1. Introduction

by Double Bastion - Updated February 6, 2023

We define a complete Linux server as ‘the server equipped with all the software needed for the common digital activities of a small business’. A complete guide to installing such a server would be a guide that doesn’t leave the reader with a half usable server, with the suggestion to search for further documentation. This server could also provide the digital infrastructure for all the common digital activities of a nonprofit organization or private individual, but to be considered complete, at the very least, a Linux server has to be equipped with everything that is needed for the common task of running the day-to-day digital activities of a small company.

The setup explained in this guide is intended to be used on a VPS or dedicated server. All the applications described here are free and open source software (FOSS) and anyone can download them from their respective official websites/repositories; in addition, they are all gratis.

This is a detailed, command-by-command guide that we will keep up-to-date. If you intend to apply its instructions, please read all the details carefully. A single overlooked detail can cause serious problems: you may waste time trying to find out why things don’t work as expected, or worse, you may create security vulnerabilities that can compromise the whole system.

This guide is meant to be read and followed in its entirety because the settings described in one chapter generally depend upon those presented in previous chapters. If you decide to apply only a part of this guide, you take on a risk. This guide wasn’t designed as a sum of independent parts, but as a whole, in which the installation of an individual application is often connected to that of others.

You can install the whole suite of programs described in this guide on a $10/month VPS (e.g. Linode’s 1 CPU core, 2 GB RAM, 50 GB SSD VPS).

1.1. Purpose

The purpose is digital freedom. Digital freedom includes being able to use web services as freely as possible. This entails being able to offer yourself, either as a small business owner, a nonprofit organization leader or a private individual, all the web services that different companies would offer you in exchange for money or for your personal data, or both. These services are: website hosting services (this includes an e-commerce platform and a forum CMS), web traffic monitoring services, Enterprise Resource Planning (ERP) and Customer Relationship Management (CRM) services, email hosting services, mailing list management services, file sync and share services, web-based collaborative document editing services, web video/audio/text communication services, PBX services, web SMS and fax services, decentralized social network services, system security services, VPN services, data backup services and a few other related services. To offer yourself all these services you have to install a set of programs on a server that you control. These programs should be free and open source software (FOSS), otherwise you will be bound by the license terms of proprietary software and you won’t be free to use them as you wish. ‘Free and open source software’ means software that qualifies as both ‘free software’ and ‘open source software’. Broadly speaking, this means software that you can do anything you want with, except change the software’s author. The term ‘free’ in ‘free and open source software’ refers to the freedom that these programs allow you to have when using them, not to the fact that they are free of charge. The fact that many ‘free and open source software’ applications (but not all) are free of charge has nothing to do with the word ‘free’ in ‘free and open source software’.
When you download a FOSS program you can see its source code, you can modify it, you can install it on as many computers as you like, you can give it to your friends etc., so you are free to do basically anything you want. With proprietary software you can’t legally do these things because the license forbids it.

1.2. Target reader

This guide is dedicated to any small business owner, nonprofit organization leader or private individual who cares about freedom and is familiar with Linux. To install and maintain your own server takes some effort, but if you have the right documentation it’s not as difficult as most people think. If you are a beginner, you can take a look at this list of Linux commands which are, in broad lines, all you need to know in order to start maintaining a Debian server.

If you are a small business owner, nonprofit organization leader or private individual and you don’t have the Linux knowledge or the time to install and maintain the applications described in this guide, you can still benefit from it by having a company specialized in remote system administration do the installation and maintenance for you at very reasonable monthly prices. There are even companies that offer software installation, maintenance and hosting; therefore, they can install and maintain the suite for you and also host it. You can even use the services of a freelance system administrator for installation and maintenance, at even lower prices. The key point is that all the companies and freelancers that we recommend on www.doublebastion.com will sign a contract that will give you the guarantee of real control over the server, in the form of root access and the permission to modify or delete anything at any moment, after sending a formal request to the maintainer.

1.3. Control and privacy

Having servers that you fully control, and thus having total control over your server-side computing, would involve buying servers and placing them inside your physical office or house. Having servers at your location and maintaining them may seem very hard, but in reality, if you have general Linux administration knowledge, if you have the time and you know the optimal way to do it, it’s not very difficult. In a future article we’ll explain how to install your own server cluster and host it in your own office/house, so that you can have the maximum control possible over your server-side computing, but in this guide we’ll describe the simplest acceptable alternative: to rent a VPS, cloud server or dedicated server from a trustworthy hosting company (a company that is likely to respect your privacy), and then install and maintain all the needed applications. After all, even if you want to manage your own servers at your location, if you don’t have the financial means for the investment in hardware, or you don’t have 2 good quality Internet connections, or you don’t have the physical space to host the servers, or you travel frequently, you will still have to look for an alternative way to host your applications. As mentioned, the best acceptable alternative is to rent a VPS, cloud server or dedicated server from a trustworthy hosting company and install and maintain all the applications by yourself, or have a company/freelancer install and maintain them, while giving you real control over the server in the form of root access at your request and the permission to modify or delete anything.

One might ask what kind of privacy and control over your data you can have if you rent a VPS on a physical server located in the data center of a hosting company. The truth is that if you rent such a VPS or cloud server or dedicated server from a hosting company that is not one of the giants of the tech industry (a company that only offers hosting services and not other services such as search engines, interactive maps, email accounts, video hosting, online file storage, social media applications, etc.), you have every chance of doing your computing in privacy, on the condition that you configure and secure your server properly. If, on the contrary, you rent a server from one of the big tech companies, even if they won’t copy your data or spy on your data traffic, you will be helping them with your money to implement all their other services that do spy on their users.

When choosing the hosting company you want to work with, always keep in mind that the giant tech companies are by definition not trustworthy as hosting providers (and in all other respects). If you entrust all your sensitive data and digital life to the giants of the tech industry, you ought to remember that they have well known interactions with the government and secret services, they have a much higher number of employees (some of whom can misuse clients’ data) and they are the target of cyber attacks much more often than small hosting companies (it is a known fact that many of these attacks actually succeeded and the private details of thousands of companies and individuals were compromised).

Excellent hosting in terms of uptime, reliability, connection speed and very low prices is offered by linode.com. The quality of their services is the only reason for mentioning them. Double Bastion has no affiliation with Linode LLC. We should add that there are indeed other companies with similar services and prices.

Here we explain in detail what free and open source software (FOSS) is and why this is the only type of software that can offer you real control over your computing and real digital privacy.

1.4. Completeness

This guide was written as a reaction against all the guides that describe how to install just a small part of a usable system. For example: there are many guides explaining how to install and configure a web server stack, such as the LEMP stack (Linux, Nginx, MySQL/MariaDB, PHP). And that’s it. As if, after installing a LEMP stack, you have everything you need to go on with your digital life. But what about a web traffic monitoring tool? What about an intrusion prevention application? What about a backup system? How should I go about installing them? Can you really use a web server without a backup system? Or without an intrusion prevention application, or blindly, without a traffic monitoring tool? Should I just install a LEMP stack and for the rest search for paid proprietary applications, or ‘software as a service’?

So, if you described how to install a LEMP stack, then also please explain how to install a web traffic monitoring tool and an intrusion prevention application and a backup system, etc., because I also need those. Don’t leave me half way to the destination. Indeed, in general it’s better to find something on a topic rather than nothing, but you soon become tired of finding only incomplete information, on any topic. There is also another problem: can you really run a business without sending and receiving emails? So, I should also know how to install a robust and secure mail server. Can you run a business without an ERP/CRM application? Even if at the beginning you may think that you can do without it, when the business gains momentum you will find that an ERP/CRM application is really necessary. This reasoning can be applied to all the applications described in this guide: even if they may not seem necessary when you start a business, after a while you realize that in fact they are.

We already know the objections to this way of thinking: every business conducts specific activities and has specific needs, therefore you can’t determine a list of ‘common digital activities’, and you can’t cover all the needs of real small businesses with some set of applications. This is completely false. Today, all small companies, in all economic sectors, perform some specific, predictable digital activities and therefore, you can say that they have some ‘common digital needs/requirements’, namely: the need to operate a few websites, including at least one online store, the need to send and receive emails, the need to manage mailing lists and send periodic mass emails to subscribers, the need to issue invoices and keep the inventory of products, the need to manage business contacts and do elementary accounting, the need to share files between team members, the need to simultaneously edit shared online files, the need to have text, audio or video conversations (including video conferences) with their team members or with customers, the need to have cheap VoIP phone conversations and professional voice menus (IVR), the need to send and receive SMS messages and faxes, the need to see web traffic statistics, the need to regularly back up all the important data, the need to secure the server and all the applications running on it, and a few other related needs, such as the need to have an email anti-virus, an anti-spam solution, etc. A nonprofit organization or a private individual will have almost the same needs, so the setup described in this guide will apply equally to small businesses, nonprofit organizations and individuals. The only difference when it comes to nonprofits or private individuals can be the fact that they may not need an ERP/CRM application used for invoicing, elementary accounting and stock management, and they may not need mailing list and mass email management software, or a fax and SMS application.

1.5. The ‘FOSS CRIMS’ business model

All software companies should earn their money by selling free and open source software and not by selling programs burdened with restrictions, while keeping their source code secret. To be more specific, the only beneficial to society and ethically acceptable means to earn money as a software company would be:

  • to create FOSS programs (either as software for the mass market or as custom-made software).
  • to modify already existing FOSS programs (this can be considered a type of software ‘re-creation’).
  • to install FOSS programs (this includes program configuration).
  • to maintain FOSS programs (by providing periodic updates, upgrades and/or performing any activities necessary for the correct functioning of those programs, such as running scripts to clean directories, doing security checks etc.).
  • to offer technical support for FOSS programs (by solving errors or unexpected behavior, optimizing resource usage, instructing the users on how to use the programs, etc. Consulting services, training courses and seminars/webinars can also be assimilated to technical support).

Donations and sponsorships, which can be an important source of funding for free and open source software projects, can be considered a type of voluntary payment for software ‘creation’ or ‘re-creation’.

We’ll call this model the ‘FOSS CRIMS’ business model (which stands for free and open source software creation, re-creation (modification), installation, maintenance and support). Indeed, we consider this to be the only ethically acceptable business model for software companies.

1.6. Remote Free Software Under Your Control (RFSUYC)

Please note that ‘software as a service’ (SAAS) was left out of the list of ethically acceptable means to earn money as a software company. Software as a service, in the common meaning of the term, where the client doesn’t have access to the underlying server(s) and can only use the services offered by the software company that controls all the software installed on their server(s), is not an acceptable business model. This model gives total control over the client’s data to the software company offering the service. If a company offers a sort of ‘software as a service’ in which all the programs installed on the server(s) are free and open source software, in which the client can obtain root access to the underlying server(s) after asking for it, at any moment, and can install or uninstall the programs that run on the server(s), can upgrade them, replace them, or even delete them entirely together with all the stored data, that is acceptable, but in that case it should bear a different name, because it’s not typical ‘software as a service’ (SAAS). That should be called ‘remote free software under your control’ (RFSUYC).

To clarify: a company/freelancer offers RFSUYC services if:

  • it maintains all the applications installed on the server(s).

  • all the applications that run on the server(s) are free and open source software.

  • the company/freelancer signs a contract by which they give their client (legal person or natural person), at the client’s express request, which can be made at any moment, root access to the server(s) and the permission to modify or delete anything on the server(s).

  • the company/freelancer hosts all the applications on their own server(s), or on the server(s) of a third party.

To clarify things even further: if a client signs a RFSUYC contract with a company and after a period of time he decides that he wants to see what is really going on on the server and delete some sensitive information stored on the server, or replace an application, or modify or delete anything on the server, he can send a written formal request to the company, in the form of an email or in another form, and then, in compliance with the contract, the company has to send the client the root password and the SSH connection details, so that the client can connect to the server with full root privileges and perform any actions he sees fit. Obviously, at that moment, since the company offering the RFSUYC services can realize that the server has become too difficult or impossible to maintain, or open to security threats because of the changes introduced by the client, the company has the right to terminate the contract and let the client maintain the server by himself or entrust the maintenance to a different company. Thus, the contract must contain a clause in which the company that offers RFSUYC services reserves the right to terminate the contract if, after passing control over the server to the client, it detects that the client performed, knowingly or unknowingly, some modifications that created security vulnerabilities or rendered the server too difficult or impossible to maintain.

If, on the contrary, when the client finishes making modifications and attempts to pass control over the server to the company, the company reviews the software installed on the server and decides that the client didn’t make any modifications that would render the server unmaintainable, too difficult to maintain, or open to security threats, the company can resume maintaining the server (after changing the root password, to make sure they are the only entity with root access to the server), complying with the terms of the same contract as before.

It’s important to note that although the installation and technical support services for the applications installed on the server are typically offered by the same company (or freelancer) that maintains the server, there may be exceptional cases in which the installation and technical support are offered by one company and the maintenance is done by another company. This makes the RFSUYC scenario very flexible and gives the client even more freedom. If, after the installation of all the applications, he has any reasons for discontent, he can terminate the contract with the company or freelancer that installed the software (after paying for the services he received) and sign another contract with a different company, for server maintenance. Also, if the client has special technical support requirements, he can sign another contract for technical support regarding one specific application or for multiple applications, with a different company than the one performing the server maintenance. This is why, in addition to the contract, a company or freelancer offering RFSUYC services also has to sign a Service Level Agreement (SLA) with the client, in order to clearly define what services they will be offering.

Please note that when a company offers RFSUYC services to their clients, these are different from the so-called ‘Infrastructure as a Service’ (IAAS) services, because the company offering the IAAS services gives you access to the operating system running on the server but it doesn’t install and maintain the applications for you: you have to install and maintain them by yourself, whereas a company offering RFSUYC services offers installation and maintenance services for all the applications running on the server, from the operating system up to each and every application. Sometimes this company is different from the hosting company, sometimes it is one and the same. The key point is that with RFSUYC services you maintain real control over your server-side computing by being able to obtain root access to the server at any moment and being allowed to modify or delete anything that is installed or stored on the server.

A company offering RFSUYC services also does something different from the so-called ‘Platform as a Service’ (PAAS). In a PAAS situation, the company offering such services installs and maintains only the software layer necessary to run your applications, such as the operating system, the programming language interpreter, the database management system, the web server, etc., but it doesn’t install and maintain your actual web applications: you have to install and maintain them by yourself, whereas a company offering RFSUYC services, as mentioned, does the installation and maintenance for all the applications running on the server while giving you real control over your computing and data, in the form of root access and the permission to modify or delete anything, at your request.

The type of control that the RFSUYC services give clients is fundamentally different from what the ‘software as a service’ (SAAS) scenario involves. Not to mention that when you use RFSUYC services, you can always encrypt all the sensitive information that you keep on the remote server.

1.7. Earning money using the FOSS CRIMS business model

It has been argued again and again that developing and selling free and open source software and associated services is not a viable business model because once bought, the programs can be freely distributed to other users who will not become buyers, etc.

Indeed, selling programs under free and open source software licenses, which give buyers the right to distribute the software, will not make as much money as when the programs are sold under proprietary software licenses, at least in the short term. But to say that free and open source programs cannot be sold is totally false, and it has been proven false by facts.

Programs are becoming more and more capable. This has a good side and a bad side. The good side is that they are becoming more and more capable. The bad side is that they are becoming more and more complex. Since they are increasingly complex, the need for technical support associated with them gets higher and higher. If proprietary software companies make a lot of money by selling technical support, then so can FOSS companies. This is also a proven fact. There are companies that made large profits selling technical support associated with FOSS programs. Please remember that in ‘technical support’ we included all the activities related to the problems that can arise when using the software (solving errors or unexpected behavior, optimizing resource usage, etc.), and also all the activities related to instructing the customers on how to use the programs (consulting services, training courses, seminars/webinars, etc.)

There are many companies that are willing to pay for custom made FOSS programs or for technical support related to FOSS programs. This is true for companies in the financial, legal or health sector, where business or personal data protection has a high priority (here FOSS programs, whose source code is available, can be trusted much more than proprietary programs with secret source code, since you don’t know if proprietary programs are really secure, or if they are sending sensitive data to some central server over the Internet) but also in other areas such as engineering, real estate, etc. Thus, developing and selling FOSS programs or related installation, maintenance and technical support services is a valid business model for any company that wants to earn money while respecting the user’s freedom.

Therefore, although a company selling proprietary software can earn more money, while doing harm to society by depriving the end users of essential freedoms, a company selling good FOSS programs and associated services can also earn money, while respecting the end users and contributing to the community. The demand for FOSS programs gets higher and higher every year. Many companies involved in developing FOSS programs or related services succeeded and many more will follow.

1.8. Dispersed, Incomplete and Incorrect Documentation Hell (DIIDH)


When you search for online information on installing different applications on a Linux server, you soon realize that it’s quite difficult to find a website with complete and correct instructions. The big problem is that technical information on a particular topic is not only scattered on many websites, but that it is almost always incomplete and even incorrect or outdated. One can say that the Internet of technical articles has become a Dispersed, Incomplete and Incorrect Documentation Hell (DIIDH).

You can also say that the Internet as a whole has become the homeland of misleading information. This is the by-product of the universal access to Internet publishing, which is in itself a very good thing. It just means that when you want to find correct information on a topic, you should take advice such as “Just search for it on the Internet!” with a grain of salt.

On the Internet there is as much misguidance as there is guidance, on any topic. It’s hard to find elsewhere so much misleading information intermingled with correct advice. Anyone who tried to achieve something useful by reading articles on various websites will understand this. This guide was written as a reaction against DIIDH.

It’s also true that a few free and open source software applications have extensive and correct documentation which can be found in one place, on their official website. Yet, in these rare cases we have another problem: the documentation takes into consideration so many possible scenarios, and is so detailed, that it becomes almost unreadable. Indeed, such extensive documentation is necessary and we think that every FOSS project should have it, but since the vast majority of users only need a fraction of the information presented in such documentation, there should be two types of documentation: one extensive documentation, with all the details one might ever need, and one abridged documentation of only a few pages, for all those who just want a solid starting point, which means a simple configuration that would work in a common scenario, for common tasks. And once the users have a simple working configuration, they can start to improve and refine it, if they need, by reading the more detailed documentation. Why should a user read 500 pages about intricate configurations, if he only needs to install a program with the default settings, to perform common simple tasks? Too much is as bad as too little. The proof that a project can publish both an extensive documentation and an abridged one treating a simple general case is Dovecot’s documentation. The quick configuration page is here.

1.9. Minimal Solid Starting Point (MSSP)


This guide is designed to provide a Minimal Solid Starting Point (MSSP) to any small business, nonprofit organization or private individual.

  • a ‘starting point’ means that anyone using the software suite described in this guide will have the digital infrastructure to start doing all the common digital activities of a small business, nonprofit organization or private individual. This guide will not present a theoretical setup for a theoretical use case, that will end up being useless in real life. A ‘starting point’ also means that the suite can be further extended and enriched, by adding other optimal FOSS applications, if needed.
  • ‘solid’ means that the setup described in this guide is really robust, efficient and secure.
  • ‘minimal’ means that this setup has the least number of programs possible, to be a complete and effective setup.

1.10. The best software solution


In general, when they hear about ‘the best application’ in a computing field, people get irritated. ‘What is the best for you may not be the best for me’, they say, or ‘“the best” is a subjective concept, you can’t base it on objective factors’.

The definition of the best application in a specific computing field would be the following: the best application is the one that offers the most while asking for the least. For example, if two office suites offer the same general functionality and performance but one requires you to pay in order to use it and restricts you from installing it on as many computers as you like or giving it to other users, while the other is gratis and doesn’t restrict you from installing it on multiple computers or giving it to whomever you want, this means that the second office suite is better, since it offers the same functionality but asks for much less. And if this second one is the richest in features, has the largest developer community, offers the best performance, etc., among all similar free and open source software alternatives, this means it’s the best office suite available. This way of thinking is objective enough. It may seem that the concept of ‘the same general functionality’ is not that clear, but if you take a closer look you will find that even the general functionality of an office suite can be objectively assessed by making a list of features that the applications that make up the suites must have and deciding if both suites offer them. Also, comparing the performance of the two sets of applications is not as difficult and subjective as it seems. If two corresponding components of the two office suites are tested for the same computing task, using the same type of hardware, it’s quite easy to see how they use the CPU, the RAM, how fast they finish the task, if there are errors, etc.

This reasoning can also be applied when comparing two applications that are both free and open source software: if Apache is as free as Nginx and does all that Nginx does, but it uses much more RAM (even around 100 times more RAM in certain situations), this simply means that Nginx is better (let alone the fact that, as tests proved, Nginx is much better in dealing with large numbers of simultaneous requests). So, when a program in a certain computing field gives you good performance but asks you for more memory than another program with equally good performance, this means it asks for more in order to offer you the same thing, therefore, the one that asks for less is better. And if it’s better than all similar programs, it means it’s the best application.

Obviously, when comparing programs, you shouldn’t consider only the general performance and the RAM or CPU usage. There are other factors that have to be taken into account, to make a valid, objective comparison. The main factors that determine the quality of a program and that you will have to consider when comparing programs in the same computing field are:

  1. respect for user freedom
  2. performance
  3. security
  4. functional features
  5. hardware resource usage
  6. ease of use
  7. large developer community and large user community (this determines the availability of companies or independent developers that can be hired to develop custom features, plugins, etc. and the availability of ‘community support’ on forums, mailing lists, etc.)
  8. large number of plugins/modules/apps (such as WordPress plugins, Nextcloud apps, etc.), if it’s the case
  9. robust, efficient, time-tested, easy to use and popular programming language
  10. clear and complete documentation

It’s important to note that the respect for user freedom is the first quality that a good program should have. It’s the sine qua non quality. Without it, no program should be considered good, no matter what technical qualities it may have. In other words, if a program is free and open source software and has decent technical qualities, it is by far better than a proprietary program with outstanding technical qualities that takes away your freedom when using it. This is not to say that programs are good just because they are free and open source. The other 9 qualities listed above are also very important, but the first quality that should be considered when analyzing a program to see if it’s the best in a computing field, is the respect for your freedom.

So, taking into account all the factors mentioned above, we can say that there is truly an objective way to establish which is the best application in a particular computing field: the best application is the one that offers the most while asking for the least.

Please note that the 10 factors listed above also have a direct impact on the degree of freedom a user has when using an application. For example: if an application offers a collection of 100 plugins that the user can choose from, while a different similar application has a collection of 10,000 plugins, it’s clear that the second application offers a higher degree of freedom, since users can choose from a much higher number of available plugins. Also, if an application has a developer community of about 50 developers and a similar application has a developer community of 5,000 developers, it’s quite clear that while using the second application, a user has a higher degree of freedom when (s)he searches for developers to hire to implement some custom features, etc. Similarly, a popular programming language offers users a higher degree of freedom when they search for companies or independent developers to hire.

From a financial point of view, it’s quite obvious that between a program that is good and costs $20, and another program that is equally good and costs $10, the latter is better, since it offers the same quality while asking for less.

Also, if an application has high technical qualities but is difficult to install, configure and use and has incomplete and unclear documentation, so that it offers good functionality only in exchange for a substantial effort to read the poor documentation, install the application and experiment with different settings to discover the proper configuration, while another similar application also has high technical qualities but is simpler to install, configure and use and has complete and clear documentation, it becomes quite clear that the second one is better.

Please note the following nuance: even if in a particular exceptional situation, the application that is objectively ‘the best’ may not be the most proper choice, for certain concrete reasons, it will still retain its objective quality of ‘the best’. Although in certain rare situations, from a subjective point of view the best application may not be the best, it will still remain the best from an objective point of view because when you analyze what it offers and what it asks for, you understand that from all the possible alternatives, it’s the one that offers the most while asking for the least, in the majority of use cases. For example: let’s suppose you get hired as a system administrator by a company that offers remote system administration services and you are assigned a project where you have to solve some urgent web server errors for a client involved in web hosting. Let’s suppose that the client has some financial difficulties, that they are on a tight schedule to deliver some services to their own clients, that they use Apache as their only web server, and that they have been using it for a long time and they have no experience with Nginx. In this specific situation, although you know that Nginx is much better than Apache, you won’t try to convince the client to replace Apache with Nginx, because this would involve an expertise that they don’t have, time resources that they don’t have and additional expenditure that they can’t make at that moment. So, although Nginx is much better than Apache, and indeed it’s the best web server available, in that particular situation, the client should continue to use Apache, therefore, subjectively Apache is better. In that particular situation, Apache is subjectively ‘the best solution’, while Nginx maintains its objective quality of ‘the best solution’, because in the majority of use cases it offers the most while asking for the least.

The essence of this guide is that it was conceived to offer not just a solution among others, but the best solution to the common digital needs of a small business, nonprofit organization or private individual.

1.10.1. Software choice

We won’t discuss in detail the reasons behind the software choices that we made because we don’t have the space here. We will just point out that we chose from a wide variety of FOSS options basing our decisions on the following principles that we consider of utmost importance: a program is not good just because it’s free and open source software; it also has to be very efficient, stable, secure, flexible, easy to use, with an extensive set of features, with numerous plugins/modules (if it’s the case), with good documentation, written in a robust, efficient, popular programming language, it has to have a wide community of users and most importantly, a wide community of developers constantly working on improving it and strictly adhering to the ethical imperative of user freedom.

If you tend to think that all FOSS projects are inherently good and once they are started, they keep following the right track regardless of the developers working on them and regardless of their principles, please look for the reasons why these three big projects were forked: OpenOffice > LibreOffice, ownCloud > Nextcloud, Piwik > Matomo.

It cost us a lot of time to research or test many applications having the reputation of ‘the best’ only to find that there were other options that were far better. So, we chose Debian instead of Ubuntu or CentOS, Nginx instead of Apache, WordPress instead of Drupal or Joomla, Postfix instead of Exim, Dovecot instead of Courier or Cyrus, SpamAssassin instead of Rspamd, Roundcube instead of Sogo or Horde, Dolibarr instead of Odoo, Nextcloud instead of ownCloud, Collabora Online instead of Only Office, MyBB instead of Discourse or phpBB, Asterisk instead of Freeswitch, Friendica instead of Mastodon or diaspora, etc.

It’s also important to note that all the applications that make up the software suite presented in this guide were chosen so that they are backed by companies dedicated to the free software philosophy or by strong communities of independent developers. They were also chosen in such a way that they make up the leanest and most efficient set possible. For example, if we had chosen Apache instead of Nginx, we probably couldn’t have hosted even half of the applications hosted with Nginx on a $10/month VPS, because of the drastically higher RAM usage of Apache and because of its inferior performance when dealing with large numbers of simultaneous requests. If we had chosen Odoo as an ERP and CRM application instead of Dolibarr, we would have had to install three additional components (PostgreSQL, PgBouncer, phpPgAdmin), thus complicating the setup, burdening the server and causing many difficulties during software upgrades, not to mention the painfully slow performance of Odoo (in spite of all the speed optimization measures), and the questionable FOSS principles followed by the Odoo development process. We successfully excluded Amavis and the caching proxy Varnish from this setup, with the same goal of achieving the leanest and most efficient set of applications possible. FastCGI cache makes Varnish superfluous and Amavis can be successfully excluded by connecting SpamAssassin and ClamAV directly to the mail server. We also managed to keep Docker out of this software suite. Docker is always to be avoided when trying to achieve maximum performance while using the least amount of RAM and CPU power. Using Docker to simplify things, one can end up actually complicating them.

1.10.2. Debian – the foundation of reliable web services


First of all we should dismantle the notorious myth that Debian is a hard-to-install-just-for-experts-with-obsolete-packages-only-for-servers-Linux-distribution.

Debian is really easy to install, both on the server and on the laptop/desktop. If you rent a VPS or dedicated server, it will usually come with the latest version of Debian preinstalled.

If you want to install it on your laptop/desktop, you should know that it may have been difficult to install Debian in 1993, when it was first released, but now it’s not. If you use the graphical installer, it will be at least as easy as other popular Linux distributions.

Debian doesn’t have old or obsolete packages, it just has well tested software packages. Obviously, testing takes some time. Since stability is among the most important qualities of a reliable operating system, we don’t think that you would prefer an operating system with the newest software packages that would make the computer freeze frequently, so that it would need to be restarted. Also, if a newer version of a package is really needed, you can always install it from the backports repository or directly from source.

Even the release frequency of about 2 years for new Debian versions proves that the software version problem has been thought about carefully and that you will never risk having packages that are too old if you update your server/laptop/desktop regularly.

Debian is an excellent operating system not only for any type of server but also for desktops and laptops, if you know what desktop environment to install (read Mate) and if you know how to configure it after installation. You’ll find that Debian can also be installed on small single-board computers (like PINE A64-LTS) and even on some tablets (like PineTab) and mobile phones (like PinePhone). So, Debian truly deserves to be called a ‘universal operating system’.

We chose Debian as the foundation for the software suite that we describe in this guide because it’s the best Linux distribution of all, due to its performance, stability, large number of software packages, well-thought-out package management system and developer community dedicated to the free software philosophy.

1.10.3. The mirage of new programming languages, frameworks and applications


It’s true that in many cases newer means better: a new coat is better than an old coat. Yet, people tend to extend this reasoning to all situations: a new year is better than the one that just ended just because it is a new year, a new movie is better than well-known movies just because it is new, a new fashion trend is better just because it is new, etc. In the software world the ‘newer means better’ principle is also applied indiscriminately. Much too often, programmers tend to think that new programming languages/frameworks/applications are better than the well-known ones just because they are new. Nothing can be further from the truth. Unfortunately, if they are enthusiastic enough, these programmers manage to draw many of their colleagues into their illusion. Once a few companies adopt the “better” new programming language/framework/application, the snowball starts rolling: hundreds or even thousands of other companies and programmers start to adopt the new thing for fear of being left behind and losing a competitive edge. In a short time, no one dares to even question the efficiency of the new programming language/framework/application, the soundness of its structure, if it really brings more advantages than disadvantages, if it doesn’t complicate things more than it simplifies them, etc. People adopt it frenetically, without thinking for a second about the fundamental principles on which it was built.

Usually only after many years, the structural deficiencies, the inaccuracy of the core principles that gave birth to that programming language/framework/application, become obvious enough that the majority of programmers and companies start to acknowledge that it was not what they were expecting and therefore they begin to look for alternatives. This means a lot of wasted time and money.

So, after the hype of the new “revolutionary” technology passes and the structural defects of the new programming language/framework/application become obvious, programmers begin to understand that they have been misled and begin looking in other directions. Unfortunately, the majority of these programmers that ‘go with the flow’ never seem to find the way to the best programming language/framework/application for a specific task, because the idea of ‘newer is better’ is so deeply rooted in their minds that they can’t conceive that a 25-year-old programming language is actually the best tool in a specific computing field. Thus, their next step is to follow the next “revolutionary” technology and embark on a new illusion, wasting even more years.

Just keep in mind: in the software world, newer doesn’t necessarily mean better. Even if a programming language/framework/application is adopted by numerous companies, it has to offer real advantages over the existing alternatives to deserve to be considered better. This is also true for Linux distributions.

1.11. Minimum system requirements

A VPS with 1 core CPU, 2 GB of RAM, 40 GB of SSD space, and a minimal Debian 11 64-bit installed, will be enough for the setup described in this guide. These resources would be sufficient for hosting about 5 HTTPS WordPress websites, having a few thousand visits per day, plus a mail server receiving and sending up to a few thousand emails per day, plus a mailing list manager with thousands of subscribers, plus a file sync and share application with web-based collaborative document editing and up to 50 simultaneously connected users, plus an ERP application connected to a WooCommerce shop, with around 10 simultaneously connected users, plus an FTP server, plus a VPN server, plus a web traffic monitoring application, plus an intrusion prevention application, plus a decentralized social network server with up to 50 simultaneously connected users, plus an Asterisk server, plus a browser phone, plus an admin panel, plus a backup manager, plus a few other things that are presented further down below in this introduction.

Of course these VPS specifications are intended for a small company where not all the 50 employees are simultaneously logged in to file sharing, to the ERP application, to the admin area of WordPress websites, editing content, etc. If you have a company with 50 employees and you think that all the employees will use all the applications simultaneously all the time, or if you plan to host about 5 websites with high traffic, such as tens of thousands of visits per day, then it’s better to consider a VPS with higher specifications, namely with a minimum of 2 CPU cores, 4 GB of RAM and 60 GB SSD.

For setups where one or more websites have very high traffic (such as hundreds of thousands or millions of visits per day), or where the other applications installed on the server are constantly accessed by a large number of users, you can consider renting a VPS with even higher specifications, a cloud server or even a dedicated server.

Please note that if you want to install the DNS server BIND, which is an optional component, you will need a second VPS, because a DNS server has to be installed on 2 or more different servers (although, in principle, you can install BIND on just one server).

We already mentioned that excellent hosting at very low prices is offered by linode.com. We also mentioned that Double Bastion has no affiliation with Linode LLC. There are also other companies that offer similar services at similar prices, but you should choose very carefully since each hosting company presents itself as ideal, but when you sign up for a hosting account with such a company you may find that they are impossible to work with and you will have to waste hours of work and money to move to a different hosting provider.

To apply the instructions in this guide, you’ll also need at least one domain name. The best place to buy a domain name (cheap and trustworthy) is namecheap.com. Double Bastion has no affiliation with Namecheap, Inc. either.

1.12. Possible objections

One can ask if using a server administration panel such as Vesta or Virtualmin wouldn’t have been a good idea, so as to avoid doing all the configurations manually on the command line. The answer is that for a small company, a nonprofit organization or for a private individual, it’s better to install, configure and maintain the server by using the command line only. A panel would consume a portion of the RAM and CPU power, and would bring in an additional component to maintain, with additional potential problems and bugs. It won’t allow total transparency and flexibility, as compared to manual configuration on the command line. So, it’s simply not worth using one. Of course, in other scenarios, where you have to install and maintain hundreds of websites, etc., an administration panel may make sense, but for the scenario that this guide is written for, namely a small business, a nonprofit organization or a private individual trying to be as free and autonomous as possible, the command line is more than enough and it offers a lot of advantages: it gives the user total control over all the aspects of the server and installed applications, it lets the user know exactly what they are doing, what files are placed where, it spares the server’s RAM and CPU, it doesn’t create any additional potential security vulnerabilities, it gives the user the opportunity to learn important file locations, etc.

Someone may also ask if a large script that automatically installs all the applications described in this guide wouldn’t be desirable. The answer is no. Apart from being almost impossible to write, such a script would be worse than the manual installation of programs because, unless you study it carefully line by line, once it runs and installs everything, you won’t be able to know what it did and how it did it. The key concept is control. You can’t have real control over a server if you don’t know precisely what was installed, and with what specific settings, so that you will be able to uninstall, reinstall and configure each of those applications again in the future, if necessary.

Reading about the various applications presented in this guide, some readers may think that a single large application that would cumulate the functions of all the individual applications could be desirable and a potential future goal for capable developers. This again is a bad idea. One of the main features of a reliable and flexible software system is modularity. This is valid both at the level of individual applications and at the level of application suites. Modularity means that distinct functions of an application/application suite are implemented by different modules, so that the admins can enable/disable the modules at will when they need/don’t need them, so that the inclusion/exclusion of one function can be done independently of the other functions, and in the situation when one module fails, the others will continue to work. Therefore, although modularity creates the challenge of communication between different applications, it offers overwhelming advantages, and in the setup that we describe in this guide it becomes even more important, since we need to be able to easily replace an application, if its future versions are no longer aligned with the free software principles discussed above.

Some readers may have the idea that implementing load balancing can enhance the overall efficiency of the system and create hardware redundancy. For the setup described in this guide, this is also a bad idea. Simplicity is of utmost importance. Instead of installing the software suite on multiple servers and installing and maintaining an additional load balancer, they can just take the shorter path of installing the whole suite on a more powerful VPS, a cloud server or a dedicated server. In this way, the time and effort required by the installation and maintenance of multiple servers will be spared, the potential synchronization problems between the load balanced servers will be removed and they will still benefit from reasonable hardware redundancy, since all the servers used by good hosting providers have SSDs grouped in RAID configurations and redundant power supplies. In addition to this, a good backup system, such as the one described later in this guide, will prevent data loss if a hardware failure ever happens.

1.13. RED SCARF Suite

The main benefits offered by the software suite proposed and described in this guide are detailed below:

1.13.1. Security

In short, digital security means preventing unauthorised access to your system and data. Digital security is always closely connected to digital privacy. A secure system will protect your private data against unauthorised access and therefore, it will keep it private. Similarly, if you avoid disclosing private information when it’s not strictly necessary, you protect the security of a system consisting of one or multiple applications. Digital privacy and digital security depend upon each other and strengthen each other. You can’t have one without the other.

To protect your digital privacy means to avoid giving others any information about yourself or, in the worst case, to give them as little information as possible: that information that is strictly necessary, when it is strictly necessary.

The software suite described in this guide was specifically designed to allow its users (small business owners, nonprofit organization leaders, private individuals) to offer themselves all the digital services they would need for the day-to-day digital activities, so that they can avoid disclosing their personal and business data to other companies offering those services in exchange for money and/or private personal data. The applications described here were also chosen so that they can offer a high level of security. When you read the list of components below, you will notice that there are 4 circles of protection surrounding this software suite, apart from the security features implemented by each application: Debian’s native firewall, the intrusion prevention tool Fail2ban, the antivirus for automatic and on-demand scanning ClamAV and the system security monitoring tool System Health and Security Probe.

Some may find including WordPress in a software suite that has security as one of its main goals a questionable decision. Try not to forget that there is no software application in use that could be considered 100% secure and that you have to measure the security of a program based on its intrinsic qualities and not on things such as careless users who misuse the program, forget to update it or install insecure plugins. For example, you’ll find that there are far fewer security incidents associated with Joomla than with WordPress. This is the direct result of the number of Joomla websites, which is much smaller than that of WordPress websites, and not a result of its superior security features. If at this moment we build a new CMS from scratch, it will be 100% secure in the beginning. Only because nobody else uses it. Once we publish the CMS and the number of users increases, the security incidents will start to show up and the program will no longer be 100% secure, no matter how well it has been built.

1.13.2. Control

Control means that using this software suite, you will have real control over your digital activities. When using proprietary software you can’t control your computing because the license terms forbid you to modify the software, to share it with others, etc., and by doing this they give control over your activities to the company that developed and maintains the program. Therefore, you buy a program and you find yourself at the mercy of the company that developed it: for updates, for adding new features, for scaling up your infrastructure, etc. Due to their respect or lack of respect for the user’s freedom, the main difference between FOSS programs and proprietary programs is who controls the program: you or the entity that developed the program. Thus, control over your own computing is one of the main benefits offered by this software suite and one of the main benefits offered by honest FOSS programs in general.

1.13.3. Autonomy

Autonomy means that when you use this software suite, you can conduct your day-to-day digital activities very independently, in an autonomous manner, without having your activities controlled from outside. Using this suite you will find that the only situation where your server will interact with the services offered by other companies will be when using the applications that need to communicate with the Public Switched Telephone Network (PSTN).

The high degree of autonomy that this software suite allows is a direct consequence of the degree of control that it offers and also the consequence of its completeness. We designed it in order to have all the common digital activities covered, so that you won’t need the services of third parties, with the exception that we mentioned, of the companies offering the gateway to the PSTN system, whose services are inevitable if you want to use applications that make/receive phone calls to/from real phone numbers, applications that send/receive SMS messages or faxes.

1.13.4. Reliability

Reliability means that this software suite was put together in such a way that all its components will function without failure, if properly configured and installed on a server with adequate hardware resources. The fact that the very foundation of the suite is Debian, a time-tested Linux distribution with the well-deserved reputation of one of the most stable operating systems, is an indicator of the way we chose all the applications for this suite. Also, the programming languages used by the different applications, the robustness of these applications, their maturity, were carefully considered in order to create a complete and robust software suite that you can rely on. Multiple monitoring applications were also included in the suite, so that you can easily find if there are any malfunctions and be able to correct them promptly.

1.13.5. Flexibility

Flexibility means that each application that is part of this suite can be configured in multiple ways, to adapt it to various use cases, to allow it to support high work loads, to connect it to other applications, etc. It also means that the whole software suite is conceived in a way that it allows the administrator to easily extend it by adding new applications or to reduce it, by excluding any application that is not part of the core of the suite and is not needed in a certain use case. Also, each application has such a structure and uses such a programming language that it allows the administrator to easily add new features, either by himself or by hiring companies/independent developers to write custom code. In fact, one of the most beautiful aspects of FOSS applications in general is their flexibility, which gives users almost endless possibilities.

1.13.6. Definition

Since the software suite presented in this guide focuses on the benefits listed above, we can call this suite the “Radically Enhanced Digital Security, Control, Autonomy, Reliability and Flexibility Software Suite” or, in short, RED SCARF Suite. We can’t help associating a logo with this name:


And a slogan: “Digital freedom always suits you”.

Let’s be clear here: RED SCARF Suite is a collection of free and open source programs that we recommend. These programs can be downloaded freely from their respective official websites and can be installed, configured and used any way anybody wants (while respecting their FOSS licenses). We just recommend this collection of programs and advise the readers on how to install and configure them, because we consider that using these applications on one’s own VPS or dedicated server, with the proper settings, is the best way to preserve digital freedom while running all the common digital activities as a small business, nonprofit organization or private individual.

Since it’s not a program made up of other programs, but a collection of different programs, each published under its own FOSS license, RED SCARF Suite doesn’t need a license of its own and doesn’t have a license. When installing and using RED SCARF Suite, you will have to respect the license terms of each application that you install, knowing that you can choose to install or not to install different components, according to the importance of the application within the suite and according to your needs. (Further down below we explain what components are considered the ‘core’ of the suite and have to be installed if you want to use the suite, and what components can be left out if you know you won’t need them.) All the components of RED SCARF Suite are published under free and open source software licenses. The majority of the components are GPL licensed.

Think of RED SCARF Suite as you think of the LEMP stack. Is the LEMP stack a distinct product with its own license? No, it’s an opportune collection or set, or suite of good quality FOSS programs used to serve websites and web applications, each component having its own license.

Since RED SCARF Suite includes the LEMP stack (in the sense of ‘Linux (Debian), Nginx (pronounced ‘engine x’), MariaDB and PHP’), you can also consider it an extension of the LEMP stack, one specifically built to allow a small company/nonprofit organization/private individual run all the day-to-day digital activities as freely as possible, with total control over their computing and their data.

This software suite was not conceived to offer just a solution that works, but the best solution that works. Given the clear principles that led to its birth, RED SCARF Suite has a precise, formal definition that follows:

“RED SCARF Suite is that collection of free and open source programs that can assist a small company/nonprofit organization/private individual in all the common, day-to-day digital activities, and fulfill the following three conditions:

  • they allow the greatest degree of autonomy possible for their users (this means that the users gain the highest degree of independence when using these programs, as opposed to when using other programs).
  • they are the best solution for the digital tasks that they are used for (this means that among all the competing applications, they offer the most, while asking for the least, in the majority of use cases).
  • as a set, they represent a minimal solid starting point (this means that they are the smallest set of applications that make up a complete and robust software suite capable of assisting a small company/nonprofit organization/private individual in all the common, day-to-day digital activities. It also means that when used in concrete situations, this set can be further extended to include other programs, if the need to do so arises).”

Given the above definition, it’s obvious that the makeup of RED SCARF Suite is not fixed. RED SCARF Suite has a ‘fluid’ list of components. If one component gets somehow corrupted, in the sense that its future versions are no longer aligned with the digital freedom principles discussed above, or if at some point in time, a different program outperforms it at its specific task, it will be replaced with a better alternative, namely, with the best alternative. Nevertheless, we expect that the actual makeup of RED SCARF Suite will stay unchanged for a very long time, hopefully forever.

The one-sentence, all-encompassing description of the suite follows:

RED SCARF Suite – The only complete business software suite made up entirely of free and open source applications, unmatched in quality, yet gratis, that you can install on your own server, so that you can offer yourself all the services needed for all the common digital activities of a small business, nonprofit organization or private individual, so as to enjoy real control over your data, real freedom and real privacy, while using just a browser to access all the applications, thus benefiting from a completely paperless and completely mobile office that allows web-based collaboration and teamwork.

RED SCARF Suite is the ‘digital Swiss Army knife’ of self-hosted web services and it aims to become the gold standard for such services targeted at small businesses, nonprofit organizations and private individuals.

As we mentioned before, you can install the whole suite on a $10/month VPS (e.g. Linode’s 1 CPU core, 2 GB RAM, 50 GB SSD VPS). If you install and maintain all the applications by yourself, your monthly ongoing costs will be:

  • $10 for hosting (from linode.com, etc.)
  • $1.10 for a domain name (.com domain renewal from namecheap.com)
  • $1.10 for a phone number for voice and SMS (from telnyx.com)
  • $2 for a fax enabled phone number (from phaxio.com)

Total = $14.20 / month

If you cannot or don’t want to install and maintain the suite by yourself, you can have a company specialized in remote system administration do the installation and maintenance for you at very reasonable monthly prices. There are even companies that offer both software maintenance and hosting, so, they can install and maintain the suite for you and also host it. You can even use the services of a freelance system administrator for installation and maintenance, at even lower prices. As already mentioned, all the companies and freelancers that we recommend on www.doublebastion.com will sign a contract that will give you the guarantee of real control over the server, in the form of root access and the permission to modify or delete anything at any moment, after sending a formal request to the maintainer.

1.13.7. Double Bastion’s contribution

Apart from analyzing and putting together the applications that make up the suite, Double Bastion also created 8 key applications which were the missing components of the suite. They are all gratis, free and open source applications:

  1. Sync WooCommerce with Dolibarr – a WordPress plugin that connects and synchronizes WooCommerce with Dolibarr ERP/CRM.
  2. Sync Dolibarr with WooCommerce – a Dolibarr module that synchronizes product stock and order status between Dolibarr and WooCommerce.
  3. SIP Trip Phone – a browser phone in the form of a Nextcloud application. It connects to SIP providers via Asterisk or directly.
  4. SMS Relentless – a Nextcloud application that enables users to send and receive SMS messages using their browser.
  5. Pax Fax – a Nextcloud application that allows sending faxes and viewing received faxes in the browser.
  6. Roundpin – a fully featured browser phone that implements audio/video calling, video conferencing and text messaging using SIP over WebSocket and WebRTC.
  7. System Health and Security Probe – a program that runs periodically to assess the general health and security of the system and to send email reports to the admin.
  8. RED SCARF Suite Panel – an admin panel that lists all the components of RED SCARF Suite installed on the server and offers information of vital importance about the general health and security status of the system.

1.13.8. Necessity and official source of information

RED SCARF Suite fulfils a real necessity and represents a great achievement of the FOSS community. Even an excellent operating system like Debian is almost entirely useless in itself. If you don’t install additional applications to make it usable for a particular purpose, there are not many things that you can do with it. Only the additional programs that you install on a Debian server truly give it usability and value. Even if you make the server a load balancer or a VPN server or a database server, you have to install certain programs on top of the operating system. The operating system is just a foundation on which you have to build something. If you don’t build anything, then the foundation becomes almost entirely useless. But what additional programs should you install for a particular purpose? Here nobody tells you which is the best selection of programs that you should choose for a particular task and nobody tells you which is the complete set of programs that you should use. So, you are left to drown in an ocean of alternatives. For example, if you want to install the applications necessary for the day-to-day operations of a small business, different guides will tell you how to install just one component, such as the web server, or the mail server, or the ERP application, as if you could carry on your business activities just by installing one such program. No guide will tell you how to install all the applications that are really necessary for that task.

Since it’s made up entirely of free and open source software, RED SCARF Suite belongs to the community of freedom loving digital technology users, who are encouraged to use it and contribute if possible to any of its components. Yet, since Double Bastion gave birth to this concept, since we tested, read about extensively and selected the best applications for each specific task and since we also built 8 applications that were the missing key components of the suite, we reserve the right to decide which applications are or will be included or excluded in/from the suite, while being permanently open to suggestions and discussions about the inclusion or exclusion of different applications. Therefore, the only official source of information about the makeup of RED SCARF Suite, at any given moment, will be www.doublebastion.com.

1.13.9. RED SCARF Suite structure

RED SCARF Suite is made up of 7 program categories:

1. Operating system: Debian Linux (+ UFW, ProFTPD, BIND, Memcached)

2. Website hosting related programs:

  • Webserver: Nginx (+ MariaDB, PHP 7.4, PHP-FPM)
  • Website and e-commerce platform: WordPress + WooCommerce
  • Database management tool: phpMyAdmin
  • Forum CMS: MyBB
  • Web monitoring tool: Matomo (formerly Piwik)
  • Admin Panel: RED SCARF Suite Panel

3. Email related programs:

  • SMTP: Postfix
  • IMAP: Dovecot
  • Webmail: Roundcube
  • Email antivirus: ClamAV
  • Anti-spam: SpamAssassin
  • Greylisting: Postgrey
  • Mass email sending application: phpList
  • Mailing list manager: Mailman
  • Email accounts management tool: Postfix Admin

4. Online collaboration programs:

  • File sync and share application: Nextcloud
  • Browser phone for video/audio/text conversations: Roundpin (with the underlying Asterisk server and Coturn as STUN server)
  • Web VoIP phone (SIP Trip Phone with the underlying Asterisk server and Coturn), SMS web application (SMS Relentless), fax web application (Pax Fax)
  • Web-based collaborative document editing: LibreOffice Online
  • Decentralized social network platform: Friendica

5. Enterprise Resource Planning (ERP) with invoicing, accounting, stock management, etc. and Client Relationship Management (CRM) program: Dolibarr

6. Backup program: Backup Manager

7. Security applications:

  • Firewall: Debian’s native firewall
  • Intrusion prevention tool: Fail2ban
  • Antivirus for automatic and on-demand scanning: ClamAV
  • System security monitoring tool: System Health and Security Probe
  • VPN program: OpenVPN

The programs included in RED SCARF Suite are also grouped in three categories, following the structure of an almond:


According to the importance of their role within the suite, RED SCARF Suite components can be classified into three categories:

  • kernel components
  • shell components
  • hull components

1.13.10. List of components

RED SCARF Suite is made up of the following components:

  1. Debian
     2. Nginx
     3. MariaDB
     4. PHP
     5. BIND
     6. Fail2Ban
     7. ClamAV
     8. Postfix
     9. Dovecot
     10. SpamAssassin
     11. Postgrey
     12. Postfix Admin
     13. Roundcube
     14. Mailman
     15. phpList
     16. ProFTPD
     17. phpMyAdmin
     18. WordPress
         19. WPS Hide Login
         20. Nginx Cache
         21. WooCommerce
         22. Sync WooCommerce with Dolibarr
     23. Dolibarr
         24. Sync Dolibarr with WooCommerce
     25. Coturn
     26. Asterisk
     27. Collabora Online Development Edition
     28. Nextcloud
         29. External Storage Support
         30. Antivirus for Files
         31. Calendar
         32. Tasks
         33. Forms
         34. Polls
         35. Office Online integration
         36. SIP Trip Phone
         37. SMS Relentless
         38. Pax Fax
     39. Roundpin
     40. MyBB
     41. Friendica
     42. OpenVPN
     43. Matomo
     44. Backup-Manager
     45. System Health and Security Probe
     46. RED SCARF Suite Panel

This guide will explain how to install all the components listed above, except Debian which comes preinstalled on rented VPSs or dedicated servers. Please note that Debian is an important part of RED SCARF Suite. It’s the very foundation. In other words, RED SCARF Suite is not ‘platform independent’. This is due to one of its core principles: RED SCARF Suite is not a collection of good programs, it’s a collection of the best programs for their task. If you try to install all the applications described in this guide on a server running a different Linux distribution, the end result will not be RED SCARF Suite but a caricature of it.

To access all the applications installed on the server you will only need a browser. We recommend using Firefox both on laptop/desktop and on tablet/phone. When you want to connect to your remote server via FTP, you can use a locally installed FTP client like FileZilla. You can read/send emails using Roundcube in a web browser. Yet, if you use multiple email accounts and you want to connect to all of them simultaneously, we recommend installing Thunderbird on your local computer and connecting it to all your email accounts, including the email accounts configured on the remote server as described in this guide (the installation instructions for Thunderbird are presented in the Install Thunderbird and use it to encrypt/decrypt emails chapter). Also, if you want to synchronize your local files with Nextcloud, you will need to install Nextcloud Client, as we explain in the Installing the Nextcloud Desktop Synchronization Client chapter.

This guide will also describe how to upgrade all the installed applications and the maintenance steps that need to be taken with a specific frequency, in order to keep the server in good condition.

1.13.11. Acceptable and unacceptable variations

Conceptual clarity is very important when building software, when using software and when describing software. Therefore, we feel the need to clarify things even further: since one of the main goals of RED SCARF Suite is to provide flexibility, if you need to, you can add new applications to the ones that make up the suite. Taking into account the precise and strict definition of RED SCARF Suite, you can ask what it will become if you add other applications to it. Will it become something else? Can you call it by the same name?

The answer is the following: if those applications are free and open source software, if they are optimal, which means that they are the best applications for their task and if they don’t negatively impact the functioning of the suite or the security of the system, after adding them, the suite will become ‘RED SCARF Suite E’ which stands for ‘RED SCARF Suite Extended’. If on the contrary, those applications are proprietary applications, or if they are free and open source software but they are not optimal or they negatively impact the functioning of the existing applications, or the security of the system, the end result will be ‘RED SCARF Suite C’ which stands for: ‘RED SCARF Suite Corrupted’. ‘RED SCARF Suite C’ will also be the result if you don’t add any new applications to the suite, but you replace any of the existing components with proprietary software or with suboptimal (less than optimal) FOSS applications.

Flexibility also means that you can modify any component of the suite to any degree. If you modify a component so that it performs well and doesn’t negatively impact the functioning of other applications or the security of the system, what you’ll have after the modification will still be called RED SCARF Suite. If you modify a component to the point where it becomes defective or it has negative impact on the functioning of other components or on the security of the whole system, your suite will become RED SCARF Suite C.

When used as the digital infrastructure of a nonprofit organization, or when used by a private individual, RED SCARF Suite can be installed and used in its entirety, or without any of the components in the ‘shell’ and ‘hull’ categories. This can also happen when it will be used by a small business, if they decide that they don’t need one or multiple applications in the ‘shell’ and ‘hull’ categories. Without any of these components, the suite will become RED SCARF Suite A, which stands for RED SCARF Suite Abridged. Please note that the term ‘abridged’ has a totally different meaning than ‘corrupted’ and doesn’t have any negative connotations in this context.

In conclusion, when considering structural integrity, there can be 4 variations of the suite:

RED SCARF Suite – this is the standard, complete suite as it is described in this guide, made up of ‘kernel’, ‘shell’ and ‘hull’ applications, having all the applications unmodified, or with applications that were modified in such a way that they don’t negatively impact the functioning of the suite or the security of the system.

RED SCARF Suite Abridged (shortened to ‘RED SCARF Suite A’) – the suite without one or multiple ‘shell’ or ‘hull’ applications, having all the applications unmodified, or with applications that were modified in such a way that they don’t negatively impact the functioning of the suite or the security of the system.

RED SCARF Suite Extended (shortened to ‘RED SCARF Suite E’) – the standard suite plus other optimal FOSS applications that don’t negatively impact the functioning of the suite or the security of the system, having all the applications unmodified, or with applications that were modified in such a way that they don’t negatively impact the functioning of the suite or the security of the system.

RED SCARF Suite Corrupted (shortened to ‘RED SCARF Suite C’) – the standard or abridged suite in which one or more applications were replaced with proprietary applications or with suboptimal (less than optimal) FOSS applications, or in which one or more applications were modified in a way that negatively impacts the functioning of the suite or the security of the system. It’s also the extended suite in which one or more proprietary applications or suboptimal FOSS applications were added to the standard suite, or where one or more of the optimal FOSS applications that are part of the standard suite or that were added to the standard suite, were modified in such a manner that they negatively impact the functioning of the suite or the security of the system.

Needless to say, we recommend installing and maintaining one of the first 3 variations of RED SCARF Suite and we strongly oppose and advise against corrupting the suite.

You can send your questions and comments to: