This document covers package management itself, in addition to documenting some smaller packages that I use.
I tend to use aptitude rather than apt-get, personally, and I always turn off 'auto-resolve dependencies' and 'install recommended packages automatically'.
- apt-get install aptitude aptitude-doc-en apt-transport-https lsb-release ca-certificates curl
Your mileage may vary, but I try to know something about every component going into my system.
deb http://deb.debian.org/debian/ buster main deb-src http://deb.debian.org/debian/ buster main
deb http://security.debian.org/debian-security buster/updates main deb-src http://security.debian.org/debian-security buster/updates main
deb http://deb.debian.org/debian/ buster-updates main deb-src http://deb.debian.org/debian/ buster-updates main
deb http://ftp.us.debian.org/debian/ buster-backports main deb-src http://ftp.us.debian.org/debian/ buster-backports main
If running PHP, you may want to go for the package maintainer's repo. Run:
curl -sSL -o /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list'
Generally a good idea to try to find your closest mirror. Sometimes your host even provides a mirror - will certainly make them happier if you use it.
To save time, I automatically run apt-get update hourly, through cron:
#!/bin/sh #/etc/cron.hourly/apt-get-update # Much simpler than the cron-apt package. /usr/bin/apt-get update /usr/bin/apt-get -dy upgrade
chmod 0750 /etc/cron.hourly/apt-get-update
This automatically checks for updates, and downloads them, but it does not apply them.
- conntrack sysstat iotop lm-sensors sash libpam-tmpdir zip unzip libdigest-whirlpool-perl acct nmap cgdb sudo
- You may want to devote some time to what acct and sysstat can do for you.
- Development: apt-get install fakeroot debhelper build-essential
Debian has some defaults that you probably do not need on a server:
- Careful purge: task-ssh-server (be sure not to lose your actual ssh server).
- Basic Purge: task-english console-setup-linux isc-dhcp-client isc-dhcp-common laptop-detect libx11-data libxau6 libxdmcp6 portmap tasksel xauth xkb-data
- The culturally insensitive may also purge: console-setup console-terminus kbd keyboard-configuration
- /etc/console-setup may need to get removed manually
Significantly more lightweight than ntp, easier to configure and one less server to run. If you have a number of machines at a site, you may want to run one server and have the others pull off of it. Beyond this, though,
You will need to create the config:
# /etc/ntpsec/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
driftfile /var/lib/ntpsec/ntp.drift leapfile /usr/share/zoneinfo/leap-seconds.list
# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging. #statsdir /var/log/ntpsec/ #statistics loopstats peerstats clockstats #filegen loopstats file loopstats type day enable #filegen peerstats file peerstats type day enable #filegen clockstats file clockstats type day enable
# Comment this out if you have a refclock and want it to be able to discipline # the clock by itself (e.g. if the system is not connected to the network). tos minclock 4 minsane 3
# Specify one or more NTP servers.
# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will # pick a different set every time it starts up. Please consider joining the # pool: <https://www.pool.ntp.org/join.html> # I switched to Google's servers, as ntpdate tends to pick one and fails hard if there's an issue rather than trying a different server. server time1.google.com iburst server time2.google.com iburst server time3.google.com iburst server time4.google.com iburst #server time.cloudflare.com #pool 0.debian.pool.ntp.org iburst #pool 1.debian.pool.ntp.org iburst #pool 2.debian.pool.ntp.org iburst #pool 3.debian.pool.ntp.org iburst
# Note that Google implements leap smearing. Don't combine leap-smearing and non-leap-smearing servers.
# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html # for details. # # Note that "restrict" applies to both servers and clients, so a configuration # that might be intended to block requests from certain clients could also end # up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration. restrict default kod nomodify nopeer noquery limited
# Local users may interrogate the ntp server more closely. restrict 127.0.0.1 restrict ::1
#!/bin/sh #/etc/cron.hourly/ntpdate #ntpdate autorun # -4 forces ipv4, -6 forces ipv6. if [ -f /usr/sbin/ntpdate-debian ]; then /usr/sbin/ntpdate-debian -4B >/dev/null fi
chmod 0750 /etc/cron.hourly/ntpdate
Random silly packages
- fortunes (and friends), cowsay, filters
- Is good to greet visitors with a talking cow. Reminds you how seriously you should take your job.
- bsdgames, nethack-console, slashem
- One of these decades I will get around to ascending...