Minimal Debian Bullseye

Part of "New life for an old laptop as a Linux home server"
Debian 11 aka "Bullseye" is the latest stable release of the popular Linux operating system. I use Debian's (unofficial) network installer image (which includes non-free firmware for pesky wifi cards) to create a minimal, console-only base configuration that can be customized for various tasks, servers, and desktops.
Let's go!
Debian GNU/Linux is an operating system created by volunteers of one of the largest and longest-running free software projects in the world. There are 3 release branches: stable (code-named "Bullseye"), testing ("Bookworm"), and unstable ("Sid").
Below is a visual walk-through of an installation that makes use of the entire disk divided into two partitions: a small boot partition, and a second partition where all the remaining storage is encrypted using Linux Unified Key Setup (LUKS). Later, that encrypted storage is used by the Logical Volume Manager (LVM) to create “virtual partitions” (Logical Volumes or LVs) for separate root and home filesystems. Installing LVM on top of the encrypted partition allows the creation of multiple LVs protected by a single passphrase, and dynamic resizing of LVs as needed.
If using Debian's guided partitioning option, all the necessary partition arrangements are auto-configured whether the computer boots using MBR or UEFI.
1. Pre-installation
1.1 Prepare install media
Download firmware-11.3.0-amd64-netinst.iso and SHA256SUMS.
Verify image integrity ...
$ sha256sum -c --ignore-missing SHA256SUMS
firmware-11.3.0-amd64-netinst.iso: OK
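
The checksum only proves the ISO matches SHA256SUMS; if both came from the same mirror, the sums file itself should be authenticated first. The following is an added example, not part of the original walk-through: it assumes the detached signature SHA256SUMS.sign was downloaded alongside SHA256SUMS, that the signing key is already imported into your GnuPG keyring, and that you pass in a fingerprint you have confirmed yourself (the function names and the FPR placeholder are hypothetical).

```shell
#!/bin/sh
# Added example: authenticate SHA256SUMS, then check the ISO against it.

# verify_sums_signature SUMS SIG FPR
# Succeeds only if SIG is a valid signature over SUMS made by the key whose
# primary fingerprint is FPR (40 hex digits, no spaces, supplied by the caller).
verify_sums_signature() {
    sums=$1; sig=$2; want_fpr=$3
    gpg_out=$(gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null) || return 1
    # The last field of the VALIDSIG status line is the primary key fingerprint.
    got_fpr=$(printf '%s\n' "$gpg_out" | awk '$2 == "VALIDSIG" { print $NF }')
    [ -n "$got_fpr" ] && [ "$got_fpr" = "$want_fpr" ]
}

# check_iso ISO SUMS
# Returns 0 on match, 1 on hash mismatch, 2 if ISO is not listed in SUMS.
check_iso() {
    iso=$1; sums=$2
    name=$(basename "$iso")
    # Lines look like "<hash>  <name>" (or "<hash> *<name>" in binary mode).
    want=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$sums")
    [ -n "$want" ] || { echo "$name: not listed in $sums" >&2; return 2; }
    got=$(sha256sum "$iso" | awk '{ print $1 }')
    [ "$got" = "$want" ] || { echo "$name: SHA256 mismatch" >&2; return 1; }
    echo "$name: OK"
}

# verify_image ISO SUMS SIG FPR: signature first, hash second.
verify_image() {
    verify_sums_signature "$2" "$3" "$4" || { echo "bad signature on $2" >&2; return 3; }
    check_iso "$1" "$2"
}

# Usage (FPR is a placeholder for the fingerprint you have confirmed):
#   verify_image firmware-11.3.0-amd64-netinst.iso SHA256SUMS SHA256SUMS.sign "$FPR"
```
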
Prepare a USB storage device as an installer using one of these two methods.
1.1.1 Ventoy
I now use Ventoy to set up a USB device to be a multiboot installer. Simply copy an iso to the device, reboot, and the auto-generated menu lists all the disk images available to boot. See: Create a multiboot USB installer with Ventoy
1.1.2 dd
Write the installer to an unmounted USB storage device using the dd command as root.
BE VERY CAREFUL TO NOTE THE PROPER DEVICE. ALL DATA ON THE DEVICE WILL BE OVERWRITTEN.
Example: On a Linux system, if a USB stick appears as sdx1, then write the installer to sdx (no partition number) ...
$ sudo dd if=path/to/firmware-11.2.0-amd64-netinst.iso of=/dev/sdx bs=4M status=progress oflag=sync
1.2 Boot live environment
1.3 Partitions
Select the guided partitioning option to make use of the entire disk configured with LVM on LUKS. I also recommend creating a separate home.
By default, this creates:
- a small boot partition (plus a separate boot/efi partition if using UEFI)
- remaining storage dedicated to LVM + LUKS
- logical volumes created for root, swap, and home
Settings can be altered (alternate filesystems, mount options, etc) before writing the partition layout to disk. [1] If fine-grained control is desired, select manual partitioning.
I leave some free space available for future use, unless storage space is limited ...
2. Installation
Use the Debian global mirrors service deb.debian.org ...
Select only [*] standard system utilities and leave the remaining tasks [2] unmarked ...
Packages are downloaded and the installer makes its finishing touches.
3. First boot
GRUB menu ...
User is prompted for the passphrase to unlock the encrypted partition ...
Login and welcome to Debian!
3.1 Check for errors
Failed systemd services ...
# systemctl --failed
High priority errors in the systemd journal ...
# journalctl -p 3 -xb
4. Configure system
4.1 Network
Check which network interfaces are detected and settings ...
# ip link
Wired interfaces are usually auto-configured by default and assigned an IP address courtesy of DHCP.
To assign a static address, deactivate the wired interface and create a new entry in /etc/network/interfaces. [3] Sample entry for enp3s0 ...
# The primary network interface
auto enp3s0
iface enp3s0 inet static
    address 192.168.1.88
    netmask 255.255.255.0
    gateway 192.168.1.1
    dns-nameservers 8.8.8.8 8.8.4.4
Bring up|down interface with if{up,down} enp3s0.
To create a wireless interface connection to WPA2-encrypted access points [4] using DHCP ...
iface wlp1s0 inet dhcp
    wpa-ssid MY_SSID
    wpa-psk MY_PASSPHRASE
    dns-nameservers 8.8.8.8 8.8.4.4
Optional: Once a link is established, install a network manager utility. Packages network-manager and network-manager-gnome provide the console nmcli and graphical nm-applet clients respectively. Comment out (deactivate) any entries in interfaces that will be managed by network-manager.
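
/etc/network/interfaces is normally world-readable, so a wpa-psk line like the one in the wireless stanza above can be read by every local account. The following added example (not from the original page; the function names are hypothetical and GNU stat is assumed) flags interfaces files that hold a wpa-psk entry and are readable by group or other.

```shell
#!/bin/sh
# Added example: find ifupdown config files that expose a Wi-Fi passphrase.

# psk_exposed FILE
# Returns 0 if FILE contains a wpa-psk line AND is readable by group or other.
psk_exposed() {
    grep -Eq '^[[:space:]]*wpa-psk[[:space:]]' "$1" 2>/dev/null || return 1
    mode=$(stat -c '%a' "$1")            # GNU stat: octal mode, e.g. 644
    case $mode in
        *[4567]?|*[4567]) return 0 ;;    # group-read or other-read bit is set
        *) return 1 ;;
    esac
}

# audit_net_secrets [DIR]
# Checks DIR/interfaces and DIR/interfaces.d/* (DIR defaults to /etc/network).
# Prints each exposed file; returns 1 if any were found, 0 otherwise.
audit_net_secrets() {
    dir=${1:-/etc/network}; found=0
    for f in "$dir/interfaces" "$dir"/interfaces.d/*; do
        [ -f "$f" ] || continue
        if psk_exposed "$f"; then
            echo "$f: wpa-psk readable by group/other (mode $mode)"
            found=1
        fi
    done
    return "$found"
}

# Remediation for a flagged file (run as root):
#   chmod 600 /etc/network/interfaces
```
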
4.2 Upgrade
Install any upgrades ...
# apt update && apt full-upgrade
4.3 Sudo
Install sudo to temporarily provide your non-root user (example: foo) account with root privileges ...
# apt install sudo && adduser foo sudo
To allow foo to execute superuser commands without being prompted for a password, create the file /etc/sudoers.d/sudoer_foo containing ...
foo ALL=(ALL) NOPASSWD: ALL
4.4 Console fonts
Discover available fonts in /usr/share/consolefonts. Set and display a font (example: Lat15-Terminus20x10) for the current session ...
$ sudo setfont Lat15-Terminus20x10
$ sudo showconsolefont
To make the selection persistent, either modify /etc/default/console-setup or run ...
$ sudo dpkg-reconfigure console-setup
$ sudo setupcon
4.5 Keyboard
If you desire a different default language/keymap (example: I use colemak), either modify /etc/default/keyboard or run ...
$ sudo dpkg-reconfigure keyboard-configuration
$ sudo update-initramfs -u -k all # Enables use of desired keymap when entering LUKS passphrase in GRUB
4.6 Sysctl
If a non-root user runs dmesg to read the contents of the kernel message buffer they will see ...
dmesg: read kernel buffer failed: Operation not permitted
To allow users to read the kernel log, modify /etc/sysctl.conf by adding ...
kernel.dmesg_restrict = 0
Reload the configuration ...
$ sudo sysctl -p
4.7 Main, non-free, contrib, and backports
Debian uses three archives to distinguish between software packages based on their licenses. Main is enabled by default and includes everything that satisfies the conditions of the Debian Free Software Guidelines. Non-free contains packages that do not meet all the conditions of the DFSG but can be freely distributed, and contrib packages are open-source themselves but rely on software in non-free to work.
Backports contains packages drawn from the testing (and sometimes unstable) archive and modified to work in the current stable release. All backports are disabled by default (to prevent unintended system upgrades) and are installed on a per PACKAGE basis by running ...
$ sudo apt -t bullseye-backports install PACKAGE
Modify /etc/apt/sources.list to add contrib, non-free, and backports ...
# Base repository
deb https://deb.debian.org/debian/ bullseye main contrib non-free
deb-src https://deb.debian.org/debian/ bullseye main contrib non-free
# Security updates
deb https://security.debian.org/debian-security bullseye-security main contrib non-free
deb-src https://security.debian.org/debian-security bullseye-security main contrib non-free
# Stable updates
deb https://deb.debian.org/debian bullseye-updates main contrib non-free
deb-src https://deb.debian.org/debian bullseye-updates main contrib non-free
# Stable backports
deb https://deb.debian.org/debian bullseye-backports main contrib non-free
deb-src https://deb.debian.org/debian bullseye-backports main contrib non-free
Any time sources.list is modified it's necessary to update the package database ...
$ sudo apt update
I create an alias - aaa - in my ~/.bashrc that combines, in a single command:
- updating the package database (apt update)
- running a full upgrade (apt list --upgradable && apt full-upgrade)
- removing package files that can no longer be downloaded, and are largely useless (apt autoclean)
- prompting to remove packages that were automatically installed to satisfy dependencies for other packages and are now no longer needed (apt autoremove)
Add ...
alias aaa="sudo apt update && apt list --upgradable && sudo apt full-upgrade && sudo apt autoclean && sudo apt autoremove"
Reload the new settings, and run ...
$ source ~/.bashrc
$ aaa
4.8 Command not found
Automatically search repositories when entering an unrecognized command, courtesy of the command-not-found package ...
$ sudo apt install command-not-found apt-file
$ sudo apt-file update && sudo update-command-not-found
Re-login to activate.
4.9 SSD
Periodic TRIM optimizes performance on SSD storage. Enable a weekly task that discards unused blocks on the drive ...
$ sudo systemctl enable fstrim.timer
4.10 mlocate
Set up the locate command and database for finding files ...
$ sudo apt install mlocate && sudo /etc/cron.daily/mlocate
4.11 Dot bashrc
Modify ~/.bashrc and create a colourful custom prompt ...
# colour codes
GREEN="\\[\\e[1;32m\\]"
YELLOW="\\[\\e[1;33m\\]"
BLUE="\\[\\e[1;34m\\]"
MAGENTA="\\[\\e[1;35m\\]"
WHITE="\\[\\e[1;37m\\]"
RESET="\\[\\e[0m\\]"
# Set a two-line prompt. If accessing via ssh include 'ssh-session' message.
if [[ -n "$SSH_CLIENT" ]]; then
    ssh_message="-ssh_session"
fi
PS1="${MAGENTA}\\u ${WHITE}at ${GREEN}\\h${YELLOW}${ssh_message} ${WHITE}in ${BLUE}\\w \\n$WHITE\$${RESET} "
Add aliases and functions, enable unlimited history, and more. Example: my own .bashrc.
4.12 Microcode
Intel and AMD processors may periodically need updates to their microcode firmware. Microcode can be updated (and kept in volatile memory) during boot by installing either intel-microcode or amd64-microcode (AMD) ...
$ sudo apt install intel-microcode
See: Microcode
4.13 Secure access using SSH keys
Create cryptographic keys, install the OpenSSH server, and configure remote access.
4.14 Use zram as swap
Instead of creating a separate swap partition or using a swapfile, it's possible to create a swap device in RAM itself with the Linux kernel module zram.
4.15 Where to go next ...
... is up to YOU.
I created debian-after-install, a shell script I use to set up my own virtual machines, servers and desktops. You are welcome to use it as-is, or fork and adapt it with your own ideas!
4.16 Helpful
- The Debian Administrator's Handbook by Raphaël Hertzog and Roland Mas
  In-depth guide to becoming a Debian power-user/sysadmin. Read online or download the ebook.
- Debian Package Tracker
  A searchable interface that packs a lot of information about a given package on a single page.
- r/debian
  Reddit forum for Debian.
- The Linux Command Line
  Command line use, programs, and shell scripting. Free ebook download.
- ArchWiki
  Dedicated to Arch Linux, but contains many excellent HOWTOs relevant to all Linux distros.
Notes
[1] Reserved blocks can be used by privileged system processes to write to disk - useful if a full filesystem blocks users from writing - and reduce disk fragmentation. On large non-root partitions, extra space can be gained by reducing this reserve. Example: Highlight and select /home partition, select Reserved blocks: and reduce the default 5% reserve set aside by Debian to 1%.
[2] Task selection menu can be used post-install by running the command tasksel.
[3] Problem: Setting the network interface to a static address can result in /etc/resolv.conf being overwritten every few minutes with an IPv6 address that breaks DNS. The "fix" is to manually set nameserver 8.8.8.8 in resolv.conf and install the resolvconf package. Note that dns-nameservers entries are ignored if resolvconf is not installed.
[4] Multiple wireless static IP address setups can be created with iface wlp1s0_NAME inet static and [de]activated with if{up,down} wlp1s0=wlp1s0_NAME.