Debian installation
This guide describes the installation of Debian for a server (i.e., without a desktop environment). Since the installation is straightforward using the Debian installer, this guide concentrates on post-installation configuration.
Installation
- Download the Debian image (debian-...-netinst.iso) and prepare a bootable medium.
- Boot from the install media.
- Install Debian step-by-step using Debian installer. For a server, do a minimal installation. A full guide is available for more details.
Configuration
Network
- Nftables (firewall).
  - Install Nftables (it might already be installed on your system):

        apt-get install nftables

  - Copy nftables.conf to /etc. Minimal configuration with only the SSH port open.
  - Enable the nftables systemd service.
- SSH. Enable the sshd systemd service.
- Networkd (using systemd)
  - Disable the default system managing network interfaces in Debian (configured in /etc/network):

        systemctl disable networking
        mv /etc/network/interfaces /etc/network/interfaces.save

  - Create /etc/systemd/network/wired.network (replace the interface name enp1s0 with yours; you can list interfaces using ip link):

        [Match]
        Name=enp1s0

        [Network]
        DHCP=yes

  - Systemd can also manage name resolution (using systemd-resolved). Activate it by replacing /etc/resolv.conf with a link to the file generated by systemd-resolved:

        rm /etc/resolv.conf
        ln -s ../run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

  - Enable the systemd-networkd and systemd-resolved services.
- Time synchronization with timesyncd (systemd)

        timedatectl set-ntp true
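For the Nftables step above, a minimal ruleset of the kind described (input dropped by default, only SSH reachable) could look like the following. This is an added example, not the nftables.conf file this guide refers to; it assumes sshd listens on the default port 22/tcp and that the host is a DHCP client as configured in the Networkd step.

```nftables
#!/usr/sbin/nft -f
# Added example, not the guide's own nftables.conf.
# Assumption: sshd listens on 22/tcp; change the port below if yours differs.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Drop packets conntrack cannot associate with any valid flow.
        ct state invalid drop

        # Replies to connections this host initiated (DNS, apt, NTP),
        # including related ICMP errors such as "packet too big".
        ct state established,related accept

        # Local services talking over loopback.
        iif "lo" accept

        # Ping, plus the ICMPv6 types IPv6 needs to work at all
        # (neighbor discovery and router advertisements).
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # DHCPv6 replies arrive from a link-local server and are not
        # matched as "established" (DHCP=yes also requests IPv6 leases).
        ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept

        # The only exposed service: SSH.
        tcp dport 22 accept
    }

    chain forward {
        # This host is a server, not a router.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Validate the file with `nft -c -f /etc/nftables.conf` before enabling the service. On a remote host, a syntax error or a wrong SSH port in this file cuts off your own access.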
Microcode
Summary of detailed installation.
- Enable contrib and non-free sources in /etc/apt/sources.list if they aren’t already enabled.

  Starting with (example for bullseye):

        deb http://deb.debian.org/debian bullseye main
        deb-src http://deb.debian.org/debian bullseye main
        deb http://security.debian.org/debian-security bullseye-security main
        deb-src http://security.debian.org/debian-security bullseye-security main
        deb http://deb.debian.org/debian bullseye-updates main
        deb-src http://deb.debian.org/debian bullseye-updates main

  modify to:

        deb http://deb.debian.org/debian bullseye main contrib non-free
        deb-src http://deb.debian.org/debian bullseye main contrib non-free
        deb http://security.debian.org/debian-security bullseye-security main contrib non-free
        deb-src http://security.debian.org/debian-security bullseye-security main contrib non-free
        deb http://deb.debian.org/debian bullseye-updates main contrib non-free
        deb-src http://deb.debian.org/debian bullseye-updates main contrib non-free

  Note: The URL deb.debian.org should be different in your config file, and should be set to a local mirror of Debian.
- Install the microcode package.
  - AMD

        apt-get update
        apt-get install amd64-microcode

  - Intel

        apt-get update
        apt-get install intel-microcode
Automatic upgrades
Debian can automatically install software upgrades, including security updates. Unattended Upgrades keeps a system up to date without human intervention. The system also reboots automatically when necessary.
- If necessary (they might already be installed on your system), install the unattended-upgrades and apt-listchanges packages. Also install the powermgmt-base package. It allows updates to be skipped when the system is running on battery.

        apt-get install unattended-upgrades
        apt-get install apt-listchanges
        apt-get install powermgmt-base

- To activate automatic upgrades, create the 20auto-upgrades file in the /etc/apt/apt.conf.d directory.
- To activate automatic reboot, uncomment the Automatic-Reboot option in /etc/apt/apt.conf.d/50unattended-upgrades and change it to true:

        Unattended-Upgrade::Automatic-Reboot "true";

  Unattended Upgrades can be further configured in /etc/apt/apt.conf.d/50unattended-upgrades. For example, the time at which the reboot is performed can be set there.
Logs of the upgrades performed are recorded in /var/log/unattended-upgrades. A day or two after Unattended Upgrades has been set up, it’s recommended to check these logs.