While bringing up a Debian 11.3.0 server on one of my PCs, I want to record the process so that it can be easily reproduced. My goal is to record every single action that I make while setting up the server.
- Language: English
- Location: United States
- Keymap: American English
- Hostname: Anything will do
- Domain Name: Empty
- Root Password: Long password
- Full Name for New User: Ryan
- Username for Account: Ryan
- Password for New User: Common password
- Time Zone: Eastern
- Partitioning Method: See Partitioning Method
- Debian Archive Mirror Country: United States
- Debian Archive Mirror: deb.debian.org
- HTTP Proxy Info: Empty
- Participate in Package Usage Survey: No
- Choose Software to Install: See Software to Install
- Is the System Clock Set to UTC?: Yes
Installation is now complete. Remove the USB installer drive and reboot the system.
If using an entire disk for the root filesystem with encryption:
- Select "Guided - use entire disk and set up encrypted LVM"
- Choose the disk for root
- Select "Separate /home, /var, and /tmp partitions"
- Wait for the disk to be overwritten with random data (takes a while)
- Set the encryption password
- Set the volume group size to fill the disk
- Finish partitioning and write the changes to disk
Else if using an entire disk for the root filesystem without encryption:
- Select "Guided - use entire disk"
- Choose the disk for root
- Select "Separate /home, /var, and /tmp partitions"
- Finish partitioning and write the changes to disk
Else if using manual partitioning:
TODO: Write down steps for manual partitioning
- Select "Manual"
- Create partitions manually (ideally encrypting the root filesystem).
Always choose "standard system utilities".
If using a desktop environment, choose the following:
- Debian desktop environment
- Xfce
If running a web server, choose "web server".
If running an ssh server, choose "SSH server".
These instructions describe the general user configuration used throughout multiple systems as well as the steps for setting up users.
My main user is named ryan, but this name can be substituted for any other name.
Users root and ryan are properly set up by default with uid=0 and uid=1000 respectively. User backup-manager does not exist by default.
The following commands set up each user. User ryan will be added to the users group. User backup-manager will be created with a new home directory.
usermod -aG users ryan
useradd -m backup-manager
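The two commands above work on a fresh install but fail or warn when re-run (useradd refuses to create an account that already exists). Since the point of these notes is a reproducible build, the following is an idempotent version, added here as an example and not part of the original notes: each function checks the current state first and only changes what is missing. The functions, the DRY_RUN switch and the zz-constructed names are this example's own; root, ryan, backup-manager, the users group and the uids come from the text above.

```shell
#!/bin/sh
# Added example: idempotent user setup that can be re-run safely.
# Set DRY_RUN=1 to print the commands instead of running them, which
# also lets a non-root user see what would change.

# Run a command, or just print it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Return 0 when the account exists (asks NSS, not only /etc/passwd).
user_exists() { getent passwd "$1" >/dev/null 2>&1; }

# Return 0 when $1's uid is $2; report the actual uid otherwise.
expect_uid() {
    uid=$(id -u "$1" 2>/dev/null) || { echo "$1: no such user" >&2; return 1; }
    [ "$uid" = "$2" ] || { echo "$1 has uid $uid, expected $2" >&2; return 1; }
}

# Return 0 when $1 is a member of group $2 (primary or supplementary).
in_group() {
    for g in $(id -nG "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Create $1 with a home directory unless it already exists.
ensure_user() { user_exists "$1" || run useradd -m "$1"; }

# Add $1 to supplementary group $2 unless it is already a member.
ensure_user_in_group() { in_group "$1" "$2" || run usermod -aG "$2" "$1"; }

# The page's user layout: verify the installer's defaults, then apply
# the two changes from the text above.
setup_users() {
    expect_uid root 0 || return 1
    expect_uid ryan 1000 || return 1
    ensure_user_in_group ryan users
    ensure_user backup-manager
}

# Stand-alone use (as root):  sh this-script --apply
# Preview only:               DRY_RUN=1 sh this-script --apply
if [ "${1:-}" = --apply ]; then setup_users; fi
```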
Access to the root user will be blocked off as much as possible to prevent accidental or malicious changes to the system.
- Cannot log in through ssh
- Has a very strong password
Users in the sudo group have permission to run commands as root using sudo <COMMAND>. Note that these users need to enter their password to run sudo <COMMAND>. Only user ryan is in the sudo group for now. (NOTE: Maybe give the user ryan sudo permissions without the group if no other user will need the permissions)
User backup-manager can run the command sudo rsync without needing a password. This is used for storage backup purposes. User backup-manager cannot run any other command under sudo except for rsync.
User ryan is essentially user root when the sudo package is installed because ryan has permission to run commands as root. However, this functionality is locked behind ryan's password.
- Can log in through ssh
- Has a decently strong password
- Can only access files inside its own home directory (unless using sudo)
- Can run sudo <COMMAND> to run a command as root.
The backup-manager user is used to provide client access to storage backups, both reads and writes.
- Can log in through ssh
- Can have any password
- Can only access files inside its own home directory
- Can write files to the /archive directory when a client sends files to the rsync server
TODO: Move the following line to rsync service section
The backup files written through rsync have identical permissions, ownership, and timestamps to the original files.
As each system has different priorities and devices, storage setup will be very different for each system. General actions and settings will be listed here.
Backup archives should be stored in /archive.
I set the permissions of /archive to 750, meaning only the owner (root) can write to files under this directory and only users in the group (users) can read the files. This prevents accidental or malicious overwrites of backup files by unprivileged users.
I have no requirements or preferences for how /archive should be structured. It could be a single directory of system backups, or a directory tree of sorted backups. It could also contain multiple partitions. Generally each partition should be the same filesystem, but this shouldn't matter too much.
My current server has a single 2.7 TB partition with an ext4 filesystem mounted to /archive. However, I plan to use multiple physical partitions in /archive for my desktop system, so I will see how I want to set that up eventually.
Partitions listed in /etc/fstab are auto-mounted on system boot.
To match device partitions to UUIDs:
lsblk -o NAME,SIZE,UUID
For adding an ext4 partition to fstab:
echo "UUID={UUID} /path/to/mount ext4 defaults 0 0" >> /etc/fstab
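The echo above appends a new line every time it is run, so running the notes twice leaves two entries for the same mount point, and a typo in the UUID or mount point is only discovered at the next boot. The following added example (not a command from the original notes) wraps the same fstab line in two functions: fstab_line validates the UUID format and mount point before printing the entry, and fstab_add appends it only when neither that UUID nor that mount point is already listed. The function names and the sample UUIDs are this example's own, constructed for illustration.

```shell
#!/bin/sh
# Added example: build and append an /etc/fstab entry for a data partition
# without duplicating an existing one.

# Return 0 when $1 looks like a filesystem UUID (8-4-4-4-12 hex, as printed
# by lsblk or blkid).
valid_uuid() {
    printf '%s\n' "$1" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Print one fstab line for UUID $1 mounted at $2, type $3 (default ext4),
# options $4 (default "defaults"); dump=0 and fsck pass=0 as in the text above.
fstab_line() {
    uuid="$1"; mnt="$2"; fstype="${3:-ext4}"; opts="${4:-defaults}"
    valid_uuid "$uuid" || { echo "fstab_line: bad UUID '$uuid'" >&2; return 1; }
    case "$mnt" in
        /*) ;;
        *) echo "fstab_line: mount point must be absolute: '$mnt'" >&2; return 1 ;;
    esac
    printf 'UUID=%s %s %s %s 0 0\n' "$uuid" "$mnt" "$fstype" "$opts"
}

# Append fstab line $2 to file $1 unless its UUID or mount point is already
# present. Returns 0 when added, 2 when skipped, 1 when the line is malformed.
fstab_add() {
    file="$1"; line="$2"
    uuid=$(printf '%s\n' "$line" | awk '{ sub(/^UUID=/, "", $1); print $1 }')
    mnt=$(printf '%s\n' "$line" | awk '{ print $2 }')
    [ -n "$uuid" ] && [ -n "$mnt" ] || return 1
    [ -e "$file" ] || : > "$file"
    # Scan existing entries (comments and blank lines skipped); device fields
    # may be UUID=..., LABEL=... or /dev/..., so compare the stripped first field.
    if awk -v u="$uuid" -v m="$mnt" '
            /^[ \t]*(#|$)/ { next }
            { sub(/^UUID=/, "", $1); if ($1 == u || $2 == m) found = 1 }
            END { exit !found }' "$file"; then
        echo "fstab_add: $uuid or $mnt already listed in $file, not adding" >&2
        return 2
    fi
    printf '%s\n' "$line" >> "$file"
}

# Usage on the server, as root, after reading the UUID from lsblk:
#   fstab_add /etc/fstab "$(fstab_line <UUID> /archive ext4)" && findmnt --verify && mount -a
```

`findmnt --verify` (util-linux) parses /etc/fstab and reports problems before a reboot, and `mount -a` mounts the new entry immediately, so a bad entry is caught while the system is still up rather than at the next boot.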
These instructions show the installation and configuration for every package. Only the packages that need explicit configuration changes have their own sub-sections.
Note that most configuration files require a working ssh key connected to my Github account to clone the config repository.
The following packages will be installed using apt install <PACKAGE>:
If running an ssh server:
- openssh-server
If running a Samba server:
- samba
If running a MacOS Time Machine server:
- avahi-daemon
If running a mini-DLNA media server:
- minidlna
My default text editor.
This package is used as a fallback, as neovim will also be installed from source. This is because Debian currently ships neovim version 0.4, while version 0.6 is needed for a default runtime with toml syntax highlighting. I need the newer version because I edit Rust toml files often.
Thus, the obsolete version is only used if my installation from source is not available for some reason.
Config directory: ~/.config/nvim/
My config files are hosted on Github.
Make sure to install in all /home/<USER> directories for users that use neovim (possibly including root at /root).
TODO: Move the following line to their respective shell's section
Set nvim as the EDITOR environment variable:
- bash: echo 'export EDITOR=nvim' >> ~/.profile
- fish: set -Ux EDITOR nvim
Creates extra permissions for running processes as user root.
Add ryan to the sudo group:
usermod -aG sudo ryan
These instructions are for setting up individual services and their purposes.
Note that most configuration files require a working ssh key connected to my Github account to clone the config repository.
Services that will be enabled using systemctl start <SERVICE> and systemctl enable <SERVICE>:
Allow clients to access this machine through the ssh protocol.
Config files:
/etc/ssh/sshd_config
~/.ssh/authorized_keys
The configuration process needs to be done in the following steps:
- Start running the sshd service with the default config file.
- Create ssh keys for each potential client and send them to the ssh server using scp.
- Add these keys to the ~/.ssh/authorized_keys file for each user that can log in through ssh.
- Install the custom config file from Github to allow ssh keys and disable passwords.
On the client machines, do not forget to add the created keys to the ~/.ssh/config file.
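The last step above, together with the root rule earlier (root cannot log in through ssh), amounts to three settings in sshd_config: PermitRootLogin no, PasswordAuthentication no, and PubkeyAuthentication left on. The following is an added example, not the author's config from Github, that audits a config file for exactly those three values. It honours two sshd rules that are easy to trip over: the first occurrence of a keyword wins, and anything after a Match line is conditional, so only the global section counts. The function names and the two sample configs are constructed for this example.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the hardening described above.
# Assumes the "Keyword value" form; Include directives are not followed
# (on a live host, "sshd -T" prints the fully resolved configuration).

# Print the effective global value of keyword $2 in file $1 (lower-cased),
# or default $3 when the keyword is not set before the first Match block.
sshd_effective() {
    cfg="$1"; key="$2"; default="$3"
    val=$(awk -v key="$key" '
        /^[ \t]*(#|$)/ { next }                       # comments, blank lines
        tolower($1) == "match" { exit }               # rest is conditional
        tolower($1) == tolower(key) { print tolower($2); exit }   # first wins
    ' "$cfg")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$default"; fi
}

# Return 0 when root login and password authentication are off and
# public-key authentication is on; print one line per check.
audit_sshd() {
    cfg="$1"; rc=0
    # keyword, OpenSSH default (what applies when the line is missing), required value
    for check in "PermitRootLogin prohibit-password no" \
                 "PasswordAuthentication yes no" \
                 "PubkeyAuthentication yes yes"; do
        set -- $check
        got=$(sshd_effective "$cfg" "$1" "$2")
        if [ "$got" = "$3" ]; then
            printf 'ok    %s = %s\n' "$1" "$got"
        else
            printf 'FAIL  %s = %s (want %s)\n' "$1" "$got" "$3"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configs for a stand-alone run: $1 = path, $2 = hardened|default.
write_sample() {
    if [ "$2" = hardened ]; then
        cat > "$1" <<'EOF'
# constructed hardened sample
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
Match Group sftponly
    ForceCommand internal-sftp
EOF
    else
        cat > "$1" <<'EOF'
# constructed sample resembling the shipped file: nothing overridden
Include /etc/ssh/sshd_config.d/*.conf
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
EOF
    fi
}

# Stand-alone usage: audit_sshd /etc/ssh/sshd_config, or the sample when no path is given.
if [ -n "${1:-}" ]; then
    audit_sshd "$1"
else
    tmp=$(mktemp -d)
    write_sample "$tmp/sshd_config" hardened
    audit_sshd "$tmp/sshd_config"
    rm -r "$tmp"
fi
```

On the server itself, `sshd -T` (run as root) prints the effective configuration with every Include resolved, so `sshd -T | grep -iE 'permitrootlogin|passwordauthentication|pubkeyauthentication'` is the check to run after installing the custom config and before closing the session that installed it.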
Allow clients to read and write backups to the server's local storage.
Config file: /etc/rsyncd.conf
Example config file that allows reads/writes to/from the /archive directory:
[archive]
path = /archive
comment = Backup Archive
read only = no
uid = 0
gid = 0
Run visudo and add the following line:
backup-manager ALL= NOPASSWD:/usr/bin/rsync
This allows user backup-manager to run only sudo rsync or sudo /usr/bin/rsync. Trying to run any other command with sudo will fail for this user. To back up a directory from a client machine, an ssh key for backup-manager is needed.
From a client machine, the following command can be run to back up a directory on the client machine to the /archive directory on the server:
sudo rsync -avP --rsync-path="sudo rsync" -e "ssh" /path/to/backup rsync://backup-manager@<SERVER_ADDR>/archive
The command sudo is used to ensure file permissions and ownership stay unaltered.
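Two practical notes on the sudoers rule above. First, editing /etc/sudoers by hand is only one option; sudo also reads files under /etc/sudoers.d, which must be owned by root with mode 0440 and must not contain '.' or '~' in their names, and `visudo -c -f FILE` checks a file's syntax without installing it (a syntax error in sudoers can lock everyone out of sudo). Second, the rule limits backup-manager to one command, but that command is a file-copying program running as root with arbitrary arguments, so it can read or write any file on the server; whoever holds backup-manager's ssh key effectively holds root, and the key should be protected like a root credential. The following added example (not a command from the original notes) installs the rule text above as a drop-in with the required mode, using an atomic rename so a half-written file is never parsed; the function name and the directory argument are this example's own.

```shell
#!/bin/sh
# Added example: install the backup-manager rule as a sudoers.d drop-in.

# The rule from the text above, unchanged.
RULE='backup-manager ALL= NOPASSWD:/usr/bin/rsync'

# Write rule $2 to file $1 under directory $3 (default /etc/sudoers.d)
# with mode 0440; print the installed path. Returns 1 on a bad name,
# a write failure, or (when run as root) a syntax error reported by visudo.
install_sudo_rule() {
    name="$1"; rule="$2"; dir="${3:-/etc/sudoers.d}"
    case "$name" in
        *.*|*~*|'') echo "install_sudo_rule: sudo ignores names containing '.' or '~': '$name'" >&2; return 1 ;;
    esac
    # A dot-prefixed temp name is itself ignored by sudo, so the file is
    # never read half-written; mv onto the final name is atomic.
    tmpf=$(mktemp "$dir/.$name.XXXXXX") || return 1
    printf '%s\n' "$rule" > "$tmpf" || { rm -f "$tmpf"; return 1; }
    chmod 0440 "$tmpf"
    # visudo -c -f parses without installing; it also insists on root
    # ownership, so it is only meaningful (and only run) when we are root.
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        if ! visudo -c -q -f "$tmpf"; then
            rm -f "$tmpf"
            echo "install_sudo_rule: syntax error in rule, nothing installed" >&2
            return 1
        fi
    fi
    mv "$tmpf" "$dir/$name" && printf '%s\n' "$dir/$name"
}

# Usage on the server, as root:
#   install_sudo_rule backup-manager "$RULE"
# then verify with:  sudo -l -U backup-manager
```

`sudo -l -U backup-manager` lists exactly what the account may run, which is the quickest way to confirm the rule took effect and that nothing broader was granted by accident.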
Allow MacOS/Windows clients to read/write to the system's local storage.
Config file: /etc/samba/smb.conf
Example global config:
[global]
workgroup = WORKGROUP
security = user
log file = /var/log/samba/log.%m
max log size = 1000
logging = file
panic action = /usr/share/samba/panic-action %d
server role = standalone server
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
# Time machine global settings
min protocol = SMB2
ea support = yes
vfs objects = fruit streams_xattr
fruit:metadata = stream
fruit:model = MacSamba
fruit:veto_appledouble = yes
fruit:posix_rename = yes
fruit:zero_file_id = yes
Example config file that opens /archive up as a read-only samba share:
[archive]
path = /archive
comment = Archive
browseable = yes
read only = yes
writable = no
valid users = ryan
public = no
guest ok = no
Samba keeps its own user database, separate from the Linux accounts, so ryan needs to be added as a samba user to access this samba share. Note that for a samba user to exist, a Linux user with the same name needs to also exist.
Run the following command to add ryan as a samba user (it will prompt for a password; use a strong one):
smbpasswd -a ryan
Samba can act as a Time Machine server by adding a time machine share and installing avahi-daemon.
Example config that creates a time machine share:
[timemachine]
vfs objects = fruit streams_xattr
fruit:aapl = yes
fruit:time machine = yes
path = /archive/timemachine
browseable = no
read only = no
writable = yes
valid users = ryan
public = no
guest ok = no
fruit:time machine max size = 200G
Allow DLNA clients to stream media from the server.
Config file: /etc/minidlna.conf
Add at least the following lines to the config file:
user=minidlna
mediadir=/path/to/media
Ensure the following statements are true:
- The directory used as mediadir must have permissions for the users group to read files.
- The minidlna user should be added to the users group with the following command run as root: usermod -aG users minidlna
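Both the mediadir requirement above and the /archive layout earlier (owned by root, group users, mode 750) come down to the same property: the group must be able to list and read the directory while everyone else is locked out. The following added example, not part of the original notes, checks that property on a given path. check_dir_perms compares mode, owner and group against exact expected values; group_readable_only checks only the property itself, whatever the exact mode, so it applies to a media directory that may legitimately be 770 or 750. The function names are this example's own, and the functions rely on GNU stat as shipped with Debian.

```shell
#!/bin/sh
# Added example: verify directory ownership and mode for /archive and a
# minidlna mediadir.

# Print "mode owner group" for a path, e.g. "750 root users".
dir_facts() { stat -c '%a %U %G' "$1"; }

# Return 0 when $1 is a directory with exactly mode $2, owner $3 and
# group $4; each mismatch is reported on stderr.
check_dir_perms() {
    dir="$1"; want_mode="$2"; want_owner="$3"; want_group="$4"
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    set -- $(dir_facts "$dir")      # $1=mode $2=owner $3=group
    rc=0
    [ "$1" = "$want_mode" ]  || { echo "$dir: mode $1, want $want_mode" >&2; rc=1; }
    [ "$2" = "$want_owner" ] || { echo "$dir: owner $2, want $want_owner" >&2; rc=1; }
    [ "$3" = "$want_group" ] || { echo "$dir: group $3, want $want_group" >&2; rc=1; }
    return $rc
}

# Return 0 when the group has read+execute on $1 (needed to list the
# directory and open files in it) and "others" have no access at all.
group_readable_only() {
    dir="$1"
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    mode=$(stat -c '%a' "$dir")
    # keep the last three digits so a setgid bit (e.g. 2750) does not matter
    tail3=$(printf '%s' "$mode" | sed 's/.*\(...\)$/\1/')
    case "$tail3" in
        ?[57]0) return 0 ;;
        *) echo "$dir: mode $mode does not give the group read+execute with no access for others" >&2
           return 1 ;;
    esac
}

# Usage on the server:
#   check_dir_perms /archive 750 root users
#   group_readable_only /path/to/media
```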