Difference between revisions of "Packages (Buster)"

From Hexwiki
Jump to navigation Jump to search
(Created page with "__TOC__ This document covers package management itself, in addition to documenting some smaller packages that I use. == Apt == I tend to use aptitude rather than apt-get, pe...")
 
 
(3 intermediate revisions by 2 users not shown)
Line 6: Line 6:
 
I tend to use aptitude rather than apt-get, personally, and I always turn off 'auto-resolve dependencies' and 'install recommended packages automatically'.
 
I tend to use aptitude rather than apt-get, personally, and I always turn off 'auto-resolve dependencies' and 'install recommended packages automatically'.
  
* apt-get install aptitude aptitude-doc-en
+
* apt-get install aptitude aptitude-doc-en apt-transport-https lsb-release ca-certificates curl
  
 
Your mileage may vary, but I try to know something about every component going into my system.
 
Your mileage may vary, but I try to know something about every component going into my system.
Line 24: Line 24:
 
  deb-src http://ftp.us.debian.org/debian/ buster-backports main
 
  deb-src http://ftp.us.debian.org/debian/ buster-backports main
  
I personally don't go for -sloppy, at least not currently.
+
If running PHP, you may want to go for the [https://deb.sury.org/ package maintainer's repo]. Run:
 +
curl -sSL -o /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
 +
sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list'
  
 
Generally a good idea to try to find your closest mirror. Sometimes your host even provides a mirror - will certainly make them happier if you use it.
 
Generally a good idea to try to find your closest mirror. Sometimes your host even provides a mirror - will certainly make them happier if you use it.
Line 61: Line 63:
 
** /etc/console-setup may need to get removed manually
 
** /etc/console-setup may need to get removed manually
  
== ntpdate ==
+
== ntpsec-ntpdate ==
  
 
Significantly more lightweight than ntp, easier to configure and one less server to run. If you have a number of machines at a site, you may want to run one server and have the others pull off of it. Beyond this, though,  
 
Significantly more lightweight than ntp, easier to configure and one less server to run. If you have a number of machines at a site, you may want to run one server and have the others pull off of it. Beyond this, though,  
  
* /etc/default/ntpdate
+
You will need to create the config:
** NTPOPTIONS=" -B "
+
 
** forces slewing. Prevents time travel. Time travel bad.
+
* /etc/ntpsec/ntp.conf
 +
# /etc/ntpsec/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
 +
 
 +
driftfile /var/lib/ntpsec/ntp.drift
 +
leapfile /usr/share/zoneinfo/leap-seconds.list
 +
 
 +
# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging.
 +
#statsdir /var/log/ntpsec/
 +
#statistics loopstats peerstats clockstats
 +
#filegen loopstats file loopstats type day enable
 +
#filegen peerstats file peerstats type day enable
 +
#filegen clockstats file clockstats type day enable
 +
 
 +
# Comment this out if you have a refclock and want it to be able to discipline
 +
# the clock by itself (e.g. if the system is not connected to the network).
 +
tos minclock 4 minsane 3
 +
 
 +
# Specify one or more NTP servers.
 +
 
 +
# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
 +
# pick a different set every time it starts up.  Please consider joining the
 +
# pool: <https://www.pool.ntp.org/join.html>
 +
# I switched to Google's servers, as ntpdate tends to pick one and fails hard if there's an issue rather than trying a different server.
 +
server time1.google.com iburst
 +
server time2.google.com iburst
 +
server time3.google.com iburst
 +
server time4.google.com iburst
 +
#server time.cloudflare.com
 +
#pool 0.debian.pool.ntp.org iburst
 +
#pool 1.debian.pool.ntp.org iburst
 +
#pool 2.debian.pool.ntp.org iburst
 +
#pool 3.debian.pool.ntp.org iburst
 +
 
 +
# Note that Google implements leap smearing. Don't combine leap-smearing and non-leap-smearing servers.
 +
 
 +
# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
 +
# for details.
 +
#
 +
# Note that "restrict" applies to both servers and clients, so a configuration
 +
# that might be intended to block requests from certain clients could also end
 +
# up blocking replies from your own upstream servers.
 +
 
 +
# By default, exchange time with everybody, but don't allow configuration.
 +
restrict default kod nomodify nopeer noquery limited
 +
 
 +
# Local users may interrogate the ntp server more closely.
 +
restrict 127.0.0.1
 +
restrict ::1
 +
 
 
* /etc/cron.hourly/ntpdate
 
* /etc/cron.hourly/ntpdate
 
  #!/bin/sh
 
  #!/bin/sh
 
  #/etc/cron.hourly/ntpdate
 
  #/etc/cron.hourly/ntpdate
 
  #ntpdate autorun
 
  #ntpdate autorun
 +
# -4 forces ipv4, -6 forces ipv6.
 
  if [ -f /usr/sbin/ntpdate-debian ]; then
 
  if [ -f /usr/sbin/ntpdate-debian ]; then
    /usr/sbin/ntpdate-debian -B
+
    /usr/sbin/ntpdate-debian -4B >/dev/null
 
  fi
 
  fi
  

Latest revision as of 18:28, 21 January 2021

This document covers package management itself, in addition to documenting some smaller packages that I use.

Apt

I tend to use aptitude rather than apt-get, personally, and I always turn off 'auto-resolve dependencies' and 'install recommended packages automatically'.

  • apt-get install aptitude aptitude-doc-en apt-transport-https lsb-release ca-certificates curl

Your mileage may vary, but I try to know something about every component going into my system.

  • /etc/apt/sources.list
deb http://deb.debian.org/debian/ buster main
deb-src http://deb.debian.org/debian/ buster main
deb http://security.debian.org/debian-security buster/updates main
deb-src http://security.debian.org/debian-security buster/updates main
deb http://deb.debian.org/debian/ buster-updates main
deb-src http://deb.debian.org/debian/ buster-updates main
deb http://ftp.us.debian.org/debian/ buster-backports main
deb-src http://ftp.us.debian.org/debian/ buster-backports main

If running PHP, you may want to go for the package maintainer's repo. Run:

curl -sSL -o /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list'

Generally a good idea to try to find your closest mirror. Sometimes your host even provides a mirror - will certainly make them happier if you use it.

To save time, I automatically run apt-get update hourly, through cron:

  • /etc/cron.hourly/apt-get-update
#!/bin/sh
#/etc/cron.hourly/apt-get-update
# Much simpler than the cron-apt package.
/usr/bin/apt-get update
/usr/bin/apt-get -dy upgrade

Run:

chmod 0750 /etc/cron.hourly/apt-get-update

This automatically checks for updates, and downloads them, but it does not apply them.

Package Additions

  • conntrack sysstat iotop lm-sensors sash libpam-tmpdir zip unzip libdigest-whirlpool-perl acct nmap cgdb sudo
    • You may want to devote some time to what acct and sysstat can do for you.
  • Development: apt-get install fakeroot debhelper build-essential

Package Removal

Debian has some defaults that you probably do not need on a server:

  • Careful purge: task-ssh-server (be sure not to lose your actual ssh server).
  • Basic Purge: task-english console-setup-linux isc-dhcp-client isc-dhcp-common laptop-detect libx11-data libxau6 libxdmcp6 portmap tasksel xauth xkb-data
  • The culturally insensitive may also purge: console-setup console-terminus kbd keyboard-configuration
    • /etc/console-setup may need to get removed manually

ntpsec-ntpdate

Significantly more lightweight than ntp, easier to configure and one less server to run. If you have a number of machines at a site, you may want to run one server and have the others pull off of it. Beyond this, though,

You will need to create the config:

  • /etc/ntpsec/ntp.conf
# /etc/ntpsec/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
driftfile /var/lib/ntpsec/ntp.drift
leapfile /usr/share/zoneinfo/leap-seconds.list
# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging.
#statsdir /var/log/ntpsec/
#statistics loopstats peerstats clockstats
#filegen loopstats file loopstats type day enable
#filegen peerstats file peerstats type day enable
#filegen clockstats file clockstats type day enable
# Comment this out if you have a refclock and want it to be able to discipline
# the clock by itself (e.g. if the system is not connected to the network).
tos minclock 4 minsane 3
# Specify one or more NTP servers.
# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
# pick a different set every time it starts up.  Please consider joining the
# pool: <https://www.pool.ntp.org/join.html>
# I switched to Google's servers, as ntpdate tends to pick one and fails hard if there's an issue rather than trying a different server.
server time1.google.com iburst
server time2.google.com iburst
server time3.google.com iburst
server time4.google.com iburst
#server time.cloudflare.com
#pool 0.debian.pool.ntp.org iburst
#pool 1.debian.pool.ntp.org iburst
#pool 2.debian.pool.ntp.org iburst
#pool 3.debian.pool.ntp.org iburst
# Note that Google implements leap smearing. Don't combine leap-smearing and non-leap-smearing servers.
# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
# for details.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration.
restrict default kod nomodify nopeer noquery limited
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1
  • /etc/cron.hourly/ntpdate
#!/bin/sh
#/etc/cron.hourly/ntpdate
#ntpdate autorun
# -4 forces ipv4, -6 forces ipv6. 
if [ -f /usr/sbin/ntpdate-debian ]; then
   /usr/sbin/ntpdate-debian -4B >/dev/null
fi
  • Run:
chmod 0750 /etc/cron.hourly/ntpdate

Random silly packages

  • fortunes (and friends), cowsay, filters
    • Is good to greet visitors with a talking cow. Reminds you how seriously you should take your job.
  • bsdgames, nethack-console, slashem
    • One of these decades I will get around to ascending...