Debian 13 (Trixie) 完整自动化配置文档
文档说明
本文档汇总了 Debian 13 系统的完整配置流程,包含系统更新、网络加速、安全防护、开发环境和 Shell 美化等所有功能。
执行顺序: 从上到下依次执行各代码块
一、系统更新与基础优化
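#!/bin/bash
# Debian 13: full system update and baseline configuration.
# Intended to be run by a regular user with sudo rights; every privileged
# step goes through sudo.

# 1.1 Refresh the package index and upgrade installed packages
echo "【步骤1】更新系统软件包..."
sudo apt update && sudo apt upgrade -y

# 1.2 Install baseline tools
echo "【步骤2】安装基础工具..."
sudo apt install -y \
  curl wget git vim htop net-tools lsof \
  ca-certificates gnupg lsb-release

# Optional packages are installed one at a time so that a package missing
# from this release cannot abort the installation of the tools above.
# NOTE(review): software-properties-common is reportedly no longer shipped
# in trixie, and apt-transport-https is only a transitional package — verify.
for optional_pkg in apt-transport-https software-properties-common; do
  sudo apt install -y "$optional_pkg" \
    || echo "⚠️ 可选软件包无法安装,已跳过: $optional_pkg" >&2
done

# 1.3 Remove packages that are no longer needed and stale cached archives
echo "【步骤3】清理系统..."
sudo apt autoremove -y
sudo apt autoclean

# 1.4 Make the local hostname resolvable (avoids sudo's "unable to resolve host")
echo "【步骤4】修复sudo主机名解析问题..."
CURRENT_HOSTNAME=$(hostname)
# Match the hostname as a whole field on a non-comment line. A plain grep
# treats the name as a regex and also accepts substrings ("web" inside
# "web01") and commented-out entries, which would skip the fix wrongly.
if ! awk -v host="$CURRENT_HOSTNAME" '
    /^[[:space:]]*#/ { next }
    {
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^#/) break
        if ($i == host) found = 1
      }
    }
    END { exit !found }
  ' /etc/hosts; then
  echo "127.0.1.1 $CURRENT_HOSTNAME" | sudo tee -a /etc/hosts
  echo "✅ 已添加主机名映射"
else
  echo "✅ 主机名映射已存在"
fi

# 1.5 Kernel parameters: applied immediately, then persisted under /etc/sysctl.d
echo "【步骤5】系统性能优化..."
sudo sysctl -w vm.swappiness=10
sudo tee /etc/sysctl.d/99-system-optimize.conf >/dev/null <<'EOF'
# 系统性能优化参数
vm.swappiness = 10
fs.file-max = 1000000
fs.inotify.max_user_instances = 8192
EOF
sudo sysctl -p /etc/sysctl.d/99-system-optimize.conf

# 1.6 Regenerate the GRUB configuration (only where GRUB is installed) and
# the initramfs
echo "【步骤6】更新GRUB引导..."
if [[ -x /usr/sbin/update-grub ]]; then
  sudo update-grub
else
  echo "⚠️ 未找到 update-grub,已跳过GRUB更新"
fi
sudo update-initramfs -u
echo "✅ 系统更新与优化完成!建议重启系统使部分更改生效"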
二、网络加速配置(BBR3启用)
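#!/bin/bash
# Debian 13: enable the TCP BBR congestion control algorithm.
# NOTE(review): the page states that the Debian 13 kernel (6.12+) ships
# BBR v3 built in. Step 2.5 below is what actually determines which version
# the running kernel provides — verify on the target host.
echo "【BBR3配置】启用TCP BBR v3拥塞控制算法..."

BBR_CONF=/etc/sysctl.d/10-bbr.conf

# 2.1 Check the kernel version
KERNEL_VERSION=$(uname -r | cut -d. -f1-2)
echo "当前内核版本: $KERNEL_VERSION"
# Compare major and minor as integers. Treated as decimal fractions, 6.12
# sorts below 6.3, and bc is not part of the baseline tool set installed by
# this document.
kernel_major=${KERNEL_VERSION%%.*}
kernel_minor=${KERNEL_VERSION#*.}
kernel_minor=${kernel_minor%%[!0-9]*}
if (( ${kernel_major:-0} > 6 || ( ${kernel_major:-0} == 6 && ${kernel_minor:-0} >= 3 ) )); then
  echo "✅ 内核版本支持BBR v3"
else
  echo "⚠️ 内核版本过低,建议升级至6.3+"
fi

# 2.2 Write the base BBR configuration
sudo tee "$BBR_CONF" >/dev/null <<'EOF'
# TCP BBR v3 网络加速配置
net.core.default_qdisc = fq_pie
net.ipv4.tcp_congestion_control = bbr
# 额外优化参数
net.ipv4.tcp_notsent_lowat = 16384
net.ipv4.tcp_ecn = 1
EOF

# 2.3 Apply it
sudo sysctl -p "$BBR_CONF"

# 2.4 Verify that BBR is the active algorithm. /proc is read directly
# because sysctl lives in /usr/sbin, which is usually not on a regular
# user's PATH on Debian.
echo "【验证】检查BBR3状态..."
sleep 1
if [[ "$(cat /proc/sys/net/ipv4/tcp_congestion_control 2>/dev/null)" == *bbr* ]]; then
  echo "✅ BBR已启用"
else
  echo "❌ BBR启用失败"
fi

# 2.5 Check the module version. modinfo pads its "version:" column with
# several spaces, so the version field is queried directly instead of
# grepping for a single-space "version: 3".
echo "【验证】检查BBR模块版本..."
bbr_module_version=$(sudo modinfo -F version tcp_bbr 2>/dev/null)
if [[ "$bbr_module_version" == 3* ]]; then
  echo "✅ BBR v3 已成功加载"
  sudo modinfo tcp_bbr | grep -E '^version:'
else
  echo "⚠️ 当前为BBR v1/v2,但功能已启用"
fi

# 2.6 TCP window tuning (optional). The whole file is rewritten rather than
# appended to, so running this script again does not duplicate the block.
echo "【优化】调整TCP窗口参数..."
sudo tee "$BBR_CONF" >/dev/null <<'EOF'
# TCP BBR v3 网络加速配置
net.core.default_qdisc = fq_pie
net.ipv4.tcp_congestion_control = bbr
# 额外优化参数
net.ipv4.tcp_notsent_lowat = 16384
net.ipv4.tcp_ecn = 1
# TCP窗口优化
net.ipv4.tcp_rmem = 4096 87380 33554432
net.ipv4.tcp_wmem = 4096 65536 33554432
net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
EOF
sudo sysctl -p "$BBR_CONF"
echo "✅ BBR3网络加速配置完成!建议重启使所有参数生效"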
三、SSH安全防护配置
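#!/bin/bash
# Debian 13 SSH hardening: non-default port, no root login, Fail2ban, UFW.
#
# Lockout risk: this script changes the SSH port, disables root login and
# enables a default-deny firewall. Before running it, make sure a non-root
# account with sudo rights can log in, keep the current session open, and
# test the new port from a second session before closing the first one.
echo "【SSH安全】配置Fail2ban和基础SSH加固..."

SSHD_CONFIG=/etc/ssh/sshd_config

# set_sshd_option KEY VALUE
# Sets "KEY VALUE" in sshd_config: rewrites every active line for KEY,
# otherwise un-comments the first commented "#KEY ..." line, otherwise
# appends a new line. Patterns are anchored to the start of the line so a
# value such as "Port 2222" is never matched as "Port 22" plus a suffix.
set_sshd_option() {
  local key=$1 value=$2
  local active="^[[:space:]]*${key}[[:space:]]"
  local commented="^[[:space:]]*#[[:space:]]*${key}[[:space:]]"
  if sudo grep -Eq "$active" "$SSHD_CONFIG"; then
    sudo sed -i -E "s/${active}.*/${key} ${value}/" "$SSHD_CONFIG"
  elif sudo grep -Eq "$commented" "$SSHD_CONFIG"; then
    # GNU sed: the 0,/re/ range limits the substitution to the first match.
    sudo sed -i -E "0,/${commented}/s/${commented}.*/${key} ${value}/" "$SSHD_CONFIG"
  else
    # NOTE(review): a line appended after a Match block would belong to that
    # block — check the end of sshd_config if this branch is taken.
    echo "${key} ${value}" | sudo tee -a "$SSHD_CONFIG" >/dev/null
  fi
}

# 3.1 Change the default SSH port (recommended)
echo "【步骤1】修改SSH端口..."
read -r -p "请输入新的SSH端口 (默认2222): " NEW_SSH_PORT
NEW_SSH_PORT=${NEW_SSH_PORT:-2222}
# The value ends up in sshd_config, jail.local and a firewall rule, all
# written with root rights, so accept nothing but a port number.
if [[ ! "$NEW_SSH_PORT" =~ ^[0-9]{1,5}$ ]] \
  || (( 10#$NEW_SSH_PORT < 1 || 10#$NEW_SSH_PORT > 65535 )); then
  echo "❌ 无效的端口号: $NEW_SSH_PORT" >&2
  exit 1
fi
NEW_SSH_PORT=$((10#$NEW_SSH_PORT)) # drop leading zeros
set_sshd_option Port "$NEW_SSH_PORT"
echo "✅ SSH端口已修改为: $NEW_SSH_PORT"

# 3.2 Disable root login over SSH. Debian's stock file carries
# "#PermitRootLogin prohibit-password", so matching only "... yes" would
# change nothing and still report success.
set_sshd_option PermitRootLogin no

# Refuse to go on with a configuration sshd itself rejects.
if ! sudo sshd -t; then
  echo "❌ sshd 配置校验失败,请检查 $SSHD_CONFIG" >&2
  exit 1
fi

# Files under /etc/ssh/sshd_config.d are included at the top of the stock
# Debian sshd_config, and for most keywords the first value sshd reads wins,
# so report the effective setting rather than assuming the edit took effect.
effective_root_login=$(sudo sshd -T 2>/dev/null | awk '$1 == "permitrootlogin" { print $2 }')
if [[ "$effective_root_login" == "no" ]]; then
  echo "✅ 已禁止root登录"
else
  echo "⚠️ 实际生效的 PermitRootLogin 为: ${effective_root_login:-未知},请检查 /etc/ssh/sshd_config.d/" >&2
fi

# 3.3 Install Fail2ban (python3-systemd provides the journal backend)
echo "【步骤2】安装Fail2ban..."
sudo apt install -y fail2ban python3-systemd

# 3.4 Configure the sshd jail. The journal backend is used because
# /var/log/auth.log only exists when a syslog daemon such as rsyslog is
# installed; without that file a log-file based jail has nothing to watch.
sudo tee /etc/fail2ban/jail.local >/dev/null <<EOF
[sshd]
enabled = true
port = $NEW_SSH_PORT
filter = sshd
backend = systemd
maxretry = 5
bantime = 3600
findtime = 600
ignoreip = 127.0.0.1/8 ::1
EOF

# 3.5 Start Fail2ban and confirm that it is really running
sudo systemctl enable fail2ban
sudo systemctl restart fail2ban
if sudo systemctl is-active --quiet fail2ban; then
  echo "✅ Fail2ban已启动并配置完成"
else
  echo "❌ Fail2ban未能启动,请查看: sudo journalctl -u fail2ban" >&2
fi

# 3.6 Configure the UFW firewall.
# Until sshd is restarted it keeps listening on the old port, which the
# firewall blocks from here on: new logins only work after the restart below.
echo "【步骤3】配置防火墙..."
sudo apt install -y ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow "$NEW_SSH_PORT/tcp"
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw --force enable
sudo ufw status verbose
echo "✅ 防火墙配置完成"

# 3.7 Offer to restart the SSH service
# NOTE(review): Debian names the unit ssh.service; "sshd" is expected to
# resolve as an alias — confirm on the target host.
echo "⚠️ 需要重启SSH服务以应用端口更改"
read -r -p "是否立即重启SSH服务? (y/n): " RESTART_SSH
if [[ "$RESTART_SSH" == "y" ]]; then
  sudo systemctl restart sshd
  echo "✅ SSH服务已重启,请使用新端口 $NEW_SSH_PORT 重新连接"
else
  echo "⚠️ 请稍后手动重启SSH服务: sudo systemctl restart sshd"
fi
echo "✅ SSH安全防护配置完成!"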
四、系统安全与防病毒
#!/bin/bash
# Debian 13: ClamAV antivirus, a weekly scan job, audit tools and logwatch.
echo "【系统安全】安装ClamAV防病毒软件..."

WEEKLY_SCAN_JOB=/etc/cron.weekly/clamav-scan
LOGWATCH_CONF=/etc/logwatch/conf/logwatch.conf

# 4.1 Scanner, scanning daemon and signature updater
sudo apt install -y clamav clamav-daemon clamav-freshclam

# 4.2 One-off signature update, run with the updater service stopped
sudo systemctl stop clamav-freshclam
sudo freshclam
sudo systemctl start clamav-freshclam

# 4.3 Enable the scanning daemon at boot and start it now
sudo systemctl enable --now clamav-daemon
echo "✅ ClamAV防病毒系统已安装"

# 4.4 Weekly scan of /home. The quoted delimiter keeps $(date ...) and
# $LOGFILE literal so they are evaluated when the job runs, not now.
sudo tee "$WEEKLY_SCAN_JOB" >/dev/null <<'EOF'
#!/bin/bash
LOGFILE="/var/log/clamav/weekly-scan-$(date +%Y%m%d).log"
clamscan -r -i /home --log=$LOGFILE
EOF
sudo chmod +x "$WEEKLY_SCAN_JOB"
echo "✅ 已配置每周自动扫描"

# 4.5 Security audit tools (optional)
echo "【可选】安装安全审计工具..."
sudo apt install -y lynis chkrootkit rkhunter
echo "✅ 安全审计工具已安装"

# 4.6 Log monitoring: logwatch report for yesterday, addressed to root
sudo apt install -y logwatch
sudo tee "$LOGWATCH_CONF" >/dev/null <<'EOF'
MailTo = root
Detail = Med
Range = yesterday
EOF
echo "✅ 日志监控已配置"
五、Node.js开发环境安装
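#!/bin/bash
# Debian 13: Node.js development environment.
echo "【开发环境】安装Node.js和npm..."

# 5.1 Install Node.js 20.x LTS (recommended) from the NodeSource repository.
# The setup script is downloaded completely before it is run with root
# rights: a failed or truncated transfer then stops here instead of being
# executed half-way, and the file can be inspected first.
# NOTE(review): the script is still unverified third-party code run as root;
# review it, or configure the repository and its signing key by hand, where
# that matters.
nodesource_setup=$(mktemp) || exit 1
trap 'rm -f -- "$nodesource_setup"' EXIT
if ! curl -fsSL --proto '=https' --tlsv1.2 -o "$nodesource_setup" \
  https://deb.nodesource.com/setup_20.x; then
  echo "❌ NodeSource 安装脚本下载失败" >&2
  exit 1
fi
sudo -E bash "$nodesource_setup"
sudo apt install -y nodejs

# 5.2 Verify the installation
node --version
npm --version

# 5.3 Update npm to the latest release
sudo npm install -g npm@latest

# 5.4 Per-user prefix for global packages (avoids sudo for "npm install -g")
mkdir -p ~/.npm-global
npm config set prefix '~/.npm-global'
# Append the PATH line only when it is missing, so running the script again
# does not pile up duplicates. The Zsh section of this document regenerates
# ~/.zshrc; re-add the line there afterwards if needed.
npm_path_line='export PATH=~/.npm-global/bin:$PATH'
for rc_file in ~/.bashrc ~/.zshrc; do
  if ! grep -qxF -- "$npm_path_line" "$rc_file" 2>/dev/null; then
    echo "$npm_path_line" >> "$rc_file"
  fi
done

# 5.5 Common global tools.
# NOTE(review): these are installed unpinned from the public npm registry;
# pin versions where reproducibility or supply-chain review matters.
npm install -g \
  pm2 \
  yarn \
  pnpm \
  @vue/cli \
  create-react-app
echo "✅ Node.js开发环境配置完成"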
六、Shell环境自动化配置(Zsh)
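#!/bin/bash
# Debian 13: Zsh + Oh My Zsh + Powerlevel10k for the current user.
# NOTE(review): this script runs an installer and fetches a theme, plugins
# and a font from the default branches of third-party repositories, with no
# version pin or checksum; review or pin them where that matters.
echo "【Shell配置】卸载Powerline并安装Zsh..."

ZSH_CUSTOM_DIR=${ZSH_CUSTOM:-$HOME/.oh-my-zsh/custom}

# clone_once URL DIR
# Shallow-clones URL into DIR unless DIR already holds a checkout, so the
# script can be run again without git failing on an existing directory.
clone_once() {
  local repo_url=$1 target_dir=$2
  if [[ -d "$target_dir/.git" ]]; then
    return 0
  fi
  git clone --depth=1 "$repo_url" "$target_dir"
}

# 6.1 Remove Powerline (if present)
sudo apt remove -y powerline fonts-powerline
sudo rm -rf /usr/share/powerline
sed -i '/powerline/d' ~/.bashrc
sed -i '/POWERLINE/d' ~/.bashrc
fc-cache -f -v
echo "✅ Powerline已卸载"

# 6.2 Install Zsh and basic tools
sudo apt install -y zsh git wget curl fonts-firacode

# 6.3 Install Oh My Zsh (unattended). The installer is saved to a temporary
# file first, so a failed download is reported instead of silently running
# an empty command string.
omz_installer=$(mktemp) || exit 1
trap 'rm -f -- "$omz_installer"' EXIT
if wget -qO "$omz_installer" \
  https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh \
  && [[ -s "$omz_installer" ]]; then
  sh "$omz_installer" --unattended
else
  echo "❌ Oh My Zsh 安装脚本下载失败" >&2
  exit 1
fi

# 6.4 Install the Powerlevel10k theme
clone_once https://github.com/romkatv/powerlevel10k.git \
  "$ZSH_CUSTOM_DIR/themes/powerlevel10k"

# 6.5 Install the Nerd Font; a failed download must not leave an empty
# font file behind.
mkdir -p ~/.local/share/fonts
nerd_font=~/.local/share/fonts/FiraCodeNerdFont-Regular.ttf
if ! wget -O "$nerd_font" \
  https://github.com/ryanoasis/nerd-fonts/raw/master/patched-fonts/FiraCode/Regular/FiraCodeNerdFont-Regular.ttf; then
  rm -f -- "$nerd_font"
  echo "⚠️ Nerd Font 下载失败,已跳过" >&2
fi
fc-cache -fv

# 6.6 Install the Oh My Zsh plugins
clone_once https://github.com/zsh-users/zsh-autosuggestions \
  "$ZSH_CUSTOM_DIR/plugins/zsh-autosuggestions"
clone_once https://github.com/zsh-users/zsh-syntax-highlighting.git \
  "$ZSH_CUSTOM_DIR/plugins/zsh-syntax-highlighting"
sudo apt install -y autojump command-not-found

# 6.7 Generate the complete .zshrc. The existing file is backed up first:
# the new one replaces it entirely, and earlier additions (PATH exports,
# aliases) are not carried over.
if [[ -f ~/.zshrc ]]; then
  zshrc_backup=~/.zshrc.bak.$(date +%Y%m%d%H%M%S)
  cp -p -- ~/.zshrc "$zshrc_backup"
  echo "已备份原有 .zshrc 到: $zshrc_backup"
fi
cat > ~/.zshrc << 'EOF'
# Enable Powerlevel10k instant prompt
if [[ -r "${XDG_CACHE_HOME:-$HOME/.cache}/p10k-instant-prompt-${(%):-%n}.zsh" ]]; then
source "${XDG_CACHE_HOME:-$HOME/.cache}/p10k-instant-prompt-${(%):-%n}.zsh"
fi
# Path to Oh My Zsh
export ZSH="$HOME/.oh-my-zsh"
# Theme configuration
ZSH_THEME="powerlevel10k/powerlevel10k"
# Plugin configuration
plugins=(
git
docker
docker-compose
kubectl
zsh-autosuggestions
zsh-syntax-highlighting
autojump
command-not-found
colored-man-pages
extract
history-substring-search
)
source $ZSH/oh-my-zsh.sh
# History configuration
export HISTSIZE=100000
export HISTFILESIZE=100000
export HISTCONTROL=ignoredups:erasedups
export HISTTIMEFORMAT="%F %T "
setopt SHARE_HISTORY
# Completion configuration
autoload -U compinit && compinit
zstyle ':completion:*' menu select
zstyle ':completion:*' list-colors "${(@s.:.)LS_COLORS}"
# Aliases
alias ll='ls -alhF --color=auto'
alias la='ls -A'
alias l='ls -CF'
alias grep='grep --color=auto'
alias df='df -h'
alias du='du -sh'
alias ..='cd ..'
alias ...='cd ../..'
alias zshconfig='nano ~/.zshrc'
alias reloadzsh='source ~/.zshrc'
# kubectl & Docker completion
[[ $commands[kubectl] ]] && source <(kubectl completion zsh)
[[ $commands[docker] ]] && source <(docker completion zsh)
# autojump
[[ -s /usr/share/autojump/autojump.sh ]] && source /usr/share/autojump/autojump.sh
# Powerlevel10k configuration
[[ ! -f ~/.p10k.zsh ]] || source ~/.p10k.zsh
EOF

# 6.8 Make Zsh the login shell
chsh -s "$(command -v zsh)"
echo "✅ Zsh基础配置完成!"

# 6.9 Tell the user to finish the Powerlevel10k wizard by hand
echo "⚠️ 接下来需要手动启动Zsh完成Powerlevel10k配置"
echo "请执行: zsh"
echo "然后按照Powerlevel10k配置向导的提示进行选择"
echo "推荐选择: Rainbow主题, Unicode字符集, 24小时制时间"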
七、系统验证与测试
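#!/bin/bash
# Debian 13 configuration check: prints the state of everything the
# earlier sections set up. It reports only and changes nothing.
echo "【系统验证】检查所有配置是否生效..."

# 7.1 System version
echo "=== 系统版本 ==="
cat /etc/os-release
uname -r

# 7.2 BBR. sysctl is called through sudo because /usr/sbin is usually not
# on a regular user's PATH on Debian.
echo -e "\n=== BBR3状态 ==="
sudo sysctl net.ipv4.tcp_congestion_control
sudo sysctl net.core.default_qdisc
lsmod | grep bbr

# 7.3 SSH hardening
echo -e "\n=== SSH安全 ==="
sudo fail2ban-client status sshd
sudo ufw status verbose
# Active Port lines in the main file (anchored, so GatewayPorts and
# commented lines do not show up) ...
sudo grep -E '^[[:space:]]*Port[[:space:]]' /etc/ssh/sshd_config
# ... and the values sshd actually uses once drop-in files are applied.
sudo sshd -T | grep -Ei '^(port|permitrootlogin) '

# 7.4 Antivirus
echo -e "\n=== ClamAV状态 ==="
sudo systemctl is-active clamav-daemon
sudo systemctl is-enabled clamav-daemon
clamscan --version

# 7.5 Node.js
echo -e "\n=== Node.js环境 ==="
node --version
npm --version
echo "npm全局路径: $(npm config get prefix)"

# 7.6 Zsh
echo -e "\n=== Zsh环境 ==="
zsh --version
echo "当前Shell: $SHELL"
if [[ -f ~/.oh-my-zsh/oh-my-zsh.sh ]]; then
  echo "✅ Oh My Zsh已安装"
else
  echo "❌ Oh My Zsh未安装"
fi

echo -e "\n=== 验证脚本执行完成 ==="
echo "如果所有检查项都显示正常,说明配置成功!"
echo "建议执行 'sudo reboot' 重启系统使所有更改完全生效"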
八、一键执行所有配置(主脚本)
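#!/bin/bash
# Debian 13 full automated configuration: master script.
# Run time: roughly 15-30 minutes, depending on network speed.
#
# Each stage is a script fetched from CONFIG_BASE_URL and run locally; the
# stages call sudo themselves. Host them only where trusted maintainers can
# write, and consider checking each file against a pinned SHA-256 before it
# is executed.
set -e # stop at the first failing stage

# Placeholder host taken from the page; replace it with the real location.
CONFIG_BASE_URL="https://your-domain.com/config"

# run_stage SCRIPT_NAME
# Downloads SCRIPT_NAME completely, then runs it with bash. With -f an HTTP
# error aborts the stage instead of the error page being fed to bash, and a
# truncated download is never executed half-way.
# Returns the stage script's exit status, or 1 when the download fails.
run_stage() {
  local script_name=$1
  local stage_file
  local status=0
  stage_file=$(mktemp) || return 1
  if ! curl -fsS --proto '=https' --tlsv1.2 -o "$stage_file" \
    "$CONFIG_BASE_URL/$script_name"; then
    rm -f -- "$stage_file"
    echo "❌ 下载失败: $script_name" >&2
    return 1
  fi
  /bin/bash "$stage_file" || status=$?
  rm -f -- "$stage_file"
  return "$status"
}

echo "=========================================="
echo "Debian 13 完整自动化配置脚本"
echo "执行时间: $(date)"
echo "=========================================="

# Stage 1: system update and tuning
echo "【阶段1/7】系统更新与优化..."
run_stage 01-system-update.sh

# Stage 2: BBR network acceleration
echo "【阶段2/7】配置BBR3网络加速..."
run_stage 02-bbr3.sh

# Stage 3: SSH hardening (asks for the port and for the restart)
echo "【阶段3/7】配置SSH安全防护..."
run_stage 03-ssh-security.sh

# Stage 4: antivirus
echo "【阶段4/7】安装防病毒软件..."
run_stage 04-antivirus.sh

# Stage 5: Node.js environment
echo "【阶段5/7】安装Node.js开发环境..."
run_stage 05-nodejs.sh

# Stage 6: Zsh configuration
echo "【阶段6/7】配置Zsh Shell环境..."
run_stage 06-zsh.sh

# Stage 7: validation
echo "【阶段7/7】验证所有配置..."
run_stage 07-validation.sh

echo "=========================================="
echo "✅ 所有配置已完成!"
echo "请执行 'sudo reboot' 重启系统"
echo "重启后执行 'zsh' 完成Powerlevel10k配置"
echo "=========================================="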
附录:常用维护命令
# System update: refresh the index, upgrade, then remove unneeded packages
sudo apt update && sudo apt upgrade -y && sudo apt autoremove -y
# BBR3 status check
# NOTE(review): sysctl lives in /usr/sbin; a regular user may need sudo or
# the full path — confirm on the target host
sysctl net.ipv4.tcp_congestion_control
sysctl net.core.default_qdisc
# Fail2ban management: show the sshd jail, then lift a ban
# (<IP> is a placeholder for the address to unban)
sudo fail2ban-client status sshd
sudo fail2ban-client set sshd unbanip <IP>
# Manual ClamAV scan: recursive, listing infected files only
sudo clamscan -r -i /home
# Switching Node.js versions (if nvm is used)
# nvm install --lts && nvm use --lts
# Re-run the Powerlevel10k configuration wizard (run inside zsh)
p10k configure
# View system logs
# NOTE(review): reading /var/log/fail2ban.log may need root or membership
# of the adm group — confirm
sudo journalctl -xe
cat /var/log/fail2ban.log
文档版本: 1.0
适用系统: Debian 13 (Trixie)
最后更新: 2025年11月
注意事项: 生产环境建议在测试服务器验证后再执行
Comments 1 条评论
能不能打包可以直接下载啊,这样还要一个一个文件COPY