175 lines
5.1 KiB
Bash
Executable File
175 lines
5.1 KiB
Bash
Executable File
#!/bin/sh
|
|
|
|
set -e
|
|
|
|
# TODO basic error checking
|
|
# TODO verbosity
|
|
# TODO hardening
|
|
|
|
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
|
|
|
_server_base_url="$_domain"
|
|
|
|
echo "Provisioning: $_server_base_url$ - (whoami)@$(hostname)"
|
|
|
|
_docker_container_config_dir="/var/docker"
|
|
_docker_compose_version="1.25.4"
|
|
|
|
# add user
|
|
useradd -m -s /bin/bash "$_docker_user"
|
|
groupadd docker
|
|
usermod -aG docker "$_docker_user"
|
|
mkdir /home/"$_docker_user"/.ssh
|
|
cp /root/.ssh/authorized_keys /home/"$_docker_user"/.ssh/
|
|
chown "$_docker_user": /home/"$_docker_user"/.ssh/authorized_keys
|
|
|
|
apt-get update
|
|
apt-get upgrade --yes
|
|
apt-get install \
|
|
apt-transport-https \
|
|
ca-certificates \
|
|
curl \
|
|
gnupg2 \
|
|
software-properties-common \
|
|
apache2-utils \
|
|
ufw
|
|
|
|
ufw allow ssh
|
|
ufw allow http
|
|
ufw allow https
|
|
ufw --force enable
|
|
|
|
curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
|
|
add-apt-repository \
|
|
"deb [arch=amd64] https://download.docker.com/linux/debian \
|
|
$(lsb_release -cs) \
|
|
stable"
|
|
apt-get update
|
|
apt-get install docker-ce docker-ce-cli containerd.io
|
|
|
|
curl -L "https://github.com/docker/compose/releases/download/$_docker_compose_version/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
|
|
chmod +x /usr/local/bin/docker-compose
|
|
|
|
echo "Basic HTTP authorisation password for user: $_docker_user"
|
|
_HT_PASSWD=$(htpasswd -nB "$_docker_user" | sed -e 's/\$/\$\$/g')
|
|
|
|
docker network create web
|
|
|
|
mkdir -p "$_docker_container_config_dir"/traefik
|
|
mkdir -p "$_docker_container_config_dir"/portainer
|
|
touch "$_docker_container_config_dir"/traefik/acme.json
|
|
chmod 600 "$_docker_container_config_dir"/traefik/acme.json
|
|
|
|
cd "$_docker_container_config_dir"/traefik || exit 20
|
|
echo "api:
|
|
dashboard: true
|
|
|
|
entryPoints:
|
|
http:
|
|
address: \":80\"
|
|
https:
|
|
address: \":443\"
|
|
|
|
providers:
|
|
docker:
|
|
endpoint: \"unix:///var/run/docker.sock\"
|
|
exposedByDefault: false
|
|
|
|
certificatesResolvers:
|
|
http:
|
|
acme:
|
|
email: $_lets_encrypt_email
|
|
storage: acme.json
|
|
httpChallenge:
|
|
entryPoint: http
|
|
" > traefik.yml
|
|
|
|
echo "version: '3'
|
|
|
|
services:
|
|
traefik:
|
|
image: traefik:v2.0
|
|
container_name: traefik
|
|
restart: unless-stopped
|
|
security_opt:
|
|
- no-new-privileges:true
|
|
networks:
|
|
- web
|
|
ports:
|
|
- 80:80
|
|
- 443:443
|
|
volumes:
|
|
- /etc/localtime:/etc/localtime:ro
|
|
- /var/run/docker.sock:/var/run/docker.sock:ro
|
|
- ./traefik.yml:/traefik.yml:ro
|
|
- ./acme.json:/acme.json
|
|
labels:
|
|
- \"traefik.enable=true\"
|
|
- \"traefik.http.routers.traefik.entrypoints=http\"
|
|
- \"traefik.http.routers.traefik.rule=Host(\`$_server_base_url\`)\"
|
|
- \"traefik.http.middlewares.traefik-auth.basicauth.users=$_HT_PASSWD\"
|
|
- \"traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https\"
|
|
- \"traefik.http.routers.traefik.middlewares=traefik-https-redirect\"
|
|
- \"traefik.http.routers.traefik-secure.entrypoints=https\"
|
|
- \"traefik.http.routers.traefik-secure.rule=Host(\`$_server_base_url\`)\"
|
|
- \"traefik.http.routers.traefik-secure.middlewares=traefik-auth\"
|
|
- \"traefik.http.routers.traefik-secure.tls=true\"
|
|
- \"traefik.http.routers.traefik-secure.tls.certresolver=http\"
|
|
- \"traefik.http.routers.traefik-secure.service=api@internal\"
|
|
|
|
networks:
|
|
web:
|
|
external: true
|
|
" >> docker-compose.yml
|
|
docker-compose up -d
|
|
|
|
cd "$_docker_container_config_dir"/portainer || exit 30
|
|
# create "$_docker_container_config_dir"/portainer/docker-compose.yml
|
|
_portainer_url="portainer.$_server_base_url"
|
|
echo "version: '3'
|
|
|
|
services:
|
|
portainer:
|
|
image: portainer/portainer:latest
|
|
container_name: portainer
|
|
restart: unless-stopped
|
|
security_opt:
|
|
- no-new-privileges:true
|
|
networks:
|
|
- web
|
|
volumes:
|
|
- /etc/localtime:/etc/localtime:ro
|
|
- /var/run/docker.sock:/var/run/docker.sock:ro
|
|
- ./data:/data
|
|
labels:
|
|
- \"traefik.enable=true\"
|
|
- \"traefik.http.routers.portainer.entrypoints=http\"
|
|
- \"traefik.http.routers.portainer.rule=Host(\`$_portainer_url\`)\"
|
|
- \"traefik.http.middlewares.portainer-https-redirect.redirectscheme.scheme=https\"
|
|
- \"traefik.http.routers.portainer.middlewares=portainer-https-redirect\"
|
|
- \"traefik.http.routers.portainer-secure.entrypoints=https\"
|
|
- \"traefik.http.routers.portainer-secure.rule=Host(\`$_portainer_url\`)\"
|
|
- \"traefik.http.routers.portainer-secure.tls=true\"
|
|
- \"traefik.http.routers.portainer-secure.tls.certresolver=http\"
|
|
- \"traefik.http.routers.portainer-secure.service=portainer\"
|
|
- \"traefik.http.services.portainer.loadbalancer.server.port=9000\"
|
|
- \"traefik.docker.network=web\"
|
|
|
|
networks:
|
|
web:
|
|
external: true
|
|
" >> docker-compose.yml
|
|
docker-compose up -d
|
|
|
|
echo "-------------------------------------------------------------------------"
|
|
echo ""
|
|
echo "VISIT PORTAINER URL NOW TO SET INITIAL LOGIN:"
|
|
echo " https://$_portainer_url"
|
|
echo ""
|
|
echo "Traefik URl: https://$_server_base_url"
|
|
echo ""
|
|
echo "WARNING: May get insecure SSL errors"
|
|
echo " this is temporary while certs are in process of being issued"
|
|
|
|
rm /tmp/setup.sh
|