#!/bin/bash # Category : Networking # Description : Traefik - Reverse Proxy & Load Balancer (c/u/s/r/i): installTraefik() { local config_variables="$1" if [[ "$traefik" == *[cCtTuUsSrRiI]* ]]; then dockerConfigSetupToContainer silent traefik; local app_name=$CFG_TRAEFIK_APP_NAME initializeAppVariables $app_name; fi if [[ "$traefik" == *[cC]* ]]; then editAppConfig $app_name; fi if [[ "$traefik" == *[uU]* ]]; then dockerUninstallApp $app_name; fi if [[ "$traefik" == *[sS]* ]]; then dockerComposeDown $app_name; fi if [[ "$traefik" == *[rR]* ]]; then dockerComposeRestart $app_name; fi if [[ "$traefik" == *[iI]* ]]; then isHeader "Install $app_name" if [[ -z "$CFG_TRAEFIK_EMAIL" || "$CFG_TRAEFIK_EMAIL" == "changeme" || "$CFG_TRAEFIK_EMAIL" == "Change-Me" ]]; then if [[ "$LIBREPORTAL_NONINTERACTIVE" == "1" ]]; then isError "CFG_TRAEFIK_EMAIL not set. Run 'libreportal config update CFG_TRAEFIK_EMAIL=you@example.com' first." return 1 fi local traefik_email="" while true; do isQuestion "Administrator email for LetsEncrypt (cert-expiry notices) : " read -p "" traefik_email emailValidation "$traefik_email" [[ $? -eq 0 ]] && break isNotice "Please provide a valid email address." done updateConfigOption "CFG_TRAEFIK_EMAIL" "$traefik_email" sourceScanFiles "libreportal_configs" fi ((menu_number++)) echo "" echo "---- $menu_number. Setting up install folder and config file for $app_name." echo "" dockerConfigSetupToContainer "loud" "$app_name" "install" "$config_variables"; isSuccessful "Install folders and Config files have been setup for $app_name." ((menu_number++)) echo "" ((menu_number++)) echo "" echo "---- $menu_number. Setting up the $app_name docker-compose.yml file." echo "" dockerComposeSetupFile $app_name; # Create necessary directories and set permissions local result=$(createFolders "loud" $docker_install_user "$containers_dir$app_name/etc" "$containers_dir$app_name/etc/certs" "$containers_dir$app_name/etc/dynamic" "$containers_dir$app_name/etc/dynamic/middlewears") checkSuccess "Created etc and certs & dynamic Directories" # Static traefik.yml File # Copy the Traefik configuration file and customize it local result=$(copyResource "$app_name" "traefik.yml" "etc") checkSuccess "Copy Traefik configuration file for $app_name" # Setup Debug Level local result=$(runFileOp sed -i "s|DEBUGLEVEL|$CFG_TRAEFIK_LOGGING|g" "$containers_dir$app_name/etc/traefik.yml") checkSuccess "Configured Traefik debug level with: $CFG_TRAEFIK_LOGGING for $app_name" configSetupFileWithData $app_name "traefik.yml" "etc"; # Apply CFG_TRAEFIK_DASHBOARD_ACCESS: rewrites api.insecure + the # `traefik:` entrypoint in traefik.yml, and (for local-only) prefixes # the compose port mapping with 127.0.0.1: so :8080 binds to loopback. local traefik_yml="$containers_dir$app_name/etc/traefik.yml" local compose_yml="$containers_dir$app_name/docker-compose.yml" local access="${CFG_TRAEFIK_DASHBOARD_ACCESS:-local-only}" case "$access" in local-only) runFileOp sed -i 's|^\(\s*insecure:\s*\).*$|\1true|' "$traefik_yml" # Bind PORT_1 mapping to 127.0.0.1 only. Idempotent — only # adds the prefix if it isn't already there. runFileOp sed -i '/#LIBREPORTAL|PORTS_TAG_1|/ { /127\.0\.0\.1:/! s|"\([0-9]\+:[0-9]\+\)"|"127.0.0.1:\1"| }' "$compose_yml" checkSuccess "Dashboard access: local-only (loopback :8080 + auth-protected domain)" ;; domain-only) runFileOp sed -i 's|^\(\s*insecure:\s*\).*$|\1false|' "$traefik_yml" # Drop the :8080 entrypoint entirely — nothing should listen # there if the dashboard is domain-only. runFileOp sed -i '/^\s*traefik:\s*$/,/^\s*address:\s*:8080\s*$/d' "$traefik_yml" checkSuccess "Dashboard access: domain-only (auth-protected via Host route only)" ;; public) runFileOp sed -i 's|^\(\s*insecure:\s*\).*$|\1true|' "$traefik_yml" # Strip any 127.0.0.1: prefix the compose port may have # picked up from a previous local-only install. runFileOp sed -i '/#LIBREPORTAL|PORTS_TAG_1|/ s|"127\.0\.0\.1:\([0-9]\+:[0-9]\+\)"|"\1"|' "$compose_yml" checkSuccess "Dashboard access: public (unauthenticated :8080 on all interfaces — legacy)" ;; *) isNotice "Unknown CFG_TRAEFIK_DASHBOARD_ACCESS='$access'; leaving traefik.yml at defaults." ;; esac # Enable the Prometheus metrics endpoint + provider only when # CFG_TRAEFIK_MONITORING=true (toggles the libreportal-monitoring # marker blocks in traefik.yml). monitoringRefreshAll later in this # install picks up the scrape fragment + dashboard. monitoringToggleAppConfig "$app_name" "etc/traefik.yml"; # Dynamic config.yml File # Copy the Traefik configuration file and customize it local result=$(copyResource "$app_name" "config.yml" "etc/dynamic") checkSuccess "Copy Traefik Dynamic config.yml configuration file for $app_name" # Setup Error 404 Website local result=$(runFileOp sed -i "s|ERRORWEBSITE|$CFG_TRAEFIK_404_SITE|g" "$containers_dir$app_name/etc/dynamic/config.yml") checkSuccess "Configured Traefik error website with URL: $CFG_TRAEFIK_404_SITE for $app_name" configSetupFileWithData $app_name "config.yml" "etc/dynamic"; # Dynamic whitelist.yml File local result=$(copyResource "$app_name" "whitelist.yml" "etc/dynamic") checkSuccess "Copy Traefik Dynamic whitelist.yml configuration file for $app_name" # Middlewears # Dynamic protectionauth.yml File local result=$(copyResource "$app_name" "protectionauth.yml" "etc/dynamic/middlewears") checkSuccess "Copy Traefik Dynamic protectionauth.yml configuration file for $app_name" traefikUpdateWhitelist; # Dynamic tls.yml File local result=$(copyResource "$app_name" "tls.yml" "etc/dynamic") checkSuccess "Copy Traefik Dynamic tls.yml configuration file for $app_name" traefikSetupLoginCredentials; ((menu_number++)) echo "" echo "---- $menu_number. Running the docker-compose.yml to install and start $app_name" echo "" dockerComposeUpdateAndStartApp $app_name install; ((menu_number++)) echo "" echo "---- $menu_number. Updating file permissions before starting." echo "" fixPermissionsBeforeStart $app_name; ((menu_number++)) echo "" echo "---- $menu_number. Running Application specific updates (if required)" echo "" appUpdateSpecifics $app_name; ((menu_number++)) echo "" echo "---- $menu_number. Running Headscale setup (if required)" echo "" setupHeadscale $app_name; ((menu_number++)) echo "" echo "---- $menu_number. Adding $app_name to the Apps Database table." echo "" databaseInstallApp $app_name; ((menu_number++)) echo "" echo "---- $menu_number. Updating WebUI config file." echo "" webuiContainerSetup $app_name install; ((menu_number++)) echo "" echo "---- $menu_number. Refreshing monitoring integration." echo "" # Self-correcting: adds Traefik's scrape target + dashboard to # Prometheus/Grafana when CFG_TRAEFIK_MONITORING=true, removes them # when it's off. No-ops with a notice if either app isn't installed. monitoringRefreshAll; ((menu_number++)) echo "" echo "---- $menu_number. You can find $app_name files at $containers_dir$app_name" echo "" echo " You can now navigate to your $app_name service using any of the options below : " echo "" menuShowFinalMessages $app_name; menu_number=0 #sleep 3s cd fi traefik=n }