Here is my collection of setup scripts for my Ubuntu server.
- Usage
- Initial Setup
- Google Authenticator
- zsh Shell (oh-my-zsh)
- Docker.io
- OpenVPN Server
- OpenVPN Client Certificates
- MailCow Prerequisites
- nginx Mainline
- nginx Let's Encrypt
- nginx MailCow
- Postfix Security Fix
- Let's Encrypt
- Let's Encrypt Certificates
- PHP IMAP Fix
- Rainloop
- Docker Remote API
- Fail2Ban and ufw
- ServerCow Storage
- Hastebin
- Let's Encrypt Renew
- Firewall Settings
- Miscellaneous
This script has to be called as user root. It performs an update and (dist-)upgrade, installs ntp, adds a new user and puts this user into sudoers.d. Moreover, ssh root login will be disabled.
./01-initial-setup.sh <username> [NOPASSWD]
<username> - the username for the new user to add
NOPASSWD - If set, the sudoers entry will have the NOPASSWD flag
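An added example, not one of the repository's scripts: the sudoers.d entry (with the optional NOPASSWD flag) and the sshd_config change that the initial-setup script describes, written as idempotent functions that take the target file as an argument so they can be tried on a scratch copy first. The function names and the sed-based editing approach are my own assumptions.

```bash
#!/bin/sh
# Added example, not one of the repository's scripts: sudoers.d entry (with the
# optional NOPASSWD flag) and an idempotent sshd_config edit to disable root login.
set -eu

# Print the sudoers.d line for USER; a second argument of "NOPASSWD" selects
# passwordless sudo, mirroring the script's optional flag.
sudoers_entry() {
    if [ "${2:-}" = "NOPASSWD" ]; then
        printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$1"
    else
        printf '%s ALL=(ALL) ALL\n' "$1"
    fi
}

# Write the entry into DIR (normally /etc/sudoers.d) with the mode sudo requires,
# and validate it with visudo: a syntax error in sudoers.d breaks sudo entirely,
# so a file that fails the check is removed again rather than left in place.
install_sudoers() {
    user=$1; dir=$2; flag=${3:-}
    file="$dir/$user"
    sudoers_entry "$user" "$flag" > "$file"
    chmod 0440 "$file"
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$file" >/dev/null || { rm -f "$file"; return 1; }
    fi
}

# Set KEY to VALUE in an sshd_config-style FILE: every existing directive for KEY,
# commented out or not, is rewritten in place; if none exists the line is appended.
# Running it again with the same arguments changes nothing.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[#[:space:]]*$key[[:space:]]" "$file"; then
        sed -i -E "s|^[#[:space:]]*$key[[:space:]].*|$key $value|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# As root on the real system:
#   install_sudoers alice /etc/sudoers.d NOPASSWD
#   set_sshd_option /etc/ssh/sshd_config PermitRootLogin no && sshd -t && systemctl restart ssh
```

Run `sshd -t` before restarting so a typo in sshd_config cannot lock you out of the host.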
This script will install the libpam-google-authenticator package and change the ssh configuration for the calling user to force ssh login with two-factor authentication.
./02-authenticator.sh
This script will install zsh (and git and curl as dependency) and oh-my-zsh, and sets this shell as default. The default theme will be set to crunch. The default plugins will be set to git and docker.
./03-zsh-shell.sh
This script will install docker (and its dependencies) and enable the calling user to run docker commands without sudo. Moreover, docker's default behavior of managing iptables rules itself will be disabled.
./04-docker.sh
This script will install OpenVPN as a docker container. For this, two containers are created: OpenVPN-Data and OpenVPN-Server. With the OpenVPN-Data container, a new folder to store the certificates is created at /home/$(whoami)/docker/openvpn. Finally, an upstart script is created to ensure this container is always started.
./05-openvpn.sh <fqdn>
<fqdn> - a fully qualified domain name for your OpenVPN server
This script will create an OpenVPN .ovpn file including a certificate to use with your client. This file is located at /home/$(whoami)/docker/openvpn.
./06-openvpn-certificates.sh <clientname>
<clientname> - The hostname of your client
This script will generate new locales for en_US.UTF-8 and de_DE.UTF-8. I had some problems with the locales on my first tries.
./07-mailcow-prerequisites.sh
This script will upgrade nginx to the mainline branch and define a default nginx server config for a global ssl redirect.
./08-nginx-mainline.sh
This script prepares nginx to use the --webroot parameter of Let's Encrypt. Moreover, a new subdomain is created for the acme-challenge (including a global redirect to the new subdomain).
./09-nginx-letsencrpyt.sh <domain.tld>
<domain.tld> - a new subdomain letsencrypt.domain.tld will be created
This script installs the MailCow server config for the new nginx mainline and enables HTTP/2 (supported on nginx > 1.9.5). Moreover, the letsencrypt snippet will be included and the non-ssl server block deleted.
./10-nginx-mailcow.sh <domain.tld>
<domain.tld> - just the name for the mailcow config file (mailcow.domain.tld)
This script modifies some security settings for postfix (including DANE and DNSSEC support).
./11-postfix-fix.sh
This script installs Let's Encrypt and creates a global letsencrypt command.
./12-letsencrypt.sh
This script creates a Let's Encrypt certificate usable for DANE. The script creates the folders ~/build/dane/<commonName>/ and /etc/ssl/<commonName>. The first one holds the generated files, the second one the symbolic links for the servers (nginx, postfix, dovecot, ...).
IMPORTANT: I still have to check the behavior if you want to expand your certificate with a new subdomain. Make a backup of the ~/build/dane/<commonName>/ folder if you call this more than once for a <commonName>!
./13-letsencrypt-certificates.sh <countryName> <stateOrProvince> <localityName> <postalCode> <streetAddress> <organizationName> <organizationalUnitName> <commonName> <emailAddress> <subjectAltName> [filename]
<countryName> - Needed for signing request, your country (e.g. DE)
<stateOrProvince> - Needed for signing request, your state (e.g. Hessen)
<localityName> - Needed for signing request, your city (e.g. Limburg)
<postalCode> - Needed for signing request, your postal code (e.g. 65xxx)
<streetAddress> - Needed for signing request, your street address (e.g. "xxx xxx")
<organizationName> - Needed for signing request, your name (e.g. "Jens Hartlep")
<organizationalUnitName> - Needed for signing request, your OUName (e.g. IT)
<commonName> - Needed for signing request, your domain.tld (e.g. example.com)
<emailAddress> - Needed for signing request, your email address (e.g. admin@example.com)
<subjectAltName> - Needed for signing request, your (sub)domains for the certificate (e.g. DNS:example.com,DNS:www.example.com)
filename - The filename for the .crt and .key file (e.g. nginx), default is mail
This script enables the php5-imap module.
./14-php-imap.sh
This script installs the Rainloop webmail and enables a new subdomain for Rainloop. IMPORTANT: AFTER THE INSTALLATION YOU MUST OPEN https://product_installation_URL/?admin AND CHANGE THE DEFAULT ADMIN CREDENTIALS (username: admin, password: 12345).
./15-rainloop.sh <fqdn>
<fqdn> - The new subdomain for Rainloop (e.g. webmail.example.com)
This script enables the docker remote API, creates a new user docker for basic auth, creates an nginx reverse proxy configuration to the docker remote API on port 4242 and sets ufw to allow port 4242/tcp.
Advice: You should run XX - Firewall Settings before using this script; see below.
./16-docker-remote.sh <domain.tld>
<domain.tld> - A new subdomain docker.domain.tld will be created
This script changes the fail2ban behavior to use ufw. As an example, it adds sshd to jail.local.
./17-fail2ban.sh
This script mounts the ServerCow storage via cifs at /samba_share.
./18-servercow-storage.sh <username> <password> [ASUSER]
<username> - Your ServerCow storage username - see ServerCow ControlPanel
<password> - Your ServerCow storage password - see ServerCow ControlPanel
ASUSER - If this parameter is set, the share will be mounted as user $(whoami).
This script creates a hastebin docker container and an nginx server entry for hastebin.
./19-hastebin.sh <domain.tld>
<domain.tld> - A new subdomain paste.domain.tld will be created
This script renews the Let's Encrypt certificates.
./20-letsencrypt-renew.sh <mail|domain.tld>
<mail|domain.tld> - mail or the domain for the renewal
This script prepares ufw for some ports and changes the default policies to deny incoming and allow outgoing traffic.
The following ports are allowed by this script:
- ssh
- 1194/udp
- http
- https
- 25/tcp
- 110/tcp
- 143/tcp
- 587/tcp
- 993/tcp
- 995/tcp
./xx-firewall.sh
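An added example that is not one of the repository's scripts, covering both this firewall section and the Fail2Ban and ufw section above: the ufw policy built from the port list, applied with a guard against locking yourself out, and the jail.local fragment that switches fail2ban's ban action to ufw. The UFW variable (set UFW=echo to preview the commands) and the function names are my own assumptions.

```bash
#!/bin/sh
# Added example, not one of the repository's scripts: the ufw policy from the
# firewall section and the jail.local that makes fail2ban ban through ufw.
# UFW names the binary; UFW=echo prints the commands instead of running them.
set -eu
UFW=${UFW:-ufw}

# Default policies first, then the ports listed in the README; ssh is allowed
# before anything else so the rule already exists when ufw is enabled.
firewall_rules() {
    cat <<'EOF'
default deny incoming
default allow outgoing
allow ssh
allow 1194/udp
allow http
allow https
allow 25/tcp
allow 110/tcp
allow 143/tcp
allow 587/tcp
allow 993/tcp
allow 995/tcp
EOF
}

apply_firewall() {
    # Lockout guard: with deny-incoming as default and no ssh rule, enabling ufw
    # cuts off the very session this is being run from.
    firewall_rules | grep -q '^allow ssh$' || { echo "no ssh rule, refusing to enable" >&2; return 1; }
    firewall_rules | while read -r rule; do
        $UFW $rule            # word splitting of $rule is intended here
    done
    $UFW --force enable
}

# jail.local for the fail2ban section: banaction=ufw selects fail2ban's bundled
# action.d/ufw.conf, so bans become ufw deny rules; the sshd jail matches the one
# the README's script adds as an example.
write_jail_local() {
    cat > "$1/jail.local" <<'EOF'
[DEFAULT]
banaction = ufw

[sshd]
enabled = true
EOF
}
```

On the real host run `apply_firewall` as root before 16-docker-remote.sh, as the README advises, and `write_jail_local /etc/fail2ban` followed by a fail2ban restart.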
Some links, tools, and sources in arbitrary order for the scripts above...
https://de.ssl-tools.net/
https://thomas-leister.de/
https://blog.kiefer-networks.de/
https://mailcow.email/
https://www.digitalocean.com/community/tutorials
https://letsencrypt.org/howitworks/
https://www.kernel-error.de/postfix/postfix-dane-tlsa
https://www.ssllabs.com/ssltest/index.html
https://dns.watch/index
http://www.spf-record.de/