Add Debian 12 scripts

2023-11-19 22:25:32 +01:00
parent 8126537ad6
commit b38afbe55a
30 changed files with 1513 additions and 0 deletions
--- a/debian-12/apps/traefik/traefik.sh
+++ b/debian-12/apps/traefik/traefik.sh
@@ -0,0 +1,288 @@
+#!/bin/bash
+
+RELEASE=$(whiptail --title "Traefik" --inputbox "Release :" 0 30 "2.7.1" 3>&1 1>&2 2>&3)
+ACCOUNT=$(whiptail --title "Traefik" --inputbox "ACME E-Mail :" 0 30 "" 3>&1 1>&2 2>&3)
+
+main() {
+	Traefik-etc-certs-selfsigned
+	Traefik-etc-services
+	Traefik-etc-config
+	Traefik-etc-iptable
+	Traefik-bin-update-traefik
+	Traefik-service
+}
+
+
+Traefik-etc-certs-selfsigned() {
+	mkdir -p /etc/traefik/certs
+	openssl ecparam -name secp256r1 -genkey -out /etc/traefik/certs/self.key
+	openssl req -new -x509 -key /etc/traefik/certs/self.key -sha256 -nodes -out /etc/traefik/certs/self.crt -days 3650
+}
+
+Traefik-etc-services() {
+	mkdir -p /etc/traefik/services
+	Traefik-etc-services-shared
+	Traefik-etc-services-default
+}
+
+Traefik-etc-services-shared() {
+	cat >> /etc/traefik/services/_shared.yaml << "EOF"
+tls:
+  stores:
+    default:
+      defaultCertificate:
+        certFile: "/etc/traefik/certs/self.crt"
+        keyFile: "/etc/traefik/certs/self.key"
+
+  options:
+    default:
+      minVersion: "VersionTLS12"
+      # sniStrict: true
+      cipherSuites:
+        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+
+    mintls13:
+      minVersion: "VersionTLS13"
+
+http:
+  middlewares:
+    to-https:
+      redirectScheme:
+        scheme: "https"
+        permanent: true
+    to-no-www:
+      redirectRegex:
+        regex: "^https://www.(.*)"
+        replacement: "https://${1}"
+        permanent: true
+
+    hsts-min:
+      headers:
+        sslRedirect: true
+        stsIncludeSubdomains: false
+        stsPreload: true
+        stsSeconds: 63072000
+        contentTypeNosniff: true
+        accessControlMaxAge: 100
+        addVaryheader: true
+    hsts_light:
+      headers:
+        sslRedirect: true
+        frameDeny: true
+        stsIncludeSubdomains: false
+        stsPreload: true
+        stsSeconds: 63072000
+        contentTypeNosniff: true
+        accessControlMaxAge: 100
+        addVaryheader: true
+    hsts:
+      headers:
+        sslRedirect: true
+        frameDeny: true
+        stsIncludeSubdomains: false
+        stsPreload: true
+        stsSeconds: 63072000
+        contentTypeNosniff: true
+        accessControlMaxAge: 100
+        addVaryheader: true
+        referrerPolicy: "origin-when-cross-origin"
+    hsts-strict:
+      headers:
+        sslRedirect: true
+        frameDeny: true
+        stsIncludeSubdomains: false
+        stsPreload: true
+        stsSeconds: 63072000
+        contentTypeNosniff: true
+        accessControlMaxAge: 100
+        addVaryheader: true
+        contentSecurityPolicy: "script-src 'self'"
+        referrerPolicy: "origin-when-cross-origin"
+
+  services:
+    dummy:
+      loadBalancer:
+        servers:
+          - url: "https://127.0.0.1:2"
+ 
+    # matomo:
+    #  loadBalancer:
+    #    servers:
+    #      - url: "https://x.x.x.x:xxx"
+EOF
+}
+
+Traefik-etc-services-default() {
+	cat >> /etc/traefik/services/_default.yaml << "EOF"
+http:
+  routers:
+    _default:
+      entryPoints:
+        - http
+      rule: "PathPrefix(`/`)"
+      # priority: 100
+      # service: _default-matomo
+      service: _default
+
+    _default-secure:
+      entryPoints:
+        - https
+      rule: "PathPrefix(`/`)"
+      # priority: 100
+      # service: _default-matomo
+      service: _default
+      tls:
+        acmev2-staging
+
+  services:
+    # _default-matomo:
+    #  mirroring:
+    #    service: _default
+    #    maxBodySize: 1024
+    #    mirrors:
+    #      - name: matomo
+    #        percent: 100
+
+    _default:
+      loadBalancer:
+        servers:
+          - url: https://127.0.0.1:2
+EOF
+}
+
+Traefik-etc-config() {
+	cat >> /etc/traefik/traefik.yaml << "EOF"
+entryPoints:
+  http:
+   address: ":80"
+  https:
+   address: ":443"
+  traefik:
+   address: ":8099"
+
+api:
+  dashboard: true
+  insecure: true
+
+serversTransport:
+  insecureSkipVerify: true
+
+providers:
+  file:
+    directory: "/etc/traefik/services/"
+    watch: true
+
+certificatesResolvers:
+  acmev2:
+    acme:
+      email: "X{ACCOUNT}"
+      caserver: "https://acme-v02.api.letsencrypt.org/directory"
+      storage: "/etc/traefik/certs/acmev2.json"
+      keyType: "EC384"
+      tlsChallenge: {}
+  acmev2-staging:
+    acme:
+      email: "X{ACCOUNT}"
+      caserver: "https://acme-staging-v02.api.letsencrypt.org/directory"
+      storage: "/etc/traefik/certs/acmev2-staging.json"
+      keyType: "EC384"
+      tlsChallenge: {}
+EOF
+
+sed -i "s/X{ACCOUNT}/${ACCOUNT}/g" /etc/traefik/traefik.yaml
+
+}
+
+Traefik-etc-iptable() {
+  if [ -f "/etc/iptables/rules.v4" ]; then
+    sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 8099 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+    sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+    sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+    sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # Traefik' /etc/iptables/rules.v4
+    iptables-restore /etc/iptables/rules.v4
+  fi
+}
+
+Traefik-bin-update-traefik() {
+	cat >> /usr/local/bin/update-traefik << "EOF"
+#/bin/bash
+
+getcurrentversion() {
+  if [ -f /var/opt/traefik/version ]; then
+    cat /var/opt/traefik/version
+  else
+    echo "0"
+  fi
+}
+getlatestversion() {
+  if ! GITHUBTAGNAME=$(curl -sL "https://api.github.com/repos/traefik/traefik/releases/latest" | jq -r ".tag_name"); then
+    echo "Error in Github API"
+    return 1
+  fi
+  if [ "${GITHUBTAGNAME}" == "" ]; then
+    echo "Error in Github API"
+    return 1
+  fi
+  local -r GITHUBVERSION=${GITHUBTAGNAME//[[:alpha:]-]/}
+  if [ "${GITHUBVERSION}" == "" ]; then
+    echo "Error in Github API"
+    return 1
+  fi
+  echo "${GITHUBVERSION}"
+}
+update() {
+  VERSION=${1}
+  mkdir -p /tmp/traefik
+  cd /tmp/traefik
+  wget https://github.com/traefik/traefik/releases/download/v${VERSION}/traefik_v${VERSION}_linux_amd64.tar.gz
+  tar -xf traefik_v${VERSION}_linux_amd64.tar.gz
+  systemctl stop traefik
+  cp traefik /usr/local/bin
+  systemctl start traefik
+  if [ ! -d /var/opt/traefik ]; then
+    mkdir -p /var/opt/traefik
+  fi
+  echo "${VERSION}" > /var/opt/traefik/version
+  rm -R /tmp/traefik
+}
+
+CURVER=$(getcurrentversion)
+LATESTVER=$(getlatestversion)
+
+if [ "${CURVER}" != "${LATESTVER}" ]; then
+  echo "${CURVER} -> ${LATESTVER}"
+  update "${LATESTVER}"
+fi
+EOF
+	chmod 755 /usr/local/bin/update-traefik
+	update-traefik ${RELEASE}
+}
+
+Traefik-service() {
+	cat >> /etc/systemd/system/traefik.service << "EOF"
+[Unit]
+Description=Traefik
+After=network.target auditd.service
+
+[Service]
+ExecStart=/usr/local/bin/traefik -configFile /etc/traefik/traefik.yaml
+ExecReload=/bin/killall traefik
+KillMode=process
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
+EOF
+	
+	systemctl daemon-reload
+	systemctl enable traefik
+	systemctl restart traefik
+}
+
+
+main