
Overview of Deploying HestiaCP on a Server

The deployment process installs the HestiaCP control panel and configures an Nginx‑Certbot proxy container that automatically obtains and renews TLS certificates.
Below is a concise reference of what the server contains after the installation is finished and how to manage the components.

Prerequisites and Basic Requirements

  • Operating System – Ubuntu or Debian (any recent release).
  • Root access – The installation scripts and Docker commands are run as root.
  • Networking – Ports 80 and 443 must be reachable from the public internet: Let’s Encrypt validates the domain over HTTP on port 80 (HTTP-01), and renewals repeat that check.
  • Hardware – Minimal: 1 CPU, 1 GB RAM, 10 GB disk for the control panel, plus additional space for volumes.

The setup automatically:

  1. Enables BBR congestion control (fq qdisc, bbr TCP).
  2. Updates the package index and upgrades installed packages.
  3. Installs utilities such as curl, wget, gnupg, apt-transport-https, ca-certificates, dnsutils, gawk, xterm, systemd-timesyncd, and software-properties-common (on Debian 12).

File and Directory Structure

/root
├── hst-install-ubuntu.sh          # HestiaCP installer for Ubuntu
├── hst-install-debian.sh          # HestiaCP installer for Debian
└── nginx
    ├── compose.yml                # Docker Compose configuration
    └── (empty, created as needed)

/data/nginx
├── nginx-certbot.env              # Environment file for the proxy
└── user_conf.d
    └── <server_id>.hostkey.in.conf   # Custom Nginx configuration files

/usr/local/hestia
└── bin
    └── cron.php                   # HestiaCP cron script

Permissions

  • /root/nginx and /root/nginx/compose.yml are owned by root:root with modes 0755 and 0644 respectively.
  • The Docker volume nginx_secrets is managed by Docker and is mounted at /etc/letsencrypt inside the container. It holds the Let’s Encrypt account key and the certificate private keys, so on the host it is readable only by root (under Docker’s volume directory) and it should be included in backups.
  • The HestiaCP files in /usr/local/hestia are owned by root. The panel runs as the admin system account created during installation and invokes the privileged v-* commands in /usr/local/hestia/bin through sudo.

Access Rights and Security

  • The admin system account is created by the HestiaCP installer. Its panel password is the value passed to the installer script (the page refers to it as the SSH password); treat it as a root-equivalent credential, since the panel manages every service on the host.
  • The HestiaCP web interface listens on port 8083 of the host and requires the admin credentials. Clients are expected to reach it through the Nginx‑Certbot proxy on port 443, so direct access to 8083 from external addresses can be blocked at the firewall.
  • The Nginx‑Certbot container runs with network_mode: host, so it shares the host’s network stack and binds ports 80 and 443 on the host directly. Host networking gives the container no network isolation from the host; what it exposes is governed by the host firewall and its own TLS configuration, not by Docker. Ports 80 and 443 must remain reachable from the internet for Let’s Encrypt issuance and renewal.
  • Firewall rules (iptables) and fail2ban are enabled by the HestiaCP installer. Confirm that the rule set allows 80 and 443 and does not expose 3306 or 8083 more widely than intended.

Databases

HestiaCP installs and configures a MariaDB (MySQL-compatible) instance. The server listens on the default port 3306 and its root account is protected by a password set during installation. No external database is required, and nothing on this deployment needs to reach MariaDB over the network, so check that it is bound to 127.0.0.1 or that the firewall blocks 3306 for external addresses.
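The sections above name the panel port (8083) and the MariaDB port (3306) but not the interfaces they bind to. The following is an added check, not part of the page or of HestiaCP, that reads `ss -ltnH` output and flags either port when it is bound to all interfaces. The port list and the sample socket lines are constructed for the example; on a live host call it as `audit_listeners "$(ss -ltnH)"`.

```shell
#!/bin/sh
# Added example: flag sensitive listeners bound to all interfaces.
# Assumed ports (not taken from the page's configuration files):
#   3306  MariaDB: only local applications and the panel need it
#   8083  HestiaCP panel: meant to be reached through the nginx-certbot proxy
SENSITIVE_PORTS="3306 8083"

# audit_listeners TEXT
#   TEXT is `ss -ltnH` output: State Recv-Q Send-Q Local-Address:Port Peer ...
#   Prints one WARN line per offending socket; returns 1 if any was found.
audit_listeners() {
  found=0
  while read -r _state _rq _sq laddr _peer _rest; do
    [ -z "$laddr" ] && continue
    port=${laddr##*:}     # text after the last colon
    addr=${laddr%:*}      # text before it: 127.0.0.1, 0.0.0.0, [::], [::1], *
    for p in $SENSITIVE_PORTS; do
      [ "$port" = "$p" ] || continue
      case "$addr" in
        0.0.0.0|'*'|'[::]')
          echo "WARN port $port is bound to $addr; bind it to 127.0.0.1/[::1] or block it in the firewall"
          found=1 ;;
      esac
    done
  done <<EOF
$1
EOF
  return "$found"
}

# Constructed sample: MariaDB local-only, panel on every interface, HTTPS public.
SAMPLE='LISTEN 0 80  127.0.0.1:3306 0.0.0.0:*
LISTEN 0 511 0.0.0.0:8083   0.0.0.0:*
LISTEN 0 511 [::]:443       [::]:*'

if [ "${1:-}" = "--demo" ]; then
  audit_listeners "$SAMPLE"
fi
```

Run with `--demo` to see the sample flagged (one WARN for port 8083). The function deliberately ignores port 443: that is the proxy's public listener and is expected to be bound on all interfaces.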

Docker Containers and Deployment

The deployment uses a single Docker container that serves as a reverse proxy and TLS terminator.

# /root/nginx/compose.yml
volumes:
  nginx_secrets:
    external: true

services:
  nginx:
    image: jonasal/nginx-certbot:latest
    restart: unless-stopped
    environment:
      - CERTBOT_EMAIL=<registration address>   # the address is redacted on this page
    env_file:
      - /data/nginx/nginx-certbot.env
    network_mode: host
    volumes:
      - nginx_secrets:/etc/letsencrypt
      - /data/nginx/user_conf.d:/etc/nginx/user_conf.d

  • Image – jonasal/nginx-certbot:latest provides Nginx with Certbot. Because the latest tag moves, every pull can bring a different, unreviewed version; pin a specific image tag (or digest) for reproducible deployments and bump it deliberately.
  • Environment – CERTBOT_EMAIL is the address Let’s Encrypt registers and notifies before expiry (the value itself is redacted on this page). Additional environment variables may be supplied via /data/nginx/nginx-certbot.env.
  • Volumes – Certificates and private keys are stored in the external Docker volume nginx_secrets, which must exist before the stack is started. User‑specific Nginx configuration files are mounted from /data/nginx/user_conf.d.
  • Network – host mode lets the container bind directly to the host’s ports, which simplifies the hand-off to the panel on 8083, at the cost of Docker’s network isolation: every port Nginx listens on is a host port, and the host firewall is the only thing restricting it.

Starting the Container

cd /root/nginx
docker compose up -d

The deployment script retries this command up to five times if the container fails to start.
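The start procedure above has two preconditions the bare command does not check: the external volume nginx_secrets must already exist (compose refuses to start a service whose external volume is missing) and compose.yml must parse. The script below is an added example, not the page’s deployment script or anything from the nginx-certbot project; the volume name, the compose directory and the retry budget of five attempts are taken from the page, the delay between attempts is an assumption.

```shell
#!/bin/sh
# Added example: bring up the nginx-certbot proxy from /root/nginx/compose.yml
# with the preconditions checked and the `docker compose up` retried.
COMPOSE_DIR=${COMPOSE_DIR:-/root/nginx}
SECRETS_VOLUME=${SECRETS_VOLUME:-nginx_secrets}
RETRY_DELAY=${RETRY_DELAY:-5}          # seconds between attempts (assumed value)

# retry MAX CMD...: run CMD until it succeeds or MAX attempts are used up.
retry() {
  local max attempt
  max=$1; shift
  attempt=1
  until "$@"; do
    if [ "$attempt" -ge "$max" ]; then
      echo "giving up after $attempt attempts: $*" >&2
      return 1
    fi
    echo "attempt $attempt of $max failed, retrying in ${RETRY_DELAY}s" >&2
    attempt=$((attempt + 1))
    sleep "$RETRY_DELAY"
  done
}

# ensure_volume: compose.yml declares nginx_secrets as external, so create it
# once if it is missing; an existing volume (with live certificates) is left alone.
ensure_volume() {
  docker volume inspect "$SECRETS_VOLUME" >/dev/null 2>&1 \
    || docker volume create "$SECRETS_VOLUME"
}

start_proxy() {
  cd "$COMPOSE_DIR" || return 1
  docker compose config --quiet || return 1   # fail early on a malformed compose.yml
  ensure_volume || return 1
  retry 5 docker compose up -d
}

if [ "${1:-}" = "--run" ]; then
  start_proxy
fi
```

Invoke the script with `--run` on the server. Retrying `docker compose up -d` is safe because the command is idempotent: an already-running service is left as it is.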

Stopping the Container

cd /root/nginx
docker compose down

Updating the Container

  1. Pull the newest image:
docker compose pull
  2. Restart the services:
docker compose up -d

The container’s restart: unless-stopped policy ensures it restarts automatically after a reboot unless explicitly stopped.

Proxy Server (Nginx‑Certbot)

The Nginx‑Certbot container automatically:

  1. Requests TLS certificates for the domain hestiacp<server_id>.hostkey.in.
  2. Configures Nginx to forward HTTP/HTTPS traffic to the HestiaCP web interface on port 8083.
  3. Handles automatic renewal of certificates.

Custom Nginx settings, such as an additional location block or rewrite rules, go in /data/nginx/user_conf.d/<server_id>.hostkey.in.conf.
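An added example of such a file, not taken from the page or from the HestiaCP or nginx-certbot projects: one server block that terminates TLS for the panel hostname and proxies to the panel on 127.0.0.1:8083. The hostname panel.example.com and the file name panel.conf are assumptions standing in for hestiacp<server_id>.hostkey.in and <server_id>.hostkey.in.conf. The certificate paths follow the nginx-certbot image’s convention of scanning user_conf.d for ssl_certificate paths under /etc/letsencrypt/live/ and requesting a certificate with that name for the block’s server_name; in my reading of the image’s documentation its own port-80 server answers the HTTP-01 challenge and redirects everything else to HTTPS, so no port-80 block is needed here. HestiaCP’s panel serves HTTPS on 8083 with a self-signed certificate, hence the https:// upstream.

```nginx
# /data/nginx/user_conf.d/panel.conf   (assumed file name; the page uses <server_id>.hostkey.in.conf)
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name panel.example.com;   # assumed hostname, stands in for hestiacp<server_id>.hostkey.in

    # nginx-certbot finds these paths, obtains the certificate named
    # "panel.example.com" into the nginx_secrets volume and renews it.
    ssl_certificate         /etc/letsencrypt/live/panel.example.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/panel.example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/panel.example.com/chain.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # The panel listens on 8083 over HTTPS with its own self-signed
        # certificate; nginx does not verify upstream certificates by default,
        # which is acceptable only because the hop stays on the loopback interface.
        proxy_pass https://127.0.0.1:8083;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After editing a file in user_conf.d, validate and reload inside the container (`docker compose exec nginx nginx -t`, then `docker compose restart nginx` from /root/nginx). One thing to verify on the panel side: because every request now arrives from 127.0.0.1, the panel’s login log and fail2ban’s jail for it only see real client addresses if the panel honours the X-Real-IP / X-Forwarded-For headers set above; otherwise a brute-force ban would hit the proxy itself.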

Starting, Stopping, and Updating HestiaCP

The HestiaCP control panel itself runs as a set of services installed directly on the host: the panel’s own nginx and PHP instances, managed by the hestia systemd unit, plus the components selected at install time (Apache, nginx, MariaDB, Exim4, Dovecot, fail2ban, etc.), each with the systemd unit shipped by its package. They are managed with standard systemd commands; the unit for the panel is hestia:

# Reload systemd if unit files were changed by hand
systemctl daemon-reload

# Start the control panel
systemctl start hestia

# Stop the control panel
systemctl stop hestia

# Enable at boot
systemctl enable hestia

To upgrade HestiaCP by the page’s procedure, rerun the appropriate installer script (hst-install-ubuntu.sh or hst-install-debian.sh) with the --force flag, which overrides the installer’s check for an existing installation. The installer will replace binaries, update configuration files, and restart the affected services, so take a backup (v-backup-user for each panel user) before doing this. HestiaCP is also distributed as apt packages (hestia, hestia-nginx, hestia-php), so apt update && apt upgrade is the routine update path; a forced reinstall is better reserved for repairing a broken installation.

The deployment process leaves the server ready to accept secure HTTP connections on the configured domain, with a fully functional HestiaCP control panel and an automated TLS renewal workflow.
