librelad 875a60f90f LibrePortal v0.1.0 — initial release
A free, open, self-hosted app platform (GNU AGPLv3): one-click app deploys,
Traefik reverse proxy with automatic SSL, rootless Docker support, gluetun
VPN routing, and a web dashboard to manage it all.

Free & open forever to self-host; optional paid hosted services fund it.
See PROMISE.md.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-21 20:37:54 +01:00

223 lines
8.3 KiB
Bash
Executable File

#!/bin/bash
# Category : Networking
# Description : Traefik - Reverse Proxy & Load Balancer (c/u/s/r/i):
installTraefik()
{
local config_variables="$1"
if [[ "$traefik" == *[cCtTuUsSrRiI]* ]]; then
dockerConfigSetupToContainer silent traefik;
local app_name=$CFG_TRAEFIK_APP_NAME
initializeAppVariables $app_name;
fi
if [[ "$traefik" == *[cC]* ]]; then
editAppConfig $app_name;
fi
if [[ "$traefik" == *[uU]* ]]; then
dockerUninstallApp $app_name;
fi
if [[ "$traefik" == *[sS]* ]]; then
dockerComposeDown $app_name;
fi
if [[ "$traefik" == *[rR]* ]]; then
dockerComposeRestart $app_name;
fi
if [[ "$traefik" == *[iI]* ]]; then
isHeader "Install $app_name"
if [[ -z "$CFG_TRAEFIK_EMAIL" || "$CFG_TRAEFIK_EMAIL" == "changeme" || "$CFG_TRAEFIK_EMAIL" == "Change-Me" ]]; then
if [[ "$LIBREPORTAL_NONINTERACTIVE" == "1" ]]; then
isError "CFG_TRAEFIK_EMAIL not set. Run 'libreportal config update CFG_TRAEFIK_EMAIL=you@example.com' first."
return 1
fi
local traefik_email=""
while true; do
isQuestion "Administrator email for LetsEncrypt (cert-expiry notices) : "
read -p "" traefik_email
emailValidation "$traefik_email"
[[ $? -eq 0 ]] && break
isNotice "Please provide a valid email address."
done
updateConfigOption "CFG_TRAEFIK_EMAIL" "$traefik_email"
sourceScanFiles "libreportal_configs"
fi
((menu_number++))
echo ""
echo "---- $menu_number. Setting up install folder and config file for $app_name."
echo ""
dockerConfigSetupToContainer "loud" "$app_name" "install" "$config_variables";
isSuccessful "Install folders and Config files have been setup for $app_name."
((menu_number++))
echo ""
((menu_number++))
echo ""
echo "---- $menu_number. Setting up the $app_name docker-compose.yml file."
echo ""
dockerComposeSetupFile $app_name;
# Create necessary directories and set permissions
local result=$(createFolders "loud" $docker_install_user "$containers_dir$app_name/etc" "$containers_dir$app_name/etc/certs" "$containers_dir$app_name/etc/dynamic" "$containers_dir$app_name/etc/dynamic/middlewears")
checkSuccess "Created etc and certs & dynamic Directories"
# Static traefik.yml File
# Copy the Traefik configuration file and customize it
local result=$(copyResource "$app_name" "traefik.yml" "etc")
checkSuccess "Copy Traefik configuration file for $app_name"
# Setup Debug Level
local result=$(sudo sed -i "s|DEBUGLEVEL|$CFG_TRAEFIK_LOGGING|g" "$containers_dir$app_name/etc/traefik.yml")
checkSuccess "Configured Traefik debug level with: $CFG_TRAEFIK_LOGGING for $app_name"
configSetupFileWithData $app_name "traefik.yml" "etc";
# Apply CFG_TRAEFIK_DASHBOARD_ACCESS: rewrites api.insecure + the
# `traefik:` entrypoint in traefik.yml, and (for local-only) prefixes
# the compose port mapping with 127.0.0.1: so :8080 binds to loopback.
local traefik_yml="$containers_dir$app_name/etc/traefik.yml"
local compose_yml="$containers_dir$app_name/docker-compose.yml"
local access="${CFG_TRAEFIK_DASHBOARD_ACCESS:-local-only}"
case "$access" in
local-only)
sudo sed -i 's|^\(\s*insecure:\s*\).*$|\1true|' "$traefik_yml"
# Bind PORT_1 mapping to 127.0.0.1 only. Idempotent — only
# adds the prefix if it isn't already there.
sudo sed -i '/#LIBREPORTAL|PORTS_TAG_1|/ {
/127\.0\.0\.1:/! s|"\([0-9]\+:[0-9]\+\)"|"127.0.0.1:\1"|
}' "$compose_yml"
checkSuccess "Dashboard access: local-only (loopback :8080 + auth-protected domain)"
;;
domain-only)
sudo sed -i 's|^\(\s*insecure:\s*\).*$|\1false|' "$traefik_yml"
# Drop the :8080 entrypoint entirely — nothing should listen
# there if the dashboard is domain-only.
sudo sed -i '/^\s*traefik:\s*$/,/^\s*address:\s*:8080\s*$/d' "$traefik_yml"
checkSuccess "Dashboard access: domain-only (auth-protected via Host route only)"
;;
public)
sudo sed -i 's|^\(\s*insecure:\s*\).*$|\1true|' "$traefik_yml"
# Strip any 127.0.0.1: prefix the compose port may have
# picked up from a previous local-only install.
sudo sed -i '/#LIBREPORTAL|PORTS_TAG_1|/ s|"127\.0\.0\.1:\([0-9]\+:[0-9]\+\)"|"\1"|' "$compose_yml"
checkSuccess "Dashboard access: public (unauthenticated :8080 on all interfaces — legacy)"
;;
*)
isNotice "Unknown CFG_TRAEFIK_DASHBOARD_ACCESS='$access'; leaving traefik.yml at defaults."
;;
esac
# Enable the Prometheus metrics endpoint + provider only when
# CFG_TRAEFIK_MONITORING=true (toggles the libreportal-monitoring
# marker blocks in traefik.yml). monitoringRefreshAll later in this
# install picks up the scrape fragment + dashboard.
monitoringToggleAppConfig "$app_name" "etc/traefik.yml";
# Dynamic config.yml File
# Copy the Traefik configuration file and customize it
local result=$(copyResource "$app_name" "config.yml" "etc/dynamic")
checkSuccess "Copy Traefik Dynamic config.yml configuration file for $app_name"
# Setup Error 404 Website
local result=$(sudo sed -i "s|ERRORWEBSITE|$CFG_TRAEFIK_404_SITE|g" "$containers_dir$app_name/etc/dynamic/config.yml")
checkSuccess "Configured Traefik error website with URL: $CFG_TRAEFIK_404_SITE for $app_name"
configSetupFileWithData $app_name "config.yml" "etc/dynamic";
# Dynamic whitelist.yml File
local result=$(copyResource "$app_name" "whitelist.yml" "etc/dynamic")
checkSuccess "Copy Traefik Dynamic whitelist.yml configuration file for $app_name"
# Middlewears
# Dynamic protectionauth.yml File
local result=$(copyResource "$app_name" "protectionauth.yml" "etc/dynamic/middlewears")
checkSuccess "Copy Traefik Dynamic protectionauth.yml configuration file for $app_name"
traefikUpdateWhitelist;
# Dynamic tls.yml File
local result=$(copyResource "$app_name" "tls.yml" "etc/dynamic")
checkSuccess "Copy Traefik Dynamic tls.yml configuration file for $app_name"
traefikSetupLoginCredentials;
((menu_number++))
echo ""
echo "---- $menu_number. Running the docker-compose.yml to install and start $app_name"
echo ""
dockerComposeUpdateAndStartApp $app_name install;
((menu_number++))
echo ""
echo "---- $menu_number. Updating file permissions before starting."
echo ""
fixPermissionsBeforeStart $app_name;
((menu_number++))
echo ""
echo "---- $menu_number. Running Application specific updates (if required)"
echo ""
appUpdateSpecifics $app_name;
((menu_number++))
echo ""
echo "---- $menu_number. Running Headscale setup (if required)"
echo ""
setupHeadscale $app_name;
((menu_number++))
echo ""
echo "---- $menu_number. Adding $app_name to the Apps Database table."
echo ""
databaseInstallApp $app_name;
((menu_number++))
echo ""
echo "---- $menu_number. Updating WebUI config file."
echo ""
webuiContainerSetup $app_name install;
((menu_number++))
echo ""
echo "---- $menu_number. Refreshing monitoring integration."
echo ""
# Self-correcting: adds Traefik's scrape target + dashboard to
# Prometheus/Grafana when CFG_TRAEFIK_MONITORING=true, removes them
# when it's off. No-ops with a notice if either app isn't installed.
monitoringRefreshAll;
((menu_number++))
echo ""
echo "---- $menu_number. You can find $app_name files at $containers_dir$app_name"
echo ""
echo " You can now navigate to your $app_name service using any of the options below : "
echo ""
menuShowFinalMessages $app_name;
menu_number=0
#sleep 3s
cd
fi
traefik=n
}