From cad7c2429522d9396923d67e6ad1c80e83cb2745 Mon Sep 17 00:00:00 2001 From: MatMoul Date: Sat, 1 Nov 2025 22:06:02 +0100 Subject: [PATCH] Refactor docker and clean old apps --- alpine/apps/docker/docker.sh | 20 ++ .../stacks}/portainer/compose.yaml | 0 .../stacks}/portainer/portainer.sh | 2 - alpine/apps/rancher/rancher.sh | 4 - alpine/apps/traefik/traefik.sh | 266 ------------------ alpine/init.sh | 7 +- 6 files changed, 22 insertions(+), 277 deletions(-) rename alpine/apps/{ => docker/stacks}/portainer/compose.yaml (100%) rename alpine/apps/{ => docker/stacks}/portainer/portainer.sh (50%) delete mode 100644 alpine/apps/rancher/rancher.sh delete mode 100644 alpine/apps/traefik/traefik.sh diff --git a/alpine/apps/docker/docker.sh b/alpine/apps/docker/docker.sh index 8447f8a..0beeb77 100644 --- a/alpine/apps/docker/docker.sh +++ b/alpine/apps/docker/docker.sh @@ -1,5 +1,7 @@ #!/bin/dash +BASE_URL=${1} + mkdir /srv/stacks mkdir /srv/data @@ -13,3 +15,21 @@ apk add docker docker-cli-compose rc-update add docker boot service docker start +InstStacks() { + SEL=$(whiptail --title "More Apps" --checklist "" 0 0 0 \ + "portainer" "" off \ + "traefik" "" off \ + "gitea" "" off 3>&1 1>&2 2>&3) + # shellcheck disable=SC2181 + if [ "${?}" = "0" ]; then + for ITM in ${SEL}; do + cd /tmp || exit + # shellcheck disable=SC3000-SC4000 + wget "${BASE_URL}"/alpine/apps/docker/stacks/"${ITM//\"/}"/"${ITM//\"/}".sh + # shellcheck disable=SC3000-SC4000 + sh ./"${ITM//\"/}".sh "${BASE_URL}" + done + fi +} + +InstStacks diff --git a/alpine/apps/portainer/compose.yaml b/alpine/apps/docker/stacks/portainer/compose.yaml similarity index 100% rename from alpine/apps/portainer/compose.yaml rename to alpine/apps/docker/stacks/portainer/compose.yaml 
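Review bot: `BASE_URL=${1}` in the first docker.sh hunk accepts a missing or empty argument silently, and the wget targets further down this file are all built from it, so running the script without the argument yields a malformed URL rather than a clear error; `BASE_URL=${1:?usage: docker.sh BASE_URL}` fails fast at the top instead. The value this replaces was an https constant, while nothing now constrains the scheme or origin of what is fetched and executed as root, so a one-line comment is warranted: `# BASE_URL: https root of the os-init repo; scripts fetched from it are executed as root`.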
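Review bot: In `InstStacks` the wget exit status is never checked, so when the download fails `sh ./<name>.sh` still executes whatever sits at the predictable path `/tmp/<name>.sh` as root — a stale copy from an earlier run, or a file planted there by another local user of the shared /tmp. This is reachable in this very commit: the checklist offers `traefik` and `gitea`, but the diffstat adds only `stacks/portainer/`, so selecting either fetches a 404 and then runs the leftover file. I would fetch into a fresh `mktemp -d` directory, force the output name with `-O`, and abort on any failure, as below; the `${ITM//\"/}` substitution is kept, though dash itself does not support it, so the script presumably runs under busybox `sh` despite the shebang. Separately, `portainer.sh` (context in its own hunk) still hardcodes its own `BASE_URL`, so the `"${BASE_URL}"` argument passed here is ignored by that stack script.
```shell
    for ITM in ${SEL}; do
      NAME=${ITM//\"/}
      WORKDIR=$(mktemp -d) || exit
      cd "${WORKDIR}" || exit
      # abort rather than execute a missing or stale file
      wget -O "${NAME}.sh" "${BASE_URL}/alpine/apps/docker/stacks/${NAME}/${NAME}.sh" || exit
      sh "./${NAME}.sh" "${BASE_URL}"
    done
```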
diff --git a/alpine/apps/portainer/portainer.sh b/alpine/apps/docker/stacks/portainer/portainer.sh similarity index 50% rename from alpine/apps/portainer/portainer.sh rename to alpine/apps/docker/stacks/portainer/portainer.sh index ba8230e..a54d877 100644 --- a/alpine/apps/portainer/portainer.sh +++ b/alpine/apps/docker/stacks/portainer/portainer.sh @@ -1,7 +1,5 @@ #!/bin/dash -# docker run -d --name="portainer" --restart=unless-stopped -p 8000:8000 -p 9000:9000 -p 9443:9443 -v /var/run/docker.sock:/var/run/docker.sock -v /srv/portainer/data:/data portainer/portainer-ce - BASE_URL=https://git.netm.ch/m/os-init/raw/branch/main mkdir /srv/stacks/portainer diff --git a/alpine/apps/rancher/rancher.sh b/alpine/apps/rancher/rancher.sh deleted file mode 100644 index e91f74d..0000000 --- a/alpine/apps/rancher/rancher.sh +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/dash - -mount --make-rshared / -docker run -d --name="rancher" --restart=unless-stopped -p 4080:80 -p 4443:443 --privileged rancher/rancher:latest diff --git a/alpine/apps/traefik/traefik.sh b/alpine/apps/traefik/traefik.sh deleted file mode 100644 index 705d02e..0000000 --- a/alpine/apps/traefik/traefik.sh +++ /dev/null 
@@ -1,266 +0,0 @@ -#!/bin/dash - -RELEASE=2.6.3 -ACMEACCOUNT=@gmail.com - -main() { - TraefikConfig - TraefikEtcCertsSelfsigned - TraefikEtcServices - TraefikEtcConfig - TraefikEtcIptable - TraefikBinUpdateTraefik - TraefikService -} - - -TraefikConfig() { - RELEASE=$(whiptail --title "Release" --inputbox "" 0 30 "${RELEASE}" 3>&1 1>&2 2>&3) - ACMEACCOUNT=$(whiptail --title "ACME Account" --inputbox "" 0 30 "${ACMEACCOUNT}" 3>&1 1>&2 2>&3) - if [ "$?" = "0" ]; then - if [ "${proxy}" != "" ]; then - echo "Acquire::http { Proxy \"${proxy}\"; };" > /etc/apt/apt.conf.d/02proxy - fi - fi -} - -TraefikEtcCertsSelfsigned() { - mkdir -p /etc/traefik/certs - openssl ecparam -name secp256r1 -genkey -out /etc/traefik/certs/self.key - openssl req -new -x509 -key /etc/traefik/certs/self.key -sha256 -nodes -out /etc/traefik/certs/self.crt -days 3650 -} - -TraefikEtcServices() { - mkdir -p /etc/traefik/services - TraefikEtcServicesShared - TraefikEtcServicesDefault -} - -TraefikEtcServicesShared() { - cat >> /etc/traefik/services/_shared.yaml << "EOF" -tls: - stores: - default: - defaultCertificate: - certFile: "/etc/traefik/certs/self.crt" - keyFile: "/etc/traefik/certs/self.key" - - options: - default: - minVersion: "VersionTLS12" - # sniStrict: true - cipherSuites: - - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 - - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 - - mintls13: - minVersion: "VersionTLS13" - -http: - middlewares: - to-https: - redirectScheme: - scheme: "https" - permanent: true - to-no-www: - redirectRegex: - regex: "^https://www.(.*)" - replacement: "https://${1}" - permanent: true - - hsts-min: - headers: - sslRedirect: true - stsIncludeSubdomains: false - stsPreload: true - stsSeconds: 63072000 - contentTypeNosniff: true - accessControlMaxAge: 100 - addVaryheader: true - hsts_light: - headers: - 
sslRedirect: true - frameDeny: true - stsIncludeSubdomains: false - stsPreload: true - stsSeconds: 63072000 - contentTypeNosniff: true - accessControlMaxAge: 100 - addVaryheader: true - hsts: - headers: - sslRedirect: true - frameDeny: true - stsIncludeSubdomains: false - stsPreload: true - stsSeconds: 63072000 - contentTypeNosniff: true - accessControlMaxAge: 100 - addVaryheader: true - referrerPolicy: "origin-when-cross-origin" - hsts-strict: - headers: - sslRedirect: true - frameDeny: true - stsIncludeSubdomains: false - stsPreload: true - stsSeconds: 63072000 - contentTypeNosniff: true - accessControlMaxAge: 100 - addVaryheader: true - contentSecurityPolicy: "script-src 'self'" - referrerPolicy: "origin-when-cross-origin" - - services: - dummy: - loadBalancer: - servers: - - url: "https://127.0.0.1:2" - - # matomo: - # loadBalancer: - # servers: - # - url: "https://x.x.x.x:xxx" -EOF -} - -TraefikEtcServicesDefault() { - cat >> /etc/traefik/services/_default.yaml << "EOF" -http: - routers: - _default: - entryPoints: - - http - rule: "PathPrefix(`/`)" - # priority: 100 - # service: _default-matomo - service: _default - - _default-secure: - entryPoints: - - https - rule: "PathPrefix(`/`)" - # priority: 100 - # service: _default-matomo - service: _default - tls: {} - - services: - # _default-matomo: - # mirroring: - # service: _default - # maxBodySize: 1024 - # mirrors: - # - name: matomo - # percent: 100 - - _default: - loadBalancer: - servers: - - url: https://127.0.0.1:2 -EOF -} - -TraefikEtcConfig() { - cat >> /etc/traefik/traefik.yaml << "EOF" -entryPoints: - http: - address: ":80" - https: - address: ":443" - traefik: - address: ":8099" - -api: - dashboard: true - insecure: true - -serversTransport: - insecureSkipVerify: true - -providers: - file: - directory: "/etc/traefik/services/" - watch: true - -certificatesResolvers: - acmev2: - acme: - email: "X{ACMEACCOUNT}" - caserver: "https://acme-v02.api.letsencrypt.org/directory" - storage: 
"/etc/traefik/certs/acmev2.json" - keyType: "EC384" - tlsChallenge: {} - acmev2-staging: - acme: - email: "X{ACMEACCOUNT}" - caserver: "https://acme-staging-v02.api.letsencrypt.org/directory" - storage: "/etc/traefik/certs/acmev2-staging.json" - keyType: "EC384" - tlsChallenge: {} -EOF - -# sed -i /X{ACMEACCOUNT}/${ACMEACCOUNT}/g /etc/traefik/traefik.yaml - -} - -TraefikEtcIptable() { - if [ -f "/etc/iptables/rules-save" ]; then - sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 8099 -m state --state NEW -j ACCEPT' /etc/iptables/rules-save - sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT' /etc/iptables/rules-save - sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT' /etc/iptables/rules-save - sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # Traefik' /etc/iptables/rules-save - iptables-restore /etc/iptables/rules-save - fi -} - -TraefikBinUpdateTraefik() { - cat >> /usr/local/bin/update-traefik << "EOF" -#!/bin/ash - -if [[ -z ${1} ]]; then - echo "update-traefik version" - echo "version : x.x.x" - exit 1 -fi -version=${1} -mkdir -p /tmp/traefik -cd /tmp/traefik -wget https://github.com/traefik/traefik/releases/download/v${version}/traefik_v${version}_linux_amd64.tar.gz -tar -xf traefik_v${version}_linux_amd64.tar.gz -systemctl stop traefik -cp traefik /usr/local/bin -systemctl start traefik -cd -rm -R /tmp/traefik -EOF - chmod 755 /usr/local/bin/update-traefik - update-traefik "${RELEASE}" -} - -TraefikService() { - cat >> /etc/init.d/traefik << "EOF" -#!/sbin/openrc-run - -name="traefik" -command="/usr/local/bin/traefik" -command_args="-configFile /etc/traefik/traefik.yaml" -command_background=true -pidfile=/run/traefik.pid - -depend() { - need net -} -EOF - chmod 755 /etc/init.d/traefik - - rc-update add traefik boot - service traefik start -} - - -main diff --git a/alpine/init.sh b/alpine/init.sh index 7c0d708..605fc92 100644 
--- a/alpine/init.sh +++ b/alpine/init.sh @@ -1,6 +1,6 @@ #!/bin/dash -BASE_URL=https://git.netm.ch/m/os-init/raw/branch/main +BASE_URL=${1} showHelp() { echo "alpine.sh" @@ -133,12 +133,9 @@ IssueSetContent() { InstApps() { SEL=$(whiptail --title "More Apps" --checklist "" 0 0 0 \ - "traefik" "" off \ "gitea" "" off \ "gitea-act_runner" "" off\ - "docker" "" off \ - "portainer" "" off \ - "rancher" "" off 3>&1 1>&2 2>&3) + "docker" "" off 3>&1 1>&2 2>&3) # shellcheck disable=SC2181 if [ "${?}" = "0" ]; then for ITM in ${SEL}; do
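Review bot: The first init.sh hunk turns `BASE_URL` from an https constant into an unvalidated positional argument, and an absent or empty `$1` leaves it blank with no diagnostic; since the rest of this file presumably builds the URLs of scripts it downloads and runs from it, `BASE_URL=${1:?usage: init.sh BASE_URL}` should fail fast instead. `showHelp` directly below prints `alpine.sh` and its body is cut off by the hunk, so I cannot tell whether it documents the new required argument; if not, a line such as `echo "usage: init.sh BASE_URL   (https root the install scripts are fetched from)"` belongs there.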
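Review bot: The `docker` entry kept in the second init.sh hunk now dispatches to a docker.sh that reads `BASE_URL` from `${1}`, but the loop that runs the selected script begins at `for ITM in ${SEL}; do` on the hunk's last line and continues past it, so this diff does not show whether the call forwards `"${BASE_URL}"`; if it still invokes `sh ./"${ITM//\"/}".sh` with no argument, docker.sh's wget URLs come out relative and the stack installs fail. `InstApps` starts inside this hunk and ends outside it.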