Debian 13.4 Trixie post-install: AMD, strong security, gaming and a complete toolset
Complete guide for an advanced desktop: backports, recent kernel, AMD/Mesa stack, Fastfetch at startup, clean boot with a hidden GRUB menu, hardened security, VPN, browsers, Steam, Gamemode, maintenance and system tools.
1) Base update
sudo apt update && sudo apt full-upgrade -y
2) Non-free firmware packages
sudo apt install firmware-linux firmware-linux-nonfree firmware-misc-nonfree firmware-amd-graphics amd64-microcode
3) Debian 13 backports repository + recent kernel + AMD/Mesa stack
Create the file:
sudo nano /etc/apt/sources.list.d/debian-backports.sources
Fill it in as follows:
Types: deb deb-src
URIs: http://deb.debian.org/debian
Suites: trixie-backports
Components: main contrib non-free non-free-firmware
Enabled: yes
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
sudo apt update
Install a specific package from backports:
sudo apt install -t trixie-backports package-name
Upgrade to the most recent kernel available for Debian:
sudo apt install -t trixie-backports linux-image-amd64 linux-headers-amd64
AMD MAX: recent Mesa/Vulkan/VA-API/OpenCL stack and firmware:
sudo apt install -t trixie-backports firmware-linux firmware-linux-nonfree firmware-misc-nonfree firmware-amd-graphics amd64-microcode
sudo apt install -t trixie-backports mesa-vulkan-drivers mesa-opencl-icd libgl1-mesa-dri libglx-mesa0 mesa-va-drivers mesa-vdpau-drivers vulkan-tools radeontop
4) Installing additional packages
sudo apt install gnome-tweaks gparted curl wget cron unzip p7zip-full ffmpeg gnome-shell-extensions flatseal timeshift htop btop lm-sensors
5) Install the Ptyxis terminal and Fastfetch
sudo apt install ptyxis fastfetch
Make the Ptyxis terminal transparent:
gsettings set org.gnome.Ptyxis.Profile:/org/gnome/Ptyxis/Profiles/$PTYXIS_PROFILE/ opacity .50
Configure Fastfetch by generating the config file:
mkdir -p ~/.config/fastfetch
fastfetch --gen-config
Run Fastfetch automatically when a Bash terminal starts:
grep -qxF 'fastfetch' ~/.bashrc || echo 'fastfetch' >> ~/.bashrc
Zsh option:
grep -qxF 'fastfetch' ~/.zshrc || echo 'fastfetch' >> ~/.zshrc
As an example, my Fastfetch config:
// # Fastfetch Nawre
{
"$schema": "https://github.com/fastfetch-cli/fastfetch/raw/dev/doc/json_schema.json",
"logo": {
"source": "debian",
"color": { "1": "green" },
"padding": { "top": 2, "left": 2 }
},
"display": { "separator": " ➜ ", "color": { "keys": "cyan", "output": "white" } },
"modules": [
"title",
"break",
{ "type": "custom", "format": " \u001b[42m\u001b[30m Mon Debian :) \u001b[0m", "key": " " },
"break",
{ "type": "os", "key": " 🐧 Système ", "format": "{3} {8}" },
{ "type": "kernel", "key": " ⚙️ Noyau ", "format": "{1} {2}" },
{ "type": "uptime", "key": " ⏱️ Activité " },
{ "type": "shell", "key": " 🐚 Shell " },
{ "type": "packages", "key": " 📦 Paquets " },
"break",
{ "type": "display", "key": " 🖥️ Écran " },
{ "type": "de", "key": " 🪟 Bureau " },
{ "type": "terminal", "key": " 📟 Terminal " },
"break",
{ "type": "host", "key": " 💻 Machine " },
{ "type": "cpu", "key": " 🧠 CPU ", "temp": true, "format": "{6} @ {7} - {8}" },
{ "type": "gpu", "key": " 🎮 GPU ", "hideType": "all", "format": "{2}" },
{ "type": "memory", "key": " 💾 Mémoire ", "format": "{1} / {2} ({3})" },
{ "type": "swap", "key": " 🔄 Swap " },
{ "type": "disk", "key": " 💽 Disque " },
"break",
{ "type": "localip", "key": " 🌐 IP v4 ", "showIpv6": false },
{ "type": "battery", "key": " 🔋 Énergie ", "format": "{4} ({5})" },
{ "type": "poweradapter", "key": " 🔌 Secteur " },
"break", "colors"
]
}
6) Install Flatpak repositories
sudo apt install flatpak
sudo apt install gnome-software-plugin-flatpak
flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
Reboot
7) Install Plymouth and hide the GRUB menu at boot
sudo apt install plymouth plymouth-themes
sudo nano /etc/default/grub
Change these lines:
GRUB_TERMINAL=console
GRUB_DEFAULT=0
GRUB_TIMEOUT=0
GRUB_TIMEOUT_STYLE=hidden
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash loglevel=3 rd.systemd.show_status=0 vt.global_cursor_default=0"
GRUB_CMDLINE_LINUX=""
GRUB_GFXMODE=1920x1080x32
To harden auditing at boot further, you can merge this into GRUB_CMDLINE_LINUX_DEFAULT:
audit=1 audit_backlog_limit=64
sudo sed -i 's/^quiet_boot="0"/quiet_boot="1"/' /etc/grub.d/10_linux
sudo update-grub2
sudo plymouth-set-default-theme -l
sudo plymouth-set-default-theme -R THEME-CHOISI
Reboot
8) Install the firewall
sudo apt install ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw logging on
sudo ufw enable
sudo ufw status verbose
9) Install the network tools
sudo apt install nmap net-tools dnsutils zenmap wireshark tcpdump traceroute mtr-tiny ethtool
10) Installing ClamAV
sudo apt install clamav clamav-freshclam
sudo service clamav-freshclam stop
sudo freshclam
sudo service clamav-freshclam start
clamscan -r /
11) Installing Rkhunter
sudo apt install rkhunter
sudo rkhunter --propupd
sudo rkhunter --update
sudo rkhunter --check --sk
12) Install Sysstat
sudo apt install sysstat
sudo nano /etc/default/sysstat
ENABLED="true"
sudo systemctl start sysstat
sudo systemctl enable sysstat
13) Enable auditd to collect audit information on Debian
sudo apt update && sudo apt install -y auditd audispd-plugins
sudo systemctl enable auditd
sudo systemctl start auditd
Configure audit rules with:
sudo nano /etc/audit/rules.d/cq.rules
-w /etc/passwd -p wa -k password_changes
-w /etc/group -p wa -k groups_changes
-w /etc/ -p wa -k configuration_changes
sudo mkdir -p /etc/audisp/plugins.d
sudo nano /etc/audisp/plugins.d/syslog.conf
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO
Apply the rules:
sudo augenrules --load
Check that the rules work:
sudo ausearch -k password_changes
Start automatically at boot:
sudo systemctl enable auditd
14) Install AIDE (Advanced Intrusion Detection Environment)
sudo apt update && sudo apt install aide
sudo nano /etc/aide/aide.conf
Change:
checksums=sha512
And add the following exclusions:
!/tmp
!/var/tmp
!/var/log/.*
!/var/spool/.*
!/proc/.*
!/sys/.*
!/run/.*
!/mnt/.*
!/media/.*
!/home/.*
!/usr/src/.*
sudo aide --config /etc/aide/aide.conf --init
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
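Step 14 ends once the baseline database is in place; detecting changes takes a later --check run, whose exit status encodes what differed. The wrapper below is an added example, not part of the original guide: the function names aide_decode and aide_check are hypothetical, and the exit-code meanings are those listed in the aide(1) manual page.

```shell
#!/bin/sh
# Added example (not from the original guide): run the AIDE check that the
# database from step 14 makes possible, and decode its exit status.
# Per aide(1): 0 = no differences; 1..7 = bitmask of 1 (new files),
# 2 (removed files), 4 (changed files); 14 and above = error conditions.

# aide_decode CODE -> prints a verdict (hypothetical helper)
aide_decode() {
    code=$1
    if [ "$code" -eq 0 ]; then echo "clean"; return 0; fi
    if [ "$code" -ge 14 ]; then echo "error($code)"; return 0; fi
    if [ "$code" -gt 7 ]; then echo "unknown($code)"; return 0; fi
    out=""
    if [ $((code & 1)) -ne 0 ]; then out="${out}added "; fi
    if [ $((code & 2)) -ne 0 ]; then out="${out}removed "; fi
    if [ $((code & 4)) -ne 0 ]; then out="${out}changed "; fi
    echo "${out% }"
}

# aide_check -> runs the check, logs the verdict, succeeds only when clean
aide_check() {
    sudo aide --config /etc/aide/aide.conf --check
    rc=$?
    verdict=$(aide_decode "$rc")
    logger -t aide-check "exit=$rc verdict=$verdict"   # goes to syslog/journal
    echo "aide: $verdict"
    [ "$rc" -eq 0 ]
}

# Decoder on a constructed status (1 + 4):
aide_decode 5    # prints: added changed
```

Call aide_check by hand or from a scheduled job; its non-zero return on any difference lets the caller decide whether to alert.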
15) Configure login.defs
Change password ageing and expiry in /etc/login.defs:
PASS_MAX_DAYS 90
PASS_MIN_DAYS 1
PASS_WARN_AGE 7
Configure the number of password hashing rounds in /etc/login.defs:
ENCRYPT_METHOD SHA512
SHA_CRYPT_MIN_ROUNDS 5000
SHA_CRYPT_MAX_ROUNDS 8000
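The ageing values set at the start of this step are read when an account is created; accounts that already exist keep whatever is stored in /etc/shadow. The script below is an added example, not part of the original guide, that lists accounts whose stored ageing differs from the policy. The function names, the sample accounts and the dummy hashes are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): PASS_MAX_DAYS, PASS_MIN_DAYS
# and PASS_WARN_AGE apply to newly created accounts only. Existing accounts
# keep the per-user values in /etc/shadow, so list the ones that drifted.

# shadow_drift FILE MAX MIN WARN -> "user max=.. min=.. warn=.." per drifted account
# FILE uses the shadow(5) layout: name:hash:lastchg:min:max:warn:...
shadow_drift() {
    awk -F: -v max="$2" -v min="$3" -v warn="$4" '
        $2 !~ /^\$/ { next }     # skip locked (!, *) and password-less entries
        $5 != max || $4 != min || $6 != warn {
            printf "%s max=%s min=%s warn=%s\n", $1, $5, $4, $6
        }' "${1:--}"
}

# Constructed sample in shadow(5) layout; the hashes are dummies.
sample_shadow() {
    cat <<'EOF'
root:!:20000:0:99999:7:::
alice:$y$j9T$dummy$dummy:20000:0:99999:7:::
bob:$y$j9T$dummy$dummy:20100:1:90:7:::
daemon:*:20000:0:99999:7:::
EOF
}

# Demo on the constructed sample with the values from step 15:
sample_shadow | shadow_drift - 90 1 7    # prints: alice max=99999 min=0 warn=7

# Against the real file (needs root; drift.sh is a hypothetical file name):
#   sudo sh -c '. ./drift.sh; shadow_drift /etc/shadow 90 1 7'
# Bring one account in line with the policy:
#   sudo chage --maxdays 90 --mindays 1 --warndays 7 alice
```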
16) Install the PAM module
sudo apt install libpam-passwdqc
Set a permanent system-wide umask:
sudo nano /etc/pam.d/common-session
session optional pam_umask.so umask=027
17) Enable process accounting on Debian
sudo apt-get install acct
sudo /usr/sbin/accton on
sudo systemctl enable acct.service
To view the data:
sudo dump-acct /var/log/account/pacct
18) Install Debsums
sudo apt install debsums
sudo nano /etc/default/debsums
CRON_CHECK=never
19) Install Unattended Upgrades for automatic security updates
sudo apt install unattended-upgrades
sudo systemctl start unattended-upgrades
sudo systemctl enable unattended-upgrades
sudo systemctl status apt-daily.timer
sudo systemctl status apt-daily-upgrade.timer
sudo systemctl enable --now apt-daily.timer
sudo systemctl enable --now apt-daily-upgrade.timer
sudo dpkg-reconfigure -plow unattended-upgrades
Edit:
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
And add:
Unattended-Upgrade::Skip-Updates-On-Metered-Connections "false";
20) Installing additional security tools
sudo apt install lynis chkrootkit logwatch libpam-tmpdir apt-listbugs needrestart fail2ban apt-show-versions apparmor apparmor-profiles apparmor-utils
21) Install Firefox from the official Mozilla repository and remove Firefox ESR
sudo apt purge firefox-esr -y
sudo apt autoremove -y
sudo install -d -m 0755 /etc/apt/keyrings
wget -q https://packages.mozilla.org/apt/repo-signing-key.gpg -O- | sudo tee /etc/apt/keyrings/packages.mozilla.org.asc > /dev/null
cat <<EOF | sudo tee /etc/apt/sources.list.d/mozilla.sources
Types: deb
URIs: https://packages.mozilla.org/apt
Suites: mozilla
Components: main
Signed-By: /etc/apt/keyrings/packages.mozilla.org.asc
EOF
cat <<EOF | sudo tee /etc/apt/preferences.d/mozilla
Package: *
Pin: origin packages.mozilla.org
Pin-Priority: 1000
EOF
sudo apt update
sudo apt install firefox firefox-l10n-fr -y
sudo apt-mark hold firefox-esr
22) Install ProtonVPN
wget https://repo.protonvpn.com/debian/dists/stable/main/binary-all/protonvpn-stable-release_1.0.8_all.deb
sudo dpkg -i ./protonvpn-stable-release_1.0.8_all.deb && sudo apt update
sudo apt install proton-vpn-gnome-desktop
sudo apt install gnome-shell-extension-appindicator gnome-shell-extension-prefs
Split tunneling option:
sudo apt install linux-headers-$(uname -r)
sudo apt install systemd-resolved
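The release package in step 22 is fetched with wget and handed straight to dpkg -i, which runs its maintainer scripts as root. The gate below is an added example, not part of the original guide: it refuses to install unless the file's SHA-256 matches a value obtained out of band. The function names are hypothetical and the expected checksum is a placeholder to be copied from the vendor's download page.

```shell
#!/bin/sh
# Added example (not from the original guide): install a downloaded .deb
# only when its SHA-256 matches a checksum obtained out of band.

# verify_sha256 FILE EXPECTED_HEX -> 0 on match, 1 otherwise
verify_sha256() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 1; }
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case hex
    if [ "$actual" = "$expected" ]; then return 0; fi
    echo "checksum mismatch for $1" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# install_release_deb FILE EXPECTED_HEX
# Shows what the package carries before anything runs as root.
install_release_deb() {
    verify_sha256 "$1" "$2" || return 1
    dpkg-deb --info "$1"        # control data and maintainer scripts
    dpkg-deb --contents "$1"    # files the package will place
    sudo dpkg -i "$1" && sudo apt update
}

# Usage with the file from step 22; the checksum is a placeholder:
#   install_release_deb ./protonvpn-stable-release_1.0.8_all.deb "<sha256-from-vendor-page>"
```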
23) Install Brave
sudo curl -fsSLo /usr/share/keyrings/brave-browser-archive-keyring.gpg https://brave-browser-apt-release.s3.brave.com/brave-browser-archive-keyring.gpg
sudo curl -fsSLo /etc/apt/sources.list.d/brave-browser-release.sources https://brave-browser-apt-release.s3.brave.com/brave-browser.sources
sudo apt update
sudo apt install brave-browser
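Steps 3, 21 and 23 each add a deb822 .sources file, and each third-party entry is only as contained as its Signed-By line. The script below is an added example, not part of the original guide: it inventories every stanza in a sources directory and flags those with no dedicated key. The function name apt_sources_audit and the output format are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original guide): inventory the deb822 stanzas
# under an APT sources directory and flag those without Signed-By. Such a
# source is verified against every key in APT's global trust store instead
# of one dedicated keyring.

# apt_sources_audit [DIR] -> one line per stanza: status|file|URIs|Suites|key
apt_sources_audit() {
    dir=${1:-/etc/apt/sources.list.d}
    for f in "$dir"/*.sources; do
        [ -e "$f" ] || continue
        awk -v file="${f##*/}" '
            function emit() {
                if (uri != "") {
                    status = (key == "") ? "NO-SIGNED-BY" : "ok"
                    if (tolower(enabled) == "no") status = "disabled"
                    printf "%s|%s|%s|%s|%s\n", status, file, uri, suites,
                           (key == "" ? "-" : key)
                }
                uri = suites = key = enabled = ""
            }
            /^[ \t]*$/ { emit(); next }     # a blank line ends a stanza
            /^#/       { next }             # comment line
            {
                name = tolower($1); val = $0
                sub(/^[^:]*:[ \t]*/, "", val)
                if (name == "uris:") uri = val
                else if (name == "suites:") suites = val
                else if (name == "signed-by:") key = val
                else if (name == "enabled:") enabled = val
            }
            END { emit() }' "$f"
    done
}

# Usage: apt_sources_audit                 (defaults to /etc/apt/sources.list.d)
#        apt_sources_audit /path/to/dir
```

Old-style one-line .list files are not parsed by this example; only the deb822 format used in this guide is covered.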
24) Gaming: install Steam
sudo apt update && sudo apt upgrade -y
sudo dpkg --add-architecture i386
sudo apt update
curl -fsSL https://repo.steampowered.com/steam/archive/stable/steam.gpg | sudo tee /usr/share/keyrings/steam.gpg > /dev/null
cat </dev/null
sudo apt update
25) AMD MAX Gaming: Gamemode, MangoHud, Vulkan tools
sudo apt install meson libsystemd-dev pkg-config ninja-build git libdbus-1-dev libinih-dev build-essential gamemode mangohud goverlay
Test Gamemode:
gamemode-simulate-game
If it prints no error, it works.
For Steam, in the game's launch options:
gamemoderun mangohud %command%
26) SSD / NVMe optimisations and maintenance
sudo systemctl enable --now fstrim.timer
sudo apt update && sudo apt full-upgrade
sudo apt autoclean && sudo apt autoremove
sudo apt purge '~c'
Install the NVMe test tool:
sudo apt install nvme-cli
sudo nvme smart-log /dev/nvme0
27) Other useful tools
sudo apt install filezilla remmina vlc distrobox podman git-lfs jq tree ncdu rsync synaptic
28) Useful checks after installation
uname -r
fastfetch
glxinfo -B
vulkaninfo --summary
systemctl status ufw
systemctl status fail2ban
firefox --version
steam --version