{"id":51146866,"url":"https://github.com/franckferman/debian-server-post-install","last_synced_at":"2026-06-26T03:30:30.229Z","repository":{"id":358736245,"uuid":"1242864860","full_name":"franckferman/debian-server-post-install","owner":"franckferman","description":"Automated Debian server post-installation script with intelligent profile-based configuration, VPS-safe security hardening, and granular network   protection. Supports multiple firewall engines, Docker integration, and 10 specialized package profiles from minimal to enterprise compliance.","archived":false,"fork":false,"pushed_at":"2026-06-02T07:25:25.000Z","size":148,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"stable","last_synced_at":"2026-06-02T09:17:38.385Z","etag":null,"topics":["bash","bash-config","bash-configuration","bash-script","bash-scripting","bash-scripting-for-system-hardening","config-linux","debian","debian-hardening","debian-linux","debian-server","debian11","debian12","debian13","hardening","hardening-script","linux-script","post-install","post-install-script","post-installation"],"latest_commit_sha":null,"homepage":"https://franckferman.github.io/debian-server-post-install/","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/franckferman.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-18T20:38:32.000Z","updated_at":"2026-06-02T07:25:29.000Z","dependencies_parsed_at":null,"dependen
cy_job_id":null,"html_url":"https://github.com/franckferman/debian-server-post-install","commit_stats":null,"previous_names":["franckferman/debian-server-post-install"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/franckferman/debian-server-post-install","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/franckferman%2Fdebian-server-post-install","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/franckferman%2Fdebian-server-post-install/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/franckferman%2Fdebian-server-post-install/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/franckferman%2Fdebian-server-post-install/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/franckferman","download_url":"https://codeload.github.com/franckferman/debian-server-post-install/tar.gz/refs/heads/stable","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/franckferman%2Fdebian-server-post-install/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34802384,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-26T02:00:06.560Z","response_time":106,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bash","bash-config","bash-configuration","bash-script"
,"bash-scripting","bash-scripting-for-system-hardening","config-linux","debian","debian-hardening","debian-linux","debian-server","debian11","debian12","debian13","hardening","hardening-script","linux-script","post-install","post-install-script","post-installation"],"created_at":"2026-06-26T03:30:24.012Z","updated_at":"2026-06-26T03:30:30.188Z","avatar_url":"https://github.com/franckferman.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Debian Server Post-Installation Script\n\nAutomates system configuration, hardening, and tooling setup for Debian servers with profile-based defaults and safe security configurations.\n\nDesigned for Debian Server, but compatible with Ubuntu Server distributions.  \nFor Ubuntu Desktop, see: [github.com/franckferman/ubuntu-post-install](https://github.com/franckferman/ubuntu-post-install)\n\n## Features\n\n- Profile-based configuration for different deployment scenarios\n- VPS-safe security hardening to prevent remote lockouts\n- Modular network hardening with 9 configurable components\n- Multiple firewall engines: UFW, nftables, iptables\n- Customizable service and package hardening\n- Secure defaults that preserve functionality\n- Proxmox and Docker compatibility\n- APT packages with specialized tool integration\n\n## Quick Start\n\n### Download and Run\n```bash\n# Download, inspect, then run (recommended)\ncurl -O https://raw.githubusercontent.com/franckferman/debian-server-post-install/stable/debian-server-post-install.sh\nchmod +x debian-server-post-install.sh\n\n# Or pipe straight into bash (basic profile only; read the script before doing this, it runs with your privileges)\ncurl -fsSL https://raw.githubusercontent.com/franckferman/debian-server-post-install/stable/debian-server-post-install.sh | bash\n\n# For root users (add --allow-root)\n./debian-server-post-install.sh --allow-root\n\n# Piped execution with arguments (same caveat: review the script first)\ncurl -fsSL https://raw.githubusercontent.com/franckferman/debian-server-post-install/stable/debian-server-post-install.sh | bash -s -- 
--server-profile dev\n```\n\n### Profile Examples\n```bash\n# Basic installation (VPS-safe, no Docker)\n./debian-server-post-install.sh\n\n# Production server with Docker\n./debian-server-post-install.sh --server-profile prod\n\n# Development server with full stack\n./debian-server-post-install.sh --server-profile dev\n\n# Maximum security (still VPS-safe)\n./debian-server-post-install.sh --server-profile hardened\n\n# Default + Docker installation\n./debian-server-post-install.sh --install-docker        # docker.io (default)\n./debian-server-post-install.sh --docker-type io        # docker.io (explicit)\n./debian-server-post-install.sh --docker-type ce        # docker-ce (official)\n\n# Examples with different types\n./debian-server-post-install.sh --server-profile default --docker-type ce\n./debian-server-post-install.sh --server-profile default --install-docker\n```\n\n## Server Profiles\n\n### `--server-profile \u003cprofile\u003e`\n\n| Profile | Editor | Firewall | VIM | SSH | Apps | Use Case |\n|---------|--------|----------|-----|-----|------|----------|\n| **default** | both | ufw + hardened | minimal | VPS-safe | server (36) | General purpose |\n| **prod** | both | nftables + hardened | minimal | VPS-safe | server (36) | Production ready |\n| **dev** | both | ufw + transparent | full | VPS-safe | full (57) | Development friendly |\n| **minimal** | vim | ufw + hardened | minimal | VPS-safe | minimal (5) | Lightweight essential |\n| **hardened** | vim | nftables + hardened | bare | VPS-safe | defense (47) | Maximum security |\n\n### Profile Characteristics\n\n#### **default** - Balanced\n```bash\n+ Both editors (Vim + Neovim/LazyVim)\n+ UFW firewall with hardened rules\n+ Minimal Vim preset (stable)\n+ Monitoring and logging enabled\n- No Docker (use --docker-type to install)\n+ Network hardening: ICMP/TCP/Source routing protection active\n- Network hardening: IPv6/Anti-spoofing/Connection limits commented (safe)\n```\n\n#### **prod** - Production 
Optimized\n```bash\n+ nftables firewall (performance)\n+ SSH hardening enabled\n+ Docker + Compose\n+ Enhanced monitoring/logging\n+ Same network hardening as default (the firewall profile is hardened, not transparent)\n+ All other security hardening active\n```\n\n#### **dev** - Development Friendly\n```bash\n+ UFW transparent firewall (no blocking)\n+ Full Vim preset (IDE-like)\n+ Nerd Fonts for terminal\n+ Docker + Compose\n+ Complete development stack (Node.js, Go, etc.)\n- Monitoring disabled (lighter)\n- Network hardening disabled (development transparent)\n```\n\n#### **minimal** - Lightweight\n```bash\n+ Vim only (no Neovim)\n+ Essential tools only (5 packages)\n- No Docker/monitoring\n+ Essential security only\n+ Same network hardening as default\n```\n\n#### **hardened** - Maximum Security\n```bash\n+ Bare Vim preset (minimal surface)\n+ nftables firewall\n+ USBGuard enabled\n+ Defense apps profile (security tools)\n- No Docker (reduced attack surface)\n+ All basic hardening features active\n+ Same network hardening as default (conservative)\n```\n\n### SERVER_PROFILE → APPS_PROFILE Mapping\n\nWhen you choose a `--server-profile`, it automatically sets the `--apps-profile`:\n\n| SERVER_PROFILE | → APPS_PROFILE | Total Packages | Logic |\n|---------------|---------------|----------------|-------|\n| **default** | → **server** | 36 | Balanced server with management tools |\n| **prod** | → **server** | 36 | Production server with same package set |\n| **dev** | → **full** | 57 | Development server with full toolchain |\n| **minimal** | → **minimal** | 5 | Lightweight server, essential only |\n| **hardened** | → **defense** | 47 | Security-focused with audit tools |\n\n**Important:** You can override this with `--apps-profile \u003cprofile\u003e` to mix and match:\n\n```bash\n# Server profile \"default\" but with enterprise packages\n./script.sh --server-profile default --apps-profile enterprise\n\n# Production server config but minimal packages  \n./script.sh --server-profile prod 
--apps-profile minimal\n```\n\n## Profile System Architecture\n\n### Understanding SERVER_PROFILE vs APPS_PROFILE\n\n**SERVER_PROFILE** configures the server's overall behavior and defaults:\n- `default` = Balanced server configuration (UFW firewall, monitoring enabled)  \n- `prod` = Production server (nftables, Docker enabled)\n- `dev` = Development server (transparent firewall, full vim)\n- `minimal` = Lightweight server (vim only, no monitoring)\n- `hardened` = Security-focused server (nftables, USBGuard)\n\n**APPS_PROFILE** determines which software packages are installed:\n- Uses a **cumulative inheritance system** where higher profiles include all lower levels\n- You choose ONE apps profile, but it includes all the packages from levels below it\n\n### `--apps-profile \u003cprofile\u003e` - Cumulative Inheritance System\n\n```\nLevel 1: minimal (5)\n    ↓\nLevel 2: default (29) = minimal + comfort tools  \n    ↓\nLevel 3: server (36) = default + server management tools\n    ↓\nLevel 4A: minimal-development (32) = server + light dev tools\nLevel 4B: security (39) = server + security tools\n    ↓                         ↓\nLevel 5A: development (43)    Level 5B: defense (47) = security + blue team\n         ↓                    Level 5C: offsec (40) = security + red team  \nLevel 6: full (57) = development + defense + offsec\n    ↓\nLevel 7: enterprise (60) = full + compliance + backup-manager\n```\n\n### Package Inheritance Table\n\n| Profile | Total | Includes ALL Packages From | Adds to Previous Level |\n|---------|-------|----------------------------|------------------------|\n| **minimal** | 5 | - | git, vim, curl, fail2ban, tmux |\n| **default** | 29 | minimal | wget, zsh, htop, python3, build-essential, jq |\n| **server** | 36 | minimal + default | logrotate, screen, cron, rsyslog, vnstat |\n| **minimal-development** | 32 | minimal + default + server | python3-dev, make, cmake, golang-go |\n| **development** | 43 | minimal + default + server + minimal-dev 
| nodejs, docker, ansible, postgresql-client |\n| **security** | 39 | minimal + default + server | nmap, tcpdump |\n| **defense** | 47 | minimal + default + server + security | lynis, wireshark, aide, rkhunter |\n| **offsec** | 40 | minimal + default + server + security | netcat-openbsd |\n| **full** | 57 | development + defense + offsec | Everything from dev + security branches |\n| **enterprise** | 60 | full + backup-manager | auditd, backup-manager, logwatch, compliance tools |\n\n### Key Changes: backup-manager Location\n\n**Previously:** backup-manager was in server profile (37 packages)  \n**Now:** backup-manager moved to enterprise profile (60 packages)\n\n**Rationale:** Modern servers often use external backup solutions (cloud, containers, infrastructure-as-code). backup-manager fits better with enterprise compliance requirements.\n\n### How to Get backup-manager\n\n```bash\n# Option 1: Enterprise profile (full stack + compliance + backup)\n./script.sh --apps-profile enterprise\n\n# Option 2: Add to any profile  \n./script.sh --apps-profile server --extra-packages backup-manager\n\n# Option 3: Remove from any profile that includes it\n./script.sh --apps-profile enterprise --skip-apt-packages backup-manager\n```\n\n### Package Details by Layer\n\n#### Level 1: minimal (5 packages)\n```bash\ngit curl vim fail2ban tmux\n```\nEssential packages for remote server management.\n\n#### Level 2: default (+24 packages)\n```bash\n# Essential tools\nwget zsh htop net-tools unzip tree ncdu ss lsof\n# Archive tools\nlsd zip unrar p7zip-full\n# Infrastructure tools\nbuild-essential software-properties-common\napt-transport-https ca-certificates gnupg lsb-release\npython3 python3-pip python3-venv jq rsync\n```\n\n#### Level 3: server (+7 packages)\n```bash\nlogrotate psmisc dstat iotop nethogs\nsudo screen openssl ca-certificates-utils\ncron anacron at rsyslog vnstat\n```\n**Note:** backup-manager was moved to enterprise profile for modern deployment scenarios.\n\n#### 
Level 4A: minimal-development (+5 packages)\n```bash\npython3-dev make cmake pkg-config\nsqlite3 golang-go\n```\n\n#### Level 5A: development (+11 packages)\n```bash\n# Development stack\nnodejs npm golang postgresql-client mysql-client\nansible-core fzf yq ripgrep autotools-dev\n# Docker (conditional on --docker-type)\ndocker.io docker-compose  # if --docker-type io\n# HashiCorp tools (via specialized function)\nterraform packer vault   # via _install_hashicorp_from_profile\n```\n\n#### Level 4B: security (+2 packages)\n```bash\nnmap tcpdump\n```\n\n#### Level 5B: defense (+8 packages)\n```bash\nlynis rkhunter chkrootkit\nwireshark-common tshark\naide debsecan debsums\n```\n\n#### Level 5C: offsec (+1 package)\n```bash\nnetcat-openbsd\n```\n\n#### Level 7: enterprise (+3 packages)\n```bash\nbackup-manager          # Traditional backup management system\nauditd sysstat acct     # System auditing and accounting\nlogwatch logcheck       # Advanced log monitoring\nrng-tools haveged       # Entropy generation for cryptography\n```\n**Note:** enterprise includes all previous levels (57 packages) + these compliance tools.\n\n### Installation Methods\n\n#### APT Standard Packages\nMost packages are installed via standard APT repositories in step 5.\n\n#### Specialized Functions\nSome tools require external repositories and use specialized functions:\n\n**HashiCorp Tools** (terraform, packer, vault):\n- Adds HashiCorp repository\n- Called by `_install_hashicorp_from_profile()` for development/full/enterprise profiles\n\n**Docker Engine**:\n- `--docker-type io`: docker.io from APT (default, stable)\n- `--docker-type ce`: docker-ce from official Docker repository\n\n## Network Hardening\n\nThe script provides 9 modular network security components with individual flags. 
Each component can be enabled or disabled independently.\n\n### Network Security Components\n\n#### Safe by Default (Enabled)\nThese protections target obsolete or dangerous protocols with minimal compatibility risk:\n```bash\n+ ICMP Redirects Protection     # Prevents redirection attacks  \n+ Source Routing Protection     # Prevents source routing attacks\n+ ICMP Security Protection      # Prevents smurf attacks and bogus errors\n+ TCP SYN Flood Protection      # Enables SYN cookies\n```\n\n#### Conservative by Default (Disabled)\nThese stay off unless you pass the matching `--no-disable-*` flag, because enabling them can break complex network setups:\n```bash\n- IPv6 Configuration           # Left off: IPv6 is disabled outright instead (see --disable-ipv6)\n- Martians Packet Logging      # Left off: keeps logs quiet\n- Anti-spoofing (rp_filter)    # Left off: rp_filter=1 breaks VLANs/asymmetric routing\n- Connection Limits Tuning     # Left off: can throttle high-throughput services\n- Modern Security Features     # Left off: sets forwarding=0, which breaks VMs and containers\n```\n\n### Network Hardening Flags\n\n#### **IPv6 Configuration**\n```bash\n--disable-ipv6                  # Disable IPv6 completely (default, Proxmox safe)\n--no-disable-ipv6              # Enable IPv6 with security hardening\n```\n\n#### **ICMP Redirects Protection** \n```bash\n--disable-icmp-redirects        # Disable ICMP redirect protection  \n--no-disable-icmp-redirects    # Enable ICMP redirect protection (default)\n```\n\n#### **Source Routing Protection**\n```bash\n--disable-source-routing        # Disable source routing protection\n--no-disable-source-routing    # Enable source routing protection (default)\n```\n\n#### **Martians Packet Logging**\n```bash\n--disable-martians-logging      # Disable martians packet logging (default)\n--no-disable-martians-logging  # Enable martians packet logging\n```\n\n#### **ICMP Security Protection**\n```bash\n--disable-icmp-protection       # Disable ICMP security protection\n--no-disable-icmp-protection   # Enable ICMP security protection (default)\n```\n\n#### **TCP SYN Flood 
Protection**\n```bash\n--disable-tcp-protection        # Disable TCP security protection\n--no-disable-tcp-protection    # Enable TCP security protection (default)\n```\n\n#### **Anti-spoofing Protection**\n```bash\n--disable-antispoofing          # Disable anti-spoofing protection (default)\n--no-disable-antispoofing      # Enable anti-spoofing protection (rp_filter=1, strict mode)\n```\n\n#### **Connection Limits Tuning**\n```bash\n--disable-connection-limits     # Disable connection limits tuning (default)\n--no-disable-connection-limits # Enable TCP connection limits tuning\n```\n\n#### **Modern Security Features**\n```bash\n--disable-modern-security       # Disable modern security features (default)\n--no-disable-modern-security   # Enable modern security features (sets forwarding=0; never on Docker/Proxmox hosts)\n```\n\n#### **Kexec System Call**\n```bash\n--disable-kexec                # Skip the kexec hardening, leaving kexec_load allowed (specialized environments only)\n--no-disable-kexec             # Disable the kexec system call (default; one-way until reboot)\n```\n\n## SSH Configuration\n\n### Default SSH Security\n```bash\n# VPS-SAFE defaults everywhere\nSSH_KEY_ONLY=false        # Passwords allowed (no lockout)\nDISABLE_ROOT_SSH=false    # Root SSH enabled (remote access safe)\nALLOW_SSH=true           # SSH enabled by default\nSSH_PORT=22              # Standard port\n```\n\nThese defaults keep the first login working at the cost of leaving password and root login reachable to anyone who can hit the port. Once key-based login is confirmed from a second session, rerun with `--ssh-key-only --disable-root-ssh` (see the High Security Server example).\n\n### SSH Hardening Flags\n```bash\n# Basic SSH Configuration\n--allow-ssh                  # Open SSH port (default: enabled for servers)\n--ssh-port \u003cport\u003e            # SSH port number (default: 22)\n--no-ssh-hardening           # Disable SSH hardening completely\n\n# Authentication Control\n--ssh-key-only               # Disable password authentication, keys only\n--disable-root-ssh           # Disable root SSH login\n--no-disable-root-ssh        # Allow root SSH login (default, so a first remote login always works)\n\n# IPv4/IPv6 Protocol Control\n--ssh-enable-ipv6            # Explicitly enable IPv6 (default: enabled)\n--ssh-disable-ipv6           # Force SSH to IPv4 
only (AddressFamily inet)\n--ssh-enable-ipv4            # Explicitly enable IPv4 (default: enabled)  \n--ssh-disable-ipv4           # Force SSH to IPv6 only (AddressFamily inet6)\n--ssh-listen-address \u003cip\u003e    # Bind SSH to specific IP address (can be used multiple times)\n\n# Legacy/Modern Compatibility\n--ssh-modern-only            # Remove legacy SSH options (Protocol 2, etc.)\n--no-ssh-modern-only         # Keep legacy SSH compatibility options (default)\n--ssh-rsa                    # Keep the RSA host key for legacy clients (default)\n--no-ssh-rsa                 # Drop the RSA host key; modern clients only\n```\n\n## Firewall Configuration\n\n### Firewall Engines\n```bash\n--firewall \u003cengine\u003e\n  ufw        # Simple, recommended for most servers\n  nftables   # Modern, high-performance\n  iptables   # Legacy but widely supported\n```\n\n### Firewall Profiles\n```bash\n--firewall-profile \u003cprofile\u003e\n  hardened    # Drop all incoming except explicitly opened services (SSH via --allow-ssh); allow outgoing + established\n  transparent # Allow all traffic (development/testing only; nothing is filtered)\n```\n\n## Docker Configuration\n\n### Docker Installation\n```bash\n--install-docker         # Force Docker installation (docker.io by default)\n--docker-type \u003ctype\u003e     # Docker type (auto-enables installation)\n  io  # docker.io (Debian/Ubuntu repos, stable)\n  ce  # docker-ce (Docker official repos, latest features)\n--no-docker              # Skip Docker installation\n```\n\n**Installation Logic:**\n- **default/minimal/hardened**: No Docker by default\n- **prod/dev**: Docker installed automatically  \n- **Any profile**: Use `--install-docker`, `--extras docker`, or `--docker-type` to force installation\n- **--docker-type**: Automatically enables Docker installation with specified type\n- **--extras docker**: Works with `--docker-type` to specify engine type\n\n**Examples:**\n```bash\n# Default profile + Docker CE\n./script.sh --server-profile default --docker-type ce\n./script.sh 
--server-profile default --extras docker --docker-type ce\n\n# Default profile + Docker IO  \n./script.sh --server-profile default --install-docker\n./script.sh --server-profile default --extras docker\n```\n\nBoth Docker types receive the same security configuration; the choice only changes which repository the engine comes from.\n\n## Editor Configuration\n\n### Editor Modes\n```bash\n--editor \u003cmode\u003e\n  both     # Vim + Neovim/LazyVim (default for most profiles)\n  vim      # Vim only (minimal/hardened)\n  neovim   # LazyVim only\n  none     # Skip editor installation\n```\n\n### Vim Presets\n```bash\n--vim-preset \u003cpreset\u003e\n  full     # vim-plug + plugins (dev profile)\n  minimal  # gruvbox + basic config (default/prod/minimal)\n  bare     # basic settings only (hardened)\n```\n\n## Kernel Security Hardening\n\n### Standards and Sources\n\nThe kernel hardening parameters are drawn from the following frameworks:\n\n**Primary Sources:**\n- **CIS Benchmarks** - Center for Internet Security Linux hardening guidelines\n- **ANSSI** - French National Cybersecurity Agency (Agence nationale de la sécurité des systèmes d'information)\n- **NIST SP 800-53** - National Institute of Standards and Technology security controls\n- **KSPP** - Linux Kernel Self-Protection Project recommendations\n\n**Applied Protections:**\n```bash\n# Information Disclosure Prevention (CIS 1.6.1 + ANSSI R12)\nkernel.dmesg_restrict = 1              # Prevent unprivileged kernel log access\nkernel.kptr_restrict = 2               # Hide kernel pointers from everyone, root included (anti-KASLR bypass)\nkernel.yama.ptrace_scope = 1           # Only ancestors may ptrace a process (Yama LSM)\n\n# Kernel Exploit Mitigation (KSPP + CIS)\nkernel.kexec_load_disabled = 1         # Disable kexec (blocks loading a replacement kernel; one-way until reboot)\nkernel.unprivileged_bpf_disabled = 1   # Disable unprivileged eBPF (1 is one-way until reboot; 2 can be reverted)\nnet.core.bpf_jit_harden = 2           # Harden BPF JIT compiler (constant blinding for all users)\n\n# File System Security (CIS 1.6.4 + NIST)\nfs.suid_dumpable = 0                   # Disable SUID core dumps\nfs.protected_hardlinks = 1             # Prevent hardlink attacks\nfs.protected_symlinks = 1              # 
Prevent symlink attacks\nfs.protected_fifos = 2                 # Prevent FIFO attacks\nfs.protected_regular = 2               # Prevent file attacks\n\n# ASLR Enhancement (CIS 1.6.2 + KSPP)\nkernel.randomize_va_space = 2          # Full address space randomization\nvm.mmap_rnd_bits = 32                  # Maximum mmap entropy (64-bit)\nvm.mmap_rnd_compat_bits = 16          # Maximum mmap entropy (32-bit)\n```\n\n## Hardening Profiles\n\n### `--hardening-profile \u003cprofile\u003e`\n\n| Profile | Root Lock | USB Guard | Services Removed | Packages Removed |\n|---------|-----------|-----------|------------------|------------------|\n| **server** | - No | - No | 9 services | 9 packages |\n| **workstation** | - No | + Yes | 7 services | 9 packages |\n| **enterprise** | - No | + Yes | 5 services | 9 packages |\n\n### Service Hardening by Profile\n```bash\n# server (default for all server profiles)\nRemoves: avahi-daemon, cups, bluetooth, whoopsie, apport, \n         speech-dispatcher, telnet, rsh-server, tftp\n\n# workstation\nRemoves: avahi-daemon, cups, whoopsie, apport, \n         telnet, rsh-server, tftp\n\n# enterprise (preserves corporate services)\nRemoves: whoopsie, apport, telnet, rsh-server, tftp\nKeeps: avahi-daemon, cups, bluetooth (corporate compatibility)\n```\n\n### Packages Hardening by Profile\n```bash\n# server/workstation/enterprise (aggressive cleanup)\nRemoves: xinetd, nis, rsh-client, talk, telnet, tftp,\n         rsh-server, telnet-server, tftp-server\n```\n\n## Hardening Control\n\n### Service Hardening\n```bash\n--harden-services              # Enable service hardening (default)\n--no-harden-services           # Skip service hardening\n--harden-services-list \"a,b,c\" # Custom service list (overrides profile)\n--skip-services \"x,y\"          # Remove services from profile list\n```\n\n### Package Hardening\n```bash\n--harden-packages              # Enable package hardening (default)\n--no-harden-packages           # Skip package 
removal\n--harden-packages-list \"a,b,c\" # Custom package list (overrides profile)\n--skip-packages \"x,y\"          # Remove packages from profile list\n```\n\n## Complete Examples\n\n### VPS Production Server (Safe + Secure)\n```bash\n./debian-server-post-install.sh --server-profile prod --ssh-port 2222\n# → Safe network hardening enabled, IPv6/anti-spoofing disabled for compatibility\n```\n\n### High Security Server (Expert)\n```bash\n./debian-server-post-install.sh \\\n  --server-profile hardened \\\n  --no-disable-ipv6 \\\n  --no-disable-antispoofing \\\n  --no-disable-martians-logging \\\n  --ssh-key-only --disable-root-ssh\n# → Maximum network and SSH hardening; confirm key login works first, since this removes the password fallback\n```\n\n### Development Server with Docker CE\n```bash\n./debian-server-post-install.sh \\\n  --server-profile dev \\\n  --docker-type ce \\\n  --install-nerd-fonts \\\n  --no-disable-ipv6\n# → Full development stack with Docker CE\n```\n\n### Enterprise Compliance Server\n```bash\n./debian-server-post-install.sh \\\n  --server-profile default \\\n  --apps-profile enterprise \\\n  --hardening-profile enterprise \\\n  --install-usbguard \\\n  --no-disable-antispoofing\n# → Enterprise compliance tooling with USB security\n```\n\n## Compatibility Notes\n\n### Proxmox/Virtualization\n- **IPv6**: Disabled by default (safe for clustering/VMs)\n- **Anti-spoofing**: Disabled by default (safe for VLANs/bridges)  \n- **Modern Security**: Disabled by default (forwarding=0 breaks VMs)\n- **All other hardening**: Enabled and safe\n\n### Docker/Containers\n- **Modern Security**: NEVER enable (forwarding=0 breaks containers)\n- **Anti-spoofing**: May break complex networking\n- **docker.io vs docker-ce**: Both supported via --docker-type\n- **All other hardening**: Safe and recommended\n\n### VLANs/Complex Networking\n- **Anti-spoofing**: Disabled by default. rp_filter=1 is strict reverse-path filtering: it drops packets whose reply would leave by a different interface, which is exactly what inter-VLAN and asymmetric routing produce. Loose mode (rp_filter=2) is the usual compromise on such hosts, but the flag only sets strict mode.\n- **Connection Limits**: Disabled by default (may limit high-performance routing)\n\n## Configuration Matrix\n\n### 
All Server Profiles Configuration\n\n| Setting | default | prod | dev | minimal | hardened |\n|---------|---------|------|-----|---------|----------|\n| **EDITOR_MODE** | both | both | both | vim | vim |\n| **VIM_PRESET** | minimal | minimal | full | minimal | bare |\n| **FIREWALL** | ufw | nftables | ufw | ufw | nftables |\n| **FIREWALL_PROFILE** | hardened | hardened | transparent | hardened | hardened |\n| **APPS_PROFILE** | server | server | full | minimal | defense |\n| **DOCKER_TYPE** | io | io | io | io | io |\n| **HARDENING_PROFILE** | server | server | server | server | server |\n| **HARDEN_NETWORK** | true | true | false | true | true |\n| **SSH_KEY_ONLY** | false | false | false | false | false |\n| **DISABLE_ROOT_SSH** | false | false | false | false | false |\n| **LOCK_ROOT** | false | false | false | false | false |\n| **INSTALL_USBGUARD** | false | false | false | false | true |\n\n## Advanced Features\n\n### Extra Software\n```bash\n--extras \u003clist\u003e            # Comma-separated extras to install\n  docker                   # Enable Docker installation (use with --docker-type)\n  gh                       # GitHub CLI with official repository\n  hashicorp                # Redirects to apps-profile development+\n  monitoring               # Handled by existing monitoring steps\n  mullvad                  # Use --install-mullvad flag instead\n\n--extra-packages \u003clist\u003e    # Comma-separated APT packages to add\n  htop,bat,exa,fd-find     # Example: modern CLI tools\n\n--install-mullvad          # Mullvad VPN client\n--mullvad-source \u003cmethod\u003e  # Installation method (apt|direct|github)\n```\n\n**Examples:**\n```bash\n# Docker via extras (docker.io by default)\n./script.sh --server-profile default --extras docker\n\n# Docker CE via extras + type specification\n./script.sh --server-profile default --extras docker --docker-type ce\n\n# GitHub CLI + custom packages\n./script.sh --server-profile default --extras gh --extra-packages 
kubectl,helm\n\n# Development with Docker CE + GitHub CLI\n./script.sh --server-profile dev --docker-type ce --extras gh\n```\n\n### Nerd Fonts\n```bash\n--install-nerd-fonts       # Install Nerd Fonts for terminal\n--nerd-fonts-profile \u003cp\u003e   # Font selection profile\n  minimal                  # FiraCode only\n  default                  # FiraCode + JetBrains\n  full                     # FiraCode + JetBrains + Hack + SourceCode\n```\n\n### Step Control\n```bash\n--steps \u003cselection\u003e        # Run specific steps only\n  --steps 1-5              # Run steps 1 through 5\n  --steps 1,3,5            # Run steps 1, 3, and 5\n  --steps 2-8              # Run steps 2 through 8\n```\n\n## Support\n\n- **GitHub Issues**: Report bugs and feature requests\n- **Security**: All defaults are VPS-safe and tested\n- **Primary**: Debian 11/12 Server  \n- **Compatible**: Ubuntu Server 20.04/22.04/24.04  \n- **Ubuntu Desktop**: Use [ubuntu-post-install](https://github.com/franckferman/ubuntu-post-install) instead\n\n---\n\n**Author**: Franck FERMAN  \n**Version**: 2.1.0  \n**License**: MIT","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffranckferman%2Fdebian-server-post-install","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffranckferman%2Fdebian-server-post-install","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffranckferman%2Fdebian-server-post-install/lists"}
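The Kernel Security Hardening and Network Hardening sections of the README list the sysctl settings the script applies but give no way to confirm they took effect or survived a later change. The following POSIX shell is an added example, not code from the project: it renders the README's kernel parameters into a sysctl.d drop-in and checks a `sysctl -a` snapshot for drift. The `NETWORK_SAFE` keys are my assumption of what the four "safe by default" components set (the README names the components, not the keys); `net.ipv4.ip_forward` is deliberately absent because forcing it to 0 is what breaks Docker and Proxmox.

```shell
#!/bin/sh
# Added example, not the project's script: render the README's sysctl
# hardening into a drop-in and report drift against a `sysctl -a` snapshot.
set -eu

# Kernel parameters exactly as the README lists them (key=value per line).
KERNEL_HARDENING='
kernel.dmesg_restrict=1
kernel.kptr_restrict=2
kernel.yama.ptrace_scope=1
kernel.kexec_load_disabled=1
kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2
fs.suid_dumpable=0
fs.protected_hardlinks=1
fs.protected_symlinks=1
fs.protected_fifos=2
fs.protected_regular=2
kernel.randomize_va_space=2
vm.mmap_rnd_bits=32
vm.mmap_rnd_compat_bits=16
'

# Assumed keys behind the four "safe by default" network components; the
# README names the components, not the sysctls. net.ipv4.ip_forward is left
# out on purpose: forcing it to 0 is what breaks Docker and Proxmox.
NETWORK_SAFE='
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_syncookies=1
'

# render_sysctl_conf OUTFILE  (key=value lines on stdin)
# Writes a sysctl.d style file ("key = value"); blank lines are skipped.
render_sysctl_conf() {
  {
    echo '# hardening drop-in (generated)'
    sed -n 's/=/ = /p'
  } > "$1"
}

# check_drift LIVEFILE  (key=value lines on stdin)
# LIVEFILE holds `sysctl -a` output. Prints one DRIFT line per key whose
# live value differs or is absent; the return code is the mismatch count,
# so 0 means every listed setting is in effect.
check_drift() {
  live=$1
  drift=0
  while IFS='=' read -r key want; do
    [ -n "$key" ] || continue
    have=$(awk -v k="$key" '$1 == k && $2 == "=" { print $3; found = 1 }
                            END { if (!found) print "missing" }' "$live")
    if [ "$have" != "$want" ]; then
      echo "DRIFT $key: want $want have $have"
      drift=$((drift + 1))
    fi
  done
  return "$drift"
}

# Usage on a real host:
#   sysctl -a 2>/dev/null > /tmp/live.txt
#   printf '%s\n' "$KERNEL_HARDENING" "$NETWORK_SAFE" | check_drift /tmp/live.txt
```

Run the drift check after every reboot and after any package that ships its own sysctl.d file, since a later file can silently override these values. Two of the listed settings are one-way: `kernel.kexec_load_disabled=1` and `kernel.unprivileged_bpf_disabled=1` cannot be reverted until the next reboot, so try them on a disposable host before putting them in a profile.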
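The SSH Configuration section keeps password and root login enabled so that the first session survives, and leaves `--ssh-key-only` to a later run. The pre-flight check that makes that later run safe is the part a practitioner wants to see, so here it is as an added example, not the project's code: it renders an `sshd_config.d` drop-in from the README's settings (`SSH_PORT`, `SSH_KEY_ONLY`, `DISABLE_ROOT_SSH`, and the `AddressFamily` value that `--ssh-disable-ipv6` / `--ssh-disable-ipv4` select) and refuses key-only mode when the target account has no usable `authorized_keys`. The drop-in path, the function names and the refusal rule are my assumptions.

```shell
#!/bin/sh
# Added example (not the project's script): render an sshd_config.d drop-in
# from the README's SSH settings, with a lockout pre-flight check in front
# of key-only mode. Paths and function names are my assumptions.
set -eu

# has_authorized_keys HOME_DIR : succeed if HOME_DIR/.ssh/authorized_keys
# holds at least one line that is neither blank nor a comment.
has_authorized_keys() {
  keys="$1/.ssh/authorized_keys"
  [ -r "$keys" ] && grep -Eqv '^[[:space:]]*(#|$)' "$keys"
}

# render_sshd_dropin PORT KEY_ONLY DISABLE_ROOT ADDRESS_FAMILY
# KEY_ONLY / DISABLE_ROOT take true|false (README: SSH_KEY_ONLY,
# DISABLE_ROOT_SSH); ADDRESS_FAMILY is any|inet|inet6, i.e. the value
# --ssh-disable-ipv6 / --ssh-disable-ipv4 select.
render_sshd_dropin() {
  port=$1 key_only=$2 disable_root=$3 af=$4
  echo "# generated drop-in: sshd keeps the first value it reads, and Debian"
  echo "# includes sshd_config.d/*.conf before the rest of sshd_config"
  echo "Port $port"
  echo "AddressFamily $af"
  if [ "$key_only" = true ]; then
    echo "PasswordAuthentication no"
    echo "KbdInteractiveAuthentication no"   # closes PAM password prompts too
  else
    echo "PasswordAuthentication yes"        # README VPS-safe default
  fi
  # When root login is kept, emit nothing: Debian's default is
  # prohibit-password, which is stricter than an explicit yes.
  if [ "$disable_root" = true ]; then
    echo "PermitRootLogin no"
  fi
}

# plan_ssh HOME_DIR PORT KEY_ONLY DISABLE_ROOT ADDRESS_FAMILY
# Prints the drop-in, or returns 2 with no output when KEY_ONLY=true and
# HOME_DIR has no usable authorized_keys (the remote lockout case).
plan_ssh() {
  home=$1; shift
  if [ "$2" = true ] && ! has_authorized_keys "$home"; then
    echo "refusing key-only mode: no usable $home/.ssh/authorized_keys" >&2
    return 2
  fi
  render_sshd_dropin "$@"
}

# Usage on a real host (as root):
#   plan_ssh /home/admin 2222 true true inet > /etc/ssh/sshd_config.d/10-hardening.conf
#   sshd -t && systemctl reload ssh
```

After writing the file, run `sshd -t`, reload, and open a second SSH session before closing the one you are in. The check only looks at one account's `authorized_keys`; if you also pass `--disable-root-ssh`, that account must be the one you will log in with, and it needs working sudo.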
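The Firewall Configuration section describes the `hardened` profile only as drop all incoming, allow outgoing and established. For readers picking `nftables` (the `prod` and `hardened` server profiles), this added example shows what such a ruleset looks like with SSH opened on the `--ssh-port` value; it is not the project's firewall code, and the table name, the ICMP allowances, the SSH rate limit and the forward-chain policy are my assumptions.

```shell
#!/bin/sh
# Added example (not the project's firewall code): an nftables ruleset for a
# "drop all incoming, allow outgoing + established" policy with SSH opened
# on a chosen port. Table name, ICMP allowances and rate limit are my choices.
set -eu

# render_nft_hardened SSH_PORT ALLOW_SSH(true|false) : print a ruleset for
# `nft -f`. Run `nft -c -f rules.nft` first to syntax-check before loading.
render_nft_hardened() {
  ssh_port=$1 allow_ssh=$2
  cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    # keep PMTU discovery and IPv6 neighbour discovery working
    ip protocol icmp icmp type { echo-request, destination-unreachable, time-exceeded, parameter-problem } accept
    ip6 nexthdr icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
EOF
  if [ "$allow_ssh" = true ]; then
    cat <<EOF
    # new SSH connections, rate limited (global) to blunt brute force
    tcp dport $ssh_port ct state new limit rate 10/minute burst 20 packets accept
EOF
  fi
  cat <<EOF
  }
  # forward: drop is right for the hardened profile (no Docker). On a Docker
  # host keep this chain at policy accept, or container traffic is dropped
  # here before Docker's own rules matter.
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# Usage on a real host (as root):
#   render_nft_hardened 2222 true > /etc/nftables.conf
#   nft -c -f /etc/nftables.conf && nft -f /etc/nftables.conf
```

Load the ruleset from the console or a session you can afford to lose, and with a new SSH port make sure the `tcp dport` rule lists the same port sshd is about to listen on; the README's `--ssh-port 2222` example only works if both sides agree.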