Minimal Debian Bullseye

Last updated on 2022-09-12 • Tagged under #debian #linux #luks #lvm #homeServer

Debian 11 aka "Bullseye" is the latest stable release of the popular Linux operating system. I use Debian's (unofficial) network installer image (which includes non-free firmware for pesky wifi cards) to create a minimal, console-only base configuration that can be customized for various tasks, servers, and desktops.

Let's go!

Debian GNU/Linux is an operating system created by volunteers of one of the largest and longest-running free software projects in the world. There are 3 release branches: stable (code-named "Bullseye"), testing ("Bookworm"), and unstable ("Sid").

Below is a visual walk-through of an installation that makes use of the entire disk divided into two partitions: a small boot partition, and a second partition where all the remaining storage is encrypted using Linux Unified Key Setup (LUKS).

Later, that encrypted storage is used by the Logical Volume Manager (LVM) to create “virtual partitions” (Logical Volumes or LVs) for separate root and home file systems. Installing LVM on top of the encrypted partition allows the creation of multiple LVs protected by a single passphrase, and dynamic resizing of LVs as needed.

If using Debian's guided partitioning option, all the necessary partition arrangements are auto-configured whether the computer boots using MBR or UEFI.

1. Pre-installation

1.1 Prepare install media

Download firmware-11.5.0-amd64-netinst.iso and SHA256SUMS.

Verify image integrity ...

$ sha256sum -c --ignore-missing SHA256SUMS
firmware-11.5.0-amd64-netinst.iso: OK

Prepare a USB storage device as an installer using one of these two methods.

Method #1: Ventoy

I now use Ventoy to setup a USB device to be a multiboot installer. Simply copy an iso to the device, reboot, and the auto-generated menu lists all the disk images available to boot. Read more

Method #2: dd

Write the installer to an unmounted USB storage device using the dd command as root.

BE VERY CAREFUL TO NOTE THE PROPER DEVICE. ALL DATA ON THE DEVICE WILL BE OVERWRITTEN.

Example: On a Linux system, if a USB stick appears as sdx1, then write the installer to sdx (no partition number) ...

$ sudo dd if=path/to/firmware-11.5.0-amd64-netinst.iso of=/dev/sdx bs=4M status=progress oflag=sync

1.2 Boot live environment

Install

Select language

Select location

Configure keyboard

Detecting link

DHCP

Hostname

Domain

Root password

Verify password

Full name

Username

User password

Verify password

Select time zone

1.3 Partitions

Select the guided partitioning option to make use of the entire disk configured with LVM on LUKS. I also recommend creating a separate home.

By default, this creates:

a small boot partition (plus a separate boot/efi partition if using UEFI)
remaining storage dedicated to LVM + LUKS
logical volumes created for root, swap, and home

Settings can be altered (alternate file systems, mount options, etc.) before writing the partition layout to disk. ¹

Note: If more fine-grained control is desired, select manual partitioning.

Partitioning method

Select disk

Separate home

Write changes

Erasing data

Passphrase

Re-enter passphrase

I leave some free space available for future use, unless storage space is limited ...

Amount to use

Finish partitioning

Write changes

2. Installation

Installing

Install media

Archive mirror

Use the Debian global mirrors service deb.debian.org ...

Mirror hostname

Proxy

Retrieving files

Package survey

Select only [*] standard system utilities and leave the remaining tasks ² unmarked ...

Software selection

Packages are downloaded and the installer makes its finishing touches.

Install GRUB to MBR

GRUB device

Finish

3. First boot

GRUB menu ...

GRUB menu

User is prompted for the passphrase to unlock the encrypted partition ...

Unlock passphrase

3.1 Check for errors

Failed systemd services ...

systemctl --failed

High priority errors in the systemd journal ...

journalctl -p 3 -xb

4. Configure system

4.1 Network

Most home routers come with an integrated Dynamic Host Control Protocol (DHCP) server, and allow configuration via a web console. I have OpenWrt installed on my router, and I create static leases to assign fixed IP addresses to client devices.

Debian's network interfaces are configured for the ifup and ifdown commands in /etc/network/interfaces. By default, wired (ethernet) interfaces are configured for auto-detection and to use DHCP.

Example entry ...

# The primary network interface
allow-hotplug enp0s31f6
iface enp0s31f6 inet dhcp

Display all detected network interfaces along with their IP and MAC addresses ...

$ ip addr

For Openwrt, login to the web console and navigate to Network->DHCP and DNS->Static Leases.

Click Add, then include the device's network interface MAC address, the hostname, and the desired IP address. When done click Save & Apply.

All subsequent connections to the local network by the server will see it assigned this IP address.

Optional: Once a link is established, install a network manager utility. Packages network-manager and network-manager-gnome provide the console nmcli and graphical nm-applet clients respectively . Comment out (deactivate) any entries in interfaces that will be managed by network-manager.

4.2 Upgrade

Install any upgrades ...

apt update && apt full-upgrade

4.3 Sudo

Install sudo to temporarily provide your non-root user (example: foo) account with root privileges ...

apt install sudo && adduser foo sudo

To allow foo to execute superuser commands without being prompted for a password, create the file /etc/sudoers.d/sudoer_foo containing ...

foo ALL=(ALL) NOPASSWD: ALL

4.4 Console fonts

Discover available fonts in /usr/share/consolefonts.

Set and display a font (example: Lat15-Terminus20x10) for the current session ...

$ sudo setfont Lat15-Terminus20x10
$ sudo showconsolefont

To make the selection persistent, either modify /etc/default/console-setup or run ...

$ sudo dpkg-reconfigure console-setup
$ sudo setupcon

4.5 Keyboard

For a different default language/keymap either modify /etc/default/keyboard or run ...

$ sudo dpkg-reconfigure keyboard-configuration

Enable use of desired keymap when entering LUKS passphrase in GRUB by rebuilding initramfs ...

$ sudo update-initramfs -u -k all

4.6 Sysctl

If a non-root user runs dmesg to read the contents of the kernel message buffer they will see ...

dmesg: read kernel buffer failed: Operation not permitted

To allow users to read the kernel log, modify /etc/sysctl.conf by adding ...

kernel.dmesg_restrict = 0

Reload the configuration ...

$ sudo sysctl -p

4.7 Main, non-free, contrib, and backports

Debian uses separate archives to distinguish between software packages based on their licenses:

Main is enabled by default and includes everything that satisfies the conditions of the Debian Free Software Guidelines.
Contrib packages are open-source themselves but rely on software in non-free to work.
Non-free contains packages that do not meet all the conditions of the DFSG but can be freely distributed.
Backports contains packages drawn from the testing (and sometimes unstable) archive and modified to work in the current stable release.

All backports are disabled by default (to prevent unintended system upgrades) and are installed on a per PACKAGE basis by running ...

$ sudo apt -t bullseye-backports install PACKAGE

Modify /etc/apt/sources.list to add contrib, non-free, and backports ...

# Base repository
deb https://deb.debian.org/debian/ bullseye main contrib non-free
deb-src https://deb.debian.org/debian/ bullseye main contrib non-free

# Security updates
deb https://security.debian.org/debian-security bullseye-security main contrib non-free
deb-src https://security.debian.org/debian-security bullseye-security main contrib non-free

# Stable updates
deb https://deb.debian.org/debian bullseye-updates main contrib non-free
deb-src https://deb.debian.org/debian bullseye-updates main contrib non-free

# Stable backports
deb https://deb.debian.org/debian bullseye-backports main contrib non-free
deb-src https://deb.debian.org/debian bullseye-backports main contrib non-free

Any time sources.list is modified its necessary to update the package database ...

$ sudo apt update

4.8 Command not found

Automatically search repositories when entering an unrecognized command, courtesy of the command-not-found package ...

$ sudo apt install command-not-found apt-file
$ sudo apt-file update && sudo update-command-not-found

Re-login to activate.

4.9 SSD

Periodic TRIM optimizes performance on SSD storage. Enable a weekly task that discards unused blocks on the drive ...

$ sudo systemctl enable fstrim.timer

4.10 mlocate

Setup the locate command and database for finding files ...

$ sudo apt install mlocate && sudo /etc/cron.daily/mlocate

4.11 Dot bashrc

Modify ~/.bashrc and create a colourful custom prompt ...

# colour codes
GREEN="\\[\\e[1;32m\\]"
YELLOW="\\[\\e[1;33m\\]"
BLUE="\\[\\e[1;34m\\]"
MAGENTA="\\[\\e[1;35m\\]"
WHITE="\\[\\e[1;37m\\]"
RESET="\\[\\e[0m\\]"

# Set a two-line prompt. If accessing via ssh include 'ssh-session' message.
if [[ -n "$SSH_CLIENT" ]]; then
    ssh_message="-ssh_session"
fi
PS1="${MAGENTA}\\u ${WHITE}at ${GREEN}\\h${YELLOW}${ssh_message} ${WHITE}in ${BLUE}\\w \\n$WHITE\$${RESET} "

Add aliases and functions, enable unlimited history, and more.

Source: .bashrc

4.12 Microcode

Intel and AMD processors may periodically need updates to their microcode firmware.

Microcode can be updated (and kept in volatile memory) during boot by installing either intel-microcode or amd64-microcode (AMD) ...

$ sudo apt install intel-microcode

See: Microcode

4.13 Secure access using SSH keys

Create cryptographic keys, install the OpenSSH server, and configure remote access. Read more.

4.14 Use zram for swap

Instead of creating a separate swap partition or using a swapfile, its possible to create a swap device in RAM itself with the kernel module zram.

See: Zram

4.15 Where to go next ...

... is up to YOU.

I created debian-after-install, a shell script I use to setup my own virtual machines, servers and desktops. Free to use or fork and adapt with your own ideas!

4.16 Helpful

The Debian Administrator's Handbook by Raphaël Hertzog and Roland Mas
- In-depth guide to becoming a Debian power-user/sysadmin. Read online or download the ebook.
Debian Package Tracker
- A searchable interface that packs a lot of information about a given package on a single page.
r/debian
- Reddit forum for Debian.
The Linux Command Line
- Command line use, programs, and shell scripting. Free ebook download.
ArchWiki
- Dedicated to Arch Linux, but contains many excellent HOWTOs relevant to all Linux distros.

Notes

Reserved blocks can be used by privileged system processes to write to disk - useful if a full filesystem blocks users from writing - and reduce disk fragmentation. On large non-root partitions, extra space can be gained by reducing this reserve. Example: Highlight and select /home partition, select Reserved blocks: and reduce the default 5% reserve set aside by Debian to 1%.

Task selection menu can be used post-install by running the command tasksel.

Thanks for reading! Read other posts?

» Later: DoH and custom DNS servers with OpenWrt

« Earlier: Build a custom kernel package for Debian