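#!/bin/dash
# Provision a Traefik 2.x reverse proxy on an OpenRC host:
#   - self-signed fallback certificate under /etc/traefik/certs
#   - dynamic configuration (TLS options, middlewares, default router)
#     under /etc/traefik/services
#   - static configuration in /etc/traefik/traefik.yaml
#   - iptables rules, a helper to download/verify/install a release, and
#     an OpenRC service.
#
# RELEASE and ACMEACCOUNT are the defaults offered by the interactive
# prompts in TraefikConfig; both can be overridden there.

RELEASE=2.6.3
ACMEACCOUNT=@gmail.com

# Run every provisioning step in dependency order.  TraefikBinUpdateTraefik
# runs before TraefikService on purpose: the binary must exist before the
# init script is started.
main() {
  TraefikConfig
  TraefikEtcCertsSelfsigned
  TraefikEtcServices
  TraefikEtcConfig
  TraefikEtcIptable
  TraefikBinUpdateTraefik
  TraefikService
}

# Ask for the release to install and the ACME contact address.
# Cancelling a prompt keeps the current default instead of clobbering the
# variable with an empty string (which would later produce an empty
# "update-traefik" argument and an empty ACME e-mail).
TraefikConfig() {
  if answer=$(whiptail --title "Release" --inputbox "" 0 30 "${RELEASE}" 3>&1 1>&2 2>&3); then
    RELEASE="${answer}"
  fi
  if answer=$(whiptail --title "ACME Account" --inputbox "" 0 30 "${ACMEACCOUNT}" 3>&1 1>&2 2>&3); then
    ACMEACCOUNT="${answer}"
    # ${proxy} is not set anywhere in this script; it is only honoured when
    # inherited from the environment, and then configures an apt HTTP proxy.
    if [ -n "${proxy}" ]; then
      echo "Acquire::http { Proxy \"${proxy}\"; };" > /etc/apt/apt.conf.d/02proxy
    fi
  fi
}

# Generate a P-256 key and a 10-year self-signed certificate used as the
# default certificate for SNI names that have no ACME certificate.
# `openssl req` prompts interactively for the subject fields.
TraefikEtcCertsSelfsigned() {
  mkdir -p /etc/traefik/certs
  # umask 077 in a subshell so the private key is never world-readable,
  # not even between creation and a later chmod.
  ( umask 077 && openssl ecparam -name secp256r1 -genkey -out /etc/traefik/certs/self.key )
  openssl req -new -x509 -key /etc/traefik/certs/self.key -sha256 -nodes -out /etc/traefik/certs/self.crt -days 3650
}

# Write the dynamic configuration files consumed by the file provider.
TraefikEtcServices() {
  mkdir -p /etc/traefik/services
  TraefikEtcServicesShared
  TraefikEtcServicesDefault
}

# TLS store/options and reusable HTTP middlewares.
# The heredoc is quoted because the redirectRegex replacement contains a
# literal "${1}" that must reach Traefik unexpanded.
# The file is overwritten, not appended to, so re-running the script does
# not produce a YAML document with duplicated top-level keys.
TraefikEtcServicesShared() {
  cat > /etc/traefik/services/_shared.yaml << "EOF"
tls:
  stores:
    default:
      defaultCertificate:
        certFile: "/etc/traefik/certs/self.crt"
        keyFile: "/etc/traefik/certs/self.key"
  options:
    default:
      minVersion: "VersionTLS12"
      # sniStrict: true
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    mintls13:
      minVersion: "VersionTLS13"
http:
  middlewares:
    to-https:
      redirectScheme:
        scheme: "https"
        permanent: true
    to-no-www:
      redirectRegex:
        # The dot is escaped so only a real "www." prefix is stripped.
        regex: "^https://www\\.(.*)"
        replacement: "https://${1}"
        permanent: true
    # NOTE: every HSTS variant below sets stsPreload with
    # stsIncludeSubdomains false.  The hstspreload.org submission criteria
    # require includeSubDomains, so the preload token is emitted but the
    # domain will not be accepted onto the preload list as configured.
    # sslRedirect is deprecated in Traefik 2.x in favour of the
    # redirectScheme middleware (see to-https above).
    hsts-min:
      headers:
        sslRedirect: true
        stsIncludeSubdomains: false
        stsPreload: true
        stsSeconds: 63072000
        contentTypeNosniff: true
        accessControlMaxAge: 100
        addVaryHeader: true
    hsts_light:
      headers:
        sslRedirect: true
        frameDeny: true
        stsIncludeSubdomains: false
        stsPreload: true
        stsSeconds: 63072000
        contentTypeNosniff: true
        accessControlMaxAge: 100
        addVaryHeader: true
    hsts:
      headers:
        sslRedirect: true
        frameDeny: true
        stsIncludeSubdomains: false
        stsPreload: true
        stsSeconds: 63072000
        contentTypeNosniff: true
        accessControlMaxAge: 100
        addVaryHeader: true
        referrerPolicy: "origin-when-cross-origin"
    hsts-strict:
      headers:
        sslRedirect: true
        frameDeny: true
        stsIncludeSubdomains: false
        stsPreload: true
        stsSeconds: 63072000
        contentTypeNosniff: true
        accessControlMaxAge: 100
        addVaryHeader: true
        contentSecurityPolicy: "script-src 'self'"
        referrerPolicy: "origin-when-cross-origin"
  services:
    # Black-hole backend: port 2 on loopback is closed.
    dummy:
      loadBalancer:
        servers:
          - url: "https://127.0.0.1:2"
    # matomo:
    #   loadBalancer:
    #     servers:
    #       - url: "https://x.x.x.x:xxx"
EOF
}

# Catch-all routers on both entry points pointing at the black-hole service,
# so unknown hosts never reach a real backend.  Quoted heredoc: the rule
# contains backticks.
TraefikEtcServicesDefault() {
  cat > /etc/traefik/services/_default.yaml << "EOF"
http:
  routers:
    _default:
      entryPoints:
        - http
      rule: "PathPrefix(`/`)"
      # priority: 100
      # service: _default-matomo
      service: _default
    _default-secure:
      entryPoints:
        - https
      rule: "PathPrefix(`/`)"
      # priority: 100
      # service: _default-matomo
      service: _default
      tls: {}
  services:
    # _default-matomo:
    #   mirroring:
    #     service: _default
    #     maxBodySize: 1024
    #     mirrors:
    #       - name: matomo
    #         percent: 100
    _default:
      loadBalancer:
        servers:
          - url: "https://127.0.0.1:2"
EOF
}

# Static configuration.  The heredoc is deliberately unquoted so that
# ${ACMEACCOUNT} is expanded into the ACME e-mail; the previous
# "X{ACMEACCOUNT}" placeholder was never substituted, leaving the literal
# string in the file.  No other "$" appears in this document.
TraefikEtcConfig() {
  cat > /etc/traefik/traefik.yaml << EOF
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
  traefik:
    address: ":8099"

# NOTE: insecure: true serves the API and dashboard on the "traefik" entry
# point (:8099) with no authentication, and TraefikEtcIptable opens that
# port to every source.  Restrict the source in the firewall rule or front
# the dashboard with a router plus basicAuth/ipWhiteList middleware before
# exposing this host.
api:
  dashboard: true
  insecure: true

# Backend certificates are not verified (self-signed local services).
serversTransport:
  insecureSkipVerify: true

providers:
  file:
    directory: "/etc/traefik/services/"
    watch: true

certificatesResolvers:
  acmev2:
    acme:
      email: "${ACMEACCOUNT}"
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      storage: "/etc/traefik/certs/acmev2.json"
      keyType: "EC384"
      tlsChallenge: {}
  acmev2-staging:
    acme:
      email: "${ACMEACCOUNT}"
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      storage: "/etc/traefik/certs/acmev2-staging.json"
      keyType: "EC384"
      tlsChallenge: {}
EOF
}

# Open 80, 443 and the dashboard port 8099 in a persisted iptables ruleset,
# if one exists.  Idempotent: the rules are only inserted once.
TraefikEtcIptable() {
  rules=/etc/iptables/rules-save
  [ -f "${rules}" ] || return 0
  if grep -q -- '--dport 8099 -m state --state NEW' "${rules}"; then
    return 0
  fi
  # Each sed `a` inserts directly after the loopback ACCEPT line, so the
  # ports are listed in reverse of the order they end up in the file
  # (# Traefik, 443, 80, 8099).  Port 8099 is the unauthenticated dashboard;
  # consider adding "-s <admin-network>" to that rule.
  for port in 8099 80 443; do
    sed -i "/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport ${port} -m state --state NEW -j ACCEPT" "${rules}"
  done
  sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # Traefik' "${rules}"
  iptables-restore "${rules}"
}

# Install /usr/local/bin/update-traefik and use it to install ${RELEASE}.
# The helper downloads the release tarball together with the release's
# published checksum list and refuses to install on a mismatch, so a
# corrupt or tampered download is never copied into place.  It uses OpenRC
# (the service defined in TraefikService), not systemctl, and tolerates the
# init script not existing yet on the first run.  Quoted heredoc: every
# "${...}" below belongs to the helper, not to this script.
TraefikBinUpdateTraefik() {
  cat > /usr/local/bin/update-traefik << "EOF"
#!/bin/ash
# update-traefik VERSION
# Download, verify and install the given Traefik release, restarting the
# OpenRC service around the binary swap.
if [ -z "${1}" ]; then
  echo "update-traefik version"
  echo "version : x.x.x"
  exit 1
fi
version="${1}"
archive="traefik_v${version}_linux_amd64.tar.gz"
sums="traefik_v${version}_checksums.txt"
base="https://github.com/traefik/traefik/releases/download/v${version}"

# Private scratch directory instead of a predictable path under /tmp.
workdir=$(mktemp -d) || exit 1
cleanup() { cd / && rm -R "${workdir}"; }

cd "${workdir}" || exit 1
if ! wget "${base}/${archive}" || ! wget "${base}/${sums}"; then
  echo "update-traefik: download of v${version} failed" >&2
  cleanup
  exit 1
fi
# Only the line for our archive is fed to sha256sum -c.
if ! grep -F " ${archive}" "${sums}" | sha256sum -c -; then
  echo "update-traefik: checksum mismatch for ${archive}" >&2
  cleanup
  exit 1
fi
if ! tar -xf "${archive}"; then
  echo "update-traefik: could not extract ${archive}" >&2
  cleanup
  exit 1
fi

# /etc/init.d/traefik is created after the first install, so guard the
# service calls.
[ -e /etc/init.d/traefik ] && service traefik stop
cp traefik /usr/local/bin/traefik
chmod 755 /usr/local/bin/traefik
[ -e /etc/init.d/traefik ] && service traefik start
cleanup
EOF
  chmod 755 /usr/local/bin/update-traefik
  update-traefik "${RELEASE}"
}

# OpenRC service definition; enabled in the boot runlevel and started now.
TraefikService() {
  cat > /etc/init.d/traefik << "EOF"
#!/sbin/openrc-run
name="traefik"
command="/usr/local/bin/traefik"
command_args="-configFile /etc/traefik/traefik.yaml"
command_background=true
pidfile=/run/traefik.pid

depend() {
  need net
}
EOF
  chmod 755 /etc/init.d/traefik
  rc-update add traefik boot
  service traefik start
}

main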