Difference between revisions of "Packages (Buster)"
Jump to navigation
Jump to search
(Created page with "__TOC__ This document covers package management itself, in addition to documenting some smaller packages that I use. == Apt == I tend to use aptitude rather than apt-get, pe...") |
|||
| (3 intermediate revisions by 2 users not shown) | |||
| Line 6: | Line 6: | ||
I tend to use aptitude rather than apt-get, personally, and I always turn off 'auto-resolve dependencies' and 'install recommended packages automatically'. | I tend to use aptitude rather than apt-get, personally, and I always turn off 'auto-resolve dependencies' and 'install recommended packages automatically'. | ||
| − | * apt-get install aptitude aptitude-doc-en | + | * apt-get install aptitude aptitude-doc-en apt-transport-https lsb-release ca-certificates curl |
Your mileage may vary, but I try to know something about every component going into my system. | Your mileage may vary, but I try to know something about every component going into my system. | ||
| Line 24: | Line 24: | ||
deb-src http://ftp.us.debian.org/debian/ buster-backports main | deb-src http://ftp.us.debian.org/debian/ buster-backports main | ||
| − | + | If running PHP, you may want to go for the [https://deb.sury.org/ package maintainer's repo]. Run: | |
| + | curl -sSL -o /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg | ||
| + | sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list' | ||
Generally a good idea to try to find your closest mirror. Sometimes your host even provides a mirror - will certainly make them happier if you use it. | Generally a good idea to try to find your closest mirror. Sometimes your host even provides a mirror - will certainly make them happier if you use it. | ||
| Line 61: | Line 63: | ||
** /etc/console-setup may need to get removed manually | ** /etc/console-setup may need to get removed manually | ||
| − | == ntpdate == | + | == ntpsec-ntpdate == |
Significantly more lightweight than ntp, easier to configure and one less server to run. If you have a number of machines at a site, you may want to run one server and have the others pull off of it. Beyond this, though, | Significantly more lightweight than ntp, easier to configure and one less server to run. If you have a number of machines at a site, you may want to run one server and have the others pull off of it. Beyond this, though, | ||
| − | * /etc/ | + | You will need to create the config: |
| − | + | ||
| − | + | * /etc/ntpsec/ntp.conf | |
| + | # /etc/ntpsec/ntp.conf, configuration for ntpd; see ntp.conf(5) for help | ||
| + | |||
| + | driftfile /var/lib/ntpsec/ntp.drift | ||
| + | leapfile /usr/share/zoneinfo/leap-seconds.list | ||
| + | |||
| + | # You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging. | ||
| + | #statsdir /var/log/ntpsec/ | ||
| + | #statistics loopstats peerstats clockstats | ||
| + | #filegen loopstats file loopstats type day enable | ||
| + | #filegen peerstats file peerstats type day enable | ||
| + | #filegen clockstats file clockstats type day enable | ||
| + | |||
| + | # Comment this out if you have a refclock and want it to be able to discipline | ||
| + | # the clock by itself (e.g. if the system is not connected to the network). | ||
| + | tos minclock 4 minsane 3 | ||
| + | |||
| + | # Specify one or more NTP servers. | ||
| + | |||
| + | # pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will | ||
| + | # pick a different set every time it starts up. Please consider joining the | ||
| + | # pool: <https://www.pool.ntp.org/join.html> | ||
| + | # I switched to Google's servers, as ntpdate tends to pick one and fails hard if there's an issue rather than trying a different server. | ||
| + | server time1.google.com iburst | ||
| + | server time2.google.com iburst | ||
| + | server time3.google.com iburst | ||
| + | server time4.google.com iburst | ||
| + | #server time.cloudflare.com | ||
| + | #pool 0.debian.pool.ntp.org iburst | ||
| + | #pool 1.debian.pool.ntp.org iburst | ||
| + | #pool 2.debian.pool.ntp.org iburst | ||
| + | #pool 3.debian.pool.ntp.org iburst | ||
| + | |||
| + | # Note that Google implements leap smearing. Don't combine leap-smearing and non-leap-smearing servers. | ||
| + | |||
| + | # Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html | ||
| + | # for details. | ||
| + | # | ||
| + | # Note that "restrict" applies to both servers and clients, so a configuration | ||
| + | # that might be intended to block requests from certain clients could also end | ||
| + | # up blocking replies from your own upstream servers. | ||
| + | |||
| + | # By default, exchange time with everybody, but don't allow configuration. | ||
| + | restrict default kod nomodify nopeer noquery limited | ||
| + | |||
| + | # Local users may interrogate the ntp server more closely. | ||
| + | restrict 127.0.0.1 | ||
| + | restrict ::1 | ||
| + | |||
* /etc/cron.hourly/ntpdate | * /etc/cron.hourly/ntpdate | ||
#!/bin/sh | #!/bin/sh | ||
#/etc/cron.hourly/ntpdate | #/etc/cron.hourly/ntpdate | ||
#ntpdate autorun | #ntpdate autorun | ||
| + | # -4 forces ipv4, -6 forces ipv6. | ||
if [ -f /usr/sbin/ntpdate-debian ]; then | if [ -f /usr/sbin/ntpdate-debian ]; then | ||
| − | + | /usr/sbin/ntpdate-debian -4B >/dev/null | |
fi | fi | ||
Latest revision as of 18:28, 21 January 2021
This document covers package management itself, in addition to documenting some smaller packages that I use.
Apt
I tend to use aptitude rather than apt-get, personally, and I always turn off 'auto-resolve dependencies' and 'install recommended packages automatically'.
- apt-get install aptitude aptitude-doc-en apt-transport-https lsb-release ca-certificates curl
Your mileage may vary, but I try to know something about every component going into my system.
- /etc/apt/sources.list
deb http://deb.debian.org/debian/ buster main deb-src http://deb.debian.org/debian/ buster main
deb http://security.debian.org/debian-security buster/updates main deb-src http://security.debian.org/debian-security buster/updates main
deb http://deb.debian.org/debian/ buster-updates main deb-src http://deb.debian.org/debian/ buster-updates main
deb http://ftp.us.debian.org/debian/ buster-backports main deb-src http://ftp.us.debian.org/debian/ buster-backports main
If running PHP, you may want to go for the package maintainer's repo. Run:
curl -sSL -o /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list'
Generally a good idea to try to find your closest mirror. Sometimes your host even provides a mirror - will certainly make them happier if you use it.
To save time, I automatically run apt-get update hourly, through cron:
- /etc/cron.hourly/apt-get-update
#!/bin/sh #/etc/cron.hourly/apt-get-update # Much simpler than the cron-apt package. /usr/bin/apt-get update /usr/bin/apt-get -dy upgrade
Run:
chmod 0750 /etc/cron.hourly/apt-get-update
This automatically checks for updates, and downloads them, but it does not apply them.
Package Additions
- conntrack sysstat iotop lm-sensors sash libpam-tmpdir zip unzip libdigest-whirlpool-perl acct nmap cgdb sudo
- You may want to devote some time to what acct and sysstat can do for you.
- Development: apt-get install fakeroot debhelper build-essential
Package Removal
Debian has some defaults that you probably do not need on a server:
- Careful purge: task-ssh-server (be sure not to lose your actual ssh server).
- Basic Purge: task-english console-setup-linux isc-dhcp-client isc-dhcp-common laptop-detect libx11-data libxau6 libxdmcp6 portmap tasksel xauth xkb-data
- The culturally insensitive may also purge: console-setup console-terminus kbd keyboard-configuration
- /etc/console-setup may need to get removed manually
ntpsec-ntpdate
Significantly more lightweight than ntp, easier to configure and one less server to run. If you have a number of machines at a site, you may want to run one server and have the others pull off of it. Beyond this, though,
You will need to create the config:
- /etc/ntpsec/ntp.conf
# /etc/ntpsec/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
driftfile /var/lib/ntpsec/ntp.drift leapfile /usr/share/zoneinfo/leap-seconds.list
# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging. #statsdir /var/log/ntpsec/ #statistics loopstats peerstats clockstats #filegen loopstats file loopstats type day enable #filegen peerstats file peerstats type day enable #filegen clockstats file clockstats type day enable
# Comment this out if you have a refclock and want it to be able to discipline # the clock by itself (e.g. if the system is not connected to the network). tos minclock 4 minsane 3
# Specify one or more NTP servers.
# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will # pick a different set every time it starts up. Please consider joining the # pool: <https://www.pool.ntp.org/join.html> # I switched to Google's servers, as ntpdate tends to pick one and fails hard if there's an issue rather than trying a different server. server time1.google.com iburst server time2.google.com iburst server time3.google.com iburst server time4.google.com iburst #server time.cloudflare.com #pool 0.debian.pool.ntp.org iburst #pool 1.debian.pool.ntp.org iburst #pool 2.debian.pool.ntp.org iburst #pool 3.debian.pool.ntp.org iburst
# Note that Google implements leap smearing. Don't combine leap-smearing and non-leap-smearing servers.
# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html # for details. # # Note that "restrict" applies to both servers and clients, so a configuration # that might be intended to block requests from certain clients could also end # up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration. restrict default kod nomodify nopeer noquery limited
# Local users may interrogate the ntp server more closely. restrict 127.0.0.1 restrict ::1
- /etc/cron.hourly/ntpdate
#!/bin/sh #/etc/cron.hourly/ntpdate #ntpdate autorun # -4 forces ipv4, -6 forces ipv6. if [ -f /usr/sbin/ntpdate-debian ]; then /usr/sbin/ntpdate-debian -4B >/dev/null fi
- Run:
chmod 0750 /etc/cron.hourly/ntpdate
Random silly packages
- fortunes (and friends), cowsay, filters
- Is good to greet visitors with a talking cow. Reminds you how seriously you should take your job.
- bsdgames, nethack-console, slashem
- One of these decades I will get around to ascending...