PostgreSQL on Debian 13 (Linode)
This guide explains how to configure PostgreSQL on a Linode (Debian) server.
NOTE
This setup uses a Private Subnet to restrict database access exclusively within the VPC. This significantly reduces the risk of unauthorized access to the database.
NOTE
You can follow the steps in this guide as written, but replace the following placeholders with your own names:
<PostgreSQL Server Private IP Address>: Your Linode's Private IP Address<Other Linode Private IP>: Your other Linode's Private IP Addressnon_root: Your non-root usernameyour-database-name: Your database nameyour-db-username: Your database username
You should also update the IP addresses and VPC CIDR blocks, to match your VPC settings.
Setup Linode (Debian) for PostgreSQL
Launch a Linode
| Parameter | Value |
|---|---|
| Region | in-maa (Chennai) |
| OS | Debian (Debian 13 as of 22-Feb-2026) |
| Plan | Nanode 1 GB (Shared CPU) |
| Label | Give your preferred label (Label can't have spaces) |
| Root Password | Create a Strong Password and store it somewhere safe |
| SSH Keys | You can add an existing SSH key or add this later when you deploy a new server |
| Disk Encryption | Enable |
| VPC | Create and assign a VPC |
| Subnet | Select a private subnet since Postgres Server can't be accessed outside the VPC |
| Auto-assign a VPC IPv4 | Enable |
| Allow public IPv4 access | Disable |
| Network Interface Type | Linode Interfaces |
| VPC Interface Firewall | Create and assign a Firewall (that allows all outbound and no inbound - configured later in this guide) |
| Backups | Enable |
NOTE
The Linode dashboard may display a Public IP address for this server. This IP is merely reserved for your account, it is not bound to the server's network interface and cannot receive public internet traffic. Your server remains completely private.
Upgrade Packages
TIP
Use the LISH Console to connect to the Linode server. If you added an SSH key above, you can log in from your local machine directly.
Upgrade the packages on the server:
sudo apt update && sudo apt upgrade -ySet Timezone
Install all locales first to disable locale warnings:
sudo apt install locales-allAll new Linode servers are set to UTC time by default. To change it to IST, use:
timedatectl set-timezone 'Asia/Kolkata'Confirm the date by running the date command in the terminal.
Disable Root Login
NOTE
The LISH Console doesn't rely on SSH, so you can still access the internals of your system using it, including root login.
First, create a limited user account:
adduser non_root
# You'll be prompted to provide passwordAdd the new user to the sudo group for administrative privileges:
adduser non_root sudoExit the session and SSH back into the server as your new user:
exit
ssh non_root@<PostgreSQL Server Private IP Address>Create an SSH directory and add the public key from the other Linode server in your VPC to the authorized keys file:
mkdir ~/.ssh && vi ~/.ssh/authorized_keysDisable Root login and Password Authentication:
sudo vi /etc/ssh/sshd_config
# Set `PasswordAuthentication` to `no`
# Set `PermitRootLogin` to `no`
# Set `AddressFamily` to `inet` (to disable IPv6 connections)Finally, restart the SSH service to apply the changes:
sudo systemctl restart sshdConfigure Firewall
Add the following inbound rules to the PostgreSQL Firewall to explicitly allow the necessary connections:
| Rule Purpose | Label | Protocol | Ports | IP / Netmask | Action |
|---|---|---|---|---|---|
| Allow ICMP (ping) traffic within the VPC | Choose a label | ICMP | Leave blank | VPC CIDR block (Ex: 10.0.0.0/24) | Accept |
| Allow SSH connections from other Linode Servers | Choose a label | TCP | SSH (22) | Other Linode IP address (use /32) | Accept |
Create and Configure a Forward Proxy
WARNING
The region of Forward Proxy server must match the region of the Postgres server.
Since this private server can't access internet directly, you need a forward proxy to download the required packages. Refer to this guide to configure a forward proxy server.
Once the server is set up, test ping and connectivity through the forward proxy as explained in that document.
Install and Configure PostgreSQL
Install the Postgres packages:
sudo apt install -y postgresql postgresql-contribStart the Postgres service:
sudo systemctl start postgresqlUpdate Authentication method:
By default, the
postgresrole is created with the authentication method set topeerfor local connections. Update it totrust.
# Change version 17 in the path if applicable
sudo vi /etc/postgresql/17/main/pg_hba.conf
# Change postgres local connections from peer to trust
# Change all other local connections from peer to scram-sha-256
# Also, add Other Linode (that require postgres access) Private IP and set the authentication method to scram-sha-256 (see the below line)
# host your-database-name your-db-username <Other Linode Private IP>/32 scram-sha-256
# You may need to allow SSH from the other Linode in the private server's firewall.Enable Connections from External Addresses:
# Change version 17 in the path if applicable
sudo vi /etc/postgresql/17/main/postgresql.conf
# Change listen_addresses to '*'Restart the PostgreSQL Service:
sudo systemctl restart postgresqlRelease Proxy Server
Once the PostgreSQL database server is fully configured and the software is installed, you no longer need the forward proxy server. You can safely delete or release the proxy server at this point to save resources.
Create Database and User
Refer to this guide to set up your specific database and user credentials.
(Optional) Backup and Restore
This is applicable only if you need to migrate data from an existing database hosted on another server to the new database.
Refer to this guide for instructions on transferring your data.
You should now have a working PostgreSQL database server securely isolated within your VPC.