DomainMOD 4.23 Domain and SSL Asset Manager on Ubuntu 24.04 on Azure User Guide
Overview
DomainMOD is the open source domain and internet asset manager. It gives you one authoritative place to record every domain you own together with its registrar, expiry date, renewal fee, owner, category and stakeholder, so renewals stop being a surprise and nobody has to maintain a spreadsheet that is stale the moment it is saved. Alongside domains it tracks SSL and TLS certificates, hosting accounts, IP addresses and DNS providers, and its domain queue can pull live data straight from registrar APIs including Cloudflare, Porkbun, NameBright and Internet.bs. It adds expiration email alerts, renewal cost reporting across multiple currencies with automatic conversion rate updates, a data warehouse and a task scheduler.
The cloudimg image ships DomainMOD 4.23 served by Apache and PHP 8.3 on a hardened, fully patched Ubuntu 24.04 LTS base, together with a bundled local MariaDB server so the appliance is complete and useful on its own. The installation wizard is pre completed and then deleted, so the application is ready the moment the instance boots and no installer is left sitting in the web root. The bundled MariaDB listens only on the loopback interface (127.0.0.1:3306) and keeps its data on a dedicated Azure data disk. No administrator password exists anywhere in the image: a unique one is generated on the first boot of every VM. Backed by 24/7 cloudimg support.
What is included:
- DomainMOD 4.23.0, the latest stable release, installed from the official upstream source and verified by checksum at build time
- Apache 2.4 with PHP 8.3 and OPcache, plus every PHP extension DomainMOD requires
- MariaDB bound to
127.0.0.1:3306, with its data directory on a dedicated 20 GiB data disk - A first boot service that generates a unique administrator password and a unique database password for every VM
- The task scheduler running as a managed systemd timer every ten minutes, rather than as an internet reachable web endpoint
- An unauthenticated
/healthzendpoint for Azure Load Balancer health probes
Prerequisites
An active Azure subscription, an SSH key pair, and a VNet plus subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is a sensible starting point for most domain portfolios; move up to Standard_D2s_v3 if you run large registrar API syncs or the data warehouse frequently. NSG inbound: allow 22/tcp from your management network, 80/tcp for the application and 443/tcp if you terminate TLS on the VM. The bundled MariaDB is never exposed: it listens on 127.0.0.1 only, so port 3306 stays off the network.
Step 1 - Deploy from the Azure Marketplace
In the Azure portal choose Create a resource, search for DomainMOD 4.23 Domain and SSL Asset Manager on Ubuntu 24.04 LTS by cloudimg, and select Create. Pick your subscription, resource group and region, choose the Standard_B2s size, select SSH public key authentication with the username azureuser, and allow inbound 22, 80 and 443. The image attaches its own 20 GiB data disk for your asset database, so you do not need to add one.
Step 2 - Deploy from the Azure CLI
az vm create \
--resource-group <your-rg> \
--name domainmod \
--image <marketplace-image-urn> \
--size Standard_B2s \
--admin-username azureuser \
--generate-ssh-keys \
--public-ip-sku Standard
Then open ports 80 and 443:
az vm open-port --resource-group <your-rg> --name domainmod --port 80,443
Step 3 - Confirm the services are running
SSH to the VM as azureuser and confirm Apache, MariaDB and the first boot service are all active, and that the task scheduler timer is enabled. Note that MariaDB is bound to 127.0.0.1:3306 only, while Apache serves on port 80.
systemctl is-active apache2 mariadb domainmod-firstboot; systemctl is-enabled domainmod-scheduler.timer
ss -tlnp | grep -E ':80 |:3306 ' | sed 's/ */ /g'

Step 4 - Retrieve the per VM administrator password
The first boot service generates an administrator password unique to your VM and writes it to a root only file. Read it over SSH:
sudo cat /root/domainmod-credentials.txt

DOMAINMOD_URL is the VM's own address as seen from inside the VM. Azure does not expose the public IP to the instance, so this is usually the private address. Browsing the public IP shown in the Azure portal works identically, because DomainMOD stores no base URL at all and builds every in application link relative to the address you reach it on.
Step 5 - Sign in
Browse to http://<vm-ip>/ and sign in with the username admin and the password from the credentials file.

Step 6 - Choose your own password
The password generated on first boot is a bootstrap credential, so DomainMOD prompts you to replace it with your own the first time you sign in. Enter and confirm a new password, then select Change Password. This is DomainMOD's own behaviour, driven by the new password flag that the first boot service sets for you.

You then land on the Dashboard, which shows your system totals for domains and SSL certificates, with the full navigation down the left: Domains, SSL Certificates, Assets, Segments, Bulk Updater, Reporting, Data Warehouse, Settings, Maintenance and Administration.

Step 7 - Add your first registrar
DomainMOD organises domains under the registrar they are registered with, so a registrar and a registrar account are the first things to create. Open Domains and DomainMOD tells you exactly this: before you can add domains you need at least one domain registrar and a domain registrar account.

Select Click here to add a Domain Registrar, choose your registrar and save it, then add a registrar account under that registrar. Once an account exists you can add domains individually, import them in bulk with the CSV importer linked from the same page, or, for the registrars DomainMOD supports, save your API credentials against the account and let the Domain Queue pull your domain list and expiry dates directly from the registrar.
Step 8 - Track domains, certificates and the rest of your estate
With a registrar account in place, Domains records each domain with its registrar, expiry date, renewal fee, owner, category, stakeholder, DNS provider, IP address and hosting account. SSL Certificates does the same for your certificates, with their own providers, accounts, types and expiry dates. Assets holds the supporting records those point at, and Segments lets you slice the estate by the fields that matter to you. Reporting turns the fee data into renewal cost reports across multiple currencies, using conversion rates the scheduler refreshes for you, and Bulk Updater applies a change across many records at once.
To receive expiration alerts by email, set your SMTP server details under Settings, then enable the Send Expiration Email job. Set your installation URL there too, under the same Settings area: DomainMOD uses it to build the links inside those emails, including the password reset link, so it is worth pointing at your real hostname once you have DNS in front of the VM.
Step 9 - The task scheduler
DomainMOD's scheduler runs the domain queue processing, the expiration emails, the currency conversion rate updates, the system cleanup, the version check and the data warehouse build. Upstream expects you to configure a cron job that calls its cron.php over HTTP. This image does that for you as a systemd timer instead, running the same jobs on upstream's documented ten minute cadence while keeping the entrypoint off the network, so no anonymous visitor can trigger your registrar API jobs.
systemctl list-timers domainmod-scheduler.timer --all --no-legend
You can enable, disable and schedule the individual jobs from Maintenance > Task Scheduler inside DomainMOD.
Step 10 - No known or default credentials
DomainMOD's own installer creates its administrator with the password hardcoded to the literal string admin, and its install wizard offers no way to choose a different one. Shipping that would mean every instance of this image booted with a published, guessable credential on a public port. This image never does.
The administrator password is generated uniquely on the first boot of your VM, and nothing usable exists in the image before that: the build replaces the hardcoded credential immediately after the installer runs, and the captured image carries only a random hash that was discarded at build time and that nobody has ever seen. You can confirm on your own instance that admin is the only account, that the hardcoded credential is gone, and that a blank or weak password is rejected:
sudo mariadb --protocol=socket -uroot -N -e "SELECT CONCAT(username,' (the only account that can sign in)') FROM domainmod.users"; sudo mariadb --protocol=socket -uroot -N -e "SELECT CONCAT('upstream hardcoded admin/admin hashes present: ', COUNT(*)) FROM domainmod.users WHERE password = CONCAT('*', UPPER(SHA1(UNHEX(SHA1('admin')))))"
sudo bash /usr/local/sbin/domainmod-cred-roundtrip.sh

The image also closes the gaps upstream leaves open on a public host. The installation wizard is deleted from the web root after the build completes rather than left in place for you to remember to remove. The configuration file that holds the database password, the class library and the vendored dependencies are all denied from the web, because upstream ships no .htaccess of its own. The scheduler entrypoint is not web reachable. And no record of the build is carried into your instance: DomainMOD's installer logs the installing client's IP address and browser for its upstream analytics, and this image removes that record so nothing about the build is ever transmitted from your VM.
Step 11 - Verify the stack and where your data lives
Confirm the installed release, the health endpoint and the data disk. The entire asset inventory lives in MariaDB, whose data directory is bind mounted onto the dedicated ext4 data disk at /data, so your records are kept off the OS disk.
sudo mariadb --protocol=socket -uroot -N -e "SELECT CONCAT('DomainMOD ',db_version) FROM domainmod.settings"
curl -sI http://127.0.0.1/healthz | sed -n '1p'
findmnt -no SOURCE,TARGET,FSTYPE,SIZE /data; findmnt -no SOURCE,TARGET /var/lib/mysql

Adding your own domain and TLS
DomainMOD answers on whatever address you reach it on, so pointing a DNS name at the VM needs no application change. To terminate TLS on the VM itself, install Certbot and let it configure Apache:
sudo apt-get update && sudo apt-get install -y certbot python3-certbot-apache
sudo certbot --apache -d domainmod.your-domain.com --redirect --agree-tos -m you@your-domain.com
Certbot rewrites the cloudimg Apache site for HTTPS and installs a renewal timer. DomainMOD detects the HTTPS request and generates its links accordingly. Once TLS is in front, set your installation URL under Settings so the links inside expiration and password reset emails use your real hostname, and consider restricting port 80 and 443 at the NSG to the networks that need them: upstream's own security guidance is to keep a DomainMOD installation off the open internet where you can, because it can hold registrar API credentials.
Backing up
Your entire estate lives in the MariaDB database on the data disk. Take a logical dump over the loopback socket:
sudo mariadb-dump --protocol=socket -uroot --single-transaction --routines domainmod > /root/domainmod-backup.sql
Copy the dump off the VM, and snapshot the data disk from the Azure portal or CLI for a point in time copy of the whole volume. To restore, load the dump back with sudo mariadb --protocol=socket -uroot domainmod < /root/domainmod-backup.sql.
Security notes
- No default credentials. The administrator password is unique to your VM, generated on first boot, written to
/root/domainmod-credentials.txtwith0600 root:rootpermissions, and replaced by one you choose at first sign in. Upstream's hardcodedadminpassword does not exist on the shipped image. - The database is not reachable from the network. MariaDB listens on
127.0.0.1:3306only. The application connects over the loopback socket with its own per VM password held in a configuration file that is denied from the web and readable only by the web user. - The installer is gone, not hidden. The install wizard directory is deleted from the web root after the build, and the path is denied by Apache as well.
- The scheduler is not a public endpoint.
cron.phpis denied from the web and driven by a systemd timer instead. - Registrar API credentials. DomainMOD can store registrar API keys so the domain queue can sync your portfolio. Upstream recommends storing them only while you need them. Put TLS in front of the VM and restrict inbound access before saving any.
- Keep it patched. The image ships fully patched and leaves Ubuntu's unattended upgrades enabled, so security updates continue to apply on your VM.
Trademark
DomainMOD is open source software released under the GNU General Public License version 3 or later, created by Greg Chetcuti. All product and company names are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.
Support
cloudimg provides 24/7 technical support for this image by email (support@cloudimg.co.uk) and live chat, with a one hour average response time for critical issues. We help with deployment and initial configuration, registrar API and domain queue setup, expiration alert and email configuration, currency and conversion rate options, version upgrades, backup and restore, MariaDB administration, and troubleshooting.