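#!/bin/sh
# Provision a fresh Debian host: create an admin user, install Docker and
# docker-compose, open the firewall, then deploy Traefik v2 (Let's Encrypt
# resolver, basic-auth protected dashboard) and Portainer behind it.
#
# Must be run as root.  The only interactive step is htpasswd asking for the
# dashboard password.  POSIX sh only: no pipefail, no arrays, no `local`.
#
# TODO verbosity
# TODO hardening

set -eu

# ---- configuration --------------------------------------------------------
_lets_encrypt_email="wptest@isnet.uk"
_server_base_url="wptest.isnet.uk"
_portainer_url="portainer.$_server_base_url"
_admin_user="ray"
_compose_version="1.25.4"
_docker_root="/var/docker"

# Print a message to stderr and exit 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Create the admin user, give it docker access and copy root's SSH keys to it.
add_admin_user() {
  useradd -m -s /bin/bash "$_admin_user"
  # The docker group may already exist (e.g. from an earlier docker install);
  # recreating it would abort the script under set -e.
  getent group docker >/dev/null || groupadd docker
  usermod -aG docker "$_admin_user"
  # Reuse root's authorized_keys so the new user is reachable over SSH, and
  # set ownership/modes the way sshd's StrictModes expects them.
  mkdir -p "/home/$_admin_user/.ssh"
  cp /root/.ssh/authorized_keys "/home/$_admin_user/.ssh/"
  chown -R "$_admin_user:" "/home/$_admin_user/.ssh"
  chmod 700 "/home/$_admin_user/.ssh"
  chmod 600 "/home/$_admin_user/.ssh/authorized_keys"
}

# Install the packages the rest of the script depends on.
install_base_packages() {
  apt-get update
  # -y: no interactive confirmation.  lsb-release provides lsb_release, which
  # install_docker uses to pick the repository codename.
  apt-get install -y \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg2 \
    lsb-release \
    software-properties-common \
    apache2-utils \
    ufw
}

# Allow ssh/http/https and turn ufw on without the confirmation prompt.
configure_firewall() {
  ufw allow ssh
  ufw allow http
  ufw allow https
  # --force skips the "may disrupt existing ssh connections" prompt that
  # would otherwise block an unattended run.
  ufw --force enable
}

# Install docker-ce from Docker's apt repository and a pinned docker-compose.
install_docker() {
  # Fetch the key first, then import it: in POSIX sh a failing curl inside a
  # pipeline would not abort under set -e.  Runs as root, so no sudo.
  _docker_key=$(curl -fsSL https://download.docker.com/linux/debian/gpg)
  printf '%s\n' "$_docker_key" | apt-key add -
  add-apt-repository \
    "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
  apt-get update
  apt-get install -y docker-ce docker-ce-cli containerd.io

  # -f makes curl fail on an HTTP error instead of saving the error page as
  # the binary.  TODO: verify the release checksum/signature before installing.
  curl -fsSL \
    "https://github.com/docker/compose/releases/download/${_compose_version}/docker-compose-$(uname -s)-$(uname -m)" \
    -o /usr/local/bin/docker-compose
  chmod +x /usr/local/bin/docker-compose
}

# Write the Traefik static config and compose file, then start it.
deploy_traefik() {
  printf '%s\n' "Basic HTTP authorisation password for user: $_admin_user"
  # htpasswd prompts for the password.  '$' is doubled because docker-compose
  # would otherwise treat the '$' in the bcrypt hash as variable interpolation.
  _ht_passwd=$(htpasswd -nB "$_admin_user" | sed -e 's/\$/\$\$/g')
  [ -n "$_ht_passwd" ] || die "htpasswd produced no credentials"

  # The network may already exist from a previous run.
  docker network inspect web >/dev/null 2>&1 || docker network create web
  mkdir -p "$_docker_root/traefik" "$_docker_root/portainer"
  touch "$_docker_root/traefik/acme.json"
  # acme.json stores the private keys of the issued certificates.
  chmod 600 "$_docker_root/traefik/acme.json"

  cd "$_docker_root/traefik" || exit 20
  cat > traefik.yml <<EOF
api:
  dashboard: true
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
certificatesResolvers:
  http:
    acme:
      email: $_lets_encrypt_email
      storage: acme.json
      httpChallenge:
        entryPoint: http
EOF

  # '>' rather than '>>': appending would corrupt the file on a second run.
  # docker.sock gives the container control of the Docker host, so the
  # dashboard (api@internal) is only reachable through the traefik-auth
  # basic-auth middleware on the https router.
  cat > docker-compose.yml <<EOF
version: '3'
services:
  traefik:
    image: traefik:v2.0
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - web
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/traefik.yml:ro
      - ./acme.json:/acme.json
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(\`$_server_base_url\`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=$_ht_passwd"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(\`$_server_base_url\`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=http"
      - "traefik.http.routers.traefik-secure.service=api@internal"
networks:
  web:
    external: true
EOF
  docker-compose up -d
}

# Write /var/docker/portainer/docker-compose.yml and start Portainer.
deploy_portainer() {
  cd "$_docker_root/portainer" || exit 30
  # Same '>' reasoning as for Traefik.  Portainer also gets docker.sock and
  # its admin account is created by whoever reaches the UI first, hence the
  # reminder printed at the end of the script.
  # TODO: pin portainer/portainer to a specific tag instead of :latest.
  cat > docker-compose.yml <<EOF
version: '3'
services:
  portainer:
    image: portainer/portainer:latest
    container_name: portainer
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - web
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data:/data
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.portainer.entrypoints=http"
      - "traefik.http.routers.portainer.rule=Host(\`$_portainer_url\`)"
      - "traefik.http.middlewares.portainer-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.portainer.middlewares=portainer-https-redirect"
      - "traefik.http.routers.portainer-secure.entrypoints=https"
      - "traefik.http.routers.portainer-secure.rule=Host(\`$_portainer_url\`)"
      - "traefik.http.routers.portainer-secure.tls=true"
      - "traefik.http.routers.portainer-secure.tls.certresolver=http"
      - "traefik.http.routers.portainer-secure.service=portainer"
      - "traefik.http.services.portainer.loadbalancer.server.port=9000"
      - "traefik.docker.network=web"
networks:
  web:
    external: true
EOF
  docker-compose up -d
}

main() {
  [ "$(id -u)" -eq 0 ] || die "this script must be run as root"
  add_admin_user
  install_base_packages
  configure_firewall
  install_docker
  deploy_traefik
  deploy_portainer
  # or see if can set from script
  printf '%s\n' "VISIT PORTAINER URL NOW" "TO SET INITIAL LOGIN:" " https://$_portainer_url"
}

main "$@"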