How do I add the deb.myguard.nl repository?

wget https://deb.myguard.nl/pool/myguard.deb&&dpkg -i myguard.deb&&apt-get update

Which Linux distributions are supported?

Debian 11 (Bullseye), 12 (Bookworm), 13 (Trixie), Ubuntu 22.04 LTS (Jammy), 24.04 LTS (Noble), 26.04 (Resolute).

Is this repository free to use?

Yes, completely free with no registration required. Donations via PayPal help cover server costs.

Free APT repository · 50+ packages · No registration

Debian & Ubuntu APT Repository — NGINX, Angie, HTTP/3

Q: Can I run ModSecurity and the OWASP CRS in front of WordPress and webmail?

Yes. We ship libmodsecurity3, the NGINX/Angie connector and the modsecurity-crs package, plus app-specific CRS plugins so you can put the WAF in front of WordPress, Vaultwarden and ViMbAdmin without drowning in false positives.

The myguard Debian/Ubuntu APT repository gives you the latest versions of NGINX, Angie, OpenSSL, Postfix, Dovecot, ModSecurity and 50+ other packages — built with security and performance in mind, with features the official repositories simply don’t ship.

# Installs GPG key, APT source and pinning in one step

$ wget https://raw.githubusercontent.com/eilandert/deb.myguard.nl/main/myguard.deb

$ dpkg -i myguard.deb

$ apt-get update && apt-get install nginx

Works on Debian 12/13 and Ubuntu 22.04/24.04/26.04 · amd64 + arm64 · Manual setup →

Browse packages Full setup guide

200+

NGINX & Angie modules

Supported distros

2019

Active since

Why use this APT repository?

The official Debian and Ubuntu repositories prioritize stability over features. This repository fills the gap for production servers that need both.

// performance

Compiler-optimized binaries

All packages are compiled with the right flags and linked against the right libraries — including an updated jemalloc where it makes a difference.

// features

Modules not in official repos

HTTP/3 and QUIC for NGINX and Angie, Brotli compression, ModSecurity WAF, OpenSSL+QUIC — features that require custom compilation are included out of the box.

// freshness

Latest upstream versions

Packages track upstream releases rather than Debian stable freezes. Get NGINX mainline, the newest Dovecot, and current Rspamd without backport delays.

// security

Security-first defaults

Packages include php-snuffleupagus, ModSecurity with the OWASP Core Rule Set, and modern TLS configurations enabled by default for production hardening.

// containers

Docker & Kubernetes ready

Daily-rebuilt Docker images for NGINX and Angie with all modules included. Designed for containerized and Kubernetes deployments.

// trust

GPG-signed packages

All packages are GPG-signed. The repository uses modern signed-by APT configuration for verified, tamper-proof delivery.

Why we actually build these packages

A quick story, because nobody maintains a 50-package APT repository for fun. (Okay — maybe a little bit for fun.)

Here’s the honest truth: this whole thing started because the packages we needed simply didn’t exist. We run real production servers — mail servers, web servers, WordPress sites, the works — and we kept hitting the same wall. We wanted NGINX with HTTP/3, but Debian shipped it without QUIC. We wanted Angie with native ACME, but it wasn’t in any official repository at all. We wanted ModSecurity with the OWASP Core Rule Set wired up properly, Postfix with modern TLS, Dovecot with the latest Sieve plugin, php-snuffleupagus hardening PHP-FPM, and a dozen other things. Every single one needed a custom build.

So we built them. And then we figured: if we’re already compiling all of this for our own infrastructure, why not share? That’s how deb.myguard.nl was born — a free, public, GPG-signed APT repository for Debian and Ubuntu that ships the packages we actually run in production. No telemetry, no registration, no “enterprise tier.” You just add the repository and apt-get install the things you need.

The four pillars we build for

Every package decision comes back to one of these four.

01 · performance

Compiled, not just packaged

LTO where it helps, hardened defaults that don’t cripple throughput, and modern allocators (jemalloc, mimalloc) linked in where they make a measurable difference. NGINX and Angie are built against a dedicated OpenSSL with QUIC patches — so HTTP/3 actually works instead of being a checkbox.

02 · security

Defaults you can sleep on

ModSecurity ships with the OWASP CRS pre-wired. PHP gets snuffleupagus for runtime hardening. TLS configs default to modern cipher suites. Packages are GPG-signed and delivered via the modern signed-by APT mechanism — a compromised mirror can’t feed you a tampered binary.

03 · freshness

Days, not release cycles

Debian stable is wonderful for stability and terrible for anyone who needs the latest Dovecot fix, a new Rspamd module, or NGINX mainline. We track upstream releases and rebuild quickly — usually within days, often within hours. Docker images rebuild every single night.

04 · features

What the official repos won’t ship

HTTP/3, QUIC, Brotli, ModSecurity, OpenResty Lua modules, the full NGINX module zoo — everything that requires a custom compile lives here. You shouldn’t have to maintain your own build pipeline just to enable HTTP/3 in 2026.

If any of that resonates, jump to the quick start below. If you’d rather poke around first, the blog has deep-dives on most of these packages — how HTTP/3 actually works, why Angie matters, the dedicated OpenSSL build, and a lot more.

Who actually uses this?

Honestly, all sorts — but most people land here for one of four reasons.

// sysadmins

Production web stacks

Running real NGINX or Angie in front of real traffic and don’t want to babysit a build server just to get HTTP/3, Brotli and ModSecurity. Install, pin, ship.

// homelab

Homelab & self-hosters

Want HTTP/3 on a Raspberry Pi or a closet server without spending three hours waiting for ./configure. Same packages, same defaults, no compile — and arm64 builds for the Pi.

// containers

Docker & Kubernetes

Pulling the daily-rebuilt NGINX and Angie images with every module already compiled in — perfect for ingress, edge proxies and ephemeral pods.

// mail ops

Mail server operators

Postfix with modern TLS, Dovecot with the latest Sieve, and Rspamd already wired together — the way they should ship out of the box.

One repository, every current distro: Debian 12 Debian 13 Ubuntu 22.04 Ubuntu 24.04 Ubuntu 26.04

Featured packages

A selection of the most-used packages in this repository. The full list covers 50+ packages across web, mail, security, and system utilities.

nginx

Mainline release with HTTP/3, QUIC, Brotli, ModSecurity, and all standard modules

HTTP/3

angie

Drop-in NGINX replacement with native ACME support (no Certbot needed) and extended metrics

HTTP/3 ACME

apache2

Latest Apache HTTP Server compiled with OpenSSL 3

openssl

OpenSSL with QUIC patches applied for HTTP/3 support in NGINX and other tools

QUIC

postfix

Latest Postfix release with modern TLS and SRS support for production mail servers

Mail

dovecot

Latest Dovecot IMAP/POP3 server with Sieve plugin included

Mail

rspamd

Fast spam filtering system for Postfix and Dovecot deployments

Mail

libmodsecurity3

ModSecurity WAF library with the OWASP Core Rule Set for NGINX and Apache

WAF

libbrotli

Google Brotli compression library, required for NGINX Brotli module

Compression

valkey

BSD-licensed Redis fork with hardened systemd sandbox and AppArmor profile

Cache

libfido2

FIDO2 library for hardware key support (YubiKey) in OpenSSH and other tools

Security

ccache

Compiler cache to speed up repeated builds

Dev

→ NGINX modules overview · Angie modules overview · Full packages page · Source on GitHub

NGINX & Angie modules we wrote ourselves

Not just repackaged upstream — these are dynamic modules we develop and maintain ourselves, shipped as first-class .deb packages for both NGINX and Angie.

// compression

zstd-nginx-module

Our maintained fork of the Zstandard compression module — several upstream bugs fixed, builds cleanly against current NGINX and Angie. What we fixed · GitHub

// abuse

error-abuse

Auto-bans clients that flood 403/404/5xx — fail2ban-style, in-process, sliding-window shared-memory counters, optional Redis/Valkey cluster-wide bans. Guide · GitHub

// cache

cache-turbo

A page cache that lives inside NGINX — no Varnish, no Lua, no second daemon. stale-while-revalidate, L1/L2 tiers, single-flight refresh. Guide · GitHub

→ All 101 NGINX modules · All 100 Angie modules · Every repo on GitHub

ModSecurity & the OWASP Core Rule Set

A complete WAF stack for NGINX, Angie and Apache — the ModSecurity v3 engine, the OWASP CRS, and our own CRS plugins for the apps we self-host.

// wordpress

WordPress hardening CRS plugin

40+ rules tuned for WordPress: typed-parameter SQLi blocking, rate limiting, GeoIP, XML-RPC lockdown — before PHP ever boots. Guide · GitHub

// vaultwarden

vaultwarden-crs-plugin

Drop-in CRS rules and exclusions that let you run the WAF in front of self-hosted Vaultwarden without drowning in false positives. GitHub

// vimbadmin

vimbadmin-crs-plugin

CRS rules and exclusions for the ViMbAdmin mail admin panel, so the WAF protects it without breaking the JSON-RPC API. GitHub

→ All our CRS plugins · Defense in depth against AI scanners · BREACH attack & mitigation

Supported distributions

Packages are available for all current Debian and Ubuntu releases, on amd64 and arm64.

Debian

Bookworm (12) Trixie (13)

Ubuntu

Jammy (22.04 LTS) Noble (24.04 LTS) Resolute (26.04)

Green = current/recommended. Every package is built for both amd64 (x86-64) and arm64 (aarch64).

Quick start

Add the myguard Debian/Ubuntu APT repository and install your first package in under a minute.

$ wget https://raw.githubusercontent.com/eilandert/deb.myguard.nl/main/myguard.deb

$ dpkg -i myguard.deb

$ apt-get update

# Web server with HTTP/3

$ apt-get install nginx

# NGINX alternative with built-in ACME/Let’s Encrypt

$ apt-get install angie

# Mail stack

$ apt-get install postfix dovecot-core rspamd

# WAF for NGINX

$ apt-get install libnginx-mod-http-modsecurity libmodsecurity3 modsecurity-crs

Need manual setup or APT pinning? → Full setup guide

Frequently asked questions

Common questions about this Debian and Ubuntu APT repository.

Why do you build your own packages instead of using the official ones?

Because the official Debian and Ubuntu repositories prioritise stability over features. They freeze versions for the lifetime of a release, and they don’t ship anything that requires a custom compile — no HTTP/3 in NGINX, no Angie at all, no ModSecurity with the OWASP CRS pre-wired, no php-snuffleupagus. We build packages because the things we run in production need those features today, not in two years when the next stable release lands.

What makes these packages different from official Debian/Ubuntu packages?

The official Debian and Ubuntu repositories freeze package versions for stability. This APT repository builds from the latest upstream releases, applies the right compile-time flags, includes extra modules such as HTTP/3 QUIC for NGINX, and ships features the official repos simply don’t carry. See the full packages list.

Is NGINX compiled with HTTP/3 and QUIC support?

Yes. The NGINX packages in this Debian/Ubuntu APT repository are compiled against openssl-nginx, enabling full HTTP/3 support — something the official packages don’t include. The Angie packages ship HTTP/3 as well. See the NGINX modules page for the full list.

What is Angie and how does it compare to NGINX?

Angie is a fork of NGINX maintained by former NGINX core developers. It is a drop-in replacement with native ACME (Let’s Encrypt) support built in — no Certbot needed — plus extended Prometheus metrics and other improvements. Read the Angie 2026 review or the NGINX to Angie migration guide. Both are available in this repository.

Do you write your own NGINX modules, or just repackage upstream ones?

Both. Alongside the 100+ upstream modules we package, we develop and maintain our own: the zstd-nginx-module fork (Zstandard compression with upstream bugs fixed), error-abuse (fail2ban-style auto-banning inside NGINX), and cache-turbo (a built-in page cache with stale-while-revalidate, no Varnish needed). All three work on NGINX and Angie. See the NGINX modules page.

Can I run ModSecurity and the OWASP CRS in front of WordPress and webmail?

Yes. We ship libmodsecurity3, the NGINX/Angie connector and the modsecurity-crs package, plus app-specific CRS plugins so you can put the WAF in front of WordPress, Vaultwarden and ViMbAdmin without drowning in false positives. Start with the ModSecurity + CRS install guide.

Will installing packages from this repo break my system?

No. APT pinning is configured automatically when you install myguard.deb, so packages from this repository take priority only where you intentionally install them. Your standard Debian or Ubuntu packages are not touched. See the full setup guide for details on how pinning works.

Is this APT repository free to use?

Yes, completely free with no registration required. If you find it useful, a donation via PayPal (nomad @ paranoid.nl) helps cover server costs. Bug reports and contributions are always welcome on GitHub.

How often are packages updated?

Packages are updated shortly after upstream releases. Docker images for NGINX and Angie are rebuilt daily. Check the changelog for recent updates, or follow new releases on the blog or watch the GitHub repository.

Does this repository support ARM / aarch64?

Yes. Every package is built for both amd64 (x86-64) and arm64 (aarch64), so the same NGINX, Angie and mail stack runs on a Raspberry Pi, an Ampere or AWS Graviton VM, or a regular x86 server. The setup guide covers all supported architectures.