安装配置 Debian

- blog tutorial debian

Debian 9 桌面 LXDE[1]

修改 root 密码

passwd

新建用户[2]

adduser git
apt update
apt upgrade
apt install sudo
visudo

root    ALL=(ALL:ALL) ALL
git     ALL=(ALL:ALL) ALL

禁止Root从SSH直接登录

vi /etc/ssh/sshd_config

PermitRootLogin yes → 改为 no 或 without-password
  - no:不允许 root 登录
  - without-password:只允许 root 以 ssh key 登录(OpenSSH 7.0 起的正式写法是 prohibit-password,without-password 是保留下来的旧别名)
Port 22

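# Create the key store with owner-only modes before touching sshd, so that
# key-based login is ready when the PermitRootLogin change takes effect.
# "~" is the home of whoever runs this; if root login is being disabled,
# repeat these four commands as the account that will log in (e.g. git).
mkdir -p ~/.ssh
chmod 700 ~/.ssh
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
# Paste the public key into authorized_keys, then check the edited
# sshd_config for syntax errors: restarting with a broken config would leave
# sshd down. Keep the current session open until a new login has succeeded.
sshd -t && service ssh restart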

时区的修改

dpkg-reconfigure tzdata

安装必要的软件

apt install nginx sudo vim git ipset curl htop unzip tmux net-tools dnsutils pwgen dirmngr python3 python3-pip python3-dev

Let’s Encrypt 配置 nginx

apt install certbot
certbot certonly -d "*.cadavez.xyz" -d cadavez.xyz --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
vi /etc/nginx/sites-available/blog
ln -s /etc/nginx/sites-available/blog /etc/nginx/sites-enabled/
crontab -e

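# Hooks stop/start nginx only when a certificate is actually due, and the
# post-hook runs even if the renewal attempt fails, so a failed renewal no
# longer leaves nginx stopped. --quiet prints errors only, which cron can mail.
# NOTE(review): the certificate above was requested with --manual; an
# unattended "certbot renew" needs an auth hook or a DNS plugin for it (confirm).
0 3,6 * * 6 certbot renew --quiet --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"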

# Docker

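# cloudflare.ini holds a Cloudflare API credential: keep it readable by the
# owner only (certbot warns about looser modes) and prefer an API token
# limited to DNS edits on this zone over the account-wide Global API Key.
chmod 600 ~/data/certbot/cloudflare.ini

# ~/data/certbot/letsencrypt/ is mounted as /etc/letsencrypt, where certbot
# keeps the certificate private keys, so it should not be readable by others.
# NOTE(review): the image is pulled without a tag or digest, so every run
# trusts whatever is currently published as "latest"; consider pinning it.
docker run --rm \
  -v ~/data/certbot/cloudflare.ini:/opt/certbot/cloudflare.ini:ro \
  -v ~/data/certbot/letsencrypt/:/etc/letsencrypt/ \
  -v ~/data/certbot/manual/:/var/lib/letsencrypt/ \
  -v ~/data/certbot/logs/:/var/log/letsencrypt/ \
  certbot/dns-cloudflare certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials /opt/certbot/cloudflare.ini \
  -d "*.example.com" -d "example.com" \
  --email "admin@example.com" --no-eff-email --agree-tos
# The credentials path is the absolute in-container mount point, so it does
# not depend on the image's working directory.
# admin@example.com is a placeholder (the page's address was lost to e-mail
# obfuscation); replace it with a real contact address.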

# Renew

# Renew whatever certificates are due, with the same four mounts as the
# issuing command: read-only credentials, certificate state, work dir, logs.
docker run --rm \
  -v ~/data/certbot/logs/:/var/log/letsencrypt/ \
  -v ~/data/certbot/manual/:/var/lib/letsencrypt/ \
  -v ~/data/certbot/letsencrypt/:/etc/letsencrypt/ \
  -v ~/data/certbot/cloudflare.ini:/opt/certbot/cloudflare.ini:ro \
  certbot/dns-cloudflare renew

升级 Kernel[3] 4.12.14

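# NOTE(review): BBR has been in mainline Linux since 4.9, so the stock
# Debian 9 kernel (4.9.x) may already ship tcp_bbr; check with
# "modprobe tcp_bbr" before replacing it. A mainline build installed this way
# is outside Debian's security updates and has to be upgraded by hand.
mkdir kernel && cd kernel
# Fetch over HTTPS: these packages are installed as root and become the kernel.
wget https://kernel.ubuntu.com/~kernel-ppa/mainline/v4.12.14/linux-headers-4.12.14-041214_4.12.14-041214.201709200843_all.deb
wget https://kernel.ubuntu.com/~kernel-ppa/mainline/v4.12.14/linux-image-4.12.14-041214-generic_4.12.14-041214.201709200843_amd64.deb
# Verify before installing. The mainline directory is expected to publish
# CHECKSUMS and a detached signature CHECKSUMS.gpg (confirm they are present);
# check the signature with "gpg --verify CHECKSUMS.gpg CHECKSUMS" once the
# signing key has been obtained from a trusted source.
wget https://kernel.ubuntu.com/~kernel-ppa/mainline/v4.12.14/CHECKSUMS
wget https://kernel.ubuntu.com/~kernel-ppa/mainline/v4.12.14/CHECKSUMS.gpg
# Entries for files that were not downloaded are skipped; lines in another
# hash format are only warned about. dpkg runs only if the check passes.
sha256sum -c --ignore-missing CHECKSUMS && dpkg -i linux-*.deb
dpkg -l | grep linux-image
update-grub
reboot
# The reboot ends this session; log back in and continue from here.
uname -r
# fq as the default qdisc plus BBR congestion control; the third setting makes
# the host ignore ICMP echo requests (it will no longer answer ping).
echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf
echo "net.ipv4.icmp_echo_ignore_all = 1 " >> /etc/sysctl.conf
sysctl -p
# Confirm that bbr is available, selected, and that the module is loaded.
sysctl net.ipv4.tcp_available_congestion_control
sysctl net.ipv4.tcp_congestion_control
lsmod | grep bbr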

添加 backports[4]

sh -c 'printf "deb http://deb.debian.org/debian stretch-backports main" > /etc/apt/sources.list.d/stretch-backports.list'
vi /etc/apt/preferences

Package: *
Pin: release a=stretch-backports
Pin-Priority: 100

apt update

修改 crontab 的默认编辑器 select-editor

修改 visudo 的默认编辑器 update-alternatives --config editor

修改用户默认 SHELL chsh


  1. 修改 /etc/X11/default-display-manager 内容为 false,可以开机不启动桌面;如要启动桌面可以执行 startx,Logout 即可退出桌面。 ↩︎

  2. 在 visudo 末尾添加 git ALL=(ALL) NOPASSWD: ALL 可让用户 git 执行 sudo 命令时不需要密码。注意:这样一来,任何能以 git 身份执行命令的进程(包括被盗用的 SSH key)都等同于拥有 root 权限;如只需免密执行个别命令,应在 NOPASSWD: 后列出具体命令而不是 ALL。 ↩︎

  3. Debian Stretch Kernel 为 4.9.30-2+deb9u5 ↩︎

  4. Pin-Priority: 100 与目前已安装软件的优先权相同,低于普通软件源默认的 500,所以只有明确指定(例如 apt install -t stretch-backports 包名)时才会从 backports 安装。 ↩︎