Debian Initialization Pipeline: From Bare Metal to Production-Ready
Real operations work does not live in GUI clicks; it lives in lines of auditable, reproducible commands.
This article records a complete Debian 13 server initialization from start to finish. All operations assume a minimal installation: no graphical interface, no preinstalled services. We proceed in this order: shell upgrade → development environment → Redis/MySQL/Nginx configuration → application deployment → security hardening.
Every command has been verified and can be dropped directly into your automation scripts or used in a manual deployment.
Phase 1: Bash's Initial Heartbeat (from bash_history)
# Update the package index
sudo apt update
# Install the base toolchain
sudo apt install -y zsh git curl wget gnupg lsb-release ca-certificates
# Switch the default shell to Zsh
chsh -s $(which zsh)
Log out and back in now; the shell will start in Zsh. We will replace its configuration later.
Then add hosts entries for GitHub resolution:
# Back up the original hosts file
sudo cp /etc/hosts /etc/hosts.bak.$(date +%Y%m%d)
# Download the GitHub520 hosts list and append it to /etc/hosts
curl -fsSL https://raw.hellogithub.com/hosts | sudo tee -a /etc/hosts
Phase 2: Essential Zsh Configuration
First install the Oh My Zsh framework:
sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" "" --unattended
# Manually install two key plugins (not bundled with Oh My Zsh)
git clone https://github.com/zsh-users/zsh-autosuggestions ${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/zsh-autosuggestions
git clone https://github.com/zsh-users/zsh-syntax-highlighting ${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/zsh-syntax-highlighting
# Install the Catppuccin color scheme for zsh-syntax-highlighting and the Catppuccin prompt theme
mkdir -p ~/.zsh && cd ~/.zsh
git clone https://github.com/catppuccin/zsh-syntax-highlighting.git
git clone https://github.com/JannoTjarks/catppuccin-zsh.git
mkdir -p ~/.oh-my-zsh/themes/catppuccin-flavors
ln catppuccin-zsh/catppuccin.zsh-theme ~/.oh-my-zsh/themes/
ln catppuccin-zsh/catppuccin-flavors/* ~/.oh-my-zsh/themes/catppuccin-flavors
Then replace ~/.zshrc with the following minimal configuration:
vim ~/.zshrc
```zsh
# ZSH_THEME="robbyrussell"   # comment out the default theme
ZSH_THEME="catppuccin"
CATPPUCCIN_FLAVOR="mocha"
CATPPUCCIN_SHOW_TIME=true
plugins=(git sudo zsh-autosuggestions zsh-syntax-highlighting)
# Place this line after `source $ZSH/oh-my-zsh.sh`
source ~/.zsh/zsh-syntax-highlighting/themes/catppuccin_mocha-zsh-syntax-highlighting.zsh
```
# Reload the configuration
source ~/.zshrc
You now have an efficient terminal with syntax highlighting, history-based suggestions, and an elegant color scheme.
Phase 3: Service Stack Deployment
3.1 Install Redis
# Install
sudo apt update
sudo apt install -y redis-server
# Edit the configuration: allow remote connections (restrict the bind address to specific IPs in production)
sudo sed -i 's/^bind 127.0.0.1 -::1/bind 0.0.0.0/' /etc/redis/redis.conf
sudo sed -i 's/^# requirepass .*/requirepass your_redis_password/' /etc/redis/redis.conf
# Restart to apply
sudo systemctl restart redis-server
# Enable at boot
sudo systemctl enable redis-server
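The two sed edits above succeed silently even when redis.conf does not contain the exact line they expect, leaving Redis unprotected without any error. As an added example that is not part of the original post, this helper sets a key whether the line is active, commented out, or missing, and then verifies the result; the function name and the sample config excerpt are constructed here.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: an idempotent replacement for the two
# sed one-liners above. set_conf_key rewrites the active "key value" line if present,
# otherwise uncomments the first "# key ..." example, otherwise appends the line; it
# then confirms that exactly one active line carries the new value.
# Assumes GNU sed and keys/values that contain neither '@' nor regex metacharacters.
set -eu

# set_conf_key FILE KEY VALUE
set_conf_key() {
  file="$1"; key="$2"; value="$3"
  active="^${key}([[:space:]]|\$)"
  commented="^#[[:space:]]*${key}([[:space:]]|\$)"
  if grep -Eq "$active" "$file"; then
    # Rewrite the active setting in place.
    sed -E -i "s@${active}.*@${key} ${value}@" "$file"
  elif grep -Eq "$commented" "$file"; then
    # Uncomment only the first commented-out example of this key.
    sed -E -i "0,/${commented}/ s@${commented}.*@${key} ${value}@" "$file"
  else
    # Make sure the file ends with a newline before appending.
    [ -z "$(tail -c1 "$file")" ] || printf '\n' >> "$file"
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
  # Fail loudly unless exactly one active line now has the desired value.
  [ "$(grep -Fxc "${key} ${value}" "$file")" -eq 1 ]
}

# Demo on a constructed excerpt of redis.conf (constructed sample, not the real file).
demo_conf="$(mktemp)"
printf '%s\n' '# bind 192.168.1.100 10.0.0.1' 'bind 127.0.0.1 -::1' \
  'protected-mode yes' '# requirepass foobared' > "$demo_conf"
set_conf_key "$demo_conf" bind 0.0.0.0                     # active line rewritten
set_conf_key "$demo_conf" requirepass your_redis_password  # commented example uncommented
cat "$demo_conf"
rm -f "$demo_conf"
# On the server (as root): set_conf_key /etc/redis/redis.conf requirepass 'your_redis_password'
```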
3.2 Install MySQL 8.4
sudo apt update
# Download the .deb bundle
wget https://cdn.mysql.com/Downloads/MySQL-8.4/mysql-server_8.4.7-1debian13_amd64.deb-bundle.tar
tar -xvf mysql-server_8.4.7-1debian13_amd64.deb-bundle.tar
sudo apt install ./mysql-common_*.deb ./mysql-community-client-plugins_*.deb ./mysql-community-client-core_*.deb ./mysql-community-client_*.deb ./mysql-client_*.deb ./mysql-community-server-core_*.deb ./mysql-community-server_*.deb ./mysql-server_*.deb
# Start and enable at boot
sudo systemctl restart mysql
sudo systemctl enable mysql
Note: the MySQL in Debian Bookworm's default sources may be an older version, and the MySQL apt repository reported a signing-key error, so the installation uses the downloaded package bundle instead.
3.3 Install PHP 8.3 + Swoole + Redis Extension
# Add the Sury PHP repository (and the build dependencies needed for the extensions below)
sudo apt update
sudo apt install -y ca-certificates apt-transport-https lsb-release gnupg2 wget build-essential autoconf pkg-config libssl-dev libpcre2-dev libzip-dev libcurl4-openssl-dev libonig-dev libxml2-dev libgd-dev libfreetype-dev libjpeg-dev libpng-dev libxpm-dev libwebp-dev libxslt1-dev libsqlite3-dev libpq-dev libicu-dev libmagickwand-dev git unzip
wget -O /tmp/gpg.key https://packages.sury.org/php/apt.gpg
sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/php.gpg /tmp/gpg.key
echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/php.list
# Install PHP 8.3
sudo apt update
sudo apt install -y php8.3 php8.3-cli php8.3-common php8.3-fpm php8.3-mbstring php8.3-xml php8.3-curl php8.3-zip php8.3-gd php8.3-mysql php8.3-pgsql php8.3-sqlite3 php8.3-bcmath php8.3-intl php8.3-soap php8.3-xsl php8.3-opcache
sudo apt install -y php8.3-dev
# Install phpredis (built from source against PHP 8.3)
wget https://github.com/phpredis/phpredis/archive/refs/tags/6.3.0.tar.gz
tar -xzf 6.3.0.tar.gz
cd phpredis-6.3.0
phpize8.3
./configure --with-php-config=/usr/bin/php-config8.3
make -j$(nproc) # build on all cores
sudo make install
cd ..
echo "extension=redis.so" | sudo tee /etc/php/8.3/mods-available/redis.ini
sudo phpenmod -v 8.3 -s ALL redis
### Check phpredis
php8.3 --ri redis
php8.3 -m | grep redis
php8.3 -r "new Redis(); echo 'OK';"
# Install Swoole (built from source against PHP 8.3)
sudo apt update
sudo apt install -y php8.3-dev libssl-dev
wget https://github.com/swoole/swoole-src/archive/refs/tags/v5.1.8.tar.gz
tar -xzf v5.1.8.tar.gz
cd swoole-src-5.1.8
phpize8.3
./configure --with-php-config=/usr/bin/php-config8.3 --enable-openssl
make -j$(nproc)
sudo make install
cd ..
echo "extension=swoole.so" | sudo tee /etc/php/8.3/mods-available/swoole.ini
sudo phpenmod -v 8.3 -s ALL swoole
### Check Swoole
php8.3 --ri swoole
php8.3 -m | grep swoole
### Remove temporary files
rm -rf {phpredis-6.3.0,6.3.0.tar.gz,v5.1.8.tar.gz,swoole-src-5.1.8}
3.4 Install Composer
php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
# Verify the installer's SHA-384 before running it; delete it on mismatch
php -r "if (hash_file('sha384', 'composer-setup.php') === 'c8b085408188070d5f52bcfe4ecfbee5f727afa458b2573b8eaaf77b3419b0bf2768dc67c86944da1544f06fa544fd47') { echo 'Installer verified'.PHP_EOL; } else { echo 'Installer corrupt'.PHP_EOL; unlink('composer-setup.php'); exit(1); }"
php composer-setup.php
sudo mv composer.phar /usr/local/bin/composer
php -r "unlink('composer-setup.php');"
export COMPOSER_ALLOW_SUPERUSER=1
# Test
composer --version
3.5 Deploy the Application (Hyperf as an Example)
git clone https://your-git-server/bm_france_server.git
cd bm_france_server
composer install --optimize-autoloader --no-dev
php bin/hyperf.php start
3.6 Nginx + HTTPS (Let's Encrypt)
sudo apt update
sudo apt install -y nginx
sudo mkdir -p /home/vhost
sudo mkdir -p /home/ssl
# Edit the main configuration
vim /etc/nginx/nginx.conf
```nginx
# add inside the http block
http {
    ...
    include /home/vhost/*.conf;
    ...
}
```
# Configure a site (example)
sudo tee /home/vhost/test.conf << 'EOF'
server {
    listen 80;
    server_name your.domain.com;
    root /home/your_user/bm_france_server/public;
    location / {
        try_files $uri $uri/ @hyperf;
    }
    # Forward PHP requests to Hyperf (Swoole HTTP server)
    location @hyperf {
        # Hyperf listens on port 9501 by default
        proxy_pass http://127.0.0.1:9501;
    }
}
EOF
sudo systemctl reload nginx
# Install acme.sh
sudo apt update
sudo apt install -y curl socat openssl
curl https://get.acme.sh | sh -s email=xxx@email.com
# Record the Aliyun DNS API credentials
export Ali_Key="xxx"
export Ali_Secret="xxx"
/root/.acme.sh/acme.sh --set-default-ca --server letsencrypt
# Issue a wildcard certificate via DNS validation
chmod 600 /root/.acme.sh/account.conf
/root/.acme.sh/acme.sh --issue --dns dns_ali -d xxx.com -d '*.xxx.com'
# Install the certificate and reload nginx automatically so renewals take effect
/root/.acme.sh/acme.sh --install-cert -d xxx.com --cert-file /home/ssl/xxx/cert.pem --key-file /home/ssl/xxx/key.pem --fullchain-file /home/ssl/xxx/fullchain.pem --reloadcmd "systemctl reload nginx"
### Edit test.conf in vim to load the certificate and listen on 443
vim /home/vhost/test.conf
```nginx
server {
    ...
    listen 443 ssl http2;
    ssl_certificate /home/ssl/xxx/fullchain.pem;
    ssl_certificate_key /home/ssl/xxx/key.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE+AESGCM;
    ...
}
```
Phase 4: Tightening Database Privileges (from mysql_history)
Log in to MySQL:
sudo mysql -u root
Run the following SQL (strictly in this order):
-- Create a dedicated application user (allowed to connect from any IP; restrict to internal IPs in production)
CREATE USER 'user'@'%' IDENTIFIED BY 'StrongAppPassword123!';
-- Grant full privileges on the business database (assumed to be named bm_france)
GRANT ALL PRIVILEGES ON bm_france.* TO 'user'@'%';
-- Critical: revoke any privileges on the mysql system database (prevents privilege escalation)
REVOKE ALL PRIVILEGES, GRANT OPTION ON mysql.* FROM 'user'@'%';
-- Reload the privilege tables
FLUSH PRIVILEGES;
-- Exit
EXIT;
🔒 These three steps are the security baseline: functional grant + system isolation + privilege flush. None can be omitted.
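To confirm that the GRANT/REVOKE sequence above actually left the application user with access to bm_france and nothing else, the following added example (not part of the original post) checks the output of SHOW GRANTS; `check_app_grants` is a name chosen here, and the sample grant lines are constructed in MySQL 8's quoting style.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: verify the outcome of the GRANT/REVOKE
# sequence. check_app_grants reads SHOW GRANTS output on stdin and prints every grant
# whose scope is not the allowed application database. The bare "GRANT USAGE ON *.*"
# line that every MySQL account carries conveys no privileges and is accepted.
# Returns 0 only when nothing out of scope is found. Assumes MySQL 8 output format.
set -eu

# check_app_grants ALLOWED_DB  < output-of-SHOW-GRANTS
check_app_grants() {
  db="$1"; bad=0
  while IFS= read -r line; do
    case "$line" in
      "GRANT USAGE ON *.* TO "*) ;;                 # login-only placeholder, no privileges
      "GRANT "*" ON \`$db\`.* TO "*) ;;             # expected: privileges on the app DB only
      "GRANT "*) printf 'out of scope: %s\n' "$line"; bad=1 ;;
      *) ;;                                          # column headers or blank lines
    esac
  done
  return "$bad"
}

# Constructed sample output (not captured from a live server).
sample_grants() {
  printf '%s\n' \
    'GRANT USAGE ON *.* TO `user`@`%`' \
    'GRANT ALL PRIVILEGES ON `bm_france`.* TO `user`@`%`'
}
# Same account, but with a leftover grant on the system database.
sample_grants_leaky() {
  sample_grants
  printf '%s\n' 'GRANT SELECT ON `mysql`.* TO `user`@`%`'
}

if sample_grants | check_app_grants bm_france; then echo "clean account: OK"; fi
if ! sample_grants_leaky | check_app_grants bm_france; then echo "leaky account: flagged"; fi
# On the server: sudo mysql -N -e "SHOW GRANTS FOR 'user'@'%'" | check_app_grants bm_france
```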
Conclusion: Commands Are the Contract
All of the commands above form a complete contract from zero to production-ready. They can be written into an Ansible playbook or a Bash script, or kept as the gold standard for disaster recovery.
Remember: in the world of operations, the most reliable documentation is the command you typed yourself and watched succeed.
Next time you deploy, you could simply run curl -sL https://your.blog/debian-init.sh | sudo bash, if you are willing to turn all of this into a script.
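The one-line `curl | sudo bash` deploy above runs whatever the server happens to return. As an added example that is not part of the original post, this applies the same idea as the Composer installer check in section 3.4 to the init script: download it, compare against a SHA-256 pinned when the script was published, and execute only on a match. `run_verified` and `fetch_and_run` are names chosen here, and the expected digest is a placeholder you fill in.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: execute a downloaded script only after
# its SHA-256 matches a pinned value, instead of piping curl straight into bash.
set -eu

# run_verified SCRIPT EXPECTED_SHA256 [ARGS...]: run SCRIPT only if its digest matches.
run_verified() {
  script="$1"; expected="$2"; shift 2
  actual="$(sha256sum "$script" | cut -d' ' -f1)"
  if [ "$actual" != "$expected" ]; then
    printf 'refusing to run %s\n  expected %s\n  actual   %s\n' "$script" "$expected" "$actual" >&2
    return 1
  fi
  sh "$script" "$@"
}

# fetch_and_run URL EXPECTED_SHA256: download to a temp file, verify, run, clean up.
fetch_and_run() {
  url="$1"; expected="$2"
  tmp="$(mktemp)"
  curl -fsSL -o "$tmp" "$url"
  if run_verified "$tmp" "$expected"; then status=0; else status=$?; fi
  rm -f "$tmp"
  return "$status"
}

# Demo with a constructed local script, so no network is needed.
demo="$(mktemp)"
printf 'echo "init script ran with arg: $1"\n' > "$demo"
good_sum="$(sha256sum "$demo" | cut -d' ' -f1)"
run_verified "$demo" "$good_sum" demo-arg                 # digest matches: runs
bad_sum="$(printf '%064d' 0)"                             # a wrong digest
if ! run_verified "$demo" "$bad_sum" demo-arg 2>/dev/null; then
  echo "mismatched script was not executed"
fi
rm -f "$demo"
# Real use, with the digest recorded at publish time (placeholder):
# fetch_and_run https://your.blog/debian-init.sh "$EXPECTED_SHA256"
```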