HestiaCP Migration
Last updated
The HestiaCP ingest path. Status: partial, files, databases, DNS, and a subset of mail are supported. Complex Exim ACL rules require manual re-implementation.
Source archive
HestiaCP’s per-user backup produced by:
v-backup-user <user>The resulting archive lands under /backup/<user>.<timestamp>.tar.
What gets migrated
| Asset | Behavior |
|---|---|
| User account | Recreated. |
| Home directory | Copied. |
| Web domains | Created as Domain rows. The vhost is rendered fresh from the panel template, Apache/nginx fragments from the source are not preserved. |
| DNS zones | BIND zones translated to PowerDNS rows. |
| MySQL / PostgreSQL databases | Restored with password hashes. |
| Email accounts | Created in Stalwart with generated passwords. |
| Forwarders / autoresponders | Translated to Stalwart. |
| Cron jobs | Translated to systemd-user timers via the allowlist filter. |
What requires manual work
- Exim ACL rules: HestiaCP often carries non-trivial Exim acl_smtp_data / acl_check_recipient rules. These do not translate directly to Stalwart’s expression filter syntax; rewrite under Server Settings → Mail → Stalwart expressions.
- Per-domain Roundcube identities: Roundcube installations on the source are not migrated; the destination ships its own Roundcube.
- Spamassassin / rspamd thresholds: Stalwart spam scoring is independent; recalibrate if your Hestia setup had custom thresholds.
Operator workflow
- Produce a per-user backup on the Hestia host.
- Upload to
/jabali-admin/migrations. - Analyze → review the report for any Exim ACL warnings.
- Restore.
- For each Exim ACL warning, manually re-author the equivalent Stalwart expression filter.
- Communicate generated mail passwords to mailbox owners.
- Issue SSL via the per-domain SSL toggle.
Limitations
- Hestia Apache+nginx fronted setups: Hestia frequently runs nginx in front of Apache. Jabali serves nginx directly with PHP-FPM. Apache-specific directives in
.htaccessfiles that depend onmod_rewritetranslate; directives that depend onmod_phpormod_setenvifdo not and must be rewritten. - Hestia firewall (iptables) rules: not migrated. Use UFW plus CrowdSec for the equivalent surface.
Audit
Standard per-phase audit rows.