Which Platform?

YunoHost will run on the Raspberry Pi 3, and even on earlier versions of the Rasp Pi. On the small scale of a home network, the Rasp Pi might be satisfactory, but if you are concerned about performance and throughput, the limits of the Rasp Pi are quickly evident. You can also install YunoHost on a local computer (see the "Installing on Your PC" box) or on a VServer with a professional hosting service provider. If Debian is already running as the base system on the computer, you can use a script to set up YunoHost [16].

Installing on Your PC

To install under VirtualBox or on a 32- or 64-bit PC, download the appropriate ISO image from the project website. Leave the default disk-partitioning values. The install, including an update, takes just a few minutes to complete; the system then automatically reboots to a command line. Now log in as root with a password of yunohost and start the post-install routine by calling yunohost tools postinstall. The routine requires the main domain, as well as the future administrative password, and then configures all services accordingly.

You can also use a VirtualBox, VMware, or KVM virtual machine as the basis for your tests. An image for the virtualization-focused Vagrant development environment is also available [17].

Installing on Rasp Pi

To install YunoHost on a Rasp Pi, first download the image for the ARM platform and store it on an SD card, preferably a Class 10 card with at least an 8GB capacity. Be sure to choose the target device carefully; otherwise you will lose the data on a partition that your computer needs. The dd command is fine for writing the data, as are graphical tools like Etcher under Linux or Rufus under Windows. The corresponding ARM version for the Rasp Pi is based on Raspbian 8 "Jessie."

After copying the image to the SD card, insert the card into the slot on the Rasp Pi and connect the Ethernet cable, the power supply, and, optionally, a display and a keyboard. The boot process takes about 90 seconds.

The next step is to determine the Rasp Pi's IP address. If you have connected a display, the computer will show you its IP address. If no display is connected, the hostname -i command on the computer's console helps. Alternatively, you can find the address via the router's web interface. Under Windows, you can use the Advanced IP Scanner [18] program to display the IP addresses of devices on the local network. You can do the same under Linux with on-board tools:

$ sudo arp-scan --localnet | grep Raspberry

You now have to finish the installation. Without a display, continue via SSH or call the http://<RasPi-IP> address in a browser to continue graphically. Since YunoHost uses a self-signed certificate by default, the browser displays the message that the connection is not secure. You can ignore this message in a private environment and allow an exception to reach the interface (Figure 1).

Figure 1: A first look at the back end shows all categories, including the area where you configure the services on the host.

If you want to grant other users external access to services, you should use your own domain. Use the yunohost domain cert-install command to create an SSL certificate with Let's Encrypt and install it so that it secures the connection via HTTPS in the future. However, this approach presupposes that the DNS A record for the domain has first been changed at the domain registrar so that it points to the server's IP address. It usually takes 24 hours or longer for the change to propagate.

The first step in the interface is to set up a domain under which you can access the server (Figure 2). Guided configuration in the browser is easier for most users than working with SSH in a terminal. The first question is whether you already have a domain that you want to use. The example assumes that you don't have a domain, so the second option is the right choice.

Figure 2: If you want to allow users to access the services on the host, configure a domain.

However, if you want to use a self-defined local domain, such as yunohost.local, enter it along with the IP address in the /etc/hosts file. Under Windows, you will find the corresponding file under %SystemRoot%\system32\drivers\etc\.

DNS Knowledge

To provide services beyond the host machine, adjust the router's DNS settings. A look at the documentation [19] is helpful. However, beginners can follow the example and use one of the two YunoHost domains for a start. Multiple domains are possible, and you are allowed to mix your own domains and subdomains with YunoHost domains.

In the example without your own domain, enter the desired subdomain in the dialog and select one of the two domains offered to you. When assigning names, keep in mind that everyone who logs into the server uses this default domain.

In the example, ft is used as a subdomain. The default domain is ft.nohost.me. A first attempt with yunohost as a subdomain failed, because the system was not able to complete the configuration – but for no apparent reason.

Time for a Cup of Tea

After creating a server administration password, you'll need to set up the network, which may take a few minutes. You will then find yourself in the administration interface.

The first step is to update the system. Import new packages from both the Debian server and YunoHost (Figure 3) under the System update category. Be sure to update the system at regular intervals, because only an up-to-date server system offers sufficient security.

Figure 3: I recommend periodically updating the system to patch security vulnerabilities in the installed packages.

For all actions, you will see a status display at the top right-hand corner of the screen that displays the actions currently running. A list of actions in progress is displayed when you mouse over the items.

Next, you should create at least one user to log in to the user area. Afterwards, start installing applications. For this test, the first choices were Baikal, Wallabag, and Nextcloud. The installation and basic configuration required only one mouse click (Figure 4).

Figure 4: Wallabag was chosen for the test; the package comes from the company's official repository.

To test the installed applications, log in as the previously created user and access the services (Figure 5). The initial configuration of the apps I installed proved to be very good. For example, Nextcloud already had the required LDAP information.

Figure 5: You can log in to all apps using single sign-on.

Full of Apps

The easy installation steps only apply to the company's official apps. For the far larger number of custom apps, which come from and are managed by the community, you'll find an Install user-defined app submenu at the end of the official apps list.

Enter the application's GitHub URL. You can find the GitHub URL with the information provided for the app. For example, I installed the Piwigo photo gallery, which had the URL https://github.com/YunoHost-Apps/piwigo_ynh (Figure 6).

Figure 6: If the packages from the official repository do not meet all your needs, you can turn to community software.

In the Domains category, it is possible to define additional domains, change the default domain, and add certificates. In the test, I created a subdomain of my own domain as the second domain, which worked fine after DNS was set to the IP address defined in /etc/hosts (or alternatively on the router).

Tools

The Services category allows you to start and stop system services. Behind the Tools tab, you will find the settings for the firewall, as well as tools for diagnosis and system messages. You can also change the root password.

The Backup category lets you back up the system, user data, and applications (Figure 7). This function is still considered experimental, but it worked perfectly during the test, including restoring the data (Figure 8).

Figure 7: Specify which data you want to include in the backup.
Figure 8: The test succeeded in importing the data from the backup back into the system.

Access via SSH

You can check the results for yourself using SSH. The complete configuration of the server is under /home/yunohost.conf/, and the backup is located under /home/yunohost.backup. The system offers many more commands, options, and parameters via the command line than through the web interface. You can view these command-line options with yunohost -h.

In the initial configuration, administration via SSH is only possible as root, since the system manages the users via LDAP. A script and some other tricks help users reach the system via SSH [20].

In any case, I recommend that you secure SSH access with a key instead of the root password and then generally prohibit the use of passwords for SSH. As soon as user access is working, you should also prohibit logging in as root in the /etc/ssh/sshd_config file.
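
The recommendations above (key login, no passwords, no root login) can be checked mechanically against the OpenSSH server configuration. The following shell script is an added example, not part of the original article or of YunoHost; the function names and both sample configurations are constructed for illustration, and it assumes the plain "Keyword value" syntax without Include files.

```shell
#!/bin/sh
# Added example, not from the article. sshd uses the FIRST value it reads for
# a keyword, keywords are case-insensitive, and lines after a "Match" line are
# conditional, so only the first global occurrence of a keyword is evaluated.

# effective_value FILE KEYWORD -> first global value in lower case, or "unset"
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*#/       { next }   # comment line
        tolower($1) == "match" { exit }   # end of the global section
        tolower($1) == key     { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# audit_sshd FILE -> one FAIL line per finding; exit status = number of findings
audit_sshd() {
    findings=0
    for want in PasswordAuthentication PermitRootLogin; do
        got=$(effective_value "$1" "$want")
        # "unset" fails too: the built-in default for either keyword is not "no"
        if [ "$got" != "no" ]; then
            echo "FAIL $want is '$got', expected 'no'"
            findings=$((findings + 1))
        fi
    done
    if [ "$(effective_value "$1" PubkeyAuthentication)" = "no" ]; then
        echo "FAIL PubkeyAuthentication is 'no', key login is impossible"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: the second PermitRootLogin line is ignored (first value
# wins), and PasswordAuthentication is only set inside a Match block.
sample_weak() {
    printf '%s\n' '# constructed sample' 'Port 22' 'permitrootlogin yes' \
        'PermitRootLogin no' 'Match Address 192.168.0.0/16' \
        '    PasswordAuthentication no'
}
# Constructed sample that follows all three recommendations.
sample_hardened() {
    printf '%s\n' 'PubkeyAuthentication yes' 'PasswordAuthentication no' \
        'PermitRootLogin no'
}

tmp=$(mktemp)
sample_weak > "$tmp";     audit_sshd "$tmp" || echo "weak sample: $? finding(s)"
sample_hardened > "$tmp"; audit_sshd "$tmp" && echo "hardened sample: clean"
rm -f "$tmp"
```

On the server itself, call audit_sshd /etc/ssh/sshd_config; running sshd -T as root prints the configuration the daemon actually resolves, which is the authoritative cross-check.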

Conclusions

Opinions differ on self-hosting systems such as YunoHost: Some people think that such systems are created by lazy admins who are not familiar with server administration and thus endanger themselves and the Internet. On the other hand, many users need this kind of system to manage data on the network without external help.

The present system makes it much easier to set up a well-provisioned server, but responsible use still requires some knowledge, including securing SSH access, configuring DNS settings, and configuring a certificate with Let's Encrypt.

On a Rasp Pi, the system performs excellently. Well-considered details, such as a preconfigured Fail2Ban [21] to protect against intrusion or user administration via LDAP, are surprising positives. The large selection of apps covers all areas of web services.

YunoHost is suitable for home offices and small businesses. The distribution, which is very solidly set up with Debian as a base, might also work for larger assignments. The fact that YunoHost is free software and under active development means that it could have a very bright future.