Debian installation
This guide describes the installation of Debian for a server (i.e. without a desktop environment). Since the installation is straightforward using the Debian installer, this guide concentrates on post-installation configuration.
Installation
- Download the Debian image (debian-...-netinst.iso) and prepare a bootable media.
- Boot on install media.
- Install Debian step-by-step using Debian installer. For a server, do a minimal installation. A full guide is available for more details.
Configuration
Network
- Nftables (firewall).
  - Install Nftables (it might be already installed on your system):
        apt-get install nftables
  - Copy nftables.conf in /etc. Minimal configuration with only the SSH port open.
  - Enable nftables systemd service.
- SSH. Enable sshd systemd service.
- Networkd (using systemd)
  - Disable the default system managing network interfaces in Debian (configured in /etc/network):
        systemctl disable networking
        mv /etc/network/interfaces /etc/network/interfaces.save
  - Create /etc/systemd/network/wired.network (replace the interface name enp1s0 with yours; you can list interfaces using ip link):
        [Match]
        Name=enp1s0

        [Network]
        DHCP=yes
  - Systemd can also manage name resolution (using systemd-resolved). Activate it by replacing /etc/resolv.conf with a link to the file generated by systemd-resolved:
        rm /etc/resolv.conf
        ln -s ../run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
  - Enable systemd-networkd and systemd-resolved services.
- Time synchronization with timesyncd (systemd)
      timedatectl set-ntp true
Microcode
Summary of detailed installation.
- Enable contrib and non-free sources in /etc/apt/sources.list if they aren't already enabled. Starting with (example for bullseye):
      deb http://deb.debian.org/debian bullseye main
      deb-src http://deb.debian.org/debian bullseye main
      deb http://security.debian.org/debian-security bullseye-security main
      deb-src http://security.debian.org/debian-security bullseye-security main
      deb http://deb.debian.org/debian bullseye-updates main
      deb-src http://deb.debian.org/debian bullseye-updates main
  modify to:
      deb http://deb.debian.org/debian bullseye main contrib non-free
      deb-src http://deb.debian.org/debian bullseye main contrib non-free
      deb http://security.debian.org/debian-security bullseye-security main contrib non-free
      deb-src http://security.debian.org/debian-security bullseye-security main contrib non-free
      deb http://deb.debian.org/debian bullseye-updates main contrib non-free
      deb-src http://deb.debian.org/debian bullseye-updates main contrib non-free
  Note: the URL deb.debian.org should be different in your config file, and should be set to a local mirror of Debian.
- Install the microcode package.
  - AMD
        apt-get update
        apt-get install amd64-microcode
  - Intel
        apt-get update
        apt-get install intel-microcode
Automatic upgrades
Debian can automatically install software upgrades, including security updates. Unattended Upgrades keeps a system up to date without human intervention. The system also reboots automatically when necessary.
- If necessary (they might be already installed on your system), install the unattended-upgrades and apt-listchanges packages. Also install the powermgmt-base package, which allows updates to be skipped if the system is running on battery.
      apt-get install unattended-upgrades
      apt-get install apt-listchanges
      apt-get install powermgmt-base
- To activate automatic upgrades, create the 20auto-upgrades file in the /etc/apt/apt.conf.d directory.
- To activate automatic reboot, uncomment the Automatic-Reboot option in /etc/apt/apt.conf.d/50unattended-upgrades and change it to true:
      Unattended-Upgrade::Automatic-Reboot "true";
Unattended Upgrades can be further configured in /etc/apt/apt.conf.d/50unattended-upgrades. For example, the time at which reboot is performed can be set there.
Logs of upgrades performed are recorded in /var/log/unattended-upgrades. It is recommended to check these logs a day or two after Unattended Upgrades has been set up.