- New runInstallOp helper for manager install-dir/template ops (rooted: sudo; rootless: run as the current manager user, which owns the tree). - adguard.sh, traefik.sh: container-config sed -> runFileOp. - crowdsec.sh: host crowdsec systemctl/apt-get -> runSystem. - dashy_update_conf.sh: conf-file mkdir/chown/md5sum/tee -> runFileOp/ runFileWrite; docker ps/restart -> dockerCommandRun. Deferred (cross-owner copy / temp-file across /tmp<->/docker, need rootless env to bridge correctly): owncloud_setup_config.sh, adguard_auth.sh. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Signed-off-by: librelad <librelad@digitalangels.vip>
223 lines
8.3 KiB
Bash
Executable File
223 lines
8.3 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
# Category : Networking
|
|
# Description : Traefik - Reverse Proxy & Load Balancer (c/u/s/r/i):
|
|
|
|
installTraefik()
|
|
{
|
|
local config_variables="$1"
|
|
|
|
if [[ "$traefik" == *[cCtTuUsSrRiI]* ]]; then
|
|
dockerConfigSetupToContainer silent traefik;
|
|
local app_name=$CFG_TRAEFIK_APP_NAME
|
|
initializeAppVariables $app_name;
|
|
fi
|
|
|
|
if [[ "$traefik" == *[cC]* ]]; then
|
|
editAppConfig $app_name;
|
|
fi
|
|
|
|
if [[ "$traefik" == *[uU]* ]]; then
|
|
dockerUninstallApp $app_name;
|
|
fi
|
|
|
|
if [[ "$traefik" == *[sS]* ]]; then
|
|
dockerComposeDown $app_name;
|
|
fi
|
|
|
|
if [[ "$traefik" == *[rR]* ]]; then
|
|
dockerComposeRestart $app_name;
|
|
fi
|
|
|
|
if [[ "$traefik" == *[iI]* ]]; then
|
|
isHeader "Install $app_name"
|
|
|
|
if [[ -z "$CFG_TRAEFIK_EMAIL" || "$CFG_TRAEFIK_EMAIL" == "changeme" || "$CFG_TRAEFIK_EMAIL" == "Change-Me" ]]; then
|
|
if [[ "$LIBREPORTAL_NONINTERACTIVE" == "1" ]]; then
|
|
isError "CFG_TRAEFIK_EMAIL not set. Run 'libreportal config update CFG_TRAEFIK_EMAIL=you@example.com' first."
|
|
return 1
|
|
fi
|
|
local traefik_email=""
|
|
while true; do
|
|
isQuestion "Administrator email for LetsEncrypt (cert-expiry notices) : "
|
|
read -p "" traefik_email
|
|
emailValidation "$traefik_email"
|
|
[[ $? -eq 0 ]] && break
|
|
isNotice "Please provide a valid email address."
|
|
done
|
|
updateConfigOption "CFG_TRAEFIK_EMAIL" "$traefik_email"
|
|
sourceScanFiles "libreportal_configs"
|
|
fi
|
|
|
|
((menu_number++))
|
|
echo ""
|
|
echo "---- $menu_number. Setting up install folder and config file for $app_name."
|
|
echo ""
|
|
|
|
dockerConfigSetupToContainer "loud" "$app_name" "install" "$config_variables";
|
|
isSuccessful "Install folders and Config files have been setup for $app_name."
|
|
|
|
((menu_number++))
|
|
echo ""
|
|
|
|
|
|
((menu_number++))
|
|
echo ""
|
|
echo "---- $menu_number. Setting up the $app_name docker-compose.yml file."
|
|
echo ""
|
|
|
|
dockerComposeSetupFile $app_name;
|
|
|
|
# Create necessary directories and set permissions
|
|
local result=$(createFolders "loud" $docker_install_user "$containers_dir$app_name/etc" "$containers_dir$app_name/etc/certs" "$containers_dir$app_name/etc/dynamic" "$containers_dir$app_name/etc/dynamic/middlewears")
|
|
checkSuccess "Created etc and certs & dynamic Directories"
|
|
|
|
# Static traefik.yml File
|
|
# Copy the Traefik configuration file and customize it
|
|
local result=$(copyResource "$app_name" "traefik.yml" "etc")
|
|
checkSuccess "Copy Traefik configuration file for $app_name"
|
|
|
|
# Setup Debug Level
|
|
local result=$(runFileOp sed -i "s|DEBUGLEVEL|$CFG_TRAEFIK_LOGGING|g" "$containers_dir$app_name/etc/traefik.yml")
|
|
checkSuccess "Configured Traefik debug level with: $CFG_TRAEFIK_LOGGING for $app_name"
|
|
|
|
configSetupFileWithData $app_name "traefik.yml" "etc";
|
|
|
|
# Apply CFG_TRAEFIK_DASHBOARD_ACCESS: rewrites api.insecure + the
|
|
# `traefik:` entrypoint in traefik.yml, and (for local-only) prefixes
|
|
# the compose port mapping with 127.0.0.1: so :8080 binds to loopback.
|
|
local traefik_yml="$containers_dir$app_name/etc/traefik.yml"
|
|
local compose_yml="$containers_dir$app_name/docker-compose.yml"
|
|
local access="${CFG_TRAEFIK_DASHBOARD_ACCESS:-local-only}"
|
|
|
|
case "$access" in
|
|
local-only)
|
|
runFileOp sed -i 's|^\(\s*insecure:\s*\).*$|\1true|' "$traefik_yml"
|
|
# Bind PORT_1 mapping to 127.0.0.1 only. Idempotent — only
|
|
# adds the prefix if it isn't already there.
|
|
runFileOp sed -i '/#LIBREPORTAL|PORTS_TAG_1|/ {
|
|
/127\.0\.0\.1:/! s|"\([0-9]\+:[0-9]\+\)"|"127.0.0.1:\1"|
|
|
}' "$compose_yml"
|
|
checkSuccess "Dashboard access: local-only (loopback :8080 + auth-protected domain)"
|
|
;;
|
|
domain-only)
|
|
runFileOp sed -i 's|^\(\s*insecure:\s*\).*$|\1false|' "$traefik_yml"
|
|
# Drop the :8080 entrypoint entirely — nothing should listen
|
|
# there if the dashboard is domain-only.
|
|
runFileOp sed -i '/^\s*traefik:\s*$/,/^\s*address:\s*:8080\s*$/d' "$traefik_yml"
|
|
checkSuccess "Dashboard access: domain-only (auth-protected via Host route only)"
|
|
;;
|
|
public)
|
|
runFileOp sed -i 's|^\(\s*insecure:\s*\).*$|\1true|' "$traefik_yml"
|
|
# Strip any 127.0.0.1: prefix the compose port may have
|
|
# picked up from a previous local-only install.
|
|
runFileOp sed -i '/#LIBREPORTAL|PORTS_TAG_1|/ s|"127\.0\.0\.1:\([0-9]\+:[0-9]\+\)"|"\1"|' "$compose_yml"
|
|
checkSuccess "Dashboard access: public (unauthenticated :8080 on all interfaces — legacy)"
|
|
;;
|
|
*)
|
|
isNotice "Unknown CFG_TRAEFIK_DASHBOARD_ACCESS='$access'; leaving traefik.yml at defaults."
|
|
;;
|
|
esac
|
|
|
|
# Enable the Prometheus metrics endpoint + provider only when
|
|
# CFG_TRAEFIK_MONITORING=true (toggles the libreportal-monitoring
|
|
# marker blocks in traefik.yml). monitoringRefreshAll later in this
|
|
# install picks up the scrape fragment + dashboard.
|
|
monitoringToggleAppConfig "$app_name" "etc/traefik.yml";
|
|
|
|
# Dynamic config.yml File
|
|
# Copy the Traefik configuration file and customize it
|
|
local result=$(copyResource "$app_name" "config.yml" "etc/dynamic")
|
|
checkSuccess "Copy Traefik Dynamic config.yml configuration file for $app_name"
|
|
|
|
# Setup Error 404 Website
|
|
local result=$(runFileOp sed -i "s|ERRORWEBSITE|$CFG_TRAEFIK_404_SITE|g" "$containers_dir$app_name/etc/dynamic/config.yml")
|
|
checkSuccess "Configured Traefik error website with URL: $CFG_TRAEFIK_404_SITE for $app_name"
|
|
|
|
configSetupFileWithData $app_name "config.yml" "etc/dynamic";
|
|
|
|
# Dynamic whitelist.yml File
|
|
local result=$(copyResource "$app_name" "whitelist.yml" "etc/dynamic")
|
|
checkSuccess "Copy Traefik Dynamic whitelist.yml configuration file for $app_name"
|
|
|
|
# Middlewears
|
|
# Dynamic protectionauth.yml File
|
|
local result=$(copyResource "$app_name" "protectionauth.yml" "etc/dynamic/middlewears")
|
|
checkSuccess "Copy Traefik Dynamic protectionauth.yml configuration file for $app_name"
|
|
|
|
traefikUpdateWhitelist;
|
|
|
|
# Dynamic tls.yml File
|
|
local result=$(copyResource "$app_name" "tls.yml" "etc/dynamic")
|
|
checkSuccess "Copy Traefik Dynamic tls.yml configuration file for $app_name"
|
|
|
|
traefikSetupLoginCredentials;
|
|
|
|
((menu_number++))
|
|
echo ""
|
|
echo "---- $menu_number. Running the docker-compose.yml to install and start $app_name"
|
|
echo ""
|
|
|
|
dockerComposeUpdateAndStartApp $app_name install;
|
|
|
|
((menu_number++))
|
|
echo ""
|
|
echo "---- $menu_number. Updating file permissions before starting."
|
|
echo ""
|
|
|
|
fixPermissionsBeforeStart $app_name;
|
|
|
|
((menu_number++))
|
|
echo ""
|
|
echo "---- $menu_number. Running Application specific updates (if required)"
|
|
echo ""
|
|
|
|
appUpdateSpecifics $app_name;
|
|
|
|
((menu_number++))
|
|
echo ""
|
|
echo "---- $menu_number. Running Headscale setup (if required)"
|
|
echo ""
|
|
|
|
setupHeadscale $app_name;
|
|
|
|
((menu_number++))
|
|
echo ""
|
|
echo "---- $menu_number. Adding $app_name to the Apps Database table."
|
|
echo ""
|
|
|
|
databaseInstallApp $app_name;
|
|
|
|
((menu_number++))
|
|
echo ""
|
|
echo "---- $menu_number. Updating WebUI config file."
|
|
echo ""
|
|
|
|
webuiContainerSetup $app_name install;
|
|
|
|
((menu_number++))
|
|
echo ""
|
|
echo "---- $menu_number. Refreshing monitoring integration."
|
|
echo ""
|
|
|
|
# Self-correcting: adds Traefik's scrape target + dashboard to
|
|
# Prometheus/Grafana when CFG_TRAEFIK_MONITORING=true, removes them
|
|
# when it's off. No-ops with a notice if either app isn't installed.
|
|
monitoringRefreshAll;
|
|
|
|
((menu_number++))
|
|
echo ""
|
|
echo "---- $menu_number. You can find $app_name files at $containers_dir$app_name"
|
|
echo ""
|
|
echo " You can now navigate to your $app_name service using any of the options below : "
|
|
echo ""
|
|
|
|
menuShowFinalMessages $app_name;
|
|
|
|
menu_number=0
|
|
#sleep 3s
|
|
cd
|
|
fi
|
|
traefik=n
|
|
}
|