Below is the set of guides I followed to set up an Ubuntu server:

* https://www.informaticar.net/security-hardening-ubuntu-20-04
* https://linuxize.com/post/secure-nginx-with-let-s-encrypt-on-ubuntu-20-04/
* https://www.linuxbabe.com/mail-server/setup-basic-postfix-mail-sever-ubuntu
* https://www.linuxbabe.com/ubuntu/automatic-security-update-unattended-upgrades-ubuntu
* https://www.linuxbabe.com/security/harden-ssh-server
* https://www.linuxbabe.com/mail-server/host-multiple-mail-domains-in-postfixadmin
* https://www.linuxbabe.com/mail-server/block-email-spam-postfix
* https://www.linuxbabe.com/mail-server/block-email-spam-check-header-body-with-postfix-spamassassin
* https://www.linuxbabe.com/mail-server/opendmarc-postfix-ubuntu
* https://www.linuxbabe.com/mail-server/microsoft-outlook-ip-blacklist
* https://www.linuxbabe.com/security/10-steps-in-application-security-assessment

Optional:

* https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
* https://www.linuxbabe.com/ubuntu/set-up-local-dns-resolver-ubuntu-20-04-bind9
* https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-20-04

Notes:

* For https://www.linuxbabe.com/mail-server/postfixadmin-create-virtual-mailboxes-ubuntu-20-04 I had to use part of https://linuxize.com/post/set-up-an-email-server-with-postfixadmin/ because I'm using PHP 8.0.
* I also had to download and install the latest version of `postfixadmin` from https://packages.ubuntu.com/impish/all/postfixadmin/download
* This command **might** need to be run every 3 months to renew and merge certificates for multiple mail domains:

```bash
sudo certbot --nginx --agree-tos --redirect --hsts --staple-ocsp -d mail.domain1.com,mail.domain2.com --cert-name mail.domain1.com --email you@example.com
```

# Upgrade tasks

* Compile the ModSecurity module for the new Nginx version using https://www.linuxbabe.com/security/modsecurity-nginx-debian-ubuntu#upgrading-nginx
* Download the Core Rule Set from https://github.com/coreruleset/coreruleset/releases and update the Nginx rules

Commands to upgrade Nginx and the ModSecurity module:

```sh
# release the hold so apt is allowed to upgrade nginx
sudo apt-mark unhold nginx
sudo apt upgrade nginx
# The install process will fail because your ModSecurity module version doesn't match the new version of Nginx
# So, let's rebuild the ModSecurity module against the new nginx version

# check nginx version
nginx -v

cd /usr/local/src/nginx
sudo apt install dpkg-dev

# download nginx sources
apt source nginx
cd nginx-1.23.1/ # or the version previously queried

# build only the dynamic module, binary-compatible with the packaged nginx
./configure --with-compat --add-dynamic-module=/usr/local/src/ModSecurity-nginx
make modules
sudo cp objs/ngx_http_modsecurity_module.so /usr/share/nginx/modules/

# resume upgrade process
sudo apt upgrade

# hold nginx again so unattended upgrades don't break the module
sudo apt-mark hold nginx
apt-mark showhold
```
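The rebuild above only works when the module is compiled from the source tree that matches the newly installed nginx and the resulting `.so` is actually copied into place. The following shell helpers are an added example, not part of the original notes; the function names are hypothetical, and the paths and the `nginx-<version>` directory naming are taken from the commands above.

```shell
#!/bin/sh
# Added example: pre-flight checks for the ModSecurity rebuild (helper names are hypothetical).
SRC_ROOT=${SRC_ROOT:-/usr/local/src/nginx}           # where `apt source nginx` is run
MODULES_DIR=${MODULES_DIR:-/usr/share/nginx/modules} # where the built module is copied
MODULE=ngx_http_modsecurity_module.so

# Extract "1.23.1" from `nginx -v` output such as
# "nginx version: nginx/1.23.1" or "nginx version: nginx/1.18.0 (Ubuntu)".
parse_nginx_version() {
    printf '%s\n' "$1" | sed -n 's|^nginx version: nginx/\([0-9][0-9.]*\).*$|\1|p'
}

# `nginx -v` writes to stderr, so redirect it to capture the version.
installed_nginx_version() {
    parse_nginx_version "$(nginx -v 2>&1)"
}

# Source tree for a version, following the `cd nginx-1.23.1/` step above.
source_dir_for() {
    printf '%s/nginx-%s\n' "$SRC_ROOT" "$1"
}

# 0 = module built from the matching tree; 2/3/4 name the missing piece.
module_built() {
    ver=$1
    [ -n "$ver" ] || { echo "could not determine nginx version" >&2; return 2; }
    dir=$(source_dir_for "$ver")
    [ -d "$dir" ] || { echo "no $dir: stale or missing source tree" >&2; return 3; }
    [ -f "$dir/objs/$MODULE" ] || { echo "run 'make modules' in $dir" >&2; return 4; }
}

# 0 only when the installed module is byte-identical to the fresh build.
module_installed() {
    module_built "$1" || return $?
    cmp -s "$(source_dir_for "$1")/objs/$MODULE" "$MODULES_DIR/$MODULE" || {
        echo "installed $MODULE differs from the build for nginx $1" >&2; return 5; }
}

# Usage, before `sudo apt upgrade` resumes:
#   module_installed "$(installed_nginx_version)" && sudo nginx -t
```

A non-zero return code tells you which step to repeat before resuming the upgrade and re-applying the hold.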