# linux-server-bootstrap

A production-ready Linux server bootstrap toolkit that turns a fresh VPS into a hardened server ready for Dockerized web applications. Idempotent and safe to re-run.

## Supported systems

| OS | Versions |
|---|---|
| Ubuntu | 20.04, 22.04, 24.04 |
| Debian | 11, 12, 13 |
## Quick start

```bash
git clone <this-repo>
cd linux-server-bootstrap
sudo bash scripts/setup-server.sh
```

After completion, add your SSH key for the deploy user and (optionally) obtain an SSL certificate:

```bash
ssh-copy-id deploy@your-server-ip
sudo certbot --nginx -d example.com
```

## What it does

| Step | Component | Description |
|---|---|---|
| 1 | System update | apt update, upgrade, autoremove, unattended-upgrades |
| 2 | Dependencies | Installed as needed by each script |
| 3 | Docker | docker-ce, docker-compose-plugin; deploy user in docker group |
| 4 | Nginx | Nginx with gzip, HTTP/2-ready, security headers, server_tokens off |
| 5 | Firewall | UFW: deny incoming, allow 22/80/443 |
| 6 | Fail2ban | SSH + Nginx jails; maxretry=5, bantime=1h |
| 7 | SSH hardening | PermitRootLogin no, MaxAuthTries 3, etc. (drop-in config) |
| 8 | Certbot | certbot + python3-certbot-nginx; certbot.timer enabled |
| 9 | Security headers | X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Referrer-Policy |
| 10 | Deploy user | User deploy with sudo, home dir, SSH key support |
Additional hardening: kernel sysctl (e.g. SYN cookies, no ICMP redirects, RP filter).
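The SSH hardening step above relies on a drop-in under `/etc/ssh/sshd_config.d/`, and that only works because sshd keeps the first value it reads for each keyword and the stock `sshd_config` includes the drop-in directory before its own settings. The audit helper below is an added example, not one of the toolkit's scripts: it reproduces that first-match rule over the files in the order sshd reads them and reports whether the values the table names (`PermitRootLogin no`, `MaxAuthTries 3`) are the ones actually in effect. The `PasswordAuthentication` check and the demo files are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added audit helper (hypothetical; not part of linux-server-bootstrap).
# sshd uses the FIRST value it reads for a keyword, and the stock
# sshd_config starts with "Include /etc/ssh/sshd_config.d/*.conf", which is
# why a drop-in can override settings that appear later in the main file.
# effective_value mirrors that rule over the files given in sshd's read order.
set -eu

# effective_value KEYWORD FILE... -> first non-comment value, or "unset"
effective_value() {
    local key="$1" v
    shift
    [ "$#" -gt 0 ] || { printf 'unset\n'; return; }   # no files: nothing to read
    v=$(awk -v k="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blanks
        tolower($1) == tolower(k) { print $2; exit }    # first match wins
    ' "$@")
    printf '%s\n' "${v:-unset}"
}

# audit_sshd FILE... -> one "keyword want got OK|FAIL" line per check;
# returns 1 if any check fails. PermitRootLogin and MaxAuthTries are the
# values the README names; PasswordAuthentication is an assumed extra check.
audit_sshd() {
    local rc=0 key want got status
    while read -r key want; do
        got=$(effective_value "$key" "$@")
        if [ "$got" = "$want" ]; then status=OK; else status=FAIL; rc=1; fi
        printf '%-22s want=%-4s got=%-6s %s\n' "$key" "$want" "$got" "$status"
    done <<'EOF'
PermitRootLogin no
MaxAuthTries 3
PasswordAuthentication no
EOF
    return "$rc"
}

# Constructed demo files standing in for the drop-in and the main config.
demo() {
    local d
    d=$(mktemp -d)
    printf 'PermitRootLogin no\nMaxAuthTries 3\n' > "$d/99-hardening.conf"
    printf '# main file: these values win only if no drop-in sets them first\nPermitRootLogin yes\nMaxAuthTries 6\n' > "$d/sshd_config"
    echo "drop-in first, then main file:"
    audit_sshd "$d/99-hardening.conf" "$d/sshd_config" || true
    echo "main file alone:"
    audit_sshd "$d/sshd_config" || true
    rm -rf "$d"
}

demo
```

On a live host the authoritative check is `sshd -T`, which prints the effective configuration after all includes and `Match` blocks; the helper above is useful for reviewing config files before they are deployed, where `sshd -T` is not available.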
## Project structure

```text
linux-server-bootstrap/
├── scripts/
│   ├── setup-server.sh          # Main entrypoint
│   ├── system-updates.sh
│   ├── install-docker.sh
│   ├── install-nginx.sh
│   ├── install-certbot.sh
│   ├── configure-firewall.sh
│   ├── configure-fail2ban.sh
│   ├── security-hardening.sh
│   ├── create-deploy-user.sh
│   └── optional-packages.sh     # Node.js, Git, htop, swap
├── config/
│   ├── nginx/                   # default.conf, security-headers.conf
│   ├── fail2ban/                # jail.local
│   ├── ufw/                     # rules.sh (custom rules)
│   ├── sysctl/                  # hardening.conf
│   └── ssh/                     # sshd_config reference, deploy_authorized_keys
├── docs/
│   ├── setup.md
│   ├── security.md
│   └── troubleshooting.md
└── README.md
```
## Options

- `--with-optional` — Install Node.js LTS, Git, htop, iotop, and create a 1GB swap file.
- `--skip-docker` — Do not install Docker.
- `--skip-nginx` — Do not install Nginx.
- `--skip-certbot` — Do not install Certbot.

Example:

```bash
sudo bash scripts/setup-server.sh --with-optional --skip-certbot
```

## Deploy user

- Username: `deploy` (override with `DEPLOY_USER=myuser` when running the script).
- Sudo: NOPASSWD by default; restrict in `/etc/sudoers.d/deploy` if needed.
- SSH: Add keys to `config/ssh/deploy_authorized_keys` before running, or use `ssh-copy-id deploy@server` after.
## Documentation

- [Setup guide](docs/setup.md) — Supported systems, installation, optional steps, re-runs.
- [Security](docs/security.md) — Firewall, Fail2ban, SSH, kernel, Nginx, deploy user.
- [Troubleshooting](docs/troubleshooting.md) — Common issues and fixes.
## Idempotency

Scripts detect existing installations and configuration. You can run setup-server.sh multiple times; it will skip or update only as needed.
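The idempotency described here comes down to every configuration write being a "make it so" rather than an "append". The helper below is an added example, not the toolkit's `security-hardening.sh`, showing that pattern for the kernel sysctl drop-in mentioned under "What it does": each setting is written exactly once, a differing pre-existing value is corrected in place, and a second run changes nothing. The four sysctl keys are the usual ones behind "SYN cookies, no ICMP redirects, RP filter"; the README names the goals, the exact keys and the file layout are this example's assumptions.

```bash
#!/usr/bin/env bash
# Added example (hypothetical helper, not the toolkit's own code): write a
# sysctl drop-in so that re-running it is a no-op. Requires GNU sed (-i).
set -eu

# ensure_setting FILE KEY VALUE: guarantee exactly one "KEY = VALUE" line.
ensure_setting() {
    local file="$1" key="$2" value="$3" key_re
    key_re=$(printf '%s' "$key" | sed 's/\./\\./g')   # dots in KEY are literal
    if grep -Eq "^[[:space:]]*${key_re}[[:space:]]*=" "$file" 2>/dev/null; then
        # key present: rewrite only if the value differs, so an unchanged
        # re-run leaves the file (and its mtime) untouched
        grep -Eq "^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*${value}[[:space:]]*$" "$file" \
            || sed -i -E "s/^[[:space:]]*${key_re}[[:space:]]*=.*/${key} = ${value}/" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"   # missing: append (creates the file)
    fi
}

# apply_sysctl_hardening FILE: idempotently write the hardening drop-in.
apply_sysctl_hardening() {
    local file="$1"
    ensure_setting "$file" net.ipv4.tcp_syncookies 1             # SYN cookies
    ensure_setting "$file" net.ipv4.conf.all.accept_redirects 0  # ignore ICMP redirects
    ensure_setting "$file" net.ipv4.conf.all.send_redirects 0    # never send them
    ensure_setting "$file" net.ipv4.conf.all.rp_filter 1         # reverse-path filter
    # On a real host, FILE would be /etc/sysctl.d/99-hardening.conf (assumed
    # name) and the settings are loaded with: sysctl --system
}

# setting_count FILE KEY -> number of lines that set KEY (1 proves idempotency)
setting_count() {
    local key_re
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -Ec "^[[:space:]]*${key_re}[[:space:]]*=" "$1" || true   # grep -c exits 1 on 0 matches
}

# current_value FILE KEY -> the value on KEY's line
current_value() {
    local key_re
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -nE "s/^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*//p" "$1" | head -n1
}

# Constructed demo: a file that already carries a looser rp_filter value.
demo() {
    local f
    f=$(mktemp)
    printf '# pre-existing loose setting: corrected in place, not duplicated\nnet.ipv4.conf.all.rp_filter = 2\n' > "$f"
    apply_sysctl_hardening "$f"
    apply_sysctl_hardening "$f"   # second run: no duplicates, no changes
    cat "$f"
    echo "rp_filter lines: $(setting_count "$f" net.ipv4.conf.all.rp_filter)"
    rm -f "$f"
}

demo
```

The same shape (check, then change only if needed) is what makes the rest of the toolkit safe to re-run: a firewall rule is added only if `ufw status` does not already list it, a package only if `dpkg -s` does not report it installed.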
Use and modify as needed for your environment.