- Shell: zsh, oh-my-zsh, tmux
- SSH
- Web server – nginx with automatic http to https redirect and A+ SSL
- Mail server – OpenSMTPD, Dovecot, Rspamd, Redis, RainLoop (+PHP, optional)
- Brute force protection: PF
- VPN: OpenIKED, WireGuard, Unbound, PF
You will have to set up some DNS records prior to running this script. Create the following DNS records:
```
*.{domain}. 300 IN A {ip}
{domain}. 300 IN A {ip}
www.{domain} 300 IN A {ip}
;; DNS records for mail (will be output after stage 5)
{domain}. 300 IN MX 0 mail.{domain}. ;; so that people know which server serves mail for {domain}
@ IN TXT "v=spf1 mx a:mail.{domain} -all"
```
Instead of using the wildcard record (*.{domain}.) you can set up these names explicitly: vpn.{domain}, mail.{domain}, www.vpn.{domain}, www.mail.{domain}, www.{domain}, {domain}
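The records above are easy to get subtly wrong (a missing name, an A record still pointing at an old IP), and the script only fails later when certbot cannot validate the domain. The following preflight script is an added example, not part of the setup script; it checks every name from the explicit list above against the server IP with dig(1), and the MX and SPF records for the mail part. The function names and the `dns-preflight.sh` file name are my own; `example.org` and `203.0.113.10` in the usage line are constructed placeholders.

```shell
#!/bin/sh
# Added example (not the setup script's own code): verify the DNS records
# described in the README before running ./setup.sh.
# Assumes dig(1) is available (it is in the OpenBSD base system).

# Print the hostnames that must resolve to the server: the explicit list
# given as the alternative to the wildcard record.
dns_names() {
    domain=$1
    for h in "" www. vpn. www.vpn. mail. www.mail.; do
        printf '%s%s\n' "$h" "$domain"
    done
}

# Return 0 when the resolver answer ($2, newline-separated addresses) is
# non-empty and every address equals the expected IP ($1). The answer is a
# parameter so the check can be exercised without network access.
a_matches() {
    ip=$1 answer=$2
    [ -n "$answer" ] || return 1
    printf '%s\n' "$answer" | while read -r addr; do
        [ "$addr" = "$ip" ] || exit 1
    done
}

# Return 0 when the MX answer ($1, lines of "<prio> <host>.") names $2.
mx_matches() {
    answer=$1 mailhost=$2
    printf '%s\n' "$answer" | awk -v want="$mailhost." '$2 == want { found = 1 } END { exit !found }'
}

# Run all checks for a domain and server IP; exit status is non-zero on any failure.
# The MX/TXT checks only pass once the mail records from stage 5 have been added.
check_all() {
    domain=$1 ip=$2 fail=0
    for name in $(dns_names "$domain"); do
        if a_matches "$ip" "$(dig +short A "$name")"; then
            echo "ok   A   $name -> $ip"
        else
            echo "FAIL A   $name (expected $ip)"; fail=1
        fi
    done
    if mx_matches "$(dig +short MX "$domain")" "mail.$domain"; then
        echo "ok   MX  $domain -> mail.$domain"
    else
        echo "FAIL MX  $domain (expected mail.$domain)"; fail=1
    fi
    if dig +short TXT "$domain" | grep -q 'v=spf1'; then
        echo "ok   TXT $domain has an SPF record"
    else
        echo "FAIL TXT $domain has no SPF record"; fail=1
    fi
    return $fail
}

# Usage: sh dns-preflight.sh example.org 203.0.113.10
if [ $# -eq 2 ]; then
    check_all "$1" "$2"
fi
```

Run it before stage 1 and expect only the MX/TXT lines to fail; run it again after stage 5 and everything should read `ok`.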
If you want to enable IPv6, then add this line to your /etc/hostname.*:

```
inet6 autoconf -temporary -soii
```
```
./setup.sh [stage]
```

The following variables control the script:

- `USER_NAME` – the user which will be used for everything in the script. Defaults to the current user.
- `DOMAIN_NAME` – the domain name to create websites for. Defaults to `$(hostname | cut -d. -f2-)`.
- `MAIL_DOMAIN` – the domain name where the mail server will be hosted. Defaults to `mail.$DOMAIN_NAME`.
- `VPN_DOMAIN` – the domain name where VPNs will be hosted (including their configurations). Defaults to `vpn.$DOMAIN_NAME`.
Bootstrap stage enables the main user to use doas and downloads all needed dependencies
Sets up zsh, tmux
- Creates nginx configuration and logs directories.
- Creates nginx configurations for domain.xxx and mail.domain.xxx
- Gets certificates via certbot
- Switches nginx configuration to use only secure versions of domains
- Sets up smtpd, dovecot, rspamd, redis
- Creates a user account username@domainname
- There are scripts available to add users, change passwords and delete users
- Prints DNS records that you should set up
- Local mail is forwarded to vmail directories (to be able to fetch them via IMAP)
Optional: set up RainLoop web frontend
Optional, manual: set up a reverse DNS record at your VPS provider
Required if using a VPS: port 25 is required to receive mail. If you're using a VPS, chances are it is blocked by default. You will have to contact your VPS provider to open port 25.
Sets up packet filter to block IPs which spam your SSH, HTTP, HTTPS, IMAP, SMTP ports
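The mechanism behind this stage is pf's connection-rate limiting with an overload table: a source that opens too many new connections too quickly is added to a table, and a `block` rule drops everything from that table. The script below is an added example, not the setup script's own code; it generates such a pf.conf fragment for the protected ports, validates it with `pfctl -nf` before it is loaded, and offers the two maintenance commands you will want afterwards (list the table, expire old entries). The table name `bruteforce`, the thresholds (15 new connections in 5 seconds, 50 concurrent), the port list and the file path are assumptions you should adjust.

```shell
#!/bin/sh
# Added example (not the setup script's own code): pf(4) brute-force
# protection for the SSH, SMTP, HTTP, IMAP, HTTPS and IMAPS ports.
# Table name, thresholds and file path are assumptions.

# Print a pf.conf fragment for the given egress interface (e.g. vio0).
# max-src-conn-rate 15/5: more than 15 new connections within 5 seconds from
# one source puts it into <bruteforce>; "flush global" also kills the states
# that source already has, so an in-progress attempt is cut off too.
pf_bruteforce_rules() {
    iface=$1
    cat <<EOF
table <bruteforce> persist
protected_ports = "{ 22 25 80 143 443 993 }"
block in quick on $iface from <bruteforce>
pass in on $iface proto tcp to ($iface) port \$protected_ports flags S/SA keep state \\
    (max-src-conn 50, max-src-conn-rate 15/5, overload <bruteforce> flush global)
EOF
}

# Write the fragment and parse-check it with pfctl -n before loading anything.
# Afterwards add 'include "<file>"' to /etc/pf.conf and run pfctl -f /etc/pf.conf.
install_rules() {
    iface=$1 out=${2:-/etc/pf.bruteforce.conf}
    pf_bruteforce_rules "$iface" > "$out"
    pfctl -nf "$out" && echo "syntax ok: $out (add 'include \"$out\"' to /etc/pf.conf, then pfctl -f /etc/pf.conf)"
}

# Show the currently blocked sources.
show_blocked() {
    pfctl -t bruteforce -T show
}

# Drop table entries older than one day; suitable for a daily cron job so that
# a dynamic address that once misbehaved is not blocked forever.
expire_blocked() {
    pfctl -t bruteforce -T expire 86400
}

# Usage: sh pf-bruteforce.sh generate vio0
#        doas sh pf-bruteforce.sh install vio0 [/etc/pf.bruteforce.conf]
#        doas sh pf-bruteforce.sh show | expire
case ${1:-} in
    generate) pf_bruteforce_rules "$2" ;;
    install)  install_rules "$2" "$3" ;;
    show)     show_blocked ;;
    expire)   expire_blocked ;;
esac
```

Keep your own addresses (for example the VPN range) out of the overload by adding a `pass ... from <trusted>` rule with `quick` ahead of the rate-limited rule; otherwise a busy IMAP client behind a single NAT address can trip the limit and block everyone behind it.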
Sets up OpenIKED IKEv2 and WireGuard VPN. Ideas taken from EdgeWalker script https://github.com/fazalmajid/edgewalker
By default, the IKEv2 configuration is not set up. IKEv2 uses pre-shared key authentication; WireGuard uses asymmetric keys plus a pre-shared key.
New VPN configurations for new clients can be created via a script (WireGuard only). Configurations are made available at a random endpoint under vpn.{domain}/