Brian's Cabin

Blog

I Turned My M4 Mac Mini into a Powerful, Secure Headless Server

Apr 22, 2026 5 min read

When the M4 Mac Mini first released back in late 2024, I was quick to pick one up. I previously had the older Mac Mini M1, which was a good machine, but only had 8GB of RAM and much slower Thunderbolt ports. So when I noticed that Apple released a Mac Mini with the newest M4 chip, I jumped ship and traded my old mini for the newer one... and it was a great choice! But, until now, I've been using it as a home server in the messiest way possible. I had Docker folders scattered across the desktop, scripts in my Downloads folder, and honestly just hoped nothing would break... Well that changes today! Eventually I got tired of it and I've decided to do it properly this time - so this is my attempt at turning my M4 Mac Mini into a powerful, headless server!

Sooo, how do you do it?

The first step was nuking the whole thing and starting fresh. Luckily, macOS makes this pretty easy: System Settings > General > Transfer or Reset > Erase All Content & Settings. Of course I didn't forget to make a backup of my docker-compose.yml files scattered across the desktop, since those will come in handy. As for data, I've been using an external drive for that, so I made a quick copy with rsync just in case.

30 minutes later and we're on a clean desktop! Now, there's a couple things we need to do before we can unplug our HDMI and peripherals...

First, we need to enable SSH for remote access. Go to System Settings > General > Sharing, and toggle Remote Login on. Click the (i) icon and ensure Allow full disk access for remote users is checked (this gives us disk access over SSH connections).

Optionally, you can also toggle Remote Management on as well in case you realllly need access over VNC (no but really, it does come in handy sometimes). Click the (i) icon and click Options to enable certain permissions for computer access (like Control).

While you're here, make sure Local hostname is set to whatever you want, as we'll be using that later for SSH (I used server.local).
Now, let's make sure FileVault is enabled by going to System Settings > Privacy & Security > FileVault. Click Turn On if not already, and write down the recovery key displayed!

But what is FileVault? Well, FileVault enables full-disk encryption of our Mac's disk to prevent unauthorized access (if somebody decides to snatch it 🥲)

Finally, go to System Settings > Energy and make sure these are enabled:

- Prevent automatic sleeping when the display is off
- Start up automatically after a power failure
- Wake for network access

Now, we can finally shove the Mac Mini into a closet and log in via SSH! On any other device: `ssh admin@server.local` (replace admin with your account username).

Now we need to...

- Install Homebrew using `/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"` (will require password)
- Install Docker and Colima: `brew install docker docker-compose colima`

Before we continue with anything else, if you're using an external drive, make sure to force auto-mounting on system boot:

`sudo defaults write /Library/Preferences/SystemConfiguration/autodiskmount AutomountDisksWithoutUserLogin -bool true`

Now, time to set up Docker! We'll be using Colima (aka. containers on Lima) since we're making a headless setup (also, Docker Desktop is eww):

`colima start -t vz -c 10 -m 16 -d 128 --root-disk 32 --network-address --network-mode bridged --network-interface en1 --ssh-port 2222 -V /Volumes/primary:w --mount-type virtiofs --save-config`

You can replace these configurations with whatever resource allocations you'd like, but I'm maxing it out since this computer won't be used for anything else. If you're using bridged mode as well, make sure to specify the correct `--network-interface`, which will depend on your networking setup (Ethernet or Wi-Fi). You can find the correct interface by running `networksetup -listallhardwareports`. Also, if you're not using an external drive, you can remove the /Volumes mount (... why aren't you?)
And that's it! Now we can start our Docker containers as usual with Docker Compose:

`docker-compose up -d`

Fixing "Permission Denied" (External Drives)

If you're using an external drive for your data (which you should be), you're probably going to have permission issues. If you don't have them, cool! If you do, it's likely because the drive's ownership is set to the root user, but Colima is running on the standard user account. To fix this, you'll need to transfer drive ownership to your user account. You can do so with the following command:

`sudo chown -R $(whoami):staff /Volumes/myDrive` (replace myDrive)

Then, run `sudo chmod -R 770 /Volumes/myDrive` to standardize the permissions across files.

What about reboots?

This is where things get a little interesting. If the Mac reboots, FileVault holds the boot process hostage at the login screen, meaning none of your services will start until someone "unlocks" it. Since we don't have a monitor plugged in, that someone is us, over SSH. Luckily, macOS 26 Tahoe introduced a pre-boot SSH server, which lets you SSH in before the OS fully loads. After a reboot, give it about 30-60 seconds, then:

`ssh admin@server.local`

You'll see a message like:

This system is locked. To unlock it, use a local account name and password. Once successfully unlocked, you will be able to connect normally.

Once you enter your password, the connection should drop immediately - and that's normal. The Mac is just decrypting the drive and booting up. Wait another minute, SSH back in, and you're good to go. After you're in, you can start your Docker daemon by running `colima start` (it will use your previous config).

Handling Encrypted Volume Mounts

If you're using an unencrypted external drive, it's already been mounted automatically and Docker will resume as normal. BUT, if you're using an APFS encrypted drive like me, you'll need to unlock it first.
To unlock an APFS encrypted drive over SSH, you can use `diskutil apfs unlockVolume /Volumes/myDrive` (replace myDrive). You'll be prompted to enter the passphrase, and you'll see "Unlocked and mounted APFS Volume" once it's ready! If needed, you can restart Colima using `colima stop && colima start`.
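
To confirm the steps above actually took effect after a rebuild or a reboot, here is an audit script. It is an added example, not part of the original post. It assumes the three Energy toggles show up in `pmset -g` as `sleep 0`, `autorestart 1` and `womp 1`, and that the drive path is passed as the first argument; `audit.sh` is a hypothetical file name.

```shell
#!/bin/bash
# Added example (not from the original post): audit the settings configured above.
# Parsers read command output on stdin so they can be tested on constructed samples.

# `fdesetup status` prints "FileVault is On." when full-disk encryption is enabled.
filevault_on() { grep -q '^FileVault is On'; }

# Reads `pmset -g` output; prints each key that is missing or differs from the
# post's Energy settings. Assumed mapping: sleep 0, autorestart 1, womp 1.
pmset_mismatches() {
  awk '
    BEGIN { want["sleep"] = 0; want["autorestart"] = 1; want["womp"] = 1 }
    ($1 in want) { seen[$1] = 1; if ($2 != want[$1]) print $1 }
    END { for (k in want) if (!(k in seen)) print k }
  ' | sort
}

# Lists entries under $1 that still grant any permission bit to "other" users,
# which `chmod -R 770` is meant to remove. Empty output means none were found.
world_accessible() {
  find "$1" \( -perm -001 -o -perm -002 -o -perm -004 \) -print
}

# Runs every check on the Mac itself; returns non-zero if any check fails.
audit() {
  drive="$1"; rc=0
  fdesetup status | filevault_on || { echo "FAIL: FileVault is off"; rc=1; }
  bad=$(pmset -g | pmset_mismatches | tr '\n' ' ')
  [ -z "$bad" ] || { echo "FAIL: energy settings differ: $bad"; rc=1; }
  auto=$(defaults read /Library/Preferences/SystemConfiguration/autodiskmount \
    AutomountDisksWithoutUserLogin 2>/dev/null)
  [ "$auto" = "1" ] || { echo "FAIL: boot-time auto-mount is not enabled"; rc=1; }
  if [ ! -d "$drive" ]; then
    echo "FAIL: $drive is not mounted (still locked?)"; rc=1
  elif [ -n "$(world_accessible "$drive")" ]; then
    echo "FAIL: entries under $drive are accessible to other users"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: all checks passed"
  return "$rc"
}

# Usage on the server: ./audit.sh /Volumes/myDrive
if [ "$#" -gt 0 ]; then audit "$1"; fi
```

Run it over SSH after unlocking the encrypted volume; a non-zero exit status means at least one setting has drifted from what the post configures.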

Starting a blog, finally.

Jan 18, 2026 1 min read

Welcome! I'll be posting things I personally find interesting and want to talk about here. But why a blog, you may ask? Well, I think it's a cool way to document my life and I've been wanting to do it for the longest time. I've tried journaling in the past, but I found that pen and paper just isn't always my thing. Don't get me wrong, pen and paper is still much better than its digital counterparts in some cases (like for learning, here's a cool study I found highlighting the differences), but it has some significant disadvantages. One of these disadvantages is that it's not scalable. It's a roadblock for me because it prevents me from sharing my thoughts with the world. With this blog page, I'll be able to do just that! Hope you stick around! :D