Differences between revisions 1 and 22 (spanning 21 versions)
Revision 1 as of 2010-01-28 16:26:51
Size: 288
Editor: SamatJain
Comment:
Revision 22 as of 2014-07-11 03:24:24
Size: 3494
Editor: SamatJain
Comment: Add mosh to installed packages
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
Describe DebianChecklist here. Chris Lamb has a good [[http://www.chris-lamb.co.uk/2009/06/03/checklist-configuring-debian-system/|Debian installation checklist]], from which I stole most of this list.
Line 5: Line 5:
# Enable log compression with date postfix'd extension
cat /etc/logrotate.conf | sed "s/#compress/compress/" > /etc/logrotate.conf.tmp
echo "dateext" >> /etc/logrotate.conf.tmp		 # Configure sudo, adding my user to the sudo group so I don't get password prompts
aptitude install sudo
adduser xjjk sudo
echo '%sudo ALL=NOPASSWD: ALL' > /etc/sudoers.d/No-Passwords-for-sudo-Group
chmod 0440 /etc/sudoers.d/No-Passwords-for-sudo-Group

# Disable installation of recommended packages
echo 'APT::Install-Recommends "false";' > /etc/apt/apt.conf.d/90recommends

# Configure locales to prevent harassment about it later
aptitude install locales
dpkg-reconfigure -plow locales
# …or install all locales so they don't need to be configured/reinstalled
aptitude install locales-all

# Enable log compression with date suffixed extension
cat /etc/logrotate.conf | sed "s/#compress/compress\ndateext/" > /etc/logrotate.conf.tmp
Line 9: Line 23:

# Disable root login—public key access only!
cat /etc/ssh/sshd_config | sed "s/PermitRootLogin yes/PermitRootLogin without-password/" > /etc/ssh/sshd_config.tmp
mv /etc/ssh/sshd_config.tmp /etc/ssh/sshd_config
service ssh restart

# Prevent PAM from allowing easily-crackable passwords
aptitude install libpam-cracklib

# Install essential utilities
sudo aptitude install \
openssh-server screen \
rsync \
atool lzma rzip xz-utils \
htop dstat iotop \
manpages manpages-dev \
strace tcpdump lsof \
moreutils \
mosh \
dnsutils \
chrony \
vim less \
bash-completion \
sysfsutils procps \
vnstat \
unattended-upgrades \
ncurses-term \
cpufrequtils powertop \
molly-guard

# Enable automatic security updates (careful!) (TODO: this is interactive; how to pass "yes"?)
sudo dpkg-reconfigure -plow unattended-upgrades

# HDD Temperature/SMART monitoring utilities
aptitude install hddtemp smartmontools
sed -i 's/^#start_smartd=yes/start_smartd=yes/' /etc/default/smartmontools
/etc/init.d/smartmontools start

# Configure rsyslog for daily archival logging
cat << EOF > /etc/rsyslog.d/51-cron.conf
# Enable cron logging
cron.* /var/log/cron.log
EOF
cat << EOF > /etc/rsyslog.d/99-archive.conf
\$template DailyLogs,"/var/log/archive/%\$YEAR%%\$MONTH%/%\$YEAR%%\$MONTH%%\$DAY%.log"
# Archive logging
*.* -?DailyLogs
EOF
cat << EOF > /etc/cron.daily/rsyslog-archive
#!/bin/sh
# Compress *.log-files not changed in more than 24 hours
find /var/log/archive -type f -mtime +1 -name "*.log" -exec xz '{}' \;
EOF
chmod +x /etc/cron.daily/rsyslog-archive

# Async logging for rsync (commit every 30m)
cat << EOF > /etc/rsyslog.d/98-async.conf
\$OMFileFlushInterval 1800
\$OMFileASyncWriting on
EOF

# Use tmpfs for /var/run and /var/lock (may break some buggy packages), like Ubuntu
cat << EOF >> /etc/default/rcS
RAMRUN=yes
RAMLOCK=yes
EOF

# Allow running X11 apps remotely
sudo aptitude install xbase-clients

# Add noatime,commit=900 to entries in /etc/fstab

# Enable SATA ALPM
echo SATA_ALPM_ENABLE=true | sudo tee /etc/pm/config.d/sata_alpm
Line 10: Line 98:

== New account setup ==

=== Remote ===

{{{#!highlight sh
# Quiet login
touch .hushlogin
cd ~
mkdir -p .ssh/controls
mkdir -p .vim/tmp
chmod -R 755 .ssh
chmod 644 .ssh/authorized_keys
}}}

=== Locally ===

{{{#!highlight sh
# Setup dot files
git clone https://github.com/samatjain/dotfiles.git
source dotfiles/init
dots groups set base
dots install
}}}

Chris Lamb has a good Debian installation checklist, from which I stole most of this list. 

   1 # Configure sudo, adding my user to the sudo group so I don't get password prompts
   2 aptitude install sudo
   3 adduser xjjk sudo
   4 echo '%sudo ALL=NOPASSWD: ALL' > /etc/sudoers.d/No-Passwords-for-sudo-Group
   5 chmod 0440 /etc/sudoers.d/No-Passwords-for-sudo-Group
   6 
   7 # Disable installation of recommended packages
   8 echo 'APT::Install-Recommends "false";' > /etc/apt/apt.conf.d/90recommends
   9 
  10 # Configure locales to prevent harassment about it later
  11 aptitude install locales
  12 dpkg-reconfigure -plow locales
  13 # …or install all locales so they don't need to be configured/reinstalled
  14 aptitude install locales-all
  15 
  16 # Enable log compression with date suffixed extension
  17 cat /etc/logrotate.conf | sed "s/#compress/compress\ndateext/" > /etc/logrotate.conf.tmp
  18 mv /etc/logrotate.conf.tmp /etc/logrotate.conf
  19 
  20 # Disable root login—public key access only!
  21 cat /etc/ssh/sshd_config | sed "s/PermitRootLogin yes/PermitRootLogin without-password/" > /etc/ssh/sshd_config.tmp
  22 mv /etc/ssh/sshd_config.tmp /etc/ssh/sshd_config
  23 service ssh restart
  24 
  25 # Prevent PAM from allowing easily-crackable passwords
  26 aptitude install libpam-cracklib
  27 
  28 # Install essential utilities
  29 sudo aptitude install \
  30 openssh-server screen \
  31 rsync \
  32 atool lzma rzip xz-utils \
  33 htop dstat iotop \
  34 manpages manpages-dev \
  35 strace tcpdump lsof \
  36 moreutils \
  37 mosh \
  38 dnsutils \
  39 chrony \
  40 vim less \
  41 bash-completion \
  42 sysfsutils procps \
  43 vnstat \
  44 unattended-upgrades \
  45 ncurses-term \
  46 cpufrequtils powertop \
  47 molly-guard
  48 
  49 # Enable automatic security updates (careful!) (TODO: this is interactive; how to pass "yes"?)
  50 sudo dpkg-reconfigure -plow unattended-upgrades
  51 
  52 # HDD Temperature/SMART monitoring utilities
  53 aptitude install hddtemp smartmontools
  54 sed -i 's/^#start_smartd=yes/start_smartd=yes/' /etc/default/smartmontools
  55 /etc/init.d/smartmontools start
  56 
  57 # Configure rsyslog for daily archival logging
  58 cat << EOF > /etc/rsyslog.d/51-cron.conf
  59 # Enable cron logging
  60 cron.* /var/log/cron.log
  61 EOF
  62 cat << EOF > /etc/rsyslog.d/99-archive.conf
  63 \$template DailyLogs,"/var/log/archive/%\$YEAR%%\$MONTH%/%\$YEAR%%\$MONTH%%\$DAY%.log"
  64 # Archive logging
  65 *.* -?DailyLogs
  66 EOF
  67 cat << EOF > /etc/cron.daily/rsyslog-archive
  68 #!/bin/sh
  69 # Compress *.log-files not changed in more than 24 hours
  70 find /var/log/archive -type f -mtime +1 -name "*.log" -exec xz '{}' \;
  71 EOF
  72 chmod +x /etc/cron.daily/rsyslog-archive
  73 
  74 # Async logging for rsync (commit every 30m)
  75 cat << EOF > /etc/rsyslog.d/98-async.conf
  76 \$OMFileFlushInterval 1800
  77 \$OMFileASyncWriting on
  78 EOF
  79 
  80 # Use tmpfs for /var/run and /var/lock (may break some buggy packages), like Ubuntu
  81 cat << EOF >> /etc/default/rcS
  82 RAMRUN=yes
  83 RAMLOCK=yes
  84 EOF
  85 
  86 # Allow running X11 apps remotely
  87 sudo aptitude install xbase-clients
  88 
  89 # Add noatime,commit=900 to entries in /etc/fstab
  90 
  91 # Enable SATA ALPM
  92 echo SATA_ALPM_ENABLE=true | sudo tee /etc/pm/config.d/sata_alpm

New account setup

Remote

   1 # Quiet login
   2 touch .hushlogin
   3 cd ~
   4 mkdir -p .ssh/controls
   5 mkdir -p .vim/tmp
   6 chmod -R 755 .ssh
   7 chmod 644 .ssh/authorized_keys

Locally

   1 # Setup dot files
   2 git clone https://github.com/samatjain/dotfiles.git
   3 source dotfiles/init
   4 dots groups set base
   5 dots install

SamatsWiki: DebianChecklist (last edited 2019-10-18 23:01:36 by SamatJain)