Minimal Debian Bookworm

Debian 12 aka "Bookworm" is the latest stable release of the popular Linux operating system. I use Debian's network installer image to create a minimal, console-only base configuration that can be customized for various tasks, servers, and desktops.
Let's go!
Debian GNU/Linux is an operating system created by volunteers of one of the largest and longest-running free software projects in the world. There are 3 release branches: stable (code-named "Bookworm"), testing ("Trixie"), and unstable ("Sid").
Below is a visual walk-through of an installation that makes use of the entire disk divided into three partitions: an ESP partition (UEFI systems), a boot partition, and a third partition where all the remaining storage is encrypted using Linux Unified Key Setup (LUKS).
Further into the install, the encrypted storage is used by the Logical Volume Manager (LVM) to create "virtual partitions" (Logical Volumes or LVs) for separate root, home, and swap file systems. Installing LVM on top of the encrypted partition allows the creation of multiple LVs protected by a single passphrase, and dynamic resizing of LVs as needed.
If using Debian's guided partitioning option, all the necessary partition arrangements are auto-configured whether the computer boots using MBR or UEFI.
0. Pre-install
(For amd64 systems) Download debian-12.1.0-amd64-netinst.iso and SHA256SUMS.
Verify image integrity ...
$ sha256sum -c --ignore-missing SHA256SUMS
debian-12.1.0-amd64-netinst.iso: OK
For other architectures supported by Debian, see: https://cdimage.debian.org/cdimage/release/current/
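The checksum step above shows that the image matches SHA256SUMS; the list itself is authenticated by its detached signature, SHA256SUMS.sign, published in the same directory. Added example (not from the original post): a shell function that checks the signature with gpgv first and the image digest second. The name verify_iso, its return codes, and the keyring path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage: verify_iso DIR ISO KEYRING
#   DIR holds ISO, SHA256SUMS and SHA256SUMS.sign; KEYRING holds the Debian
#   CD signing keys (assumed: /usr/share/keyrings/debian-role-keys.gpg,
#   from the debian-keyring package).
# Returns 0 ok, 1 digest mismatch, 2 bad signature, 3 ISO not listed, 64 usage.
verify_iso() {
    [ $# -eq 3 ] || { echo "usage: verify_iso DIR ISO KEYRING" >&2; return 64; }
    vi_dir=$1 vi_iso=$2 vi_keyring=$3

    # 1. Authenticate the checksum list before trusting anything in it.
    gpgv --keyring "$vi_keyring" "$vi_dir/SHA256SUMS.sign" "$vi_dir/SHA256SUMS" \
        || { echo "FAIL: SHA256SUMS signature did not verify" >&2; return 2; }

    # 2. Require an entry for exactly this file name ("*name" = binary mode).
    vi_want=$(awk -v f="$vi_iso" '$2 == f || $2 == ("*" f) { print $1; exit }' \
        "$vi_dir/SHA256SUMS")
    [ -n "$vi_want" ] || { echo "FAIL: $vi_iso is not listed" >&2; return 3; }

    # 3. Compare the listed digest with the one computed from the image.
    vi_have=$(sha256sum "$vi_dir/$vi_iso" | awk '{ print $1 }')
    [ "$vi_want" = "$vi_have" ] \
        || { echo "FAIL: digest mismatch for $vi_iso" >&2; return 1; }
    echo "OK: $vi_iso matches a signed SHA256SUMS entry"
}
```

Unlike sha256sum -c --ignore-missing, this fails explicitly when the image name has no entry in the list.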
Prepare a USB storage device as an installer using one of these two methods.
Method #1: Ventoy
I now use Ventoy to set up a USB device as a multiboot installer. Simply copy an ISO to the device, reboot, and the auto-generated menu lists all the disk images available to boot. Read more
Method #2: dd
Write the installer to an unmounted USB storage device using the dd command as root.
BE VERY CAREFUL TO NOTE THE PROPER DEVICE. ALL DATA ON THE DEVICE WILL BE OVERWRITTEN.
Example: On a Linux system, if a USB stick appears as sdx1, then write the installer to sdx (no partition number) ...
$ sudo dd if=path/to/debian-12.1.0-amd64-netinst.iso of=/dev/sdx bs=4M status=progress oflag=sync
1. Install
1.1 Boot and User
Leave the root password empty to assign the initial user account to the sudo group (root can be activated post-install if desired with sudo passwd root) ...
Example: Create an account for a user named "foo" ...
1.2 Partitions
Select the Guided - use entire disk and set up encrypted LVM option to make use of the entire disk configured with LVM on LUKS.
By default, this creates:
- an ESP partition (UEFI)
- a boot partition
- remaining storage is encrypted courtesy of LUKS, and used by LVM
If something different is desired, settings can be altered before writing partition layout to disk. [1]
Note: If more fine-grained control is desired, select Manual.
I recommend creating a separate home. This makes re-installs easier while preserving user data ...
I leave some free space available (10%) for future use, unless storage space is small (<64GB) ...
1.3 Packages
Use the Debian global mirrors service deb.debian.org ...
Select only [*] SSH server and [*] standard system utilities and leave the other tasks [2] unmarked ...
Packages are downloaded and the installer makes its finishing touches ...
2. First boot
User is prompted for the passphrase to unlock the encrypted partition ...
Login and welcome to Debian!
3. Check for errors
Failed systemd services ...
$ sudo systemctl --failed
High priority errors in the systemd journal ...
$ sudo journalctl -p 3 -xb
4. Configure system
4.1 Network
Most home routers come with an integrated Dynamic Host Configuration Protocol (DHCP) server, and allow configuration via a web console. I have OpenWrt installed on my router, and I create static leases to assign fixed IP addresses to client devices.
Debian's network interfaces are configured for the ifup and ifdown commands in /etc/network/interfaces.
By default, wired (ethernet) interfaces are configured for auto-detection and to use DHCP.
Example entry for wired ...
# The primary network interface
allow-hotplug enp0s31f6
iface enp0s31f6 inet dhcp
Example entry for wireless (the passphrase is stored in clear text, so restrict the file to root with mode 600) ...
allow-hotplug wlp61s0
iface wlp61s0 inet dhcp
    wpa-ssid <wifi_access_point_name>
    wpa-psk <wifi_passphrase>
Display all detected network interfaces along with their IP and MAC addresses ...
$ ip addr
Optional: Configure the wifi access point/router to assign static leases to designated devices.
Example: For a router running OpenWrt, login to the web console and navigate to Network->DHCP and DNS->Static Leases.
Click Add, then include the device's network interface MAC address, the hostname, and the desired IP address. When done click Save & Apply.
All subsequent connections to the local network by the server will see it assigned this IP address.
Optional: Once a link is established, install a network manager utility.
Packages network-manager and network-manager-gnome provide the console nmcli and graphical nm-applet clients respectively. Comment out (deactivate) any entries in interfaces that will be managed by network-manager.
4.2 Upgrade
Install any upgrades ...
$ sudo apt update && sudo apt full-upgrade
4.3 Sudo
To allow user foo to execute superuser commands without being prompted for a password, create the file /etc/sudoers.d/sudoer_foo containing ...
foo ALL=(ALL) NOPASSWD: ALL
4.4 Console fonts
Discover available fonts in /usr/share/consolefonts.
Set and display a font (example: Lat15-Terminus20x10) for the current session ...
$ sudo setfont Lat15-Terminus20x10
$ sudo showconsolefont
To make the selection persistent, either modify /etc/default/console-setup or run ...
$ sudo dpkg-reconfigure console-setup
$ sudo setupcon
4.5 Keyboard
For a different default language/keymap either modify /etc/default/keyboard or run ...
$ sudo dpkg-reconfigure keyboard-configuration
Enable use of the desired keymap when entering the LUKS passphrase in GRUB by rebuilding initramfs ...
$ sudo update-initramfs -u -k all
4.6 Sysctl
If a non-root user runs dmesg to read the contents of the kernel message buffer they will see ...
dmesg: read kernel buffer failed: Operation not permitted
To allow users to read the kernel log, modify /etc/sysctl.conf by adding ...
kernel.dmesg_restrict = 0
Reload the configuration ...
$ sudo sysctl -p
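Three of the settings above trade some protection for convenience: the clear-text wpa-psk in 4.1, the blanket NOPASSWD rule in 4.3, and kernel.dmesg_restrict = 0 in 4.6. Added example (not part of the original post): shell functions that report each of them in a given file, so the choices stay visible when the base image is reused for servers. The function names and messages are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: audit the settings from
# sections 4.1, 4.3 and 4.6. Each function takes the file to inspect, so it
# can be run on a copy. Return 0 = nothing to report, 1 = finding printed.

file_mode() { stat -c '%a' "$1"; }   # octal permission bits (GNU stat)

# 4.1: wpa-psk stores the wifi passphrase in clear text, so the file that
# holds it should be readable by its owner only.
check_interfaces() {
    grep -Eq '^[[:space:]]*wpa-psk[[:space:]]' "$1" || return 0
    case $(file_mode "$1") in
        600|400) return 0 ;;
    esac
    echo "WARN: $1 contains wpa-psk but has mode $(file_mode "$1") (want 600)"
    return 1
}

# 4.3: report rules that allow every command without a password, and
# drop-ins whose mode differs from 440 (the mode of /etc/sudoers itself).
check_sudoers() {
    cs_rc=0
    if [ "$(file_mode "$1")" != 440 ]; then
        echo "WARN: $1 has mode $(file_mode "$1") (want 440)"; cs_rc=1
    fi
    if grep -Ev '^[[:space:]]*#' "$1" \
        | grep -Eq 'NOPASSWD:[[:space:]]*ALL[[:space:]]*$'; then
        echo "WARN: $1 allows every command without a password"; cs_rc=1
    fi
    return $cs_rc
}

# 4.6: the last kernel.dmesg_restrict assignment in the file wins.
check_dmesg() {
    cd_val=$(sed -n \
        's/^[[:space:]]*kernel\.dmesg_restrict[[:space:]]*=[[:space:]]*\([0-9]*\).*$/\1/p' \
        "$1" | tail -n 1)
    [ "$cd_val" = 0 ] || return 0
    echo "WARN: $1 sets kernel.dmesg_restrict=0; any local user can read the kernel log"
    return 1
}
```

Run as root against the live files, for example check_sudoers /etc/sudoers.d/sudoer_foo.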
4.7 Main, non-free, contrib, and backports
Debian uses separate archives to distinguish between software packages based on their licenses:
- Main is enabled by default and includes everything that satisfies the conditions of the Debian Free Software Guidelines.
- Contrib packages are open-source themselves but rely on software in non-free to work.
- Non-free contains packages that do not meet all the conditions of the DFSG but can be freely distributed.
- Non-free-firmware (introduced in Debian 12) contains non-free firmware binaries packaged for devices that would be completely non-functional without them (example: many wireless cards).
- Backports contains packages drawn from the testing (and sometimes unstable) archive and modified to work in the current stable release.
All backports are disabled by default (to prevent unintended system upgrades) and are installed on a per PACKAGE basis by running ...
$ sudo apt -t bookworm-backports install PACKAGE
Modify /etc/apt/sources.list to add contrib, non-free, non-free-firmware, and backports ...
deb http://deb.debian.org/debian/ bookworm main contrib non-free non-free-firmware
# deb-src http://deb.debian.org/debian/ bookworm main contrib non-free non-free-firmware
deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
# deb-src http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
deb http://deb.debian.org/debian/ bookworm-updates main contrib non-free non-free-firmware
# deb-src http://deb.debian.org/debian/ bookworm-updates main contrib non-free non-free-firmware
deb http://deb.debian.org/debian/ bookworm-backports main contrib non-free non-free-firmware
# deb-src http://deb.debian.org/debian/ bookworm-backports main contrib non-free non-free-firmware
Any time sources.list is modified, it's necessary to update the package database ...
$ sudo apt update
4.8 Command not found
Automatically search repositories when entering an unrecognized command, courtesy of the command-not-found package ...
$ sudo apt install command-not-found apt-file
$ sudo apt-file update && sudo update-command-not-found
Re-login to activate.
4.9 plocate
Set up the locate command and database for finding files ...
$ sudo apt install plocate && sudo /etc/cron.daily/plocate
4.10 Dot bashrc
Modify ~/.bashrc and create a colourful custom prompt ...
# colour codes
GREEN="\\[\\e[1;32m\\]"
YELLOW="\\[\\e[1;33m\\]"
BLUE="\\[\\e[1;34m\\]"
MAGENTA="\\[\\e[1;35m\\]"
WHITE="\\[\\e[1;37m\\]"
RESET="\\[\\e[0m\\]"
# Set a two-line prompt. If accessing via ssh include 'ssh-session' message.
if [[ -n "$SSH_CLIENT" ]]; then
    ssh_message="-ssh_session"
fi
PS1="${MAGENTA}\\u ${WHITE}at ${GREEN}\\h${YELLOW}${ssh_message} ${WHITE}in ${BLUE}\\w \\n$WHITE\$${RESET} "
Add aliases and functions, enable unlimited history, and more.
Source: .bashrc
4.11 Microcode
Intel and AMD processors may periodically need updates to their microcode firmware.
Microcode can be updated (and kept in volatile memory) during boot by installing either intel-microcode or amd64-microcode (AMD) ...
$ sudo apt install intel-microcode
See: Microcode
4.12 Secure access using SSH keys
Create cryptographic keys, install the OpenSSH server, and configure remote access. Read more
4.13 Use zram for swap
Instead of using a separate swap partition or swapfile, an alternative is to create a swap device in RAM itself with the kernel module zram. Read more
4.14 Where to go next ...
... is up to YOU. Enjoy!
Note: I created debian-after-install, a Python script I use to set up my own virtual machines, servers, and desktops: Xorg + Openbox and Wayland + Sway.
5. Resources
- The Debian Administrator's Handbook by Raphaël Hertzog and Roland Mas
  - In-depth guide to becoming a Debian power-user/sysadmin. Read online or download the ebook.
- Debian Package Tracker
  - A searchable interface that packs a lot of information about a given package on a single page.
- The Linux Command Line
  - Command line use, programs, and shell scripting. Free ebook download.
- Learn Linux TV
  - YouTube channel with Linux tutorials, reviews, etc. Produced by the author of Mastering Ubuntu Server.
- ArchWiki
  - Written with Arch Linux in mind, but contains many excellent HOWTOs relevant to all Linux distros.
Notes
[1] Reserved blocks can be used by privileged system processes to write to disk - useful if a full filesystem blocks users from writing - and reduce disk fragmentation. On large non-root partitions, extra space can be gained by reducing this reserve. Example: Highlight and select /home partition, select Reserved blocks: and reduce the default 5% reserve set aside by Debian to 1%.
[2] Task selection menu can be used post-install by running the command tasksel.