Debian Headless

Installation Media

  1. Download the latest Debian netinstall release, specifically amd64.
  2. Flash image to USB drive.
    sudo dd if=debian-XX.X.X-amd64.netinst.iso of=/dev/TARGET_DEVICE bs=1M

Installer Options

Boot into the non-graphical installer. Choose default (sane) options, noting these specific details:

System

  1. Enter a sensible lowercase hostname. Prefer 2-3 syllables, and non-ambiguous spelling.
  2. Leave domain name blank.
  3. Leave root password blank, to disable the root account. Prefer to use a normal-privileged user with sudoer rights instead.
  4. Use the "single partition" guided method. No need for a separate /home partition when all storage will be handled by the storage driver.

Packages

  1. Uncheck Debian desktop environment and print server.
  2. Check only SSH server and standard system utilities.

Initial Setup

  1. Verify your login works.
  2. For console-aesthetics reasons, force color prompt:
    sed -i 's/#force_color/force_color/g' ~/.bashrc
    source ~/.bashrc
  3. Configure a static IP address (optional, but useful)
    sudo nano /etc/network/interfaces
    # CHANGE TO:
    #   auto INTERFACE_NAME
    #   iface INTERFACE_NAME inet static
    #   address 192.168.1.XXX
    #   gateway 192.168.1.1
    sudo service networking restart
  4. Define the additional users you want to create. This will be used in later steps.
    echo "user1 user2 user3" > users.txt
  5. Create users with password login disabled (for now).
    for user in `cat users.txt`; do
        sudo adduser --disabled-password --gecos "" $user
    done
    • Configure passwords later with sudo passwd USER
  6. Add users to publisher group.
    sudo groupadd publisher
    for user in $USER `cat users.txt`; do
        sudo usermod -a -G publisher $user
    done
  7. Add desired administrator users to sudo group.
    echo "user1 user2" > admins.txt
    for admin in `cat admins.txt`; do
        sudo adduser ${admin} sudo
    done

General Tools

  1. Install these handy tools
    sudo apt-get install htop screen smartmontools parted rsync curl

Unattended Upgrades

Enable automatic security (and regular) updates. Source: debian.org

  1. Install requisite packages.
    sudo apt-get install unattended-upgrades apt-listchanges
  2. Enable mailing information about the upgrades.
    sudo sed -i 's#//Unattended-Upgrade::Mail "";#Unattended-Upgrade::Mail "root";#g'  /etc/apt/apt.conf.d/50unattended-upgrades
  3. Enable auto-upgrades
    echo unattended-upgrades unattended-upgrades/enable_auto_updates boolean true | sudo debconf-set-selections
    sudo dpkg-reconfigure -f noninteractive unattended-upgrades

Postfix Email

Route root emails to a Gmail account. Source: easyengine.io

  1. Install packages
    sudo apt-get install postfix mailutils libsasl2-2 ca-certificates libsasl2-modules
    • Choose Internet Site, and keep the default entry for your hostname during the installation.
  2. Edit the Postfix config (sudo nano /etc/postfix/main.cf) to add the following:
    relayhost = [smtp.gmail.com]:587
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_security_options = noanonymous
    smtp_tls_CAfile = /etc/postfix/cacert.pem
    smtp_use_tls = yes
    
  3. Create smtp credentials file.
    sudo nano /etc/postfix/sasl_passwd
    1. Use the following template:
      [smtp.gmail.com]:587    USERNAME@gmail.com:PASSWORD
      
    2. Restrict permissions, add to postmap.
      sudo chmod 400 /etc/postfix/sasl_passwd
      sudo postmap /etc/postfix/sasl_passwd
  4. Fix errors with certificate validation.
    cat /etc/ssl/certs/thawte_Primary_Root_CA.pem | sudo tee -a /etc/postfix/cacert.pem
    sudo service postfix reload
  5. Set alias for routing root mail to a specific user.
    echo "
    root: user1
    user1: you@example.com
    " | sudo tee -a /etc/aliases
    sudo newaliases
  6. Finally, test the configuration
    echo "Test mail from postfix, sent `date`" | mail -s "Test Postfix" you@example.com
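
The relay settings in step 2 enable TLS only opportunistically (smtp_use_tls = yes corresponds to the "may" level), so whether the Gmail credentials travel encrypted depends on the server offering STARTTLS; setting smtp_tls_security_level = encrypt makes TLS mandatory. The shell audit below is an added example, not part of the original page: it flags that condition in a main.cf and checks credential-file permissions like those set in step 3. The function names and the scratch sample file are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the original page): audit the Postfix relay settings.
# Assumption: only single-line "name = value" assignments are parsed.

# Print the effective value of a main.cf parameter (the last assignment wins).
get_param() {  # usage: get_param MAIN_CF NAME
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); val = $0 }
        END { print val }' "$1"
}

# Resolve the TLS level the Postfix SMTP client will use.
effective_tls_level() {  # usage: effective_tls_level MAIN_CF
    local level
    level=$(get_param "$1" smtp_tls_security_level)
    if [ -z "$level" ]; then
        # The legacy switches only apply while smtp_tls_security_level is empty.
        if [ "$(get_param "$1" smtp_enforce_tls)" = yes ]; then level=encrypt
        elif [ "$(get_param "$1" smtp_use_tls)" = yes ]; then level=may
        else level=none; fi
    fi
    echo "$level"
}

# Return 0 and print a finding when SASL auth is on but TLS is not mandatory.
relay_auth_is_weak() {  # usage: relay_auth_is_weak MAIN_CF
    local level
    [ "$(get_param "$1" smtp_sasl_auth_enable)" = yes ] || return 1
    level=$(effective_tls_level "$1")
    case "$level" in
        encrypt|dane-only|fingerprint|verify|secure) return 1 ;;
    esac
    echo "WEAK: SASL auth enabled but TLS level is '$level' (not mandatory)"
}

# Return 0 when group or other have any access to a credential file.
cred_file_exposed() {  # usage: cred_file_exposed FILE
    [ $(( 0$(stat -c %a "$1") & 077 )) -ne 0 ]
}

# Constructed sample: the relay settings from step 2 in a scratch main.cf.
demo_cf=$(mktemp)
printf '%s\n' 'relayhost = [smtp.gmail.com]:587' 'smtp_sasl_auth_enable = yes' \
    'smtp_sasl_security_options = noanonymous' 'smtp_use_tls = yes' > "$demo_cf"
relay_auth_is_weak "$demo_cf" || echo "OK: relay TLS is mandatory"
cred_file_exposed "$demo_cf" && echo "EXPOSED: $demo_cf" || echo "OK: owner-only"
rm -f "$demo_cf"
```

On the host, point relay_auth_is_weak at /etc/postfix/main.cf and run cred_file_exposed against both /etc/postfix/sasl_passwd and the sasl_passwd.db that postmap generates from it.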

Fixing Issues

See headings below for how to address common issues.

Silencing kvm: disabled by bios

Create a modprobe conf file to blacklist the offending kvm modules, one blacklist entry per line:

    printf 'blacklist %s\n' kvm kvm_intel kvm_amd | sudo tee /etc/modprobe.d/blacklist-kvm.conf

Source: askubuntu answer

Rescuing GRUB from another OS

  1. Boot into live OS similar to the one being rescued.
  2. Mount the drive to be rescued, including separate /boot, /var, and /usr partitions if applicable.
  3. Bind mount some necessary stuff:
    for i in /sys /proc /run /dev; do sudo mount --bind "$i" "/mnt$i"; done
  4. If EFI mode is used (see this if unsure), find the EFI partition, then mount it:
    sudo fdisk -l | grep -i efi
    sudo mount /dev/sdXY /mnt/boot/efi
  5. sudo chroot /mnt
  6. update-grub. Can generally stop at this step.
  7. grub-install /dev/sdX
  8. update-grub
  9. Update EFI partition UUID if it changed.
    blkid | grep -i efi
    grep -i efi /etc/fstab
    
  10. If no errors, proceed with reboot.
    exit; sudo reboot

Source: askubuntu answer

Next Steps

Homepage