First Steps on a New Server


David Álvarez Rosa | Personal Website
May 17, 2026

Over the last decade I've been playing with dozens of servers from multiple providers. These are the steps I've been perfecting to get up to speed fast and feel right at home on a new machine. Wrote it down here mostly as a personal reference, but hopefully useful to someone else too.

Hardware, distro, and DNS

Clean Linux install with one large root partition plus big swap.[1] While I run Arch on my laptop, Debian tends to be a better fit for servers because of its stability and long support window.

[1] Predicting future partitioning needs is easy for a desktop, but can be difficult for a server. One large root filesystem is easier to manage.

Point your domain[2] to your server's IP at your DNS provider: an A record for IPv4 and an AAAA record for IPv6. Wait a few minutes, then verify both.

[2] This post uses my domain alvarezrosa.com as an example.

    $ dig alvarezrosa.com A +short
    213.32.19.229
    $ dig alvarezrosa.com AAAA +short
    2001:41d0:305:2100::febc

Hardware doesn't matter: a VPS, a Raspberry Pi, or a dedicated box will do.

First login

Log in as root, change the password, and update.

    $ ssh root@alvarezrosa.com
    $ passwd
    $ apt update && apt full-upgrade

Create a non-root user with sudo privileges.

    $ useradd --create-home --groups sudo david
    $ passwd david

Log out, then reconnect as the new user.

    $ ssh david@alvarezrosa.com

From here on, stay on this account and use sudo when you need it.

Dotfiles

I like to set up dotfiles early. Debugging on an unfamiliar shell is its own kind of miserable.[3]

[3] These commands treat the home directory as a Git repository, which lets you track dotfiles without symlink gymnastics. GitHub access can be configured shortly after this.

    $ git init
    $ git remote add origin https://github.com/david-alvarez-rosa/dotfiles.git
    $ git fetch origin
    $ git checkout -t origin/main
    $ git submodule update --init --recursive
    $ git config status.showUntrackedFiles no

Switch to zsh and install starship.[4]

[4] Oh My Zsh is a common shell add-on, but it isn't required for the server itself. starship is a fast cross-shell prompt.

    $ sudo apt install zsh starship
    $ chsh --shell $(which zsh)

Log out and back in to confirm the shell loads correctly.

SSH keys

Copy your public key to the server from your local machine.[5]

[5] If you don't have a key on your local machine yet, generate one first with ssh-keygen.

    $ ssh-copy-id david@alvarezrosa.com

Confirm you can get in without a password.

    $ ssh david@alvarezrosa.com

If you need root access over SSH, install the key there too.

    $ sudo install -d -m 700 /root/.ssh
    $ sudo install -m 600 ~/.ssh/authorized_keys /root/.ssh/authorized_keys
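
Before switching off password logins, check what sshd enforces once every config file is merged. This added example (not part of the original post) audits `sshd -T` output; the function name `audit_sshd` and the sample inputs are constructed for illustration, and it flags password logins for any account, not just root.

```shell
#!/bin/sh
# Added example, not from the original post. On a real host, run:
#   sudo sshd -T | audit_sshd
# `sshd -T` prints the merged, effective config as lowercase "keyword value" lines.

# audit_sshd: read `sshd -T` output on stdin, print one line per setting,
# exit status 0 only if key login is on and no password path is left open.
audit_sshd() (
    pw=unset kbd=unset root=unset pubkey=unset weak=0
    while read -r key value; do
        case "$key" in
            passwordauthentication) pw=$value ;;
            pubkeyauthentication)   pubkey=$value ;;
            permitrootlogin)        root=$value ;;
            # Older releases name this ChallengeResponseAuthentication;
            # "yes" under either name counts as enabled.
            kbdinteractiveauthentication|challengeresponseauthentication)
                [ "$kbd" = yes ] || kbd=$value ;;
        esac
    done
    check() {  # check <keyword> <value> <acceptable values, space-separated>
        for ok in $3; do
            [ "$2" = "$ok" ] && { echo "ok   $1=$2"; return 0; }
        done
        echo "weak $1=$2"; weak=1
    }
    # Key login must work, or disabling passwords locks everyone out.
    check pubkeyauthentication "$pubkey" "yes"
    check passwordauthentication "$pw" "no"
    # With PAM, keyboard-interactive can still prompt for the account password.
    check kbdinteractiveauthentication "$kbd" "no"
    # without-password is the deprecated alias of prohibit-password.
    check permitrootlogin "$root" "no prohibit-password without-password forced-commands-only"
    exit "$weak"
)

# Constructed excerpts of `sshd -T` output (not captured from a real host).
SAMPLE_DEFAULT='permitrootlogin without-password
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no'
SAMPLE_HARDENED='permitrootlogin prohibit-password
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no'

printf '%s\n' "$SAMPLE_DEFAULT" | audit_sshd || echo "password logins still possible"
```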

Once that's working, disable password auth at least for root.[6]

[6] Debian's default is already PermitRootLogin prohibit-password, which only allows key-based root logins.

Timezone, locale, and hostname

Set the timezone and verify with date.

    $ timedatectl list-timezones
    $ sudo timedatectl set-timezone Europe/Madrid
    $ date

Then enable the en_US.UTF-8 locale and make it the default.

    $ sudo vim /etc/locale.gen # Uncomment en_US.UTF-8
    $ sudo locale-gen
    $ sudo update-locale LANG=en_US.UTF-8

Set a sensible hostname and make sure /etc/hosts matches.

    $ sudo hostnamectl set-hostname homelab
    $ cat /etc/hosts
    127.0.0.1 localhost
    ::1 localhost ip6-localhost ip6-loopback
    127.0.1.1 homelab

Firewall

Deny all inbound traffic and allow only the ports you need.[7]

[7] Make sure SSH is allowed before enabling the firewall, or you will lock yourself out of the machine.

    $ sudo apt install ufw
    $ sudo ufw default deny incoming
    $ sudo ufw allow 22/tcp
    $ sudo ufw enable
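
One way to avoid the lockout the firewall note warns about is to check the staged rules before running ufw enable. This is an added example, not part of the original post; the function name `ssh_rule_staged` and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. On a real host, run:
#   sudo ufw show added | ssh_rule_staged 22 && sudo ufw enable
# `ufw show added` lists rules added while ufw is still inactive,
# one "ufw <action> <target>" command per line.

# ssh_rule_staged [port]: read `ufw show added` output on stdin; succeed only
# if an allow/limit rule covers the SSH port (default 22) over TCP.
# Rules in the extended "from ... to any port N" form are not parsed here and
# count as missing, so review those by hand.
ssh_rule_staged() (
    port=${1:-22}
    while read -r cmd action target rest; do
        [ "$cmd" = ufw ] || continue
        case "$target" in
            "$port"|"$port/tcp") ;;
            # The OpenSSH application profile opens 22/tcp only.
            OpenSSH) [ "$port" = 22 ] || continue ;;
            *) continue ;;
        esac
        # Rule order matters: an earlier deny/reject for the port is
        # treated as blocking even if an allow follows it.
        case "$action" in
            allow|limit) exit 0 ;;
            *) exit 1 ;;
        esac
    done
    exit 1
)

# Constructed `ufw show added` outputs (not captured from a real host).
STAGED_OK="Added user rules (see 'ufw status' for running firewall):
ufw allow 80/tcp
ufw limit 22/tcp"
STAGED_MISSING="Added user rules (see 'ufw status' for running firewall):
ufw allow 80/tcp
ufw allow 443/tcp"

printf '%s\n' "$STAGED_MISSING" | ssh_rule_staged \
    || echo "no SSH rule staged: do not run 'ufw enable' yet"
```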

Add more rules only as services are exposed.

Automatic security updates

Security patches shouldn't depend on remembering to log in every few days.[8]

[8] Logs for unattended updates live in /var/log/unattended-upgrades/.

    $ sudo apt install unattended-upgrades apt-listchanges
    $ sudo dpkg-reconfigure --priority=low unattended-upgrades

After that, security updates mostly take care of themselves.

Intrusion prevention

fail2ban watches authentication logs and temporarily blocks IPs that look like they're brute-forcing your services.

    $ sudo apt install fail2ban
    $ sudo systemctl enable --now fail2ban

Web server

Install a web server to verify everything works end to end.[9]

[9] I've been using Apache for quite a few years, but nginx is more lightweight and handles concurrent connections more efficiently.

    $ sudo apt install nginx
    $ sudo systemctl enable --now nginx
    $ sudo ufw allow 80/tcp

Open your domain in a browser. You should see the default nginx page. Then enable HTTPS with Let's Encrypt.[10]

[10] Certbot obtains free TLS certificates, updates the nginx configuration for you, and sets up automatic renewal.

    $ sudo ufw allow 443/tcp
    $ sudo apt install certbot...
