PostgreSQL on Debian 12 Linode

This setup utilizes a Private Subnet to restrict database access exclusively within the VPC. This significantly reduces the risk of unauthorized access to the database.

The marketplace app of PostgreSQL is not used, since the goal is to install other databases on the same server.

Launch Linode for Postgres

| Parameter | Value |
| --- | --- |
| Region | in-maa (Chennai) |
| OS | Debian (Debian 12 as of 5-Jun-2025) |
| Plan | Nanode 1 GB (Shared CPU) |
| Label | Give your preferred label (Label can't have spaces) |
| Root Password | Create a Strong Password and store it in iCloud Passwords |
| SSH Keys | You can add an existing SSH key or add this later when you deploy a new server |
| Disk Encryption | Enable |
| VPC | Create and assign a VPC |
| Subnet | Select a private subnet since Postgres Server can't be accessed outside the VPC |
| Auto-assign a VPC IPv4 | Enable |
| Assign a public IPv4 | Disable |
| Firewall | Create and assign a Firewall (that allows all outbound and no inbound) |
| Backups | Enable |
| Private IP | Disable |

NOTE

In the Linode UI, the private server will have a Public IP address. It is provisionally reserved but not assigned to the network interfaces in this configuration profile. This means that you can have that IP if you want it, but it isn't configured on the Linode or publicly visible.

TIP

Use LISH Console to connect to the Linode server.

Set timezone

Install all locales first to disable locale warnings:

shell
sudo apt-get install locales-all

All new Linode servers are set to UTC time by default. To change it to IST, use:

shell
timedatectl set-timezone 'Asia/Kolkata'

Confirm the date by running the `date` command in the terminal.

Disable Root Login

NOTE

LISH Console doesn't rely on SSH, so you can still access internals of your system using it, including root login.

  • First create a limited user account using:
shell
adduser piratedev
  • Add new user to the sudo group for administrative privileges:
shell
adduser piratedev sudo
  • Exit and SSH as the new user using password:
shell
exit
ssh piratedev@<Linode IP>
  • Add the SSH public keys of the other Linode servers in the same VPC that need SSH access to this server to the authorized keys:
shell
vi ~/.ssh/authorized_keys
  • Disable Root login and Password Authentication:
sh
sudo vi /etc/ssh/sshd_config
# Set `PasswordAuthentication` to `no`
# Set `PermitRootLogin` to `no`
# Set `AddressFamily` to `inet` (to disable IPv6 connections)
  • Restart SSH service:
sh
sudo systemctl restart sshd

Configure Firewall

Add the following inbound rules to the Postgres Firewall:

  • Allow ICMP (ping) traffic within the VPC:
    • Label: Choose a label
    • Protocol: ICMP
    • Ports: Leave this field blank
    • IP / Netmask: VPC CIDR block (10.0.0.0/24)
    • Action: Accept
  • Allow SSH connections from other Linode servers:
    • Label: Choose a label
    • Protocol: TCP
    • Ports: SSH (22)
    • IP / Netmask: Other Linode IP addresses (try to use /32 addresses)
    • Action: Accept

Create and Configure a Forward Proxy

WARNING

The region of the Forward Proxy server must match that of the Postgres server.

Since this private server can't access the internet, we'll need a forward proxy to download the required packages. Refer to this doc for launching a forward proxy.

After the setup, test ping and connectivity through the forward proxy as explained in the above doc.

Install Postgres

  • Install Postgres:
sh
sudo apt install -y postgresql postgresql-contrib
  • Start the Postgres service:
sh
sudo systemctl start postgresql
  • Update Authentication method
    • By default, the postgres role is created with the authentication method set to peer for local connections. Update it to trust.
sh
# Change version 15 in the path if applicable
sudo vi /etc/postgresql/15/main/pg_hba.conf
# Change postgres local connections from peer to trust
# Change all other local connections from peer to md5
# Also add the private IP of each other Linode that requires Postgres access and set its authentication method to md5 (see the line below)
# host piratdev piratdev <Other Linode Private IP>/32 md5
# You may need to allow SSH from the other Linode in the private server's firewall.
  • Enable Connections from External Addresses:
sh
# Change version 15 in the path if applicable
sudo vi /etc/postgresql/15/main/postgresql.conf
# Change listen_addresses to '*'
  • Restart PostgreSQL Service:
sh
sudo systemctl restart postgresql
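
With `listen_addresses` set to `'*'`, `pg_hba.conf` is the database-level gate on who can connect, so it is worth checking after the edits above. The script below is an added example, not part of the original guide: it flags `trust` rows and host rows wider than a single address. It assumes CIDR-form addresses as used above; the `10.0.0.3` address and the last sample row are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit pg_hba.conf rows (CIDR-form addresses assumed).
# Prints one finding per line; exit status is 1 if any FAIL row is present.
audit_pg_hba() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
    $1 == "local" {                         # columns: TYPE DB USER METHOD
        if ($4 == "trust")
            printf "WARN line %d: local trust for user %s (any OS account on this host connects without a password)\n", NR, $3
        next
    }
    $1 ~ /^host/ {                          # columns: TYPE DB USER CIDR METHOD
        # A single host is /32 for IPv4 and /128 for IPv6.
        single = ($4 ~ /:/) ? ($4 ~ /\/128$/) : ($4 ~ /\/32$/)
        if ($5 == "trust") {
            printf "FAIL line %d: host trust from %s\n", NR, $4
            fail = 1
        }
        if (!single)
            printf "WARN line %d: %s is wider than a single host\n", NR, $4
    }
    END { exit fail + 0 }
    ' "$@"
}

# Constructed sample: the edits from this guide plus one deliberately bad row (line 6).
sample_pg_hba() {
    cat <<'EOF'
# TYPE  DATABASE  USER      ADDRESS        METHOD
local   all       postgres                 trust
local   all       all                      md5
host    all       all       127.0.0.1/32   scram-sha-256
host    piratdev  piratdev  10.0.0.3/32    md5
host    all       all       10.0.0.0/24    trust
EOF
}

# Demo on the sample. On the server, pass the real file instead, e.g.
#   audit_pg_hba /etc/postgresql/15/main/pg_hba.conf   (needs read access)
sample_pg_hba | audit_pg_hba || echo "FAIL rows present: fix pg_hba.conf before restarting postgresql"
```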

Create Database and User

Refer to this doc.

(Optional) Backup and Restore

This section is applicable only if you need to migrate data from an existing database hosted on another server to the new database.

Refer to this doc.

🎉 Congrats! You should have a working Postgres Server now.