bero/test
1
0
Fork 0
Code Issues 52 Pull Requests 3 Actions Packages Projects Releases Wiki Activity

First round of powerdns and traefik install

Browse Source
This commit is contained in:
Derek Crudgington 2023-05-10 19:16:51 +00:00
parent 240741e7cf
commit af39face59
27 changed files with 644 additions and 130 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
bin/dumpcerts Executable file
View File

@ -0,0 +1,29 @@
#!/bin/bash
#
# Dump Traefik certs and install into containers that need them
if ! command -v traefik-certs-dumper &> /dev/null; then
failcheck "FAILED - traefik-certs-dumper tool not installed"
fi
traefik-certs-dumper file --version v2 --source /federated/apps/traefik/data/letsencrypt/acme.json --dest /federated/certs &> /dev/null
# Install into PostgreSQL container
cp /federated/apps/certs/certs/$DOMAIN.crt /federated/apps/postgresql/data/var/lib/postgresql/server.crt
cp /federated/apps/certs/private/$DOMAIN.key /federated/apps/postgresql/data/var/lib/postgresql/server.key
chown 999 /federated/apps/postgresql/data/var/lib/postgresql/server.crt /federated/apps/postgresql/data/var/lib/postgresql/server.key
chmod 600 /federated/apps/postgresql/data/var/lib/postgresql/server.crt /federated/apps/postgresql/data/var/lib/postgresql/server.key
# Install into LDAP container
cp /federated/apps/certs/certs/$DOMAIN.crt /federated/apps/certs/private/$DOMAIN.key /federated/apps/ldap/data/certs/
# Install into Mail container
cp /federated/apps/certs/certs/$DOMAIN.crt /federated/apps/certs/private/$DOMAIN.key /federated/apps/mail/data/root/certs/
# Install into Collabora container
cp /federated/apps/certs/certs/$DOMAIN.crt /federated/apps/certs/private/$DOMAIN.key /federated/apps/collabora/data/root/certs/
chown 104 /federated/apps/collabora/data/root/certs/*
# Install into Matrix container
cp /federated/apps/certs/certs/$DOMAIN.crt /federated/apps/certs/private/$DOMAIN.key /federated/apps/matrix/data/matrix/
chmod 644 /federated/apps/matrix/data/matrix/$DOMAIN.crt /federated/apps/matrix/data/matrix/$DOMAIN.key

24
bin/install-federated
View File

@ -1,4 +1,4 @@
#!/bin/bash
#!/bin/bash -x
#
# Federated installation script
@ -34,8 +34,13 @@ get_config() {
. /federated/lib/proxy.sh
. /federated/lib/wireguard.sh
. /federated/lib/baserow.sh
. /federated/lib/calcom.sh
. /federated/lib/gitea.sh
. /federated/lib/caddy.sh
. /federated/lib/pdns-mysql.sh
. /federated/lib/pdns.sh
. /federated/lib/pdnsadmin.sh
. /federated/lib/pdns-static.sh
COUNTRIES=("AF" "AL" "DZ" "AS" "AD" "AO" "AI" "AQ" "AG" "AR" "AM" "AW" "AU" "AT" "AZ" "BS" "BH" "BD" "BB" "BY" "BE" "BZ" "BJ" "BM" "BT" "BO" "BO" "BA" "BW" "BV" "BR" "IO" "BN" "BN" "BG" "BF" "BI" "KH" "CM" "CA" "CV" "KY" "CF" "TD" "CL" "CN" "CX" "CC" "CO" "KM" "CG" "CD" "CK" "CR" "CI" "CI" "HR" "CU" "CY" "CZ" "DK" "DJ" "DM" "DO" "EC" "EG" "SV" "GQ" "ER" "EE" "ET" "FK" "FO" "FJ" "FI" "FR" "GF" "PF" "TF" "GA" "GM" "GE" "DE" "GH" "GI" "GR" "GL" "GD" "GP" "GU" "GT" "GG" "GN" "GW" "GY" "HT" "HM" "VA" "HN" "HK" "HU" "IS" "IN" "ID" "IR" "IQ" "IE" "IM" "IL" "IT" "JM" "JP" "JE" "JO" "KZ" "KE" "KI" "KP" "KR" "KR" "KW" "KG" "LA" "LV" "LB" "LS" "LR" "LY" "LY" "LI" "LT" "LU" "MO" "MK" "MG" "MW" "MY" "MV" "ML" "MT" "MH" "MQ" "MR" "MU" "YT" "MX" "FM" "MD" "MC" "MN" "ME" "MS" "MA" "MZ" "MM" "MM" "NA" "NR" "NP" "NL" "AN" "NC" "NZ" "NI" "NE" "NG" "NU" "NF" "MP" "NO" "OM" "PK" "PW" "PS" "PA" "PG" "PY" "PE" "PH" "PN" "PL" "PT" "PR" "QA" "RE" "RO" "RU" "RU" "RW" "SH" "KN" "LC" "PM" "VC" "VC" "VC" "WS" "SM" "ST" "SA" "SN" "RS" "SC" "SL" "SG" "SK" "SI" "SB" "SO" "ZA" "GS" "SS" "ES" "LK" "SD" "SR" "SJ" "SZ" "SE" "CH" "SY" "TW" "TW" "TJ" "TZ" "TH" "TL" "TG" "TK" "TO" "TT" "TN" "TR" "TM" "TC" "TV" "UG" "UA" "AE" "GB" "US" "UM" "UY" "UZ" "VU" "VE" "VE" "VN" "VN" "VG" "VI" "WF" "EH" "YE" "ZM" "ZW")
@ -53,6 +58,19 @@ get_config() {
else
failcheck "/federated/bin/.env doesn't exist"
fi
# Setup DOMAIN variable for domain or subdomain
DOMAIN_ARRAY=(${DOMAIN//./ })
if [ "${#DOMAIN_ARRAY[@]}" -eq "2" ]; then
DOMAIN_FIRST=${DOMAIN_ARRAY[0]}
DOMAIN_LAST=${DOMAIN_ARRAY[1]}
elif [ "${#DOMAIN_ARRAY[@]}" -eq "3" ]; then
DOMAIN_FIRST=${DOMAIN_ARRAY[0]}
DOMAIN_MIDDLE=${DOMAIN_ARRAY[1]}
DOMAIN_LAST=${DOMAIN_ARRAY[2]}
else
failcheck "$DOMAIN is not a valid domain.com or sub.domain.com"
fi
}
while getopts d OPTION; do
@ -77,11 +95,13 @@ check_ports
config_network
# Configure and start each federated service
for i in dns postgresql ldap mail collabora proxy nextcloud matrix element listmonk vaultwarden panel wireguard jitsi baserow gitea caddy; do
#for i in pdnsmysql pdns pdnsadmin traefik postgresql ldap mail collabora nextcloud matrix element listmonk vaultwarden panel wireguard jitsi baserow gitea caddy; do
for i in "${SERVICES[@]}"; do
config_$i
start_$i
done
# Add cron jobs for backup, upgrade, dumpcerts
add_cron
# Print out federated environment details

17
bin/start
View File

@ -1,9 +1,11 @@
#!/bin/bash
#
# Federated Start Script
. /federated/lib/functions.sh
usage() {
echo "$0: all|dns|postgresql|ldap|mail|collabora|nextcloud|matrix|element|jitsi|listmonk|vaultwarden|panel|proxy|wireguard|connector|baserow|calcom|gitea|caddy"
printf -v SERVICES_JOINED '%s|' "${SERVICES[@]}"
echo "$0: ${SERVICES_JOINED%|}"
exit 2
}
startservice() {
@ -11,7 +13,7 @@ startservice() {
cd /federated/apps/$SERVICE && docker-compose -f docker-compose.yml -p $SERVICE up -d
}
startservice_all() {
for i in dns postgresql ldap mail collabora nextcloud matrix element jitsi listmonk vaultwarden panel proxy wireguard connector baserow calcom gitea caddy; do
for i in "${SERVICES[@]}"; do
echo "* Starting $i.."
cd /federated/apps/$i && docker-compose -f docker-compose.yml -p $i up -d
done
@ -20,8 +22,9 @@ startservice_all() {
[ $# != 1 ] && usage
SERVICE=$1
case "$SERVICE" in
all) startservice_all;;
dns|postgresql|ldap|mail|collabora|nextcloud|matrix|element|jitsi|listmonk|vaultwarden|panel|proxy|wireguard|connector|baserow|calcom|gitea|caddy) startservice;;
*) usage;;
esac
[ "$SERVICE" = "all" ] && startservice_all
if printf '%s\0' "${SERVICES[@]}" | grep -Fxqz -- "$SERVICE"; then
startservice
else
usage
fi

17
bin/stop
View File

@ -1,9 +1,11 @@
#!/bin/bash
#
# Federated Stop Script
. /federated/lib/functions.sh
usage() {
echo "$0: all|dns|postgresql|ldap|mail|collabora|nextcloud|matrix|element|jitsi|listmonk|vaultwarden|panel|proxy|wireguard|connector|baserow|calcom|gitea|caddy"
printf -v SERVICES_JOINED '%s|' "${SERVICES[@]}"
echo "$0: ${SERVICES_JOINED%|}"
exit 2
}
stopservice() {
@ -11,7 +13,7 @@ stopservice() {
cd /federated/apps/$SERVICE && docker-compose -f docker-compose.yml -p $SERVICE down
}
stopservice_all() {
for i in dns postgresql ldap mail collabora nextcloud matrix element jitsi listmonk vaultwarden panel proxy wireguard connector baserow calcom gitea caddy; do
for i in "${SERVICES[@]}"; do
echo "* Stopping $i.."
cd /federated/apps/$i && docker-compose -f docker-compose.yml -p $i down
done
@ -20,8 +22,9 @@ stopservice_all() {
[ $# != 1 ] && usage
SERVICE=$1
case "$SERVICE" in
all) stopservice_all;;
dns|postgresql|ldap|mail|collabora|nextcloud|matrix|element|jitsi|listmonk|vaultwarden|panel|proxy|wireguard|connector|baserow|calcom|gitea|caddy) stopservice;;
*) usage;;
esac
[ "$SERVICE" = "all" ] && stopservice_all
if printf '%s\0' "${SERVICES[@]}" | grep -Fxqz -- "$SERVICE"; then
stopservice
else
usage
fi

8
lib/baserow.sh
View File

@ -34,6 +34,11 @@ services:
- ./.env
volumes:
- ./data/baserow/data:/baserow/data
labels:
- "traefik.enable=true"
- "traefik.http.routers.baserow.rule=Host(\`baserow.$DOMAIN\`)"
- "traefik.http.routers.baserow.entrypoints=websecure"
- "traefik.http.routers.baserow.tls.certresolver=letsencrypt"
networks:
federated:
@ -59,9 +64,6 @@ EMAIL_SMTP_PORT=587
EMAIL_SMTP_USER=admin
EMAIL_SMTP_PASSWORD=$ADMINPASS
EMAIL_SMTP_USE_TLS=True
VIRTUAL_PROTO=http
VIRTUAL_PORT=80
VIRTUAL_HOST=baserow.$DOMAIN
EOF
chmod 600 /federated/apps/baserow/.env

12
lib/caddy.sh
View File

@ -40,6 +40,11 @@ services:
- ./data/srv:/srv
- ./data/etc/caddy/Caddyfile:/etc/caddy/Caddyfile
- ./data/data:/data
labels:
- "traefik.enable=true"
- "traefik.http.routers.pdnsadmin.rule=Host(\`www.$DOMAIN\`,\`blog.$DOMAIN\`,\`documentation.$DOMAIN\`)"
- "traefik.http.routers.pdnsadmin.entrypoints=websecure"
- "traefik.http.routers.pdnsadmin.tls.certresolver=letsencrypt"
networks:
federated:
@ -48,9 +53,6 @@ EOF
cat > /federated/apps/caddy/.env <<EOF
IMAGE_VERSION="latest"
VIRTUAL_PROTO=http
VIRTUAL_PORT=80
VIRTUAL_HOST=www.$DOMAIN,blog.$DOMAIN,documentation.$DOMAIN,$DOMAIN
EOF
chmod 600 /federated/apps/caddy/.env
@ -70,10 +72,6 @@ www.$DOMAIN:80 {
}
}
}
$DOMAIN:80 {
root * /srv/www.$DOMAIN/public
file_server
}
blog.$DOMAIN:80 {
root * /srv/blog.$DOMAIN/public
file_server

15
lib/collabora.sh
View File

@ -11,7 +11,7 @@ config_collabora() {
if [ ! -d "/federated/apps/collabora" ]; then
mkdir -p /federated/apps/collabora/data/root/certs &> /dev/null
cp -rf /federated/apps/dns/data/etc/letsencrypt/archive/$DOMAIN/*.pem /federated/apps/collabora/data/root/certs/
cp /federated/apps/certs/certs/$DOMAIN.crt /federated/apps/certs/private/$DOMAIN.key /federated/apps/collabora/data/root/certs/
chown 104 /federated/apps/collabora/data/root/certs/*
fi
@ -38,13 +38,17 @@ services:
- "9980:9980"
volumes:
- ./data/root:/root
- ./data/root/certs/fullchain1.pem:/etc/coolwsd/cert.pem
- ./data/root/certs/privkey1.pem:/etc/coolwsd/key.pem
- ./data/root/certs/chain1.pem:/etc/coolwsd/ca-chain.cert.pem
- ./data/root/certs/$DOMAIN.crt:/etc/coolwsd/cert.pem
- ./data/root/certs/$DOMAIN.key:/etc/coolwsd/key.pem
env_file:
- ./.env
cap_add:
- MKNOD
labels:
- "traefik.enable=true"
- "traefik.http.routers.pdnsadmin.rule=Host(\`collabora.$DOMAIN\`)"
- "traefik.http.routers.pdnsadmin.entrypoints=websecure"
- "traefik.http.routers.pdnsadmin.tls.certresolver=letsencrypt"
networks:
federated:
@ -53,9 +57,6 @@ EOF
cat > /federated/apps/collabora/.env <<EOF
IMAGE_VERSION="22.05.13.1.1"
VIRTUAL_PROTO=https
VIRTUAL_PORT=9980
VIRTUAL_HOST=collabora.$DOMAIN
domain=nextcloud.$DOMAIN
server_name=collabora.$DOMAIN
EOF

22
lib/dns.sh
View File

@ -70,7 +70,7 @@ if [ ! -e /etc/bind/.firstdone ]; then
CNAME_RECORD=`certbot certonly --manual --manual-auth-hook /root/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d \*.$DOMAIN -d $DOMAIN --agree-tos --email hostmaster@$DOMAIN -n 2>1 | grep acme-dns | awk '{ print $3 }'`
echo "Got CNAME record: $CNAME_RECORD"
echo "$CNAME_RECORD" > /etc/bind/.cnamerecord
echo -e "_acme-challenge\tIN\tCNAME\t$CNAME_RECORD" >> /etc/bind/zones/$DOMAIN
echo -e "_acme-challenge.customer2\tIN\tCNAME\t$CNAME_RECORD" >> /etc/bind/zones/$DOMAIN
# Reload Bind configuration without restarting the container or process
named -f -g &
@ -91,6 +91,7 @@ if [ ! -e /etc/bind/.firstdone ]; then
touch /etc/bind/.firstdone
echo "[federated]: FAILED generating certificates for $DOMAIN"
echo "[federated]: Check that you have DNS setup properly"
wait -n
exit 2;
fi
@ -116,6 +117,7 @@ elif [ -e /etc/bind/.firstdone ] && [ -e /etc/bind/.failedcert ]; then
touch /etc/bind/.failedcert
echo "[federated]: FAILED generating certificates for $DOMAIN"
echo "[federated]: Check that you have DNS setup properly"
wait -n
exit 2;
fi
wait -n
@ -177,24 +179,6 @@ ns1 IN A $EXTERNALIP
ns2 IN A $EXTERNALIP
mail IN A $EXTERNALIP
www IN A $EXTERNALIP
computer IN A $EXTERNALIP
panel IN A $EXTERNALIP
nextcloud IN A $EXTERNALIP
collabora IN A $EXTERNALIP
jitsi IN A $EXTERNALIP
matrix IN A $EXTERNALIP
element IN A $EXTERNALIP
listmonk IN A $EXTERNALIP
vaultwarden IN A $EXTERNALIP
vpn IN A $EXTERNALIP
connector IN A $EXTERNALIP
baserow IN A $EXTERNALIP
gitea IN A $EXTERNALIP
blog IN A $EXTERNALIP
documentation IN A $EXTERNALIP
* IN A $EXTERNALIP
$DOMAIN. IN A $EXTERNALIP
$DOMAIN. IN CNAME www.$DOMAIN
EOF
cat > /federated/apps/dns/data/etc/bind/zones/$DOMAIN.rev <<EOF

8
lib/element.sh
View File

@ -34,6 +34,11 @@ services:
- ./data/element/element-config.json:/app/config.json
env_file:
- ./.env
labels:
- "traefik.enable=true"
- "traefik.http.routers.pdnsadmin.rule=Host(\`element.$DOMAIN\`)"
- "traefik.http.routers.pdnsadmin.entrypoints=websecure"
- "traefik.http.routers.pdnsadmin.tls.certresolver=letsencrypt"
networks:
federated:
@ -42,9 +47,6 @@ EOF
cat > /federated/apps/element/.env <<EOF
IMAGE_VERSION="v1.11.19"
VIRTUAL_PROTO=http
VIRTUAL_PORT=80
VIRTUAL_HOST=element.$DOMAIN
EOF
chmod 600 /federated/apps/element/.env

22
lib/functions.sh
View File

@ -1,7 +1,7 @@
# Federated Computer functions
# Define all services
SERVICES=("dns" "postgresql" "ldap" "mail" "collabora" "proxy" "nextcloud" "matrix" "element" "listmonk" "vaultwarden" "panel" "wireguard" "jitsi" "baserow" "gitea" "caddy")
SERVICES=("pdnsmysql" "pdns" "pdnsadmin" "traefik" "postgresql" "ldap" "mail" "collabora" "nextcloud" "matrix" "element" "listmonk" "vaultwarden" "panel" "wireguard" "jitsi" "baserow" "gitea" "caddy")
fail() {
echo -ne "FAILED\n\n$1\n\n"
@ -31,8 +31,9 @@ spin() {
done
}
add_cron() {
(crontab -l 2>/dev/null; echo "30 23 * * * /federated/bin/backuptool -b all >> /federated/logs/backup.log 2>&1") | sort -u | crontab -
(crontab -l 2>/dev/null; echo "0 2 * * * /federated/bin/upgrade >> /federated/logs/upgrade.log 2>&1") | sort -u | crontab -
(crontab -l 2>/dev/null; echo "30 23 * * * date >> /federated/logs/backup.log && /federated/bin/backuptool -b all >> /federated/logs/backup.log 2>&1") | sort -u | crontab -
(crontab -l 2>/dev/null; echo "0 2 * * * date >> /federated/logs/upgrade.log && /federated/bin/upgrade >> /federated/logs/upgrade.log 2>&1") | sort -u | crontab -
(crontab -l 2>/dev/null; echo "0 3 * * * date >> /federated/logs/dumpcerts.log && /federated/bin/dumpcerts >> /federated/logs/dumpcerts.log 2>&1") | sort -u | crontab -
}
install_federated() {
[ -d "/federated" ] && fail "Directory /federated already exists. Already installed?"
@ -199,6 +200,10 @@ Baserow: Easy Database. Replacement for Airtable. Build amazing, easy
to create on-line databases to be used by your team.
https://baserow.$DOMAIN
Cal.com: Easy scheduling. Create easy links so that others can easily
schedule time on your calendar without the annoying back-and-forth.
https://calcom.$DOMAIN
All documentation for users can be found at
https://documentation.federated.computer/users.
EOF
@ -239,8 +244,12 @@ check_docker() {
[ $? -ne 0 ] && failcheck "Couldn't run sudo apt install docker packages"
# Install extra packages
sudo apt-get install duplicity python3-b2sdk uuid -y &> /dev/null
sudo apt-get install duplicity python3-b2sdk uuid apache2-utils -y &> /dev/null
[ $? -ne 0 ] && failcheck "Couldn't run sudo apt install extra packages"
# Install Traefik certs dumper
curl -sfL https://raw.githubusercontent.com/ldez/traefik-certs-dumper/master/godownloader.sh | bash -s -- -b $(go env GOPATH 2>/dev/null)/bin v2.8.1 &> /dev/null
[ $? -ne 0 ] && failcheck "Couldn't install traefik certs dumper"
fi
kill -9 $SPINPID &> /dev/null
echo -ne "done."
@ -289,8 +298,9 @@ check_ports() {
[ $? -ne 0 ] && failcheck "Failed running systemctl stop systemd-resolved"
# Put nameserver entries so will exist on reboot
echo "nameserver 8.8.8.8" > /etc/resolvconf/resolv.conf.d/tail
echo "nameserver 8.8.8.8" > /run/resolvconf/resolv.conf
rm /etc/resolv.conf
echo "nameserver 1.1.1.1" >> /etc/resolv/resolv.conf
echo "nameserver 1.0.0.1" >> /etc/resolv/resolv.conf
kill -9 $SPINPID &> /dev/null
echo -ne "done."

20
lib/gitea.sh
View File

@ -11,9 +11,6 @@ config_gitea() {
if [ ! -d "/federated/apps/gitea" ]; then
mkdir -p /federated/apps/gitea/data/data
mkdir -p /federated/apps/gitea/data/data/git/.ssh
touch /federated/apps/gitea/data/data/git/.ssh/authorized_keys
chmod 600 /federated/apps/gitea/data/data/git/.ssh/authorized_keys
fi
DOMAIN_ARRAY=(${DOMAIN//./ })
@ -38,27 +35,26 @@ services:
- "blog.$DOMAIN:$EXTERNALIP"
- "documentation.$DOMAIN:$EXTERNALIP"
ports:
- "2222:22"
- 22:22
env_file:
- ./.env
volumes:
- ./data/data:/data
- ./data/data/git/.ssh:/data/git/.ssh
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
labels:
- "traefik.enable=true"
- "traefik.http.routers.pdnsadmin.rule=Host(\`gitea.$DOMAIN\`)"
- "traefik.http.routers.pdnsadmin.entrypoints=websecure"
- "traefik.http.routers.pdnsadmin.tls.certresolver=letsencrypt"
networks:
federated:
external: true
EOF
#GITEA_SECRET="RbzalooGM4BbQug6wvRaklR7NeN0GRSA"
cat > /federated/apps/gitea/.env <<EOF
IMAGE_VERSION="1.19.0"
VIRTUAL_PROTO=http
VIRTUAL_PORT=3000
VIRTUAL_HOST=gitea.$DOMAIN
USER_UID=1000
USER_GID=1000
GITEA__database__DB_TYPE=postgres
@ -68,10 +64,6 @@ GITEA__database__USER=gitea
GITEA__database__PASSWD=$GITEA_SECRET
GITEA__security__INSTALL_LOCK=true
GITEA__server__ROOT_URL=https://gitea.$DOMAIN
GITEA__server__DOMAIN=$DOMAIN
GITEA__server__SSH_DOMAIN=$DOMAIN
GITEA__server__SSH_PORT=2222
GITEA__server__SSH_LISTEN_PORT=2222
EOF
chmod 600 /federated/apps/gitea/.env

9
lib/jitsi.sh
View File

@ -43,10 +43,12 @@ services:
- \${CONFIG}/web/crontabs:/var/spool/cron/crontabs:Z
- \${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts:Z
- ./data/config/keys:/config/keys:Z
labels:
- "traefik.enable=true"
- "traefik.http.routers.pdnsadmin.rule=Host(\`jitsi.$DOMAIN\`)"
- "traefik.http.routers.pdnsadmin.entrypoints=websecure"
- "traefik.http.routers.pdnsadmin.tls.certresolver=letsencrypt"
environment:
- VIRTUAL_PROTO=http
- VIRTUAL_PORT=80
- VIRTUAL_HOST=jitsi.$DOMAIN
- AMPLITUDE_ID
- ANALYTICS_SCRIPT_URLS
- ANALYTICS_WHITELISTED_EVENTS
@ -279,7 +281,6 @@ services:
ipv4_address: 172.99.0.24
aliases:
- xmpp.meet.jitsi
- xmpp.northendnetwork.com
# Focus component
jicofo:

2
lib/latest-versions
View File

@ -6,7 +6,7 @@ calcom=1.0
postgresql=14
proxy=1.1
nextcloud=25.0.3
listmonk=v2.4.0
listmonk=v2.3.0
panel=v1.10
vaultwarden=1.27.0
matrix=v1.75.0

8
lib/ldap.sh
View File

@ -15,7 +15,7 @@ config_ldap() {
mkdir -p /federated/apps/ldap/data/etc/ldap/slap.d &> /dev/null
mkdir -p /federated/apps/ldap/data/certs &> /dev/null
mkdir -p /federated/apps/ldap/data/root &> /dev/null
cp -rf /federated/apps/dns/data/etc/letsencrypt/archive/$DOMAIN/*.pem /federated/apps/ldap/data/certs/
cp /federated/apps/certs/certs/$DOMAIN.crt /federated/apps/certs/private/$DOMAIN.key /federated/apps/ldap/data/certs/
fi
DOMAIN_ARRAY=(${DOMAIN//./ })
@ -63,9 +63,9 @@ LDAP_ADMIN_PASSWORD_FILE=/run/secrets/federated_ldap_password
LDAP_RFC2307BIS_SCHEMA=true
LDAP_REMOVE_CONFIG_AFTER_SETUP=true
LDAP_TLS=true
LDAP_TLS_CRT_FILENAME=fullchain1.pem
LDAP_TLS_KEY_FILENAME=privkey1.pem
LDAP_TLS_CA_CRT_FILENAME=chain1.pem
LDAP_TLS_CRT_FILENAME=$DOMAIN.crt
LDAP_TLS_KEY_FILENAME=$DOMAIN.key
#LDAP_TLS_CA_CRT_FILENAME=chain1.pem
LDAP_TLS_VERIFY_CLIENT=try
EOF
chmod 600 /federated/apps/ldap/.env

8
lib/listmonk.sh
View File

@ -36,6 +36,11 @@ services:
volumes:
- ./data/listmonk/config.toml:/listmonk/config.toml
- ./data/listmonk/static:/listmonk/static
labels:
- "traefik.enable=true"
- "traefik.http.routers.listmonk.rule=Host(\`listmonk.$DOMAIN\`)"
- "traefik.http.routers.listmonk.entrypoints=websecure"
- "traefik.http.routers.listmonk.tls.certresolver=letsencrypt"
networks:
federated:
@ -44,9 +49,6 @@ EOF
cat > /federated/apps/listmonk/.env <<EOF
IMAGE_VERSION="v2.3.0"
VIRTUAL_PROTO=http
VIRTUAL_PORT=9000
VIRTUAL_HOST=listmonk.$DOMAIN
TZ=Etc/UTC
EOF

11
lib/mail.sh
View File

@ -15,7 +15,7 @@ config_mail() {
mkdir -p /federated/apps/mail/data/var/mail-state &> /dev/null
mkdir -p /federated/apps/mail/data/var/log/mail &> /dev/null
mkdir -p /federated/apps/mail/data/tmp/docker-mailserver &> /dev/null
cp -rf /federated/apps/dns/data/etc/letsencrypt/archive/$DOMAIN/*.pem /federated/apps/mail/data/root/certs/
cp /federated/apps/certs/certs/$DOMAIN.crt /federated/apps/certs/private/$DOMAIN.key /federated/apps/mail/data/root/certs/
fi
DOMAIN_ARRAY=(${DOMAIN//./ })
@ -72,8 +72,8 @@ DMS_DEBUG=0
LOG_LEVEL=debug
ENABLE_LDAP=1
SSL_TYPE=manual
SSL_CERT_PATH=/root/certs/fullchain1.pem
SSL_KEY_PATH=/root/certs/privkey1.pem
SSL_CERT_PATH=/root/certs/$DOMAIN.crt
SSL_KEY_PATH=/root/certs/$DOMAIN.key
LDAP_START_TLS=yes
DOVECOT_TLS=yes
SASLAUTHD_LDAP_START_TLS=yes
@ -103,8 +103,7 @@ EOF
chmod 600 /federated/apps/mail/.env
cat > /federated/apps/mail/data/tmp/docker-mailserver/postfix-main.cf <<'EOF'
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_sender_login_mismatch, reject_unknown_reverse_client_hostname, reject_unknown_client_hostname
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, check_policy_service inet:127.0.0.1:10023, reject_rhsbl_helo dbl.spamhaus.org, reject_rhsbl_reverse_client dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org, reject_rbl_client zen.spamhaus.org
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_sender_login_mismatch
smtpd_sender_login_maps = ldap:/etc/postfix/ldap-aliases.cf
EOF
@ -124,7 +123,7 @@ start_mail() {
[ $? -ne 0 ] && fail "Couldn't insert DKIM record into /federated/apps/dns container"
# Insert the DMARC DNS TXT entry into /federated/apps/dns container
echo "_dmarc.$DOMAIN. IN TXT \"v=DMARC1; p=quarantine; rua=mailto:admin@$DOMAIN; ruf=mailto:admin@$DOMAIN; sp=none; ri=86400\"" >> /federated/apps/dns/data/etc/bind/zones/$DOMAIN
echo "_dmarc.$DOMAIN. IN TXT \"v=DMARC1; p=none; rua=mailto:admin@$DOMAIN; ruf=mailto:admin@$DOMAIN; sp=none; ri=86400\"" >> /federated/apps/dns/data/etc/bind/zones/$DOMAIN
[ $? -ne 0 ] && fail "Couldn't insert DMARC record into /federated/apps/dns container"
# Reload DNS configuration in /federated/apps/dns container

16
lib/matrix.sh
View File

@ -11,8 +11,8 @@ config_matrix() {
if [ ! -d "/federated/apps/matrix" ]; then
mkdir -p /federated/apps/matrix/data/matrix &> /dev/null
cp -rf /federated/apps/dns/data/etc/letsencrypt/archive/$DOMAIN/*.pem /federated/apps/matrix/data/matrix
chmod 644 /federated/apps/matrix/data/matrix/*.pem
cp /federated/apps/certs/certs/$DOMAIN.crt /federated/apps/certs/private/$DOMAIN.key /federated/apps/matrix/data/matrix/
chmod 644 /federated/apps/matrix/data/matrix/$DOMAIN.crt /federated/apps/matrix/data/matrix/$DOMAIN.key
fi
DOMAIN_ARRAY=(${DOMAIN//./ })
@ -36,6 +36,11 @@ services:
- ./data/matrix:/data
env_file:
- ./.env
labels:
- "traefik.enable=true"
- "traefik.http.routers.listmonk.rule=Host(\`matrix.$DOMAIN\`)"
- "traefik.http.routers.listmonk.entrypoints=websecure"
- "traefik.http.routers.listmonk.tls.certresolver=letsencrypt"
networks:
federated:
@ -44,9 +49,6 @@ EOF
cat > /federated/apps/matrix/.env <<EOF
IMAGE_VERSION="v1.75.0"
VIRTUAL_PROTO=http
VIRTUAL_PORT=8008
VIRTUAL_HOST=matrix.$DOMAIN
EOF
chmod 600 /federated/apps/matrix/.env
@ -87,8 +89,8 @@ modules:
bind_password: $LDAP_SECRET
tls_options:
validate: true
local_certificate_file: /data/fullchain1.pem
local_private_key_file: /data/privkey1.pem
local_certificate_file: /data/$DOMAIN.crt
local_private_key_file: /data/$DOMAIN.key
EOF
kill -9 $SPINPID &> /dev/null

8
lib/nextcloud.sh
View File

@ -50,6 +50,11 @@ services:
secrets:
- federated_psql_password
- federated_nextcloud_password
labels:
- "traefik.enable=true"
- "traefik.http.routers.listmonk.rule=Host(\`nextcloud.$DOMAIN\`)"
- "traefik.http.routers.listmonk.entrypoints=websecure"
- "traefik.http.routers.listmonk.tls.certresolver=letsencrypt"
secrets:
federated_psql_password:
@ -68,9 +73,6 @@ chmod 600 /federated/apps/nextcloud/.postgresql.secret /federated/apps/nextcloud
cat > /federated/apps/nextcloud/.env <<EOF
IMAGE_VERSION="25.0.3"
NEXTCLOUD_UPDATE=1
VIRTUAL_PROTO=http
VIRTUAL_PORT=80
VIRTUAL_HOST=nextcloud.$DOMAIN
PHP_MEMORY_LIMIT=2048M
PHP_UPLOAD_LIMIT=2048M
NEXTCLOUD_ADMIN_USER=nextcloud

10
lib/panel.sh
View File

@ -32,6 +32,11 @@ services:
ipv4_address: 172.99.0.21
env_file:
- ./.env
labels:
- "traefik.enable=true"
- "traefik.http.routers.listmonk.rule=Host(\`panel.$DOMAIN\`)"
- "traefik.http.routers.listmonk.entrypoints=websecure"
- "traefik.http.routers.listmonk.tls.certresolver=letsencrypt"
networks:
federated:
@ -40,9 +45,6 @@ EOF
cat > /federated/apps/panel/.env <<EOF
IMAGE_VERSION="v1.10"
VIRTUAL_PROTO=http
VIRTUAL_PORT=80
VIRTUAL_HOST=panel.$DOMAIN
SERVER_HOSTNAME=panel.$DOMAIN
LDAP_URI=ldap://ldap.$DOMAIN
LDAP_BASE_DN=dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST
@ -59,7 +61,7 @@ SMTP_HOSTNAME=mail.$DOMAIN
SMTP_USERNAME=admin
SMTP_PASSWORD=$ADMINPASS
EMAIL_FROM_ADDRESS=admin@$DOMAIN
SMTP_USE_TLS=true
#SMTP_USE_TLS=true
NO_HTTPS=true
EOF
chmod 600 /federated/apps/panel/.env

107
lib/pdns.sh Normal file
View File

@ -0,0 +1,107 @@
#!/bin/bash
#
# PowerDNS DNS Service
PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
config_pdns() {
echo -ne "\n* Configuring /federated/apps/pdns container.."
spin &
SPINPID=$!
if [ ! -d "/federated/apps/pdns" ]; then
mkdir -p /federated/apps/pdns/data/root
fi
cat > /federated/apps/pdns/docker-compose.yml <<EOF
version: '3.7'
services:
pdns:
image: pschiffe/pdns-mysql:\${IMAGE_VERSION}
container_name: pdns
hostname: pdns.$DOMAIN
domainname: $DOMAIN
restart: always
networks:
federated:
ipv4_address: 172.99.0.9
ports:
- "53:53"
- "53:53/udp"
env_file:
- ./.env
volumes:
- ./data/root:/root
networks:
federated:
external: true
EOF
MYSQL_PASSWORD=`grep MYSQL_PASSWORD /federated/apps/pdnsmysql/.env | awk -F= '{ print $2 }'`
PDNS_APIKEY=$(create_password);
PDNS_WEBSERVER_PASSWORD=$(create_password);
cat > /federated/apps/pdns/.env <<EOF
IMAGE_VERSION="4.7"
PDNS_gmysql_host=pdnsmysql.$DOMAIN
PDNS_gmysql_port=3306
PDNS_gmysql_user=pdns
PDNS_gmysql_dbname=pdns
PDNS_gmysql_password=$MYSQL_PASSWORD
PDNS_master=yes
PDNS_api=yes
PDNS_api_key=$PDNS_APIKEY
PDNSCONF_API_KEY=$PDNS_APIKEY
PDNS_webserver=yes
PDNS_webserver-allow-from=127.0.0.1,10.0.0.0/8,172.0.0.0/8,192.0.0.0/24,172.99.0.0/16
PDNS_webserver_address=0.0.0.0
PDNS_webserver_password=$PDNS_WEBSERVER_PASSWORD
PDNS_version_string=anonymous
PDNS_default_ttl=1500
PDNS_allow_notify_from=0.0.0.0
PDNS_allow_axfr_ips=127.0.0.1
PDNS_default_soa_content=ns1.@ hostmaster.@ 0 10800 3600 604800 3600
PDNS_allow_dnsupdate_from=127.0.0.0/8,::1,172.99.0.0/16
PDNS_dnsupdate=yes
EOF
chmod 600 /federated/apps/pdns/.env
cat > /federated/apps/pdns/data/root/createrecords.sh <<EOF
#!/bin/bash
# Create the default domain DNS zone
curl -X POST --data '{"name":"$DOMAIN.", "kind": "Master", "masters": []}' -v -H 'X-API-Key: $PDNS_APIKEY' http://127.0.0.1:8081/api/v1/servers/localhost/zones
# Create the MX and SPF TXT record for domain
curl -X PATCH --data '{"rrsets": [ {"name": "$DOMAIN.", "type": "MX", "ttl": 86400, "changetype": "REPLACE", "records": [ {"content": "10 mail.$DOMAIN.", "disabled": false } ] } ] }' -H 'X-API-Key: $PDNS_APIKEY' http://127.0.0.1:8081/api/v1/servers/localhost/zones/$DOMAIN.
curl -X PATCH --data '{"rrsets": [ {"name": "$DOMAIN.", "type": "TXT", "ttl": 86400, "changetype": "REPLACE", "records": [ {"content": "\"v=spf1 mx a:$DOMAIN ~all\"", "disabled": false } ] } ] }' -H 'X-API-Key: $PDNS_APIKEY' http://127.0.0.1:8081/api/v1/servers/localhost/zones/$DOMAIN.
# Create the A records for domain
for i in ns1 ns2 mail www computer panel nextcloud collabora jitsi matrix element listmonk vaultwarden vpn baserow gitea blog documentation; do
curl -X PATCH --data "{\"rrsets\": [ {\"name\": \"\$i.$DOMAIN.\", \"type\": \"A\", \"ttl\": 86400, \"changetype\": \"REPLACE\", \"records\": [ {\"content\": \"$EXTERNALIP\", \"disabled\": false } ] } ] }" -H 'X-API-Key: $PDNS_APIKEY' http://127.0.0.1:8081/api/v1/servers/localhost/zones/$DOMAIN.
done
# Create catchall A record for domain
#curl -X PATCH --data '{"rrsets": [ {"name": "*.$DOMAIN.", "type": "A", "ttl": 86400, "changetype": "REPLACE", "records": [ {"content": "$EXTERNALIP", "disabled": false } ] } ] }' -H 'X-API-Key: $PDNS_APIKEY' http://127.0.0.1:8081/api/v1/servers/localhost/zones/$DOMAIN.
# Create CNAME record for domain to www
curl -X PATCH --data '{"rrsets": [ {"name": "*.$DOMAIN.", "type": "CNAME", "ttl": 86400, "changetype": "REPLACE", "records": [ {"content": "www.$DOMAIN.", "disabled": false } ] } ] }' -H 'X-API-Key: $PDNS_APIKEY' http://127.0.0.1:8081/api/v1/servers/localhost/zones/$DOMAIN.
EOF
chmod +x /federated/apps/pdns/data/root/createrecords.sh
kill -9 $SPINPID &> /dev/null
echo -ne "done."
}
start_pdns() {
# Start service with command to make sure it's up before proceeding
start_service "pdns" "nc -z 172.99.0.9 8081 &> /dev/null"
# Run createrecords.sh inside baserow container
docker exec -it pdns /root/createrecords.sh
[ $? -ne 0 ] && fail "Couldn't run createrecords.sh in /federated/apps/pdns container"
kill -9 $SPINPID &> /dev/null
echo -ne "done."
}

104
lib/pdnsadmin.sh Normal file
View File

@ -0,0 +1,104 @@
#!/bin/bash
#
# PowerDNS Admin Service
PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
config_pdnsadmin() {
echo -ne "\n* Configuring /federated/apps/pdnsadmin container.."
spin &
SPINPID=$!
if [ ! -d "/federated/apps/pdnsadmin" ]; then
mkdir -p /federated/apps/pdnsadmin/data/etc
fi
cat > /federated/apps/pdnsadmin/docker-compose.yml <<EOF
version: '3.7'
services:
pdnsadmin:
image: pschiffe/pdnsadmin-uwsgi\${IMAGE_VERSION}
container_name: pdnsadmin
hostname: pdnsadmin.$DOMAIN
domainname: $DOMAIN
restart: always
networks:
federated:
ipv4_address: 172.99.0.10
env_file:
- ./.env
volumes:
- ./data/etc/uwsgi.ini:/etc/uwsgi.ini
labels:
- "traefik.enable=true"
- "traefik.http.routers.listmonk.rule=Host(\`pdnsadmin.$DOMAIN\`)"
- "traefik.http.routers.listmonk.entrypoints=websecure"
- "traefik.http.routers.listmonk.tls.certresolver=letsencrypt"
networks:
federated:
external: true
EOF
MYSQL_PASSWORD=`grep MYSQL_PASSWORD /federated/apps/pdns-mysql/.env | awk -F= '{ print $2 }'`
PDNS_APIKEY=`grep PDNS_api_key /federated/apps/pdns/.env | awk -F= '{ print $2 }'`
PDNS_ADMIN_WEBSERVER_PASSWORD_SALT=`htpasswd -bnBC 10 "" $ADMINPASS | tr -d ':\n' | sed 's/$2y/$2b/'`
PDNS_MYSQL_COMMAND="insert into user (id, username, password, firstname, lastname, email, otp_secret, role_id, confirmed) values (\"1\", \"admin\", \"$PDNS_ADMIN_WEBSERVER_PASSWORD_SALT\", \"Admin\", \"Federated\", \"admin@$DOMAIN\", \"\", \"1\", \"0\");"
cat > /federated/apps/pdnsadmin/.env <<EOF
IMAGE_VERSION="@sha256:d4bcc2cd76bd1711c1501555a8db3b932ad58425a4ecc362aac13e97b082d5c2"
PDNS_ADMIN_SQLA_DB_HOST="'mysql'"
PDNS_ADMIN_SQLA_DB_PORT="'3306'"
PDNS_ADMIN_SQLA_DB_USER="'pdns'"
PDNS_ADMIN_SQLA_DB_PASSWORD="'$MYSQL_PASSWORD'"
PDNS_ADMIN_SQLA_DB_NAME="'pdns'"
PDNS_API_URL="http://pdns.$DOMAIN:8081/"
PDNS_API_KEY="$PDNS_APIKEY"
PDNS_VERSION="4.7.0"
EOF
chmod 600 /federated/apps/pdnsadmin/.env
cat > /federated/apps/pdnsadmin/data/etc/uwsgi.ini <<'EOF'
[uwsgi]
strict = true
master = true
die-on-term = true
need-app = true
plugins = python3
uid = uwsgi
gid = uwsgi
chdir = /opt/powerdns-admin
pythonpath = /opt/powerdns-admin
mount = /=run.py
manage-script-name = true
callable = app
vacuum = true
harakiri = 20
buffer-size = 32768
post-buffering = 8192
protocol = http
http-socket = 0.0.0.0:9494
pidfile = /run/uwsgi/%n.pid
enable-threads = true
EOF
kill -9 $SPINPID &> /dev/null
echo -ne "done."
}
start_pdnsadmin() {
# Start service with command to make sure it's up before proceeding
start_service "pdnsadmin" "nc -z 172.99.0.10 9494 &> /dev/null"
# Run MySQL command to create admin user for pdns admin interface
docker exec -it pdns-mysql bash -c "mysql -updns -p$MYSQL_PASSWORD pdns -e '$PDNS_MYSQL_COMMAND;'"
kill -9 $SPINPID &> /dev/null
echo -ne "done."
}

60
lib/pdnsmysql.sh Normal file
View File

@ -0,0 +1,60 @@
#!/bin/bash
#
# PowerDNS MySQL Service
PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
config_pdnsmysql() {
echo -ne "\n* Configuring /federated/apps/pdnsmysql container.."
spin &
SPINPID=$!
if [ ! -d "/federated/apps/pdnsmysql" ]; then
mkdir -p /federated/apps/pdnsmysql/data/var/lib/mysql
fi
cat > /federated/apps/pdnsmysql/docker-compose.yml <<EOF
version: '3.7'
services:
mysql:
image: mariadb:\${IMAGE_VERSION}
container_name: pdnsmysql
hostname: pdnsmysql.$DOMAIN
domainname: $DOMAIN
restart: always
networks:
federated:
ipv4_address: 172.99.0.8
env_file:
- ./.env
volumes:
- ./data/var/lib/mysql:/var/lib/mysql
networks:
federated:
external: true
EOF
MYSQL_ROOTPASSWORD=$(create_password);
MYSQL_PASSWORD=$(create_password);
cat > /federated/apps/pdnsmysql/.env <<EOF
IMAGE_VERSION="10.7.8"
MYSQL_ROOT_PASSWORD=$MYSQL_ROOTPASSWORD
MYSQL_PASSWORD=$MYSQL_PASSWORD
MYSQL_DATABASE=pdns
MYSQL_USER=pdns
EOF
chmod 600 /federated/apps/pdnsmysql/.env
kill -9 $SPINPID &> /dev/null
echo -ne "done."
}
start_pdnsmysql() {
# Start service with command to make sure it's up before proceeding
start_service "pdnsmysql" "nc -z 172.99.0.8 3306 &> /dev/null"
kill -9 $SPINPID &> /dev/null
echo -ne "done."
}

64
lib/pdnsstatic.sh Normal file
View File

@ -0,0 +1,64 @@
#!/bin/bash
#
# PowerDNS Nginx Service
PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
config_pdnsstatic() {
echo -ne "\n* Configuring /federated/apps/pdns-static container.."
spin &
SPINPID=$!
DOMAIN_ARRAY=(${DOMAIN//./ })
DOMAIN_FIRST=${DOMAIN_ARRAY[0]}
DOMAIN_MIDDLE=${DOMAIN_ARRAY[1]}
DOMAIN_LAST=${DOMAIN_ARRAY[2]}
if [ ! -d "/federated/apps/pdns-static" ]; then
mkdir -p /federated/apps/pdns-static
fi
# DOMAIN_ARRAY=(${DOMAIN//./ })
# DOMAIN_FIRST=${DOMAIN_ARRAY[0]}
# DOMAIN_LAST=${DOMAIN_ARRAY[1]}
cat > /federated/apps/pdns-static/docker-compose.yml <<EOF
version: '3.7'
services:
pdns-static:
image: pschiffe/pdns-admin-static\${IMAGE_VERSION}
container_name: pdns-static
hostname: pdns-static.$DOMAIN
domainname: $DOMAIN
restart: always
networks:
federated:
ipv4_address: 172.99.0.7
ports:
- "8989:80"
volumes:
- /etc/localtime:/etc/localtime:ro
env_file:
- ./.env
networks:
federated:
external: true
EOF
cat > /federated/apps/pdns-static/.env <<EOF
IMAGE_VERSION="@sha256:c75fd98215db2ac2d4abe6e56710f93fecf3394e984c017fa9fffa5228d7b35a"
EOF
chmod 600 /federated/apps/pdns-static/.env
kill -9 $SPINPID &> /dev/null
echo -ne "done."
}
start_pdnsstatic() {
# Start service with command to make sure it's up before proceeding
start_service "pdns-static" "nc -z 172.99.0.7 80 &> /dev/null"
kill -9 $SPINPID &> /dev/null
echo -ne "done."
}

12
lib/postgresql.sh
View File

@ -11,16 +11,12 @@ config_postgresql() {
if [ ! -d "/federated/apps/postgresql" ]; then
mkdir -p /federated/apps/postgresql/data/var/lib/postgresql /federated/apps/postgresql/data/docker-entrypoint-initdb.d
cp /federated/apps/dns/data/etc/letsencrypt/archive/$DOMAIN/fullchain1.pem /federated/apps/postgresql/data/var/lib/postgresql/server.crt
cp /federated/apps/dns/data/etc/letsencrypt/archive/$DOMAIN/privkey1.pem /federated/apps/postgresql/data/var/lib/postgresql/server.key
chown 999 /federated/apps/postgresql/data/var/lib/postgresql/server.*
chmod 600 /federated/apps/postgresql/data/var/lib/postgresql/server.*
cp /federated/apps/certs/certs/$DOMAIN.crt /federated/apps/postgresql/data/var/lib/postgresql/server.crt
cp /federated/apps/certs/private/$DOMAIN.key /federated/apps/postgresql/data/var/lib/postgresql/server.key
chown 999 /federated/apps/postgresql/data/var/lib/postgresql/server.crt /federated/apps/postgresql/data/var/lib/postgresql/server.key
chmod 600 /federated/apps/postgresql/data/var/lib/postgresql/server.crt /federated/apps/postgresql/data/var/lib/postgresql/server.key
fi
DOMAIN_ARRAY=(${DOMAIN//./ })
DOMAIN_FIRST=${DOMAIN_ARRAY[0]}
DOMAIN_LAST=${DOMAIN_ARRAY[1]}
cat > /federated/apps/postgresql/docker-compose.yml <<EOF
version: "3.7"

23
lib/proxy.sh
View File

@ -9,15 +9,20 @@ config_proxy() {
spin &
SPINPID=$!
if [ ! -d "/federated/apps/proxy" ]; then
mkdir -p /federated/apps/proxy/data/root/certs &> /dev/null
cp /federated/apps/dns/data/etc/letsencrypt/archive/$DOMAIN/fullchain1.pem /federated/apps/proxy/data/root/certs/$DOMAIN.crt
cp /federated/apps/dns/data/etc/letsencrypt/archive/$DOMAIN/privkey1.pem /federated/apps/proxy/data/root/certs/$DOMAIN.key
fi
DOMAIN_ARRAY=(${DOMAIN//./ })
DOMAIN_FIRST=${DOMAIN_ARRAY[0]}
DOMAIN_LAST=${DOMAIN_ARRAY[1]}
DOMAIN_MIDDLE=${DOMAIN_ARRAY[1]}
DOMAIN_LAST=${DOMAIN_ARRAY[2]}
if [ ! -d "/federated/apps/proxy" ]; then
mkdir -p /federated/apps/proxy/data/root/certs &> /dev/null
cp /federated/apps/dns/data/etc/letsencrypt/archive/$DOMAIN_MIDDLE.$DOMAIN_LAST/fullchain1.pem /federated/apps/proxy/data/root/certs/$DOMAIN_MIDDLE.$DOMAIN_LAST.crt
cp /federated/apps/dns/data/etc/letsencrypt/archive/$DOMAIN_MIDDLE.$DOMAIN_LAST/privkey1.pem /federated/apps/proxy/data/root/certs/$DOMAIN_MIDDLE.$DOMAIN_LAST.key
fi
# DOMAIN_ARRAY=(${DOMAIN//./ })
# DOMAIN_FIRST=${DOMAIN_ARRAY[0]}
# DOMAIN_LAST=${DOMAIN_ARRAY[1]}
cat > /federated/apps/proxy/docker-compose.yml <<EOF
version: '3.7'
@ -33,8 +38,8 @@ services:
federated:
ipv4_address: 172.99.0.15
ports:
- 80:80
- 443:443
- "80:80"
- "443:443"
volumes:
- /var/run/docker.sock:/tmp/docker.sock:ro
- ./data/root/certs:/etc/nginx/certs

119
lib/traefik.sh Normal file
View File

@ -0,0 +1,119 @@
#!/bin/bash
#
# Traefik Service
PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
config_traefik() {
echo -ne "\n* Configuring /federated/apps/traefik container.."
spin &
SPINPID=$!
if [ ! -d "/federated/apps/traefik" ]; then
mkdir -p /federated/apps/traefik/data/letsencrypt
fi
TRAEFIK_HTTPAUTH_STRING=$(echo `htpasswd -nb admin $ADMINPASS` | sed -e s/\\$/\\$\\$/g)
cat > /federated/apps/traefik/docker-compose.yml <<EOF
version: "3.7"
services:
traefik:
image: traefik:\${IMAGE_VERSION}
container_name: traefik
hostname: traefik.$DOMAIN
domainname: $DOMAIN
restart: always
networks:
federated:
ipv4_address: 172.99.0.5
command:
# Tell Traefik to discover containers using the Docker API
- --providers.docker=true
# Enable the Trafik dashboard
- --api.dashboard=true
# Set up LetsEncrypt
- --certificatesresolvers.letsencrypt.acme.dnschallenge=true
- --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=pdns
- --certificatesresolvers.letsencrypt.acme.email=hostmaster@$DOMAIN
- --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
- --certificatesresolvers.letsencrypt.acme.dnschallenge.DisablePropagationCheck=true
# --certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
- --log.level=DEBUG
# Set up an insecure listener that redirects all traffic to HTTPS
- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443
- --entrypoints.web.http.redirections.entrypoint.to=websecure
- --entrypoints.web.http.redirections.entrypoint.scheme=https
# Set up the TLS configuration for our websecure listener
- --entrypoints.websecure.http.tls=true
- --entrypoints.websecure.http.tls.certResolver=letsencrypt
- --entrypoints.websecure.http.tls.domains[0].main=$DOMAIN
- --entrypoints.websecure.http.tls.domains[0].sans=*.$DOMAIN
env_file:
- ./.env
ports:
- 80:80
- 443:443
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./data/letsencrypt:/letsencrypt
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.rule=Host(\`traefik.$DOMAIN\`)"
- "traefik.http.routers.traefik.entrypoints=websecure"
- "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
- "traefik.http.routers.traefik.service=api@internal"
- "traefik.http.routers.traefik.middlewares=strip"
- "traefik.http.middlewares.strip.stripprefix.prefixes=/traefik"
- "traefik.http.routers.traefik.middlewares=traefik-auth"
- "traefik.http.middlewares.traefik-auth.basicauth.users=$TRAEFIK_HTTPAUTH_STRING"
networks:
federated:
external: true
EOF
cat > /federated/apps/traefik/.env <<EOF
IMAGE_VERSION="v2.10.1"
PDNS_API_KEY=$PDNS_APIKEY
PDNS_API_URL=http://pdns.$DOMAIN:8081
EOF
chmod 600 /federated/apps/traefik/.env
kill -9 $SPINPID &> /dev/null
echo -ne "done."
}
start_traefik() {
if [ $DEBUG ]; then
# Start /federated/apps/traefik with output to console for debug
docker-compose -f /federated/apps/traefik/docker-compose.yml -p traefik up
[ $? -eq 0 ] && echo -ne "done.\n" || fail "There was a problem starting service /federated/apps/traefik"
else
# Start /federated/apps/traefik with output to /dev/null
docker-compose -f /federated/apps/traefik/docker-compose.yml -p traefik up -d &> /dev/null
# Keep trying to see that certificates are generated
RETRY="20"
while [ $RETRY -gt 0 ]; do
traefik-certs-dumper file --version v2 --source /federated/apps/traefik/data/letsencrypt/acme.json --dest /federated/certs &> /dev/null
# Check if certs are generated
ls /federated/certs/private/$DOMAIN.key /federated/certs/certs/$DOMAIN.crt &> /dev/null
if [ $? -eq 0 ]; then
kill -9 $SPINPID &> /dev/null
echo -ne "done."
break
else
if [ "$RETRY" == 1 ]; then
docker-compose -f /federated/apps/traefik/docker-compose.yml -p traefik down &> /dev/null
fail "There was a problem starting service /federated/apps/traefik\nCheck the output of 'docker logs traefik' or turn on\ndebug with -d"
fi
((RETRY--))
sleep 9
fi
done
fi
}

19
lib/vaultwarden.sh
View File

@ -9,13 +9,18 @@ config_vaultwarden() {
spin &
SPINPID=$!
DOMAIN_ARRAY=(${DOMAIN//./ })
DOMAIN_FIRST=${DOMAIN_ARRAY[0]}
DOMAIN_MIDDLE=${DOMAIN_ARRAY[1]}
DOMAIN_LAST=${DOMAIN_ARRAY[2]}
if [ ! -d "/federated/apps/vaultwarden" ]; then
mkdir -p /federated/apps/vaultwarden/data/data
fi
DOMAIN_ARRAY=(${DOMAIN//./ })
DOMAIN_FIRST=${DOMAIN_ARRAY[0]}
DOMAIN_LAST=${DOMAIN_ARRAY[1]}
# DOMAIN_ARRAY=(${DOMAIN//./ })
# DOMAIN_FIRST=${DOMAIN_ARRAY[0]}
# DOMAIN_LAST=${DOMAIN_ARRAY[1]}
cat > /federated/apps/vaultwarden/docker-compose.yml <<EOF
version: '3.7'
@ -34,6 +39,11 @@ services:
- ./.env
volumes:
- ./data/data:/data
labels:
- "traefik.enable=true"
- "traefik.http.routers.vaultwarden.rule=Host(\`vaultwarden.$DOMAIN\`)"
- "traefik.http.routers.vaultwarden.entrypoints=websecure"
- "traefik.http.routers.vaultwarden.tls.certresolver=letsencrypt"
networks:
federated:
@ -43,9 +53,6 @@ EOF
cat > /federated/apps/vaultwarden/.env <<EOF
IMAGE_VERSION="1.27.0"
DATABASE_URL=postgresql://vaultwarden:$VAULTWARDEN_SECRET@postgresql.$DOMAIN:5432/vaultwarden
VIRTUAL_PROTO=http
VIRTUAL_PORT=80
VIRTUAL_HOST=vaultwarden.$DOMAIN
WEBSOCKET_ENABLED=true
ADMIN_TOKEN=$VAULTWARDEN_SECRET
#- SIGNUPS_ALLOWED=false