Documentation and automation for a basic debian stretch server

Chrnos/debian-stretch-server

 
 

These days I tend to provision lightweight servers in AWS and DigitalOcean.

I don't use "configuration management software".

To make testing images easier, I use packer to build a base image using virtualbox. In the future I may also add builders for AWS and DigitalOcean. Currently the only required variable is -var "root_password=", which is used by the preseed when installing debian from an iso. When running packer, be sure to set PACKER_CACHE_DIR to someplace outside the repository's root folder, or it will upload the iso with the repository onto the image.

If you are provisioning a machine using a debian stretch image you can also use my automation script as "user-data", or run it with sudo on an already provisioned machine.

expectations

My expectations for a server are a healthy supply of tools, an enhanced prompt, and generally nginx as a proxy service.

Note that some packages may already exist on the machine, but are included to be certain. For example, ca-certificates exists on a base debian iso install with only "standard utilities", but not on the latest aws base debian image; conversely, resolvconf exists on the aws base debian image, but not as part of the "standard utilities" of a bare debian iso install.

I lock everything down with iptables, but leave a commented rule for standard web traffic so it can be easily enabled. A non-root user should be configured with sudo privileges (but not passwordless). The root account should be unable to log in via ssh. Multiple failed login attempts should block for 15 minutes.
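
One way to check a provisioned machine against the login expectations above, as an added example rather than code from this repository. It assumes fail2ban provides the 15-minute block (the README does not name the mechanism) and takes the config file paths as arguments; the function names and sample files are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not the repository's script. Assumed: the file paths passed
# in, and fail2ban as the mechanism behind the 15-minute block.

# sshd keeps the first value read for a keyword; only the global section
# (before any Match) is checked. Only "no" passes: prohibit-password allows keys.
root_ssh_disabled() {
  awk 'tolower($1) == "match" { exit }
       tolower($1) == "permitrootlogin" { v = tolower($2); exit }
       END { exit !(v == "no") }' "$1"
}

# fail2ban's bantime is in seconds (15 minutes = 900); [DEFAULT] section only.
ban_is_15_min() {
  awk -F'[ \t]*=[ \t]*' '/^\[/ { sec = $0 }
       sec == "[DEFAULT]" && $1 == "bantime" { v = $2 }
       END { exit !(v == 900) }' "$1"
}

# An active NOPASSWD tag in any sudoers file means passwordless sudo.
sudo_requires_password() {
  local rc=0
  grep -Eq '^[^#]*NOPASSWD' "$@" || rc=$?
  [ "$rc" -eq 1 ]   # grep: 1 = no match, 0 = match, 2 = unreadable file
}

report() { if "$@"; then echo "PASS $*"; else echo "FAIL $*"; return 1; fi; }

# Usage: audit SSHD_CONFIG JAIL_FILE SUDOERS_FILE...; returns the failure count.
audit() {
  local sshd=$1 jail=$2 fails=0; shift 2
  report root_ssh_disabled "$sshd" || fails=$((fails + 1))
  report ban_is_15_min "$jail" || fails=$((fails + 1))
  report sudo_requires_password "$@" || fails=$((fails + 1))
  return "$fails"
}

# Constructed sample files: a hardened set and a weak set.
write_samples() {
  mkdir -p "$1/good" "$1/weak"
  printf 'Port 22\nPermitRootLogin no\n' > "$1/good/sshd_config"
  printf '[DEFAULT]\nbantime = 900\n' > "$1/good/jail.local"
  printf 'admin ALL=(ALL:ALL) ALL\n' > "$1/good/sudoers"
  printf '#PermitRootLogin no\nPermitRootLogin yes\n' > "$1/weak/sshd_config"
  printf '[DEFAULT]\nbantime = 600\n' > "$1/weak/jail.local"
  printf 'admin ALL=(ALL) NOPASSWD: ALL\n' > "$1/weak/sudoers"
}

if [ "$#" -ge 3 ]; then audit "$@"; fi
```

Run it as root so the sudoers files are readable; an unreadable sudoers file is reported as a failure rather than a pass.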

I choose not to install any interpreters or build tools. The primary reason is that the purpose of a machine will vary and there are a lot of tools that may not be needed. The secondary reasons are that compiling on your production server is possibly bad practice, the disk space consumed by all the additional tools, and the potential security gaps from adding extra software needlessly.

I have documented the installation process for many additional tools, although some may be outdated:

I won't cover installation of databases (e.g. mysql, postgresql, mongodb, etc.) or docker. That's an exercise I leave to the reader.

Also, if you are running on raw hardware, you may want to invest some effort into the lm-sensors and watchdog packages to deal with hardware failure.

For further documentation, refer to my notes.

usage

Here is how to run packer:

PACKER_CACHE_DIR=/tmp/packer_cache packer build -var "root_password=securepassword" build.json
