I always resisted running Ubuntu in production, even when it was much easier to install the necessary software. When you pick a distro, you're picking their packaging and maintainer culture. I've always prefered CentOS for that reason. Even the little things, like installing a new package won't start/enable the services (because you should have a chance to configure it first) always came off as more pragmatic for system administration.
I run Debian on my workstation and laptops but still prefer to use CentOS/RHEL on my servers.
The automatic startup of newly installed services (before you even have the opportunity to configure them) on Debian (and derivatives) has always bothered me and is a (small) factor in my decision.
Fortunately, there are a few "workarounds" to prevent newly installed services from being automatically started!
First, there's the brute-force / heavy-handed approach -- override the systemd presets [0] to set all services to disabled by default:
Alternatively, as a one-time thing, you can "mask" the service before installing the package but this requires you to manually create the symlink (instead of using "systemctl mask") -- and requires you to know the name of the service unit beforehand:
Finally, there's the old, "sloppy" (IMO) method of "hacking" the /usr/sbin/policy-rc.d script to immediately exit with a status code of 101 ("action forbidden") [1].
(I'd recommend avoiding the latter entirely and going with whichever of the first two options better suits your needs.)
---
EDIT: Just remembered another method but I'm not sure if it still works:
