m/os-init
2
0
Fork 0
Code Issues 1 Wiki Activity
main
os-init/alpine/apps/traefik/traefik.sh
MatMoul c523441c41 Add Alpine Linux scripts
2023-11-19 17:20:23 +01:00

267 lines
6.2 KiB
Bash
Raw Permalink Blame History

#!/bin/dash
RELEASE=2.6.3
ACMEACCOUNT=@gmail.com
main() {
TraefikConfig
TraefikEtcCertsSelfsigned
TraefikEtcServices
TraefikEtcConfig
TraefikEtcIptable
TraefikBinUpdateTraefik
TraefikService
}
TraefikConfig() {
RELEASE=$(whiptail --title "Release" --inputbox "" 0 30 "${RELEASE}" 3>&1 1>&2 2>&3)
ACMEACCOUNT=$(whiptail --title "ACME Account" --inputbox "" 0 30 "${ACMEACCOUNT}" 3>&1 1>&2 2>&3)
if [ "$?" = "0" ]; then
if [ "${proxy}" != "" ]; then
echo "Acquire::http { Proxy \"${proxy}\"; };" > /etc/apt/apt.conf.d/02proxy
fi
fi
}
TraefikEtcCertsSelfsigned() {
mkdir -p /etc/traefik/certs
openssl ecparam -name secp256r1 -genkey -out /etc/traefik/certs/self.key
openssl req -new -x509 -key /etc/traefik/certs/self.key -sha256 -nodes -out /etc/traefik/certs/self.crt -days 3650
}
TraefikEtcServices() {
mkdir -p /etc/traefik/services
TraefikEtcServicesShared
TraefikEtcServicesDefault
}
TraefikEtcServicesShared() {
cat >> /etc/traefik/services/_shared.yaml << "EOF"
tls:
stores:
default:
defaultCertificate:
certFile: "/etc/traefik/certs/self.crt"
keyFile: "/etc/traefik/certs/self.key"
options:
default:
minVersion: "VersionTLS12"
# sniStrict: true
cipherSuites:
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
mintls13:
minVersion: "VersionTLS13"
http:
middlewares:
to-https:
redirectScheme:
scheme: "https"
permanent: true
to-no-www:
redirectRegex:
regex: "^https://www.(.*)"
replacement: "https://${1}"
permanent: true
hsts-min:
headers:
sslRedirect: true
stsIncludeSubdomains: false
stsPreload: true
stsSeconds: 63072000
contentTypeNosniff: true
accessControlMaxAge: 100
addVaryheader: true
hsts_light:
headers:
sslRedirect: true
frameDeny: true
stsIncludeSubdomains: false
stsPreload: true
stsSeconds: 63072000
contentTypeNosniff: true
accessControlMaxAge: 100
addVaryheader: true
hsts:
headers:
sslRedirect: true
frameDeny: true
stsIncludeSubdomains: false
stsPreload: true
stsSeconds: 63072000
contentTypeNosniff: true
accessControlMaxAge: 100
addVaryheader: true
referrerPolicy: "origin-when-cross-origin"
hsts-strict:
headers:
sslRedirect: true
frameDeny: true
stsIncludeSubdomains: false
stsPreload: true
stsSeconds: 63072000
contentTypeNosniff: true
accessControlMaxAge: 100
addVaryheader: true
contentSecurityPolicy: "script-src 'self'"
referrerPolicy: "origin-when-cross-origin"
services:
dummy:
loadBalancer:
servers:
- url: "https://127.0.0.1:2"
# matomo:
# loadBalancer:
# servers:
# - url: "https://x.x.x.x:xxx"
EOF
}
TraefikEtcServicesDefault() {
cat >> /etc/traefik/services/_default.yaml << "EOF"
http:
routers:
_default:
entryPoints:
- http
rule: "PathPrefix(`/`)"
# priority: 100
# service: _default-matomo
service: _default
_default-secure:
entryPoints:
- https
rule: "PathPrefix(`/`)"
# priority: 100
# service: _default-matomo
service: _default
tls: {}
services:
# _default-matomo:
# mirroring:
# service: _default
# maxBodySize: 1024
# mirrors:
# - name: matomo
# percent: 100
_default:
loadBalancer:
servers:
- url: https://127.0.0.1:2
EOF
}
TraefikEtcConfig() {
cat >> /etc/traefik/traefik.yaml << "EOF"
entryPoints:
http:
address: ":80"
https:
address: ":443"
traefik:
address: ":8099"
api:
dashboard: true
insecure: true
serversTransport:
insecureSkipVerify: true
providers:
file:
directory: "/etc/traefik/services/"
watch: true
certificatesResolvers:
acmev2:
acme:
email: "X{ACMEACCOUNT}"
caserver: "https://acme-v02.api.letsencrypt.org/directory"
storage: "/etc/traefik/certs/acmev2.json"
keyType: "EC384"
tlsChallenge: {}
acmev2-staging:
acme:
email: "X{ACMEACCOUNT}"
caserver: "https://acme-staging-v02.api.letsencrypt.org/directory"
storage: "/etc/traefik/certs/acmev2-staging.json"
keyType: "EC384"
tlsChallenge: {}
EOF
# sed -i /X{ACMEACCOUNT}/${ACMEACCOUNT}/g /etc/traefik/traefik.yaml
}
TraefikEtcIptable() {
if [ -f "/etc/iptables/rules-save" ]; then
sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 8099 -m state --state NEW -j ACCEPT' /etc/iptables/rules-save
sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT' /etc/iptables/rules-save
sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT' /etc/iptables/rules-save
sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # Traefik' /etc/iptables/rules-save
iptables-restore /etc/iptables/rules-save
fi
}
TraefikBinUpdateTraefik() {
cat >> /usr/local/bin/update-traefik << "EOF"
#!/bin/ash
if [[ -z ${1} ]]; then
echo "update-traefik version"
echo "version : x.x.x"
exit 1
fi
version=${1}
mkdir -p /tmp/traefik
cd /tmp/traefik
wget https://github.com/traefik/traefik/releases/download/v${version}/traefik_v${version}_linux_amd64.tar.gz
tar -xf traefik_v${version}_linux_amd64.tar.gz
systemctl stop traefik
cp traefik /usr/local/bin
systemctl start traefik
cd
rm -R /tmp/traefik
EOF
chmod 755 /usr/local/bin/update-traefik
update-traefik "${RELEASE}"
}
TraefikService() {
cat >> /etc/init.d/traefik << "EOF"
#!/sbin/openrc-run
name="traefik"
command="/usr/local/bin/traefik"
command_args="-configFile /etc/traefik/traefik.yaml"
command_background=true
pidfile=/run/traefik.pid
depend() {
need net
}
EOF
chmod 755 /etc/init.d/traefik
rc-update add traefik boot
service traefik start
}
main
Reference in New Issue View Git Blame Copy Permalink