Debian 11 (Bullseye) Minimal Server: Legacy Installation Guide

Debian 11, codenamed Bullseye, reached its end of full support in mid-2024 and is currently in its Long Term Support (LTS) phase. This guide documents the procedure for deploying a minimal server instance. Such installations are primarily relevant for maintaining legacy production environments, reproducing specific software behaviors, or hardware-constrained systems where modern kernels are incompatible.

1. Scope and Prerequisites

This guide focuses on a netinstall approach to minimize bloat and ensure only essential binaries are present.

Infrastructure Requirements

• Media: Debian 11 amd64 netinst ISO.
• Architecture: x86_64 (Standard for most legacy server deployments).
• Connectivity: Ethernet with DHCP or static IP (Wifi is discouraged for server stability).
• Storage: 2GB minimum for system files; additional space for data.

Constraints

• Security: Debian 11 is moving toward the end of its lifecycle. Do not deploy in public-facing environments without rigorous firewalling and specific LTS repository monitoring.
• Kernel: Uses Linux Kernel 5.10.

2. Initial Installation Phase

The goal is to bypass the Desktop Environment (DE) and unnecessary services during the installation media boot.

Partitioning Strategy

For a minimal server, a simplified partition scheme is often preferred to reduce complexity, though specific use cases may require LVM (Logical Volume Manager).

• / (root): Contains the OS. 10GB-20GB is usually sufficient for minimal builds.
• Swap: Equal to RAM if hibernation is needed, or 1GB-2GB for basic memory overflow.
• /var: Recommended as a separate partition if the server will host logs or databases to prevent root exhaustion.

Software Selection (Tasksel)

When the installer reaches the tasksel stage, uncheck every option except:

1. SSH Server: Required for remote management.
2. Standard System Utilities: Provides essential command-line tools (sed, awk, tar).

Note: Ensure "Debian desktop environment" and "GNOME/XFCE" remain unchecked to maintain the "Minimal" status.

3. Post-Installation Configuration

After the first reboot, the system operates in a CLI-only environment.

Repository Sources

Verify the /etc/apt/sources.list file. Since Bullseye is in the LTS phase, the naming convention for security updates changed compared to previous versions.

Entries should point to:

• bullseye (Main repository)
• bullseye-updates (Volatile packages)
• bullseye-security (Security patches)

Network Configuration

Debian 11 uses systemd-networkd or the traditional ifupdown package. For minimal servers, editing /etc/network/interfaces remains the standard method for static IP assignment.

Sudo Privileges

By default, if a root password was set during installation, sudo is not installed.

1. Install the sudo package.
2. Add the primary user to the sudo group.
3. Logout and log back in for changes to take effect.

4. Minimal System Hardening

A minimal installation is inherently more secure due to a reduced attack surface, but several manual steps are required.

SSH Hardening

Modify /etc/ssh/sshd_config:

• Disable root login (PermitRootLogin no).
• Disable password authentication in favor of SSH keys (PasswordAuthentication no).
• Change the default port (optional, helps reduce log noise).

Firewall (NFTables)

Debian 11 uses nftables as the default firewall framework, replacing the legacy iptables.

• Enable the nftables service.
• Define a strict input policy to drop all traffic except for SSH and necessary service ports.

5. Maintenance and Legacy Considerations

Handling Obsolete Packages

As a legacy system, certain dependencies may no longer be available in the primary repositories. The use of Debian Snapshot archives may be necessary to pin the system to a specific date in the past for compatibility testing.

Package Cleanup

To ensure the system remains minimal, regularly run:

• apt autoremove: Removes orphaned dependencies.
• apt clean: Clears the local repository of retrieved package files.

6. Known Limitations

• Hardware Support: Debian 11 may lack drivers for hardware released after 2022.
• Software Versions: Bullseye ships with older versions of runtimes (e.g., Python 3.9, PHP 7.4). If newer versions are required, consider backports or containerization (Docker), though this increases the system's footprint.
• LTS Window: Users must monitor the Debian LTS team announcements to know when security support for Bullseye officially terminates.