diff --git a/server/server-init.sh b/server/server-init.sh
new file mode 100644
index 0000000..375d6e0
--- /dev/null
+++ b/server/server-init.sh
@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+MARKER="/var/lib/first-boot-init.done"
+LOG="/var/log/first-boot-init.log"
+
+# Запускать только от root
+if [[ "${EUID}" -ne 0 ]]; then
+ echo "Run as root (sudo)." >&2
+ exit 1
+fi
+
+# Одноразовый запуск
+if [[ -f "$MARKER" ]]; then
+ echo "Already initialized. Marker exists: $MARKER"
+ exit 0
+fi
+
+exec > >(tee -a "$LOG") 2>&1
+
+echo "=== First boot init started at $(date -Is) ==="
+
+# 1) Обновление системы
+export DEBIAN_FRONTEND=noninteractive
+apt-get update
+apt-get -y upgrade
+apt-get -y autoremove --purge
+
+# 2) Установка UFW и Fail2ban
+apt-get -y install ufw fail2ban
+
+# 3) Настройка UFW (важно: не отрезать себе доступ по SSH)
+SSH_PORT="${SSH_PORT:-22}"
+
+ufw --force reset
+ufw default deny incoming
+ufw default allow outgoing
+ufw allow "${SSH_PORT}/tcp" comment "Allow SSH"
+ufw --force enable
+
+# 4) Fail2ban: включить и запустить
+systemctl enable fail2ban
+systemctl restart fail2ban
+
+# (Опционально) показать статус
+ufw status verbose || true
+systemctl --no-pager --full status fail2ban || true
+
+# 5) Маркер выполнения
+mkdir -p "$(dirname "$MARKER")"
+touch "$MARKER"
+
+echo "=== First boot init finished at $(date -Is) ==="
+echo "Marker created: $MARKER"
+echo "Log: $LOG"
\ No newline at end of file
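Review bot: The Fail2ban step (`systemctl enable fail2ban` / `systemctl restart fail2ban`) leaves the packaged defaults in place, and the stock sshd jail is bound to port `ssh` (22) — so when SSH_PORT is overridden, UFW opens the custom port but a ban would only cover 22, and repeated failed logins on the real port keep arriving. Writing a minimal `/etc/fail2ban/jail.local` that enables the sshd jail on `${SSH_PORT}` before the restart keeps the firewall and the jail in step. It is also worth validating that SSH_PORT is an integer in 1–65535 before `ufw --force reset`, because an invalid value makes `ufw allow` fail (and `set -e` abort) only after the existing rules have already been wiped. Finally, the log created by `tee -a "$LOG"` takes the process umask; a `umask 077` before the `exec` keeps the init log root-readable only.
```shell
# … unchanged: root check, marker check, umask/exec redirect, apt and UFW steps …

# 4) Fail2ban: pin the sshd jail to the same port UFW opens
mkdir -p /etc/fail2ban
cat > /etc/fail2ban/jail.local <<EOF
[sshd]
enabled = true
port = ${SSH_PORT}
EOF
systemctl enable fail2ban
systemctl restart fail2ban

# … unchanged: status output, marker creation, final echo lines …
```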