This repository contains automation scripts to set up a secure Debian-based VPS with essential security features and Docker installation. The setup is completely automated using GitHub Actions and can be easily forked and customized for your own use.
-
User Management
- Creates a non-root user with sudo privileges
- Configures SSH key-based authentication
- Disables root login and password authentication
-
Security
- Sets up UFW firewall (allows only SSH, HTTP, HTTPS)
- Installs and configures fail2ban to prevent brute-force attacks
- Configures unattended-upgrades for automatic security updates
- Implements secure SSH configuration
-
Docker
- Installs Docker and Docker Compose
- Adds user to docker group
-
System Updates
- Configures automatic security updates
- Sets up unattended-upgrades with email notifications
- Automatic system cleanup
-
Coolify Installation (Optional)
- Install Coolify
- Open temporary ports (8000, 6001, 6002)
- Provide instructions for securing after domain setup
There are two options on how to use this script:
-
Run the (interactive) setup script (
setup-interactive.sh
) on your local machine or vps. -
Duplicate this repository, configure the variables as Secrets and use the included github action (
.github/workflows/deploy.yml
) to automatically run this script on your VPS when you push your updates.
You can run this script on your local machine or vps. It is necessary, that you have root ssh access to your remote VPS.
VPS_HOST
ist your vps hostname or ip adress.
a) On your local machine
ssh root@VPS_HOST "bash <(curl -s https://raw.githubusercontent.com/legout/vps-setup/refs/heads/main/setup-interactive.sh)"
b) On your VPS
ssh root@VPS_HOST
# you are on your remote VPS now
bash <(curl -s https://raw.githubusercontent.com/legout/vps-setup/refs/heads/main/setup-interactive.sh)
Duplicate this repository and make it private to safely store your configurations.
git clone --bare https://github.com/legout/vps-setup.git
cd vps-setup
git push --mirror https://github.com/<your-github-username>/vps-setup.git
cd ..
rm -r vps-setup
git clone https://github.com/<your-github-username>/vps-setup.git
In your forked repository, go to Settings > Secrets and variables > Actions and add the following secrets:
VPS_HOST
: Your VPS IP address or hostnameVPS_ROOT_PASSWORD
: Initial root passwordVPS_USER
: Desired username for the non-root userVPS_USER_PASSWORD
: Password for the new userSSH_PUBLIC_KEY
: Your SSH public key content (from~/.ssh/id_rsa.pub
)INSTALL_COOLIFY
: Set to "true" to install Coolify, "false" to skip (defaults to "false")AUTO_REBOOT
: Set to "true" for automatic reboot after system updates, "false" to skip (defaults to "false")REMOVE_UNUSED_DEPS
: Set to "true" to remove unused dependencies, "false" to skip (defaults to "false")
- Never commit these values directly to the repository
- Always use GitHub Secrets for sensitive information
- Use strong passwords for both root and user accounts
- Keep your SSH private key secure
The setup will automatically deploy when you push to the main branch, or you can manually trigger it from the Actions tab.
After the GitHub Action completes successfully:
- Test SSH key-based login:
ssh your-user@your-vps-host
- If SSH key access works, disable password authentication:
ssh your-user@your-vps-host 'sudo sed -i "s/PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config && sudo systemctl restart sshd'
- Only disable password authentication after confirming SSH key access works
- Keep a backup of your SSH private key
- Store your VPS root password securely (in case of emergencies)
- Monitor the GitHub Actions logs for the setup result
The setup includes an optional Coolify installation with temporary open ports:
- 8000/tcp: Coolify Web UI
- 6001/tcp: Coolify Websocket
- 6002/tcp: Coolify Terminal
ssh your-user@your-vps-host 'sudo ufw delete allow 8000/tcp && sudo ufw delete allow 6001/tcp && sudo ufw delete allow 6002/tcp'
These ports should only be open during initial setup. Once you've configured your domain and SSL in Coolify, all traffic should go through ports 80/443.
- UFW (Uncomplicated Firewall)
- fail2ban
- unattended-upgrades
- Docker & Docker Compose
- Essential system utilities
- Coolify (optinal)
- Default: deny incoming, allow outgoing
- Allowed incoming ports:
- 22 (SSH)
- 80 (HTTP)
- 443 (HTTPS)
- Monitors SSH authentication
- Bans IP after 3 failed attempts
- Ban duration: 1 hour
- Monitor window: 10 minutes
- Daily security updates
- Automatic removal of unused packages
- Configured reboot at 2 AM if necessary
- Email notifications for important updates
- Key-based authentication only
- Root login disabled
- Password authentication enabled. For security reasons you should disable it after successfull setup (see Post-Setup Security Steps below)
- Fork this repository
- Modify
setup.sh
according to your needs - Update the GitHub Actions workflow in
.github/workflows/deploy.yml
if necessary - Set up your secrets
- Deploy!
- Always keep your SSH private key secure
- Regularly update your SSH keys
- Monitor system logs regularly
- Keep Docker and system packages updated
- Review automatic update logs periodically
After deployment, you can monitor various aspects:
- Fail2ban logs:
/var/log/fail2ban.log
- UFW logs:
/var/log/ufw.log
- Unattended upgrades:
/var/log/unattended-upgrades/
- System logs:
/var/log/syslog
- This script is designed for Debian-based systems (tested on Debian 12)
- Ensure you have root access to your VPS before running
- Make sure to test the setup in a development environment first
- Keep your forked repository private to protect sensitive information
- Regularly update your SSH keys and monitor system logs
Contributions are welcome! Please feel free to submit a Pull Request.
This project is licensed under the MIT License - see the LICENSE file for details.
Please give it a ⭐!
If you find this project useful and are looking for a VPS provider, consider using my affiliate link:
- Get a Netcup VPS - Starting from €3.99/month
- Excellent performance and reliability
- Perfect for running this setup
🙏 Using this link supports the maintenance and development of this project at no extra cost to you.
If you discover any security issues, please send an email to ligno.blades@gmail.com instead of using the issue tracker.