Debian installation

This guide describes the installation of Debian for a server (i.e., without a desktop environment). Since the installation is straightforward using the Debian installer, this guide concentrates on post-installation configuration.

Note: This guide is up-to-date for Debian bullseye.
Tip: Configuration files are available for download.

Installation

  1. Download the Debian image (debian-...-netinst.iso) and prepare bootable media.
  2. Boot from the install media.
  3. Install Debian step-by-step using Debian installer. For a server, do a minimal installation. A full guide is available for more details.

Configuration

Network

  1. Nftables (firewall).

    1. Install Nftables (it might be already installed on your system)

      apt-get install nftables
      
    2. Copy nftables.conf in /etc. Minimal configuration with only the SSH port open.

    3. Enable nftables systemd service.

  2. SSH. Enable sshd systemd service.

  3. Networkd (Using systemd)

    1. Disable the default system managing network interfaces in Debian (configured in /etc/network)

      systemctl disable networking
      mv /etc/network/interfaces /etc/network/interfaces.save
      
    2. Create /etc/systemd/network/wired.network (replace interface name enp1s0 with yours. You can list interfaces using ip link):

      [Match]
      Name=enp1s0
      [Network]
      DHCP=yes
      
    3. Systemd can also manage name resolution (using systemd-resolved). Activate it by replacing /etc/resolv.conf with a symlink to the stub file generated by systemd-resolved:

      rm /etc/resolv.conf
      ln -s ../run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
      
    4. Enable systemd-networkd and systemd-resolved services.

  4. Time synchronization with timesyncd (systemd)

    timedatectl set-ntp true
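
A minimal /etc/nftables.conf matching the firewall step above (inbound traffic dropped by default, only SSH open), given here as an added example and not the configuration file distributed with this guide. It assumes SSH listens on the default TCP port 22 and that ICMP/ICMPv6 should remain reachable.

```nftables
#!/usr/sbin/nft -f
# Added example (not the guide's own file). Assumption: sshd on TCP port 22.

# Start from an empty ruleset so reloading the file is idempotent
flush ruleset

table inet filter {
    chain input {
        # Anything not explicitly accepted below is dropped
        type filter hook input priority 0; policy drop;

        # Replies to connections this host initiated (apt, DNS, NTP, ...)
        ct state established,related accept
        # Packets that do not belong to any known connection state
        ct state invalid drop

        # Local services talking over the loopback interface
        iif "lo" accept

        # ICMP for diagnostics and path MTU discovery;
        # ICMPv6 is required for IPv6 neighbour discovery to work
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept

        # Optional, commented out (assumption: only needed if the network
        # assigns addresses with DHCPv6)
        # ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept

        # The only service exposed to the network
        tcp dport 22 accept
    }

    chain forward {
        # A server that is not a router forwards nothing
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Outbound traffic is not restricted in this minimal setup
        type filter hook output priority 0; policy accept;
    }
}
```

Check the file with nft -c -f /etc/nftables.conf before enabling the service, so that a syntax error is caught while you still have a working session.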
    

Microcode

Summary of detailed installation.

  1. Enable contrib and non-free sources in /etc/apt/sources.list if they aren’t already enabled.

    Starting with (example for bullseye):

    deb http://deb.debian.org/debian bullseye main
    deb-src http://deb.debian.org/debian bullseye main
    
    deb http://security.debian.org/debian-security bullseye-security main
    deb-src http://security.debian.org/debian-security bullseye-security main
    
    deb http://deb.debian.org/debian bullseye-updates main
    deb-src http://deb.debian.org/debian bullseye-updates main
    

    modify to:

    deb http://deb.debian.org/debian bullseye main contrib non-free
    deb-src http://deb.debian.org/debian bullseye main contrib non-free
    
    deb http://security.debian.org/debian-security bullseye-security main contrib non-free
    deb-src http://security.debian.org/debian-security bullseye-security main contrib non-free
    
    deb http://deb.debian.org/debian bullseye-updates main contrib non-free
    deb-src http://deb.debian.org/debian bullseye-updates main contrib non-free
    
    Note: The URL deb.debian.org should be different in your config file, and should be set to a local mirror of Debian.
  2. Install the microcode package.

    • AMD
      apt-get update
      apt-get install amd64-microcode
      
    • Intel
      apt-get update
      apt-get install intel-microcode
      

Automatic upgrades

Debian can automatically install software upgrades, including security updates. Unattended Upgrades keeps a system up to date without human intervention. The system also reboots automatically when necessary.

  1. If necessary (they might be already installed on your system), install the unattended-upgrades and apt-listchanges packages. Also install the powermgmt-base package, which allows updates to be skipped if the system is running on battery.

    apt-get install unattended-upgrades
    apt-get install apt-listchanges
    apt-get install powermgmt-base
    
  2. To activate automatic upgrades, create the 20auto-upgrades file in /etc/apt/apt.conf.d directory.

  3. To activate automatic reboot, uncomment the Automatic-Reboot option in /etc/apt/apt.conf.d/50unattended-upgrades and set it to true:

    Unattended-Upgrade::Automatic-Reboot "true";
    

    Unattended Upgrades can be further configured in /etc/apt/apt.conf.d/50unattended-upgrades. For example, the time at which reboot is performed can be set there.

Logs of upgrades performed are recorded in /var/log/unattended-upgrades. A day or two after Unattended Upgrades has been set up, it's recommended to check these logs.

Last modification: October 13, 2021