Installation

Last updated

Supported platforms

  • Debian 13 (Trixie): primary, fully tested.
  • Earlier Debian / Ubuntu, installer detects and warns; not supported.

Requirements

ResourceMinimumRecommended
RAM2 GB4 GB+
Disk20 GB40 GB+ SSD
CPU1 vCPU2 vCPU+
NetworkPublic IPv4, ports 22/25/53/80/443/465/587/993/995 open+ outbound 53/udp+tcp
OSDebian 13 fresh install,

If outbound :53/udp is blocked (some labs), set JABALI_DNS_FORWARDER=<a-reachable-resolver> so the recursor forwards over TCP.

Install

curl -fsSL https://get.jabali-panel.com | bash

The installer is idempotent, safe to re-run. It writes drop-ins, never overwrites manual edits to host configs outside of the files it owns.

Environment variables

VariableEffect
JABALI_DNS_FORWARDER=<ip>Force pdns-recursor to forward . to this resolver (use when outbound :53/udp is blocked). Installer also rewrites /etc/resolv.conf to point at the same IP and masks systemd-resolved.
JABALI_PANEL_HOSTNAME=<fqdn>Pre-seed Server Settings → Panel Hostname so the Let’s Encrypt cert and Stalwart primary mail domain land on the right FQDN from first boot.
JABALI_SKIP_* (various)Skip individual install steps. Generally avoid, supported only for debugging.

What the installer does

  1. Verifies Debian 13, root, no conflicting cPanel/Plesk/CyberPanel install.
  2. Adds Sury PHP repository (PHP 8.1–8.5+) and PackageCloud for CrowdSec.
  3. Purges sury-nginx if present, Jabali uses Debian-native nginx (Sury dropped nginx in 2026; this is defensive).
  4. Installs system packages: nginx, mariadb, postgresql, php-fpm (all current Sury versions), pdns-server, pdns-recursor, redis, stalwart-mail, crowdsec, ufw, fail2ban-substitute (CrowdSec), nftables, certbot, restic, clamav, lmd, yara, tetragon.
  5. Installs Kratos and Bulwark (Node SPA bridge) on Unix sockets, no TCP :4433/:4434/:3000 exposure.
  6. Builds jabali-panel-api (Go) and jabali-agent (Go), writes systemd units, starts services.
  7. Runs DB migrations.
  8. Emits a one-time Kratos recovery URL for the bootstrap admin account.

Post-install

jabali repair --diagnose   # 7-detector self-heal report
jabali update              # pulls latest code, rebuilds, migrates, reloads

Diagnostics:

journalctl -u jabali-panel.service -f
journalctl -u jabali-agent.service -f
jabali admin diag bundle   # encrypted support tarball

Uninstall

There is no --uninstall flag. The intended teardown is to redeploy the VM. If you must keep the host, the manual path is documented in troubleshooting.md.

Known good install paths

  • KVM / QEMU on a clean Debian 13 cloud image, works.
  • LXC unprivileged, not supported (cgroup v2 host requirements + systemd-user timers fail in unprivileged containers).
  • LXD privileged on a recent host, works.
  • Docker / nspawn, not supported as the panel host (the panel itself uses systemd-machined for some operations).