Linux: Debian 12 "Bookworm" (incomplete, Work in progress!)

Introduction

This page contains miscellaneous notes about the installation of (and also the upgrade to) Debian 12 "Bookworm" on several of my computers. Historically, this page is a follow-up to my "other" Debian pages and supersedes them. It also documents some specific installation cases and includes rants about some issues that I encountered. As usual, this document has been "anonymised" in a few places; in particular, IP addresses have been replaced by xxx or yyy.

Note that some of the configurations will deviate from the previous settings. The main reason is that we have modified several parts of our setup: my desktop computer is no longer the "central" server and router; instead, it has been converted back to a "standard" desktop. A separate, low-power computer (also running Debian 12 of course) is now acting as router, and it also serves as a secondary back-up NFS server and a Samba server.

Upgrading from Debian 11 to Debian 12

Upgrading

On a few machines, I simply performed an in-place upgrade of the existing system instead of a new installation.

First, make sure the system is fully up to date:

apt update && apt upgrade
apt autoremove

Next, edit /etc/apt/sources.list and replace all occurrences of bullseye with bookworm and add the new non-free-firmware parts. The final file looks as follows:

deb http://deb.debian.org/debian/ bookworm main non-free-firmware contrib non-free
deb-src http://deb.debian.org/debian/ bookworm main non-free-firmware contrib non-free

deb http://security.debian.org/debian-security bookworm-security main non-free-firmware contrib non-free
deb-src http://security.debian.org/debian-security bookworm-security main non-free-firmware contrib non-free

deb http://deb.debian.org/debian/ bookworm-updates main non-free-firmware contrib non-free
deb-src http://deb.debian.org/debian/ bookworm-updates main non-free-firmware contrib non-free
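
The same edit as a filter, as an added example that is not part of the original page: it renames the suite, adds non-free-firmware after main on official Debian archive entries only, and leaves everything else untouched. The helper name migrate_sources and the sample input (including the example.invalid repository) are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original page): rewrite APT source entries
# from Debian 11 "bullseye" to Debian 12 "bookworm".
# migrate_sources is a hypothetical helper name. It filters stdin to stdout,
# so the real /etc/apt/sources.list is never modified in place. Review with:
#   migrate_sources < /etc/apt/sources.list | diff /etc/apt/sources.list -

migrate_sources() {
    awk '
    $1 == "deb" || $1 == "deb-src" {
        s = 3                                   # deb URI SUITE components...
        if ($2 ~ /^\[/) {                       # optional [arch=... signed-by=...]
            s = 2
            while (s <= NF && $s !~ /\]$/) s++  # find the field that closes it
            s += 2                              # step over that field and the URI
        }
        if (s <= NF && $s ~ /^(bullseye|bookworm)/) {
            sub(/^bullseye/, "bookworm", $s)    # also covers -security, -updates
            seen = 0
            for (i = s + 1; i <= NF; i++)
                if ($i == "non-free-firmware") seen = 1
            # Firmware has its own component in Debian 12. Add it only to
            # official archive entries that carry the main component.
            if (!seen && $(s - 1) ~ /debian\.org\//)
                for (i = s + 1; i <= NF; i++)
                    if ($i == "main") { $i = "main non-free-firmware"; break }
        }
    }
    { print }                                   # comments, blanks, other lines
    '
}

# Constructed sample input (example.invalid is a placeholder third-party repo).
sample_bullseye() {
    cat <<'EOF'
# /etc/apt/sources.list as left by a Debian 11 install
deb http://deb.debian.org/debian/ bullseye main contrib non-free
deb http://security.debian.org/debian-security bullseye-security main contrib non-free
deb http://deb.debian.org/debian/ bullseye-updates main contrib non-free
deb [arch=amd64] https://example.invalid/repo bullseye stable
EOF
}

sample_bullseye | migrate_sources
```

Running the filter on its own output changes nothing, so it can also be used on a fresh Debian 12 file that only lacks non-free-firmware.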

Now, verify if we can access all upgrades:

apt update

If the previous command shows no error, we can proceed:

apt upgrade --without-new-pkgs
apt full-upgrade

That's all :-) The process can take anything between a few minutes and a few hours, depending on the speed of the machine and the number of packages installed.

You will be asked several times if you want to keep existing configuration files or if you want to overwrite them with the version provided by the package maintainer: For most of the server-related packages and for customized services such as ssh, I kept my version.

Once the upgrade is finished, reboot the system.

If you run other operating systems on the same machine, you may want to run:

dpkg-reconfigure grub-pc

Installing Debian 12 from scratch

Base install

The initial installation was performed using the Debian 12 64-bit "netinstall" USB stick. A while earlier, I had replaced the conventional 1-TB HDD by a 500-GB SSD as system disk and repurposed the "old" HDD for file storage. Also, the machine had been upgraded from 8 GB to 12 GB RAM. Overall, the disk layout is now as follows:

Partition | Size   | Filesystem | Label        | Mount point             | Comment
/dev/sda1 | 250 MB | vfat       | EFI          | /boot/efi               |
/dev/sda2 | 38 GB  | ext4       | debian       | /                       | This is the root filesystem of Debian 12 (on the fast SSD).
/dev/sda3 | 11 GB  | swap       | swap         | swap                    | Swap space.
/dev/sda4 | 120 GB | ext4       | home         | /home                   | Home directories, now on the fast SSD.
/dev/sda5 | 305 GB | ext4       | vbox         | /mnt/vbox               | VirtualBox files. This really benefits from the fast SSD!
/dev/sdb1 | 128 MB | vfat       | EFI          | (currently not mounted) |
/dev/sdb2 | 430 GB | ext4       | share        | /mnt/share              | Local NFS export for music, photos, etc.
/dev/sdb3 | 430 GB | ext4       | backup_local | /mnt/backup_local       | Yet another backup space.
/dev/sdb3 | 12 GB  | swap       | swap         | swap                    | Swap space.

Packages: During the installation, I select at least ssh server, file server and standard system utilities for any computer.

Desktop: For machines running the KDE desktop, I select this. For low-end machines, I prefer the XFCE desktop and install it with the Debian installer.

Once the initial installation has finished and the system has booted, log in. The first thing I do is to apt install vim, edit /etc/vim/vimrc and un-comment syntax on.

Next, edit /etc/apt/sources.list and add the new non-free-firmware parts on all 6 lines. The final file is shown above.

apt update
apt install 'firmware-linux*' firmware-misc-nonfree acpi-support hwinfo ntpdate lshw mc acl \
            firmware-amd-graphics firmware-realtek firmware-atheros firmware-iwlwifi

Basic Network Security

sshd

If not already included in some metapackage, do apt install openssh-server and set up sshd. Some key entries in my /etc/ssh/sshd_config are:

# obviously not THIS port but you get the idea
Port 1234
# deprecated keyword: the OpenSSH in Debian 12 only speaks protocol 2
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication yes
AcceptEnv LANG LC_*
Banner /etc/issue.net
AllowUsers joe jack

Create the banner file that is shown upon login:

cat <<EOF > /etc/issue.net 
********************************************************************
* This system is for the use of authorized users only.             *
* Unauthorized access to this system is prohibited.                *
*                                                                  *
* Usage of this system is monitored and recorded.                  *
* Anyone using this system expressly consents to such monitoring   *
* and is advised that if such monitoring reveals possible          *
* evidence of criminal activity, system personnel may provide the  *
* evidence from such monitoring to law enforcement officials.      *
********************************************************************
EOF

Adjust some network-related files

On the server, /etc/hosts contains some fixed IP addresses and aliases in my local network (most are handled by dnsmasq, see below).

/etc/hosts.allow

# 192.168.* or 192.168.999.* or whatever fits your subnet
ALL: 127.0.0.1 LOCAL 192.168.*

/etc/hosts.deny

sshd: ALL EXCEPT LOCAL : rfc931 : spawn (/usr/sbin/safe_finger -l @%h | \
      mail -s%d-%h root) & : twist /bin/echo "Access prohibited by system administration. Go away."
ALL: ALL EXCEPT LOCAL

Enable automatic security updates

On all my machines except laptops, I want security updates to be downloaded and applied automatically:

apt install unattended-upgrades 
dpkg-reconfigure unattended-upgrades

Networking

New names for the network interfaces

Bad News: The network interfaces have been renamed. While this is supposed to bring more consistency in the device naming, it also introduces a lot of problems since scripts are no longer transferable between computers:

In the "past", the first interface was always assigned to eth0. Even if the system had multiple interface cards, the old naming scheme allowed you to define "which card is what interface" in /etc/udev/rules.d/70-persistent-net.rules. Afterwards, you could use eth0 and eth1 across multiple systems. In standard systems with a single network card, only eth0 was present anyway and the details did not matter. This was universal and could be replicated across all kinds of systems, from firewall rules through the Samba configuration up to utilities such as Conky. It meant that you could swap entire hard disks between computers and be sure that the machine would boot and connect.

With the "new" interface names, all these scripts need to be revised on every single computer. On different computers I have seen interface names as colorful as enp3s0, enp4s0, enp0s25, enp63s0 (?!), wlp2s0, wlp3s0, wlp5s0 and others. Where is the consistency in this?

After figuring out "which card does what" with ip a, I adjusted /etc/network/interfaces to assign how the two cards are operated. At the same time, this is where the firewall is launched:

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# firewall
pre-up iptables-restore < /etc/iptables.conf

# the external network card
auto enp3s0
allow-hotplug enp3s0
iface enp3s0 inet dhcp

# The primary (internal) network interface
auto enp4s0
allow-hotplug enp4s0
iface enp4s0 inet static
  address 192.168.xxx.yy
  netmask 255.255.255.0
  broadcast 192.168.xxx.255
  # do NOT set any gateway here!

Firewall, Router and NAT

Firewall

For any machine that does not require routing, the uncomplicated firewall ufw is probably the easiest solution out there:

apt install ufw
# allow the sshd port before enabling the firewall, so that a remote session is not locked out
ufw allow in 1234/tcp
ufw enable

However, I could not figure out how to use ufw with a router and NAT (and make the rules persist after a reboot!). After wasting too much time with different firewall options, I decided to stick with good old iptables for the router since it was the "easiest" to configure. The file /etc/network/iptables.conf contains mostly the same firewall rules as before:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i enp4s0 -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -p 50 -j ACCEPT
-A INPUT -p 51 -j ACCEPT
-A INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# sshd runs on a non-standard port. Obviously not THIS one but you get the idea ;-)
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1234 -j ACCEPT

# router
-A FORWARD -i enp3s0 -o enp4s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp4s0 -o enp3s0 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o enp3s0 -j MASQUERADE
COMMIT
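
A check for this kind of ruleset, as an added example that is not part of the original page: for every chain of the filter table it reports what happens to a packet that no rule has accepted, either an unconditional DROP/REJECT rule or the chain policy. The helper name audit_filter_chains is hypothetical; the sample input is the filter table shown above with its comments omitted.

```sh
#!/bin/sh
# Added example, not part of the original page.
# audit_filter_chains (hypothetical name) reads iptables-restore text on stdin
# and prints one line per built-in chain of the filter table:
#   "<CHAIN> <TARGET>(rule)"    an unconditional DROP/REJECT rule closes the chain
#   "<CHAIN> <POLICY>(policy)"  unmatched packets fall through to the chain policy
audit_filter_chains() {
    awk '
    /^\*/ { table = substr($1, 2); next }       # "*filter", "*nat", ...
    table != "filter" { next }                   # skip everything outside *filter
    /^:/ {                                       # ":INPUT ACCEPT [0:0]"
        chain = substr($1, 2)
        policy[chain] = $2
        order[++n] = chain
        next
    }
    # A rule without match options, e.g. "-A INPUT -j REJECT --reject-with ...".
    $1 == "-A" && $3 == "-j" && ($4 == "DROP" || $4 == "REJECT") {
        if ((NF == 4 || $5 == "--reject-with") && !($2 in final))
            final[$2] = $4
    }
    END {
        for (i = 1; i <= n; i++) {
            c = order[i]
            if (c in final) print c, final[c] "(rule)"
            else            print c, policy[c] "(policy)"
        }
    }
    '
}

# Filter table from the page (comment lines omitted).
page_filter_table() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i enp4s0 -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -p 50 -j ACCEPT
-A INPUT -p 51 -j ACCEPT
-A INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1234 -j ACCEPT
-A FORWARD -i enp3s0 -o enp4s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp4s0 -o enp3s0 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

page_filter_table | audit_filter_chains
```

For the ruleset above, INPUT is closed by its final REJECT, while FORWARD falls through to its ACCEPT policy: the RELATED,ESTABLISHED rule only restricts traffic arriving on enp3s0 if the FORWARD policy is DROP or a closing REJECT rule is appended to that chain.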

Router

For a system that is used as a router, edit /etc/sysctl.conf and activate routing by un-commenting the line net.ipv4.ip_forward=1.

To have a local DHCP server, apt install dnsmasq, then edit /etc/dnsmasq.conf:

local=/localnet/
interface=enp4s0
listen-address=127.0.0.1
domain=localnet
dhcp-range=192.168.xxx.yy,192.168.xxx.zz,12h
dhcp-leasefile=/var/lib/misc/dnsmasq.leases
log-queries
dhcp-host=01:12:23:34:45:56,thing    # assign name "thing" to MAC address 01:12:23:34:45:56

Reboot.

At this point, the router functionality should be established and your machines on the internal network should be able to access the Internet again. Test if DNS is working, e.g.:

dig debian.org @localhost
nslookup debian.org localhost
nslookup debian.org i5.localnet

Read the log files

FIXME

While we're at it, let's create a directory for my backup log files ...

mkdir /var/log/backup

Installing the Desktop

Applications

I prefer not to install all language packs. Here, be careful to select the languages you want to keep! Generally I select the generic language plus the UTF-8 variant, e.g. de and then dialects such as de_DE.UTF-8 and de_CH.UTF-8:

apt install localepurge
localepurge

Now, install the desktop files.

KDE:

apt install kde-config-systemd kde-style-qtcurve-qt5 gtk2-engines-qtcurve print-manager gtk2-engines-oxygen oxygen-icon-theme plasma-theme-oxygen


apt install lyx texlive-font-utils texlive-lang-english texlive-lang-french texlive-lang-german  # typesetting
apt install pdftk qpdf pdfmod ghostscript cups-pdf atril pdfgrep   # handling PDF 
apt install gftp bluefish tidy sitecopy                             # HTML authoring
apt install gpsbabel qmapshack                                      # GPS related 
apt install kicad gerbv                                             # electronics development
apt install inkscape gnuplot-x11                                    # graphics and science :-) 
apt install vlc k3b kde-config-cddb audacity easytag clementine     # Multimedia and CD authoring

XFCE, MATE: For less complex desktop environments, I usually choose the "Debian Desktop with XFCE" (or MATE) option using tasksel. A typical installation (again ... you could put all this on one line):

# the following two lines are specific for the MATE desktop:
apt install mate-desktop-environment     # metapackage
apt install caja-sendto caja-open-terminal caja-wallpaper caja-xattr-tags caja-image-converter 

apt install firefox-esr thunderbird chromium deluge lynx curl nmap dnsutils build-essential module-assistant 
apt install ufw dos2unix ark rar unrar sharutils subversion rsync unison-gtk  
apt install ttf-mscorefonts-installer fonts-liberation libreoffice gnote glabels  
apt install enchant aspell-fr aspell-de hunspell-en-us hunspell-fr hunspell-de-de hunspell-de-ch 
apt install gimp gimp-gutenprint imagemagick digikam vlc k3b
apt install sqlite3 sqlitebrowser python3-dateutil filelight conky
apt install pdftk qpdf pdfmod ghostscript cups-pdf atril system-config-printer

Fine-tuning

Time for some clean-up. On a desktop system, we do not need the Network Manager applet, and I don't understand why minidlna is installed by default without asking. In addition, I observed some trouble with Intel graphics:

apt remove network-manager kde-nm nm minidlna
apt remove xserver-xorg-video-intel
apt purge  xserver-xorg-video-intel

When you install KDE, Debian 12 will automatically install Wayland. I prefer to stay with the standard X server, so let's remove Wayland altogether:

apt remove plasma-workspace-wayland

Enable Alt-Ctrl-Backspace to kill X server. This needs to be done AFTER X is set up; the setting we want is on the very last screen:

dpkg-reconfigure keyboard-configuration

File and Print Services

NFS Export

For machines that make files available via NFS (i.e. NFS server):

apt install nfs-kernel-server nfs-common
vim /etc/exports

For read-only export, /etc/exports contains something like:

/mnt/share  192.168.xxx.0/255.255.255.0(ro,sync,nohide,mp,no_root_squash,no_subtree_check)

For read-write access, /etc/exports contains something like:

/mnt/nasdrive  192.168.xxx.0/255.255.255.0(rw,sync,nohide,mp,no_subtree_check)

The corresponding clients will have something like this in their /etc/fstab:

192.168.xxx.yy:/mnt/nasdrive  /mnt/nas  nfs    noauto,user,bg,hard,intr,_netdev   0 0

... and they need the NFS tools, of course:

apt install nfs-common

Apache Webserver

I keep a fully functional webserver on my local machine, so that I can test webpages with PHP scripts and other functionalities without publishing them on my "real" webserver yet (I use sitecopy to publish these data later on, synchronizing my local directories 1:1 with those on the webserver). Installing Apache on Debian is done with a single command:

apt install apache2 php libapache2-mod-php

Since I create and modify all the HTML and PHP files in a folder www/<sitename> inside my home directory, I want to access them directly inside this location (i.e. without copying them to the server). Per-user web directories come to the rescue, but the entire Apache configuration seems to be "hardwired" to the folder location public_html. Since I am using www, some files need to be modified:

a2enmod userdir
sed -i "s/public_html/www/" /etc/apache2/mods-available/userdir.conf  
sed -i "s/public_html/www/" /etc/apache2/mods-available/php8.2.conf
# in this file, follow also the instructions in the section '# Running PHP scripts in user directories is disabled by default'
systemctl restart apache2

I noticed that some of my PHP files would not run. The error log in /var/log/apache2/error.log showed PHP Fatal error: Uncaught Error: Class "IntlDateFormatter" not found in .... The problem was solved by installing the "intl" extension to PHP:

apt install php8.2-intl
systemctl restart apache2

Since this server is only accessed on the local machine, I do not need to open ports 80 (http) and 443 (https) on the firewall.

Samba server

We did not set up a specific Samba user. Instead, the Samba shares were created by root and then assigned to an existing user:

    mkdir /mnt/share/win/ /mnt/share/win/transfer
    chmod 2755 /mnt/share/win/ /mnt/share/win/transfer
    chown -R joe:joe /mnt/share/win/

Note: the Linux file permissions are always applied, overriding the things you wish to happen via the Samba config file. Since we are not using per-user logins here, all file access is simply assigned to the Linux user who owns the Samba share (and that we just defined above). This is the reason why we use force user and force group in the config file below.

apt install samba (for the clients: apt install samba-client cifs-utils), then adjust the configuration file /etc/samba/smb.conf. Check with testparm. Some useful entries (not everything is shown) might be:

[global]
   # Make symlinks accessible
   follow symlinks = yes
   wide links = yes
   allow insecure wide links = yes
   map to guest = bad user
   create mask = 0664
   directory mask = 2755
   force create mode = 0644
   force directory mode = 2755

# read-only
[share]
    comment = Shared drive (read-only)
    path = /mnt/share/win
    public = yes
    writable = no
    force user = joe
    force group = joe

# read-write
[transfer]
    comment = Transfer drive (read/write for everyone)
    path = /mnt/share/win/transfer
    public = yes
    writable = yes
    force user = joe
    force group = joe

Specific Hardware

As usual, almost everything worked right out of the box or with only minor tweaks; most of these are related to vendor-specific quirks:

Palm PDA

Synchronising with the Palm T2 works, but the related packages seem to be un-maintained today. We need to enable some of the old sources in /etc/apt/sources.list:

cat >> /etc/apt/sources.list <<'EOF'
# jpilot is only available in the old (deb10) repos:
deb http://deb.debian.org/debian/ buster main
EOF
apt update                      # refresh
apt install jpilot pilot-link   # install software
usermod -a -G dialout joe       # add "joe" to the "dialout" group

Remember to use usb: as the communication port.

KDEConnect

kdeconnect is a great little application that integrates Android phones and Android Tablets into the KDE desktop. Some use cases that I could appreciate immediately:

Scanners

First, install the generic Linux tools for scanning and OCR, then add the user to the scanner group:

apt install sane sane-utils xsane parallel tesseract-ocr tesseract-ocr-fra tesseract-ocr-deu
usermod -a -G scanner joe

Epson Perfection 1660 Photo scanner

This scanner requires a proprietary driver that is available from the Epson support pages (I don't provide a specific link here - just search for "Epson Image Scan! for Linux"). After downloading and unpacking, launch the installer:

cd /path/to/downloaded/epson/iscan-bundle-1.0.4.x64.deb/
bash ./install.sh

Fujitsu SP1120 scanner with ADF

This scanner is my workhorse for document scanning. It requires a proprietary driver that is available from Fujitsu (I don't provide a specific link here - just search for "Fujitsu Image Scanner Driver for Linux"). After downloading, install the .deb package with dpkg:

cd /path/to/downloaded/fujitsu/fujitsu-sp1120/   
dpkg -i pfusp-ubuntu18.04_2.1.1_amd64.deb

As mentioned before, the Fujitsu scanner driver is using some extended ACL that prevents a normal user from using the device. The fix is to create a specific udev rule to correct the rights:

cat >> /etc/udev/rules.d/50-libsane.rules <<'EOF'
# Fujitsu SP1120
ATTRS{idVendor}=="04c5", ATTRS{idProduct}=="1473", ENV{libsane_matched}="yes", MODE="0664",OWNER="root",GROUP="root"
EOF
udevadm trigger

These ATTRS can be found by looking at the output of lsusb:

$ lsusb
Bus 002 Device 013: ID 04c5:1473 Fujitsu, Ltd

To ensure a fast start of the scanners, I disabled most drivers in /etc/sane.d/dll.conf, except the net entry (for scanning over the network). Both the Fujitsu pfusp and the Epson epkowa drivers will receive their own files and are no longer "embedded" in /etc/sane.d/dll.conf.

Scanning over the network

If you use scanners over the network, remember to enable the "SANE daemon" on the machine where the scanners are attached.

Printing

My two network printers, an HP Laserjet 5MP and an OKI 531C, were identified in CUPS and installed without problems. The Laserjet required a specific driver before it would work:

apt install printer-driver-hpcups

Also, most printers have menus that present way too many options. As an example, I mostly print in DIN A4 as standard paper size, followed by occasional A5 and rarely A6. All other page sizes are not interesting and will only clutter the menu. Therefore, I modified the corresponding PPD files and only kept "my" paper sizes. Of course, I keep a copy of these PPD files for any re-installation.

The CUPS printing system also provides the traditional lpr functionality, so we set the default printer (as user):

lpstat -p -d         # see which printers are available
lpoptions -d LJ5MP   # set default printer

Specify the default papersize:

echo "a4" > /etc/papersize
tl-paper set all a4

Brother P-touch QL-1100

For the Brother P-touch QL-1100 label printer, Brother only provides a driver for the 32-bit architecture. We need to add this to the system before we can install the driver:

dpkg --add-architecture i386
apt update
apt install lib32z1        # this is needed
dpkg -i brother.ql1100pdrv-2.1.4-0.i386.deb 

To define labels in A6 size (the standard shipping label for international parcels):

brpapertoollpr_ql1100 -P QL-1100 -n customA6 -w 103 -h 152

To print such a label, use Page Scaling NONE and Auto Rotate and Center ON (the page orientation does not matter).

To define labels in A7 size (small shipping labels for national parcels):

brpapertoollpr_ql1100 -P QL-1100 -n customA7 -w 103 -h 78

To print such a label, use Orientation PORTRAIT, Page Scaling NONE and Auto Rotate and Center OFF.

NVIDIA graphics card

The main desktop computer is equipped with an NVIDIA Corporation GK208B [GeForce GT 710] graphics card that I mostly use for 3D visualisation. This card does not seem to be very well supported, but you get the full 3D functionality even without installing any of the proprietary NVIDIA drivers.

If you really want to install the NVIDIA drivers:

apt install nvidia-detect
nvidia-detect
# then install what is proposed here, e.g. 
apt install nvidia-tesla-470-driver

Removal:

apt remove 'nvidia-*'
apt purge 'nvidia*'

Specific Software

VirtualBox

I use VirtualBox to run instances of Microsoft Windows and other software as "guest" inside the Linux system. I used to get these files directly from Oracle, but Debian has complicated the handling of such external files due to the required file signatures. However, we can now use the Debian fasttrack system:

cat >> /etc/apt/sources.list <<'EOF'
# VirtualBox - get it through Debian fasttrack
deb https://fasttrack.debian.net/debian-fasttrack/ bookworm-fasttrack main contrib
deb https://fasttrack.debian.net/debian-fasttrack/ bookworm-backports-staging main contrib
EOF
apt install fasttrack-archive-keyring
apt update
apt install virtualbox virtualbox-guest-additions-iso
adduser joe vboxusers

To enable USB support, you need to download and install a module from the VirtualBox website; the process is self-explanatory.

If you use Microsoft Windows 10 as "guest" under Linux and have problems using the microphone, please launch pavucontrol ("PulseAudio Volume Control") while the Windows "guest" is running, then verify the settings in two places:

CalDAV, CardDAV and Google Calendar

apt install kaccounts-providers

To add a CardDAV account (Contacts list) to the KDE KOrganizer, go into Kontact > Settings > Configure Kontact > Calendar (!) > General > Tab "Calendars" > Add > DAV Groupware Ressource > enter your account.

To add a Google Calendar to the KDE KOrganizer, go into Kontact > Settings > Configure Kontact > Calendar > General > Tab "Calendars" > Add > Google Calendars and Tasks > enter your gmail account.

Arduino

The Arduino development package provided by Debian is outdated (due to license issues for the newer versions). To install the current 2.x version, I downloaded the AppImage version from the Arduino website, then proceeded as follows:

mkdir /opt/arduino
chown -R joe:joe /opt/arduino/
ln -s /opt/arduino/arduino-ide_2.2.1_Linux_64bit.AppImage arduino
usermod -a -G dialout joe

Issues and weird things

Bash and PATH

One issue is that the local ~/bin directory is no longer in the PATH (unless you use a login shell), i.e. users cannot execute any scripts in their local bin directory without specifying the full path. To correct this for all users, edit the system-wide /etc/bash.bashrc and add:

# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
    PATH="$HOME/bin:$PATH"
fi

KDE and KMail settings

I do not like the Breeze Theme (why do so many Linux Desktops try to copy the worst of Microsoft Windows?). Fortunately, the good old Oxygen style is still there and can be installed with apt install oxygen-icon-theme plasma-theme-oxygen. Once installed, I modified the following settings to get a much more compact display:

Similar to this, the default KMail screen layout is a waste of screen space, so I did the following:

ImageMagick policies

Another weird thing is a security policy of ImageMagick, which does not allow PDF-related conversions. This issue has existed for quite a while now. A workaround is to disable a section in /etc/ImageMagick-6/policy.xml by commenting it out (i.e. moving the comment-closing sign to the bottom):

  <!-- disable ghostscript format types 
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
  -->
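
A narrower alternative to commenting out the whole section, as an added example that is not part of the original page: it re-enables only the PDF coder and lists which Ghostscript-backed coders remain denied. The helper names blocked_coders and allow_pdf_coder are hypothetical, and the sample input is the section as it reads before the edit, constructed from the lines shown above.

```sh
#!/bin/sh
# Added example, not part of the original page.
# blocked_coders and allow_pdf_coder are hypothetical helper names; both work
# as stdin/stdout filters, so /etc/ImageMagick-6/policy.xml itself is untouched.

# Print the coder patterns that are still denied (rights="none"). Text inside
# <!-- ... --> is skipped, including comments that span several lines.
blocked_coders() {
    awk '
    {
        rest = $0; active = ""
        while (rest != "") {
            if (incomment) {
                p = index(rest, "-->")
                if (!p) break                    # comment continues on next line
                rest = substr(rest, p + 3); incomment = 0
            } else {
                p = index(rest, "<!--")
                if (!p) { active = active rest; break }
                active = active substr(rest, 1, p - 1)
                rest = substr(rest, p + 4); incomment = 1
            }
        }
        if (active ~ /domain="coder"/ && active ~ /rights="none"/ &&
            match(active, /pattern="[^"]*"/))
            print substr(active, RSTART + 9, RLENGTH - 10)
    }
    '
}

# Re-enable only the PDF coder; PS, PS2, PS3, EPS and XPS stay denied.
allow_pdf_coder() {
    sed '/pattern="PDF"/ s/rights="none"/rights="read|write"/'
}

# Constructed input: the section with the comment closed on its first line,
# i.e. before the edit described on the page.
stock_section() {
    cat <<'EOF'
  <!-- disable ghostscript format types -->
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
EOF
}

stock_section | allow_pdf_coder | blocked_coders
```

With the comment closer moved to the bottom as shown above, blocked_coders prints nothing, because all six entries are then inside the comment.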

Debian on Laptops

Generic

I'm using Debian on all of my computers; this includes laptops. The installation of Debian 12 on a laptop is performed along the same lines as described above and went mostly seamlessly. Specific points are listed below; a few generic comments and hints:

Lenovo T440s

FIXME

Acer ES1-131

I'm using an Acer ES1-131 (the sticker on the box says "Aspire E 11") as my second portable computer. Mine has an Intel Celeron N3050 Dual-Core CPU @ 1.6 GHz and came with a 500-GB hard disk, 2 GB of RAM and Windows 10, and was totally underpowered for that purpose. Fortunately, it runs very well once you install Linux with a light desktop such as XFCE or MATE, and a later update to 8 GB of RAM and replacing the hard disk by a 512-GB SSD made even Windows 10 usable on the machine :-)

Here is the current disk layout (gpt):

Partition | Size   | Filesystem                   | Label       | Mount point      | Comment
/dev/sda1 | 100 MB | vfat                         | ESP         | /boot/efi        | EFI system with boot files.
/dev/sda2 | 16 MB  | Microsoft reserved           | -           | -                | left untouched.
/dev/sda3 | 97 GB  | Microsoft basic data         | Acer        | /mnt/win         | Windows 10 partition, resized
/dev/sda4 | 0.8 GB | Windows recovery environment | -           | -                | Windows recovery, unused, shrunk to the minimum.
/dev/sda5 | 20 GB  | ext4                         | debian8     | /                | This is the root filesystem of Debian 12.
/dev/sda6 | 20 GB  | ext4                         | debian      | /mnt/debian-old  | This was the "old" Debian 11 root filesystem.
/dev/sda7 | 8 GB   | swap                         | swap        | swap             | Swap space.
/dev/sda8 | 85 GB  | ext4                         | home        | /home            | Home directories.
/dev/sda9 | 246 GB | ext4                         | share-local | /mnt/share-local | Backup copy of the local NFS server data.

Using UEFI Boot

To use UEFI boot, simply proceed as follows:

  1. Enter the BIOS (F2) and move to the Boot screen.
  2. Leave the Boot Mode set to UEFI, but disable Secure Boot (you may have to set a superuser password first)
  3. Move the Cursor onto the Debian entry, and move this one up (using the F5/F6 keys) above the HDD and Windows Bootloader entries.

Installation from scratch

Since I am using two different partitions for the root filesystem, I can perform a complete installation in one partition and still keep the "old" system, should some problem occur. Again, this all went without problems:

# as root:
apt install vim                   # my preferred editor ;-)
vim /etc/vim/vimrc                # un-comment "syntax on"
vim /etc/ssh/sshd_config          # adjust port, Banner and AllowUsers

vim /etc/apt/sources.list         # add "contrib non-free" to all entries, as explained above
apt update
 
dpkg-reconfigure grub-efi-amd64   # required since this is a dual-boot machine

mkdir /mnt/win                    # prepare windows mountpoint
tail -3 /mnt/debian-old/etc/fstab >> /etc/fstab 
vim /etc/fstab                    # windows mount: /dev/sda3  /mnt/win  ntfs  utf8  0  0

apt install 'firmware-linux*' firmware-atheros firmware-ath9k-htc firmware-misc-nonfree
apt install lyx unison-gtk chromium deluge curl nmap dnsutils build-essential module-assistant \
    dos2unix rar unrar sharutils subversion ttf-mscorefonts-installer glabels pdftk qpdf pdfarranger \
    aspell-fr aspell-de hunspell-fr hunspell-de-de hunspell-de-ch gimp-gutenprint vlc \
    sqlite3 sqlitebrowser python-is-python3 python3-dateutil mailutils nfs-common \
    smartmontools lshw hwinfo ntpdate filelight conky munin-client acpi-support \
    thunderbird android-file-transfer qmapshack bluez-firmware blueman

dpkg-reconfigure keyboard-configuration  # allow Alt-Ctrl-Backspace to kill the X server

apt install localepurge
localepurge

Wireless network and suspend/resume

With Debian 12, the machine fully supports suspend/resume when closing the lid. Graphics, Network and WiFi survive the sleep mode without any problems :-)

Debian Buster with RAID1

Setup

On one of our servers, I decided to do a complete re-installation. After booting from USB stick, the system automatically detected the pre-existing RAID configuration and suggested the corresponding mdX devices. I merely had to select the mount points of the individual partitions.

On this machine, Debian was installed in a separate root partition. Again, I could copy many configuration files from the previous version:

# as root:
usermod -aG sudo joe           # add joe to the sudoers 
apt install vim                # my preferred editor ;-)
vim /etc/vim/vimrc             # un-comment "syntax on"
vim /etc/ssh/sshd_config       # adjust port, Banner and AllowUsers
vim /etc/apt/sources.list      # add "contrib non-free" to all entries, as explained above

tail -1  /mnt/debian11/etc/exports >> /etc/exports 
cat  /mnt/debian11/etc/issue.net >> /etc/issue.net 

cp -v /mnt/debian11/etc/resolv.conf /etc/resolv.conf 
cp -v /mnt/debian11/etc/hosts.deny /etc/hosts.deny 
cp -v /mnt/debian11/etc/hosts.allow /etc/hosts.allow 
## /etc/hosts was identical

vim /etc/network/interfaces    # add permanent connection (this is a server)
vim /etc/resolv.conf           # check for local network

dpkg-reconfigure grub-pc
apt remove xsane saned
apt install 'firmware-linux*' firmware-misc-nonfree acpi-support ntpdate hwinfo lshw mc mailutils smartmontools
apt install nfs-kernel-server nfs-common 

apt install unattended-upgrades
dpkg-reconfigure unattended-upgrades
 
apt install localepurge
localepurge

We are using munin to monitor the status of the machines on our network. The installation is simple and the /etc/munin/munin-node.conf configuration file on the clients essentially contains the address of the munin server: allow ^192\.168\.xx\.yy$.

apt install munin-node
cp -v /mnt/debian11/etc/munin/munin-node.conf /etc/munin/
munin-node-configure --shell --families=contrib,auto | sh -x

Grub and RAID

If the grub package is updated automatically, it may happen that the system does not boot anymore. In such a case, simply boot into the rescue system and run:

grub-install /dev/sda 
grub-install /dev/sdb

Both drives will be able to boot alone.
