Debian 13 (Trixie) installer

[ingoratsdorf]

Created Debian13 (Trixie) installer, test run it.
nginx and php version fixes.
Trixie comes by default with PHP 8.4.

Summary by CodeRabbit

• New Features

  • Official Debian 13 (Trixie) install and startup support with automated deployment scripts.
  • NGINX server block using PHP 8.4 FPM, default server on port 20211 with first-load no-cache.
  • Supports TZ, PORT, and LISTEN_ADDR customization; tmpfs-backed logs and auto vendor-db updates.

• Improvements

  • Safer install/update/start flows with service management, cleanup, permission fixes, and environment checks.

• Documentation

  • Corrected Debian path reference in Dockerfile comment.

[jokob-sk]

Lmk when good v to merge

[ingoratsdorf]

Where's CodeRabbit? ;-)

Anyway, I'd say all good to merge. Test ran it and it's not modifying any actual project files.
There may be edge cases for some users on non vanilla Trixie installs, we will see.

[jokob-sk]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Walkthrough

Adds Debian 13 (Trixie) install/start scripts and an Nginx site config for NetAlertX, introduces end-to-end setup and startup flows, and updates a Dockerfile comment path. Includes package installation, environment prep, service management, repository cloning/updating, config linking, and process launch steps.

Changes

Cohort / File(s)	Summary of Changes
Debian 13 installer and runtime install/debian13/install.debian13.sh, install/debian13/start.debian13.sh, install/debian13/netalertx.conf	Introduces new Debian 13 installer and start scripts, plus an Nginx config. Implements install/update/start modes; sets up system packages, Python venv, PHP-FPM 8.4, Nginx site, tmpfs dirs, configs/DB bootstrap, permissions, and launches services and NetAlertX server.
Dockerfile doc path tweak Dockerfile.debian	Updates a comment to reference new installer path /install/debian12/install_dependecies.debian12.sh; trims trailing blank lines.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant U as Root User
  participant I as install/debian13/install.debian13.sh
  participant G as GitHub Repo
  participant FS as Filesystem (/app, /config, /db)
  participant S as start.debian13.sh
  participant APT as APT/OS
  participant N as NGINX
  participant P as PHP-FPM 8.4
  participant X as NetAlertX Server

  U->>I: Execute installer (Debian 13)
  I->>APT: Update, install prerequisites (sudo, git)
  alt /app exists
    I->>U: Prompt: install | update | start
    opt install
      I->>N: stop
      I->>X: terminate running processes
      I->>FS: unmount tmpfs (if mounted), clean /app
      I->>G: clone repo to /app
    end
    opt update
      I->>N: stop
      I->>G: git pull in /app
    end
    opt start
      Note over I: No code changes
    end
  else /app missing
    I->>G: clone repo to /app
  end
  I->>FS: ensure front/buildtimestamp.txt
  I->>S: chmod +x and invoke start.debian13.sh

  rect rgba(200,240,255,0.2)
  Note right of S: System setup and launch
  S->>APT: Install system deps (nginx, php8.4-fpm, python, arp-scan, sqlite3, cron, etc.)
  S->>FS: Create venv, pip install Python deps
  S->>N: disable default site, link netalertx.conf
  S->>FS: Prepare web UI, tmpfs logs/api, configs/DB, permissions
  S->>P: start php-fpm
  S->>N: start nginx
  S->>X: launch NetAlertX (background)
  end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• Bare metal Installer rework #1173 — Introduces the per-system installer structure and path conventions that this PR extends for Debian 13.

Poem

A rabbit taps the Trixie keys, so spry and keen,
Spinning up NGINX where the PHP gears preen.
Venvs hop, logs pop, tmpfs light as air—
Debian 13 burrows with meticulous care.
NetAlertX awakens—ears up, services align.
Thump-thump: shipped! All systems fine. 🐇✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title clearly and concisely describes the main purpose of the pull request, namely adding a Debian 13 (Trixie) installer, and is specific enough for a reviewer to understand the primary change without extraneous detail.

✨ Finishing touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

install/debian13/start.debian13.sh (1)

215-228: Fix Python entrypoint: use module form, absolute venv path, and update process-kill patterns

Verified: server/main.py and init.py exist — running a directory path is fragile. Replace the relative venv activation and directory-start with a module invocation and update any pkill/pgrep that expect the old argv.

Apply (still relevant):

-#  Activate the virtual python environment
-source myenv/bin/activate
+source "$INSTALLER_DIR/myenv/bin/activate"
@@
-# Start the NetAlertX python script
-# All error and console output being diverted to null,
-# otherwise we can get critical errors re I/O
-python "$INSTALL_PATH/server/" 2>/dev/null 1>/dev/null &
+# Start the NetAlertX python app
+cd "$INSTALL_PATH"
+# Prefer module form to support packages with __main__.py
+python -m server 1>/dev/null 2>/dev/null &

Also update/replace any pkill -f "python ${INSTALL_DIR}/server" (example locations: install/debian13/start.debian13.sh, install/ubuntu24/start.ubuntu24.sh, install/debian12/start.debian12.sh, dockerfiles/start.sh, dockerfiles/init.sh) to match the new invocation (or switch to pidfile/systemd-managed service) so stop/restart behavior remains correct.

🧹 Nitpick comments (10)

Dockerfile.debian (1)

30-30: Clarify cross-file sync note (include Debian 13; verify path spelling).

The comment references only Debian 12 and uses “dependecies” (likely typo). Suggest clarifying and including Debian 13 scripts to avoid drift.

Apply:

-# ❗ IMPORTANT - if you modify this file modify the /install/debian12/install_dependecies.debian12.sh file as well ❗ 
+# ❗ IMPORTANT: keep Dockerfile and installer scripts in sync. If you modify this file, also update: ❗
+# - /install/debian12/install_dependecies.debian12.sh   # (verify exact path/name)
+# - /install/debian13/install.debian13.sh
+# - /install/debian13/start.debian13.sh

Please confirm the Debian 12 filename is indeed “install_dependecies.debian12.sh”; if it’s “install_dependencies…”, fix the comment accordingly to avoid confusion.

install/debian13/netalertx.conf (2)

6-7: Remove proxy header in FastCGI context; pass it via FastCGI if needed.

proxy_set_header has no effect in a FastCGI location. If the app expects X-Forwarded-Prefix, pass it as a FastCGI param.

Apply:

-    add_header X-Forwarded-Prefix "/netalertx" always;
-    proxy_set_header X-Forwarded-Prefix "/netalertx";
+    add_header X-Forwarded-Prefix "/netalertx" always;
@@
   location ~* \.php$ {
+    fastcgi_param  HTTP_X_FORWARDED_PREFIX  "/netalertx";

Also applies to: 9-16

---

10-12: Make Cache-Control header unconditional.

Without always, the header won’t apply to non-2xx/3xx responses.

Apply:

-    add_header Cache-Control "no-store";
+    add_header Cache-Control "no-store" always;

install/debian13/install.debian13.sh (3)

1-6: Enable strict mode for safer installs.

Fail fast and catch unset vars to avoid partial/unsafe installs.

Apply:

 #!/usr/bin/env bash
+
+set -Eeuo pipefail
+IFS=$'\n\t'

---

53-73: Harden destructive cleanup (SC2115).

Use “${var:?}” guards and a compact, dotglob-safe pattern.

Apply:

-      # Remove all contents safely
-      rm -rf -- "$INSTALL_DIR"/* "$INSTALL_DIR"/.[!.]* "$INSTALL_DIR"/..?* 2>/dev/null
+      # Remove all contents safely (dotfiles included)
+      rm -rf -- "${INSTALL_DIR:?}"/{.,}* 2>/dev/null || true

---

82-85: Unify process stop pattern (python vs python3).

Use a single, robust pkill that matches both python and python3.

Apply:

-    pkill -f "python ${INSTALL_DIR}/server" 2>/dev/null
+    pkill -f "python.*${INSTALL_DIR}/server" 2>/dev/null

install/debian13/start.debian13.sh (4)

51-61: Run apt-get update and use noninteractive mode.

Precede installs with update; avoid prompts on fresh systems.

Apply:

-# Install dependencies
-apt-get install -y \
+export DEBIAN_FRONTEND=noninteractive
+apt-get update -yq
+apt-get install -yq \
@@
-apt-get install nginx-core php${PHPVERSION} php${PHPVERSION}-sqlite3 php php-cgi php-fpm php-sqlite3 php-curl php-fpm php${PHPVERSION}-fpm php-cli -y
+apt-get install -yq nginx-core php${PHPVERSION} php${PHPVERSION}-sqlite3 php php-cgi php-fpm php-sqlite3 php-curl php${PHPVERSION}-fpm php-cli

---

97-109: Quote paths and ensure idempotent symlink creation.

Avoid failures when re-running the script.

Apply:

-if [ -d $WEB_UI_DIR ]; then
+if [ -d "$WEB_UI_DIR" ]; then
@@
-  rm -R $WEB_UI_DIR
+  rm -rf -- "$WEB_UI_DIR"
 fi
@@
-ln -s $INSTALL_PATH/front $WEB_UI_DIR
+ln -sfn "$INSTALL_PATH/front" "$WEB_UI_DIR"
@@
-ln -s "${INSTALLER_DIR}/$NGINX_CONF_FILE" $NGINX_CONFIG_FILE
+ln -sfn "${INSTALLER_DIR}/$NGINX_CONF_FILE" "$NGINX_CONFIG_FILE"

---

148-158: Make unmounts quiet/idempotent.

Suppress noise if not mounted; don’t fail.

Apply:

-umount "${INSTALL_DIR}/log"
-umount "${INSTALL_DIR}/api"
+umount "${INSTALL_DIR}/log" 2>/dev/null || true
+umount "${INSTALL_DIR}/api" 2>/dev/null || true

---

185-192: Guard destructive wipes during ALWAYS_FRESH_INSTALL.

Add safety braces and quiet errors.

Apply:

-  rm -rf "${INSTALL_PATH}/config/"*
+  rm -rf -- "${INSTALL_PATH}/config/"* 2>/dev/null || true
@@
-  rm -rf "${INSTALL_PATH}/db/"*
+  rm -rf -- "${INSTALL_PATH}/db/"* 2>/dev/null || true

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9adcd4c and 3530229.

📒 Files selected for processing (4)

• Dockerfile.debian (1 hunks)
• install/debian13/install.debian13.sh (1 hunks)
• install/debian13/netalertx.conf (1 hunks)
• install/debian13/start.debian13.sh (1 hunks)

🧰 Additional context used

🪛 Shellcheck (0.11.0)

install/debian13/install.debian13.sh

[warning] 72-72: Use "${var:?}" to ensure this never expands to /* .

(SC2115)

[coderabbitai]

⚠️ Potential issue

Overly permissive 0777 ACLs on web and app dirs.

Setting a+rwx on the whole tree is a security risk. Tighten permissions and ownership.

Apply:

-chown root:www-data "${INSTALL_DIR}"/api/user_notifications.json
-
-echo "[INSTALL] Fixing WEB_UI_DIR: ${WEB_UI_DIR}"
-
-chmod -R a+rwx $WEB_UI_DIR
-
-echo "[INSTALL] Fixing INSTALL_DIR: ${INSTALL_DIR}"
-
-chmod -R a+rw $INSTALL_PATH/log
-chmod -R a+rwx $INSTALL_DIR
+chown -R www-data:www-data "${INSTALL_DIR}/api"
+echo "[INSTALL] Fixing WEB_UI_DIR: ${WEB_UI_DIR}"
+chown -R www-data:www-data "$WEB_UI_DIR"
+find "$WEB_UI_DIR" -type d -exec chmod 755 {} + 
+find "$WEB_UI_DIR" -type f -exec chmod 644 {} +
+echo "[INSTALL] Fixing INSTALL_DIR: ${INSTALL_DIR}"
+chmod -R 664 "$INSTALL_PATH/log" || true
+chown -R www-data:www-data "$INSTALL_PATH/log"

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents

In the file install/debian13/start.debian13.sh around lines 169 to 180, the code
sets overly permissive 0777 access control lists (ACLs) on the web and app
directories, which is a security risk. Instead, you should tighten the
permissions and ownership on these directories. For the user_notifications.json
file, set the ownership to root:www-data. For the $WEB_UI_DIR directory, use
more restrictive permissions like 755 instead of 0777. And for the $INSTALL_DIR
directory, use 0775 or similar rather than 0777.

[coderabbitai]

⚠️ Potential issue

cp uses invalid flag (--update=none); starter files may not be copied.

This likely fails silently (no set -e), leaving missing config/DB on first run.

Apply:

-# Copy starter $DB_FILE and $CONF_FILE if they don't exist
-cp --update=none "${INSTALL_PATH}/back/$CONF_FILE" "${INSTALL_PATH}/config/$CONF_FILE" 
-cp --update=none "${INSTALL_PATH}/back/$DB_FILE"  "$FILEDB"
+#!/usr/bin/env bash
+# Copy starter $DB_FILE and $CONF_FILE if they don't exist (no overwrite)
+install -D -m 664 -o www-data -g www-data "${INSTALL_PATH}/back/$CONF_FILE" "${INSTALL_PATH}/config/$CONF_FILE"
+install -D -m 660 -o www-data -g www-data "${INSTALL_PATH}/back/$DB_FILE" "$FILEDB"
@@
-chmod -R a+rwx $INSTALL_DIR # second time after we copied the files
-chmod -R a+rw $INSTALL_PATH/config
-chgrp -R www-data  $INSTALL_PATH
+find "$INSTALL_PATH/config" -type d -exec chmod 755 {} + 
+find "$INSTALL_PATH/config" -type f -exec chmod 644 {} +
+chown -R www-data:www-data "$INSTALL_PATH/config" "$FILEDB"

Also applies to: 201-208

🤖 Prompt for AI Agents

In install/debian13/start.debian13.sh around lines 196-198 (and also apply same
fix to lines 201-208), the cp invocations use an invalid flag (--update=none) so
starter files may not be copied; replace the invalid flag with the intended
behavior (either --no-clobber/-n to avoid overwriting existing files or
--update/-u to only copy when source is newer) and update all similar cp lines
accordingly, and ensure the script enables strict failure handling (add set -e
or set -o errexit near the top) so cp errors don't fail silently.

[ingoratsdorf]

Ah, sweet. That took longer than usual ;-)
All good, the usual warnings.

The overly permissive file modes are an issue across all installers.
Fixed the cp --update` issue. For consistency, will fix that in ubuntu24 as well later.

[adamoutler]

Since it's a docker container, wouldn't --update=none be inappropriate, due to the fact that we control all the inputs and it starts from a known state? I think coderabbit is right here because:

1. if something changes and causes problems then we're not in a known-working state and there's no warning/failure
2. it's extra branch logic in the build stage

[ingoratsdorf]

Since it's a docker container, wouldn't --update=none be inappropriate, due to the fact that we control all the inputs and it starts from a known state? I think coderabbit is right here because:

For docker, the whole thing does not matter as there is no existing config. Should never be. And even if there is, there's no point making a copy for a self-contained temporary system. Everything will be deleted and recreated with a restart.

For the bare metal installers, I have changed this to cp -u now for Debian13 and will also change it for Ubuntu24. Meaning the file is only copied when the source is newer or the target does not exist.
As per my previous comment:

Fixed the cp --update` issue.

[JVKeller]

Oh sure... After I spent all day working on it. Lol

JK. I'll try it out on Monday.

Some of the things I was working on was adding a requirements.txt and some other automations.
https://github.com/JVKeller/netalerttemp

[jokob-sk]

I like the requitrements.txt approach, not sure if it can be backported to all installation methods

[adamoutler]

As long as pip exists you can use the one-file-per-line requirements.txt with the break system packages option. The system packages are usually slightly out of date. It's pretty standard to break system packages for a docker for security purposes although it may one day cause a problem on some system.

Maybe it's best to support single build like alpine or Debian instead of maintaining several build systems. With devcontainer coming, they can develop and use tools on any system they want, as long as it doesn't break the container.

[ingoratsdorf]

I like the requitrements.txt approach, not sure if it can be backported to all installation methods

Can be backported, no issue.

[jokob-sk]

is this ready to merge @ingoratsdorf / @adamoutler - WDYT?

[adamoutler]

I think the chmod a+rwx is excessive. As Coderabit said. That's chmod 777. No need for that.

[ingoratsdorf]

OK, I'll backport the requirements.txt back to ubuntu24.
Happy to maintain the Ubuntu parts as I prefer that. I am not really using Debian unless I have to. Just a personal choice ;-)

If @JVKeller would like to maintain the Trixie installer?

I'll look at the permission suggestion and see what runs and what does not.
I have also decided to follow @JVKeller 's approach and have all install stuff move to install.sh.
Plus I'd like to include a systemd service to start/stop. Cleaner and more logical.

[adamoutler]

I'd like to propose we stick to performing all resource installation and static configuration within the Dockerfile.

My reasoning is that building a self-contained, immutable image is a core principle of containerization. This approach gives us several key advantages:

• Reproducibility & Auditability: The Dockerfile becomes the single source of truth for the image's contents. Anyone can build an identical, production-ready image at any time, which is great for security audits and debugging.
• Performance: We fully leverage Docker's layer caching, which makes subsequent builds significantly faster. It also improves container startup time, as the setup work is already done.
• Portability: The resulting image is complete and doesn't rely on scripts that might fail at runtime, making it more robust and portable across environments.

Runtime scripts (e.g., entrypoint.sh) are best reserved for tasks that can only happen when the container starts, such as:

1. Applying configurations from environment variables.
2. Fetching secrets from a vault.
3. Running database migrations before the application starts.
4. Waiting for a dependent service to become available.

Moving static installation into a runtime script makes the container's state less predictable and slows down its startup.

Would you be open to keeping the installation steps within the Dockerfile?

[adamoutler]

I mean, as it is, it appears the NetAlertX Debian package doesn't ship with NetAlertX 😄. What's the point of a container? Just make a installer script and let people choose to run on bare metal or in a container.

[JVKeller]

I'm not in a position to maintain it, but thanks.

I was thinking more along the lines of the Debian installer as a bare metal, as the initial installer did. Not containerized... so I had the script make the requirements.txt file. The last few projects I played with seemed to lean that way. It's still all in one installer script.

Makes for a good proxmox lxc setup for testing before deployment.

[adamoutler]

I'd say move it all to the script and delete the Debian non-NetAlertX Dockerfile.debian. A proper container includes everything needed and can be made read-only with some select tmpfs mounts in various places. You should use jokobsk/netalertx:latest. Updating a container from within the container is bad practice and should not occur on any official project.

• Bare metal script which can be used in a container as an entry point is a good way to go.
• Container with everything added is a good way to go.

But treating a container as a VM is not a good practice. Currently the Dockerfile.debian doesn't contain NetAlertX so it's really just a custom Debian distribution and should be removed. All the installs should occur in the script as previously stated.

@jokob-sk thoughts?

[ingoratsdorf]

Following on from @JVKeller 's comment, I agree that the whole thread was about providing a bare metal Trixie installer along with Ubuntu. This was never about docker really.
Think docker images should be a separate discussion.

Personally, I only use docker in an LXC if there is really no install option other than docker available. Otherwise, I prefer a bare metal. I do understand that docker may be the easier option for a lot of (most) people. In which case many people will prefer the Alpine base image version due to resource savings - mostly disk space though.

I def see the need for docker, whether Debian or Alpine, however, I'd be contributing to the bare metal installers only, I do not really use docker a lot and have insufficient knowledge. Obviously happy to collab wherever needed. :-)

[adamoutler]

Sure. But do put the newline at the end of the dockerfile you removed. All files should end with a newline allowing an echo >>into/the.file;. I mentioned this because the dockerfile was altered.

[ingoratsdorf]

All files should end with a newline allowing an echo >into/the.file;. I mentioned this because the dockerfile was altered.

Sweet, thanks for the heads-up.

[jokob-sk]

My stance is: I support whatever makes the app easy to maintain, and adhere to general best practices (e.g. the DRY principle). I can't really chip in discussions around Proxmox, LXC, or the different bare-metal scripts as I don't actively use them (implemented the initial bare-metal install script, but maintaining all this by myself is stretching me really thin, so really appreciate the help from everyone here).

I trust users and contributors like you in this thread, who are using these deployment approaches, as they have more knowledge and experience.

Happy to make a call if necessary, but overall those are my thoughts :)

[ingoratsdorf]

After the rework of the Ubuntu24 installer, I'd suggest to cancel this one and rewrite the installer as well following the Ubuntu24 model.
It will include the better chmods, a systemd unit and a single installer without start script.
The learnings and discussion from this PR went into the ubuntu 24 installer and I'll port them to Trixie.
This will also fix up the dockerfiles again. :-)
And we now use a requirements.txt file.

[adamoutler]

I'd suggest a unified installer. Ubuntu is based on Debian with a few different package names and some version differences. It would be a good idea to have a single file where

grep Ubuntu /etc/lsb-release && isUbuntu=true|| isDebian=true
test -z isUbuntu && apt-get -y this || true
test -z isDebian && apt-get -y that.|| true 
``

[adamoutler]

Obviously replace the tests with if then blocks to properly handle failures instead of just || true