
How to Set Up Debian for MY needs
=================================

## Partitioning

Use the smaller & faster SSD for the system. Make sure it has TWO partitions so
the system can easily be upgraded later by just replacing it with a new install
in the other partition.

I prefer to put the users' home on a larger drive (maybe an HDD) for data
storage. If there's only ONE drive, we need an additional partition for the
home too.


## Base system

Install the base system through Debian's ISO installers. Usually the net
installer is fine.

Do NOT install ANY additional bloat! E.g. untick ALL extra software like
desktops etc. Even disable the standard-system-utilities option.


## Install core tools

ALWAYS use '--no-install-recommends' when installing something to prevent
useless bloat from being installed.

  && apt install -y --no-install-recommends vim net-tools openssh-server openssh-client bash bash-completion


## Set up firewall

WARN: Does NOT set up the effective rules. Rules need to be filled in by admin.

WARN: This snippet may cut off network connections, including your remote shell!

  && $SUDO apt install -y --no-install-recommends iptables iptables-persistent \
  && printf '# TODO add contents here\n' | $SUDO tee /etc/iptables/src-default >/dev/null \
  && printf '\n[WARN ] Needs more setup: /etc/iptables/src-default\n\n' \
  && printf '%s\n' \
       '## Apply from file' '' \
       'cat /etc/iptables/src-default | $SUDO iptables-restore' '' \
       '## store current session as default' '' \
       '$SUDO iptables-save | $SUDO tee /etc/iptables/rules.v4 > /dev/null' \
       | $SUDO tee /etc/iptables/README >/dev/null \
  && printf '# TODO setup file contents\n' | $SUDO tee /etc/iptables/src-default4 >/dev/null \
  && printf '%s\n' \
       '*filter' '' \
       '# Loopback' \
       '-A INPUT  -i lo -j ACCEPT' \
       '-A OUTPUT -o lo -j ACCEPT' '' \
       '# Log blocked connection attempts' \
       '-A INPUT   -j LOG --log-prefix "Fw6BadInn: " --log-level 6' \
       '-A FORWARD -j LOG --log-prefix "Fw6BadFwd: " --log-level 6' \
       '-A OUTPUT  -j LOG --log-prefix "Fw6BadOut: " --log-level 6' '' \
       '# Disallow any non-whitelisted packets' \
       '-A INPUT   -j DROP' \
       '-A FORWARD -j REJECT' \
       '-A OUTPUT  -j REJECT' '' \
       'COMMIT' | $SUDO tee /etc/iptables/src-default6 >/dev/null \
  && printf '%s\n' \
       '*filter' \
       '-A INPUT   -j ACCEPT' \
       '-A FORWARD -j ACCEPT' \
       '-A OUTPUT  -j ACCEPT' \
       'COMMIT' | $SUDO tee /etc/iptables/src-allowAll4 >/dev/null \
  && $SUDO touch /etc/iptables/src-tmp \
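
An added example, not part of the original note: a static check that flags a ruleset file, such as the src-default6 template above, whose INPUT or OUTPUT chain ends in a catch-all DROP/REJECT with no earlier ACCEPT for established connections or the SSH port, which is the case the WARN above describes. The function name `lint_ruleset`, the default port 22 and the sample file are assumptions; the check is a heuristic on the file text and loads no rules.

```shell
#!/bin/sh
# Added example (not from the original note): lint an iptables-restore source file.
# lint_ruleset FILE [SSH_PORT]  -- hypothetical helper; port defaults to 22 (assumption)
lint_ruleset() {
  awk -v port="${2:-22}" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
    $1 == "*filter" { in_filter = 1; next }
    $1 == "COMMIT"  { if (in_filter) committed = 1; in_filter = 0; next }
    !in_filter || $1 != "-A" { next }
    $2 != "INPUT" && $2 != "OUTPUT" { next }
    closed[$2] { next }                     # rules after a catch-all never match
    # Catch-all: "-A CHAIN -j DROP|REJECT" with no match options
    NF == 4 && $3 == "-j" && ($4 == "DROP" || $4 == "REJECT") { closed[$2] = 1; next }
    $NF != "ACCEPT" { next }
    {
      # An existing SSH session needs inbound dport / outbound sport, or ESTABLISHED
      want = ($2 == "INPUT") ? "--dport" : "--sport"
      for (i = 3; i < NF; i++)
        if ($i ~ /ESTABLISHED/ || ($i == want && $(i + 1) == port)) ok[$2] = 1
    }
    END {
      if (!committed) { print "no complete *filter ... COMMIT block"; bad = 1 }
      n = split("INPUT OUTPUT", chains, " ")
      for (c = 1; c <= n; c++)
        if (closed[chains[c]] && !ok[chains[c]]) {
          print chains[c] ": closed with no earlier ACCEPT for ESTABLISHED or tcp/" port
          bad = 1
        }
      exit bad + 0
    }' "$1"
}

# Constructed sample: the INPUT/OUTPUT rules of the src-default6 template above.
sample=$(mktemp)
printf '%s\n' '*filter' \
  '-A INPUT  -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT' \
  '-A INPUT   -j DROP' '-A OUTPUT  -j REJECT' 'COMMIT' > "$sample"
lint_ruleset "$sample" || echo "refusing to apply $sample over a remote shell"
rm -f "$sample"
```

A non-zero return means the file should not be piped into iptables-restore from a remote session until the whitelist rules are filled in.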


## Mount home partition

# /etc/fstab
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx  /mnt/nameOfHdd  ext4  noatime  0  2
/mnt/nameOfHdd/home  /home  none  bind  0  0


## Configure Locale

- In "/etc/locale.gen" enable all of:
  "de_CH.UTF-8 UTF-8", "de_CH ISO-8859-1", "en_DK.UTF-8 UTF-8", "en_DK ISO-8859-1".
- Run "locale-gen".
- Check list with "locale -a".
- Change "/etc/default/locale" contents to:
    LANG=en_DK.UTF-8
    LANGUAGE="en_US:en"


## Install Desktop Env

  && $SUDO apt install -y --no-install-recommends xorg openbox mate-terminal lightdm light-locker feh scrot lxpanel qalculate-gtk gmrun gnome-system-monitor vim-gtk3 \
  && mkdir -p ~/.config/openbox \
  && update-alternatives  \

Populate "/etc/environment" as described by "./etc-environment".


## Install whatever is needed

  && $SUDO apt install -y --no-install-recommends \
       `# basic CLI` \
       vim htop pv openssh-client iptables iptables-persistent xxd zip unzip xz-utils p7zip-full \
       file trash-cli genisoimage ncat \
       `# basic UI` \
       firefox-esr file-roller thunderbird chromium evince \
       `# software devel` \
       git sqlite3 manpages-dev gdb qemu-utils qemu-system wireshark samba tigervnc-viewer \
       `# server` \
       nginx-light \
       `# multimedia` \
       pulseaudio pavucontrol vlc audacity eom darktable gimp lame flac opus-tools ffmpeg \
       `# encryption` \
       keepassxc gpg \
       `# UI customization` \
       gnome-themes-extra \
       `# Office Suite` \
       libreoffice-writer libreoffice-calc libreoffice-draw libxrender1 libgl1 \
       fonts-crosextra-caladea fonts-crosextra-carlito fonts-dejavu fonts-liberation \
       fonts-liberation2 fonts-linuxlibertine fonts-noto-core fonts-noto-mono fonts-noto-ui-core \
       fonts-sil-gentium-basic pdftk-java \
       `# Others` \
       lm-sensors fancontrol \
       `# Nvidia graphics (open)` \
       mesa-utils clinfo mesa-opencl-icd \
       `# Nvidia graphics (non-free, DoesNotWorkYet)` \
       nvidia-detect nvidia-tesla-470-driver linux-headers-amd64 \