The Old Way Was Backwards
Other platforms ask for your SSH credentials first. You hand over root access to a third party — before anything is installed, before you know what they will run, before your server is hardened. They connect to your machine and start installing packages with full root privileges on an unsecured server.
OEC.sh flips this model. You run a single command on your server. It hardens the system, installs everything needed, generates its own SSH keypair, and only then calls home to register. You never share credentials. The platform never touches your server until the server invites it.
The Command
Two options depending on your workflow:
Option A — API token (for automation)
curl -sSL https://api.oec.sh/setup.sh | bash -s -- --token=oecsh_tok_your_tokenThe API token is persistent. Generate one in Settings → API Keys. Use the same token to provision multiple servers without returning to the dashboard.
Option B — Claim code (one-time manual)
curl -sSL https://api.oec.sh/setup.sh | bash -s -- --code=ABC123The claim code is a 6-character one-time code that expires in 10 minutes. Get it by clicking Servers → Add Server → "Add BYOS Server" in the dashboard. Best for adding a single server manually.
What Gets Installed
The setup script runs through 15 phases. Each phase is idempotent — if you re-run the script, completed phases are skipped.
| Phase | What | Details |
|---|---|---|
| 1 | System update | apt update && apt upgrade with automatic yes |
| 2 | Docker CE + Compose plugin | Official Docker repository, latest stable release, compose v2 plugin |
| 3 | UFW firewall | Deny all incoming, allow 22 (SSH), 80 (HTTP), 443 (HTTPS) only |
| 4 | Fail2ban | 3 failed SSH attempts = 1 hour ban, protects against brute force |
| 5 | SSH hardening | Disable password authentication, key-only access, disable root login with password |
| 6 | Unattended security upgrades | Automatic security patches applied daily, no manual intervention needed |
| 7 | Traefik reverse proxy | Automatic SSL via Let’s Encrypt, HTTP-to-HTTPS redirect, per-project routing |
| 8 | Netdata monitoring | Real-time CPU, RAM, disk, network metrics, accessible from OEC.sh dashboard |
| 9 | ed25519 SSH keypair | Generated on the server, public key sent to OEC.sh, private key stays on server |
| 10 | 2 GB swap file | Created only if server RAM is less than 2 GB, prevents OOM kills on small instances |
| 11 | Log rotation | Configured for Docker and system logs, prevents disk from filling up |
| 12 | Timezone set to UTC | Consistent timestamps across all servers and log files |
| 13 | Docker network creation | Isolated bridge network for Traefik and project containers to communicate |
| 14 | Non-root container user | All services run as non-root inside containers for isolation |
| 15 | Server registration | Calls OEC.sh API with server metadata, SSH public key, and health status |
Total setup time: approximately 2–3 minutes on a standard VPS with decent connectivity.
Supported Servers
| Requirement | Supported |
|---|---|
| Operating system | Ubuntu 22.04 LTS or later |
| Operating system | Ubuntu 24.04 LTS or later |
| Operating system | Debian 12 or later |
| Architecture | x86_64 (AMD64) and ARM64 (aarch64) |
| Minimum RAM | 1 GB |
| Minimum disk | 10 GB |
| Cloud providers | Hetzner, DigitalOcean, AWS, Google Cloud, Azure, Vultr, OVH, Linode, bare metal |
Any server that meets these requirements works — cloud VPS, dedicated server, or bare metal in your own data center.
What Happens After
Once the script finishes, your server appears in the OEC.sh dashboard within 30 seconds. Status: Healthy. All project environments can deploy to it immediately.
The platform connects to your server via the SSH key generated during setup. You never shared credentials — the server invited OEC.sh on its own terms. From here you can:
- Deploy Odoo environments with git-based deployments
- Assign custom domains with automatic SSL via Traefik
- Monitor CPU, RAM, disk, and network from the dashboard
- Run automated backups to S3, R2, MinIO, or FTP
- Clone databases with PII sanitization for staging
- Scale by adding more servers with the same command
Security Model
The setup script hardens your server before it ever connects to the platform. Every security measure is applied during the initial run:
ed25519 SSH keypair generated on the server
The private key never leaves your server. OEC.sh only receives the public key for authentication.
Fail2ban: 3 failed SSH attempts = 1 hour ban
Brute-force protection is active immediately after setup. Persistent offenders are banned for progressively longer periods.
UFW: deny all incoming, allow only 22/80/443
Every other port is blocked by default. Only SSH, HTTP, and HTTPS traffic reaches your server.
SSH password authentication disabled
Key-only authentication. Even if someone knows a valid username, they cannot log in without the matching private key.
Unattended security patches
Critical security updates are applied automatically every day. No manual apt upgrade needed.
Non-root containers for all services
Docker containers run as non-root users. A compromised container cannot escalate to host-level privileges.
Script is idempotent
Safe to re-run at any time. It detects what is already installed and skips completed phases. No duplicate firewall rules, no duplicate Docker installs.
Getting Your Token or Claim Code
You need one of these before running the setup command:
API Token
Settings → API Keys → Generate. Persistent token, reusable across multiple servers. Best for scripted or automated provisioning.
Claim Code
Servers → Add Server → "Add BYOS Server". Copy the 6-character code. Expires in 10 minutes. Single-use, one server per code.
Frequently Asked Questions
Is it safe to curl | bash?
The script is served over HTTPS from api.oec.sh. You can download it first with curl -sSL https://api.oec.sh/setup.sh -o setup.sh, inspect the contents, then run bash setup.sh --token=your_token. The script is idempotent and open for inspection. It only installs well-known packages (Docker CE, UFW, Fail2ban, Traefik, Netdata) from their official repositories.
Can I run the setup script again if something fails?
Yes. The script is idempotent. It checks what is already installed and skips completed phases. If it fails midway due to a network timeout or package conflict, re-run the same command. It will pick up where it left off without duplicating configurations or breaking existing services.
What if my server is behind a firewall?
The setup script needs outbound HTTPS access (port 443) to download packages and register with the OEC.sh platform. It also needs outbound access to Docker Hub and official OS package repositories. If your firewall blocks outbound traffic, you will need to whitelist api.oec.sh, registry.docker.com, download.docker.com, and your OS package mirror.
Does OEC.sh have root access to my server?
No. During setup, an ed25519 SSH keypair is generated on your server. The public key is sent to OEC.sh for authentication. The private key never leaves your server. OEC.sh connects via SSH using this keypair to run deployment commands, but does not store or have access to the root password. You can revoke access at any time by removing the public key from authorized_keys.
Add Your First Server
Sign up for a free account, grab your token, and run one command. Your server will be ready to deploy Odoo in under 5 minutes.
Related guides
Deploy Odoo on Hetzner
Step-by-step guide to deploying Odoo on Hetzner Cloud with OEC.sh.
Server Requirements Calculator
Calculate the right CPU, RAM, and disk for your Odoo workload.
Pricing
Compare Free, Starter, Pro, and Agency plans. See what is included in each tier.
Odoo Cloudflare Tunnel
Connect servers without public IPs through Cloudflare Tunnel for zero-trust access.