Basics

By default, sudo is not included in Debian-based operating systems. So let's get that going so we can easily manage the host from our non-root account, following proper security practices.

ℹ️
Sudo allows non-administrative accounts to have administrative rights when necessary. It’s similar in principle to the UAC prompt in Microsoft Windows.

Connect

Connect to your host via one of the available options.

If logging in via a virtual console, you can log in directly with the root account. Simply enter the username root and the password you specified during the OS installation process.

If logging in via SSH, you'll notice that the root account does not work. This is on purpose: Debian blocks logins to root via SSH by default. To work around this, log in as your non-root user and switch to the root account.

  1. Log in as a non-root user.
ssh username@host
  2. Switch to the root account using the command below.
su - root

Install

With administrative access gained, install sudo.

apt install sudo

Permissions

Lastly, we need to add our non-root account to the sudo group. This tells sudo to give administrative rights when requested by this account.

usermod -a -G sudo username

Logout

For the changes to take effect, log out of all accounts and log back in under your non-root account.

logout

Updates

It's best that we're always running the latest software available. This avoids running into installation or configuration issues that are due to previously fixed software bugs.

First, bring our apt package cache up to date, as this lets us know about any new versions of software and where to go to download them.

sudo apt update

Next, install all available updates.

sudo apt upgrade

The Kernel

A note about updating the kernel.

Unlike Windows, Linux rarely needs to be restarted after updates are installed. The one exception to this rule is when the kernel is updated. If you see a package starting with linux-image, you can be assured that the kernel has been updated and a restart should be performed.

Below is an example of what you’ll see when apt lists all packages that require updates.

linux-image-6.1.0-11-amd64/stable-security 6.1.38-4 amd64

If you'd rather not look for this package, you can instead check for the reboot-required file under /var/run. This file only exists when a reboot is needed. If found, give the host a reboot.

sudo shutdown -r now
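The two reboot checks described above, combined into one function. This is an added example, not part of the original page. The function names, the directory arguments, and the fallback that compares `uname -r` with the `vmlinuz-*` images in /boot are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: reboot check for a Debian host after "sudo apt upgrade".
# Directory and release arguments exist so the logic can be exercised
# against constructed test directories; with no arguments the real paths apply.

# Print the newest kernel release that has an image in the boot directory.
# sort -V (GNU coreutils) orders 6.1.0-9 before 6.1.0-11; plain sort does not.
newest_kernel() {
    for img in "${1:-/boot}"/vmlinuz-*; do
        [ -e "$img" ] && printf '%s\n' "${img##*/vmlinuz-}"
    done | sort -V | tail -n 1
}

# Exit status 0 = reboot needed, 1 = not needed. Prints the reason.
# $1 run directory, $2 boot directory, $3 running kernel release.
reboot_needed() {
    run_dir="${1:-/var/run}"
    boot_dir="${2:-/boot}"
    running="${3:-$(uname -r)}"

    # Check from the text: the flag file exists only while a reboot is pending.
    if [ -e "$run_dir/reboot-required" ]; then
        echo "reboot needed: $run_dir/reboot-required exists"
        return 0
    fi

    # Fallback (assumption): the newest installed kernel image differs from
    # the running one. An update that keeps the same release name is not
    # visible to this check, which is why the flag file is consulted first.
    newest="$(newest_kernel "$boot_dir")"
    if [ -n "$newest" ] && [ "$newest" != "$running" ]; then
        echo "reboot needed: running $running, newest installed $newest"
        return 0
    fi

    echo "no reboot needed (running $running)"
    return 1
}
```

On a real host, `reboot_needed && sudo shutdown -r now` reboots only when one of the two checks fires.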

/role_name/tasks/main.yml

- name: Installing all available updates.
  apt:
    update_cache: yes
    force_apt_get: yes
    cache_valid_time: 3600
    # Without "upgrade" this task only refreshes the package cache.
    upgrade: "yes"
  become: yes

- name: checking if reboot-required file exists.
  stat:
    path: /var/run/reboot-required
  register: reboot

- name: reboot if required.
  reboot:
    reboot_timeout: 1200
  when: reboot.stat.exists == true
  become: yes

Hostname

ℹ️
If you configured a hostname during the installation of the OS, this step can be skipped.

Apply a hostname following your organization's conventions. To see the resulting hostname change in your terminal session, log out and log back in.

sudo hostnamectl set-hostname [hostname]

/role_name/tasks/main.yml

- name: Set hostname.
  ansible.builtin.hostname:
    name: hostname
  # Changing the hostname requires root, like the sudo command above.
  become: yes

Logs

By default, Debian does not give non-administrative accounts access to the logs. To correct this, add your user account to the adm group.

sudo usermod -a -G adm username