diff --git a/.gitignore b/.gitignore index a31d138..27a07e2 100644 --- a/.gitignore +++ b/.gitignore @@ -7,6 +7,8 @@ .env setup.conf server.conf +certs.toml +.htpasswd # Certificate files *.pem @@ -17,8 +19,4 @@ server.conf *.srl # pycharm folder -.idea/ - -# traefik test stuff -traefik-docker/ -*traefik* \ No newline at end of file +.idea/ \ No newline at end of file diff --git a/docker-compose.yaml b/docker-compose.yaml index 1dcd468..2151358 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -3,24 +3,24 @@ version: '3.5' services: - # ngix container - nginx: - container_name: nginx - hostname: ${HOSTNAME} - image: nginx:latest - volumes: - - ./nginx-docker/configs/:/etc/nginx/ - - ./certificates/certs/:/etc/ssl/certs/ - - ./certificates/private/:/etc/ssl/private/ - - ./certificates/dhparam.pem:/etc/nginx/dhparam.pem - ports: - - "80:80" - - "443:443" - - "853:853" - networks: - dns_network0: - ipv4_address: 172.16.1.2 - restart: always +# # ngix container +# nginx: +# container_name: nginx +# hostname: ${HOSTNAME} +# image: nginx:latest +# volumes: +# - ./nginx-docker/configs/:/etc/nginx/ +# - ./certificates/certs/:/etc/ssl/certs/ +# - ./certificates/private/:/etc/ssl/private/ +# - ./certificates/dhparam.pem:/etc/nginx/dhparam.pem +# ports: +# - "80:80" +# - "443:443" +# - "853:853" +# networks: +# dns_network0: +# ipv4_address: 172.16.1.2 +# restart: always # DoH server container doh_server: 
@@ -34,7 +34,24 @@ services: networks: dns_network0: ipv4_address: 172.16.1.3 + traefik_proxy: + ipv4_address: 172.16.0.3 restart: always + labels: + - traefik.enable=true + - traefik.docker.network=traefik_proxy + ##### http + ### services + # backend port + - traefik.http.services.svc-doh_server.loadbalancer.server.port=8053 + ### routers + # DoH forward + - traefik.http.routers.rou_encr-doh_server.entrypoints=https + - traefik.http.routers.rou_encr-doh_server.rule=Host(`doh.${DOMAIN}`) && Path(`/dns-query`) + - traefik.http.routers.rou_encr-doh_server.tls=true + - traefik.http.routers.rou_encr-doh_server.tls.options=default + - traefik.http.routers.rou_encr-doh_server.middlewares=secure_headers@file + - traefik.http.routers.rou_encr-doh_server.service=svc-doh_server # pihole container pihole: 
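Review bot: The Host() rule on `rou_encr-doh_server` depends on `DOMAIN` being present in `.env`; if it is missing, compose substitutes an empty string and the router silently matches the host `doh.`. The file already uses the `${TZ:-Europe/London}` form, so the same mechanism can make the absence fatal instead: write the rule with `${DOMAIN:?DOMAIN must be set in .env}` in place of `${DOMAIN}`. The pihole and traefik label blocks in the later hunks use the same unguarded substitution and would benefit from the same change.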
@@ -57,13 +74,66 @@ services: - "53:53/udp" expose: - "80" - - "443" networks: dns_network0: ipv4_address: 172.16.1.4 + traefik_proxy: + ipv4_address: 172.16.0.4 dns: - 127.0.0.1 restart: always + labels: + - traefik.enable=true + - traefik.docker.network=traefik_proxy + ##### http + ### services + # backend port + - traefik.http.services.svc-pihole_gui.loadbalancer.server.port=80 + ### middleware + # redirecting pi.hole + - traefik.http.middlewares.redirect_pihole.redirectregex.permanent=true + - traefik.http.middlewares.redirect_pihole.redirectregex.regex=^.*pi\.hole(.*) + - traefik.http.middlewares.redirect_pihole.redirectregex.replacement=https://pihole.${DOMAIN}$$1 + # remove and add /admin + - traefik.http.middlewares.add_admin.addprefix.prefix=/admin + ### routers + # redirect http to https + - traefik.http.routers.rou_admin-pihole_gui.entrypoints=http + - traefik.http.routers.rou_admin-pihole_gui.rule=Host(`pihole.${DOMAIN}`,`pi.hole`) && PathPrefix(`/admin`) + - traefik.http.middlewares.chain1.chain.middlewares=redirect_pihole,https_redirect@file + - traefik.http.routers.rou_admin-pihole_gui.middlewares=chain1 + # pihole dashboard + - traefik.http.routers.rou_encr_admin-pihole_gui.entrypoints=https + - traefik.http.routers.rou_encr_admin-pihole_gui.rule=Host(`pihole.${DOMAIN}`,`pi.hole`) && PathPrefix(`/admin`) + - traefik.http.routers.rou_encr_admin-pihole_gui.tls=true + - traefik.http.routers.rou_encr_admin-pihole_gui.tls.options=default + - traefik.http.middlewares.chain2.chain.middlewares=redirect_pihole,secure_headers@file + - traefik.http.routers.rou_encr_admin-pihole_gui.middlewares=chain2 + - traefik.http.routers.rou_encr_admin-pihole_gui.service=svc-pihole_gui + # redirect http to https; without /admin + - traefik.http.routers.rou-pihole_gui.entrypoints=http + - traefik.http.routers.rou-pihole_gui.rule=Host(`pihole.${DOMAIN}`,`pi.hole`) + - traefik.http.middlewares.chain3.chain.middlewares=redirect_pihole,https_redirect@file,add_admin + - 
traefik.http.routers.rou-pihole_gui.middlewares=chain3 + # pihole dashboard; without /admin + - traefik.http.routers.rou_encr-pihole_gui.entrypoints=https + - traefik.http.routers.rou_encr-pihole_gui.rule=Host(`pihole.${DOMAIN}`,`pi.hole`) + - traefik.http.routers.rou_encr-pihole_gui.tls=true + - traefik.http.routers.rou_encr-pihole_gui.tls.options=default + - traefik.http.middlewares.chain4.chain.middlewares=redirect_pihole,add_admin,secure_headers@file + - traefik.http.routers.rou_encr-pihole_gui.middlewares=chain4 + - traefik.http.routers.rou_encr-pihole_gui.service=svc-pihole_gui +# ##### tcp +# ### services +# # backend port +# - traefik.tcp.services.svc-pihole_dns.loadbalancer.server.port=53 +# ### routers +# # DoT forward +# - traefik.tcp.routers.rou_encr-pihole_dns.entrypoints=dot +# - traefik.tcp.routers.rou_encr-pihole_dns.rule=HostSNI(`dot.${DOMAIN}`) +# - traefik.tcp.routers.rou_encr-pihole_dns.tls=true +# - traefik.tcp.routers.rou_encr-pihole_dns.tls.options=default +# - traefik.tcp.routers.rou_encr-pihole_dns.service=svc-pihole_dns # unbound container unbound: 
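Review bot: The `redirect_pihole` regex `^.*pi\.hole(.*)` is unanchored, so it also fires on a request to pihole.${DOMAIN} whose path or query string happens to contain `pi.hole`, and since `$$1` is whatever follows that substring the redirect target can end up on a host other than pihole.${DOMAIN}. Anchor it to the authority part of the URL, `- traefik.http.middlewares.redirect_pihole.redirectregex.regex=^https?://pi\.hole(/.*)?$$`, where the doubled `$$` is required so compose hands a literal `$` to Traefik. The two http-entrypoint routers (`rou_admin-pihole_gui`, `rou-pihole_gui`) carry no `.service=` label; Traefik attaches the container's single service automatically, but an explicit `service=svc-pihole_gui` like the https routers use would make that intent visible. The commented-out tcp/DoT block is dead configuration that git history already keeps.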
@@ -82,11 +152,57 @@ services: dns_network0: ipv4_address: 172.16.1.5 restart: always + labels: + - traefik.enable=false + + # træfik container + traefik: + container_name: traefik + hostname: ${HOSTNAME} + image: traefik:v2.0 + environment: + - TZ=${TZ:-Europe/London} + volumes: + - /etc/localtime:/etc/localtime:ro + - /var/run/docker.sock:/var/run/docker.sock + - ./traefik-docker/configs/:/etc/traefik/ + - ./traefik-docker/shared/:/shared/:ro + - ./certificates/certs:/etc/ssl/certs/ + - ./certificates/private/:/etc/ssl/private/ + ports: + - "80:80" + - "443:443" + - "853:853" + - "8080:8080" + networks: + traefik_proxy: + ipv4_address: 172.16.0.250 + restart: always + labels: + - traefik.enable=true + - traefik.docker.network=traefik_proxy + ##### http + ### services + # backend port + - traefik.http.services.svc-traefik.loadbalancer.server.port=8080 + ### routers + # redirect http to https + - traefik.http.routers.rou-traefik.entrypoints=http + - traefik.http.routers.rou-traefik.rule=Host(`traefik.${DOMAIN}`) + - traefik.http.routers.rou-traefik.middlewares=https_redirect@file + # traefik dashboard + - traefik.http.routers.rou_encr-traefik.entrypoints=https + - traefik.http.routers.rou_encr-traefik.rule=Host(`traefik.${DOMAIN}`) + - traefik.http.routers.rou_encr-traefik.tls=true + - traefik.http.routers.rou_encr-traefik.tls.options=default + - traefik.http.routers.rou_encr-traefik.middlewares=secure_headers@file + - traefik.http.routers.rou_encr-traefik.service=svc-traefik networks: - # Bridge network for internal communication. + # Bridge network for internal communication dns_network0: + name: dns_network0 driver: bridge driver_opts: encrypted: "true" @@ -94,3 +210,14 @@ networks: config: - subnet: 172.16.1.0/24 attachable: false + + # Bridge network for træfik's communication + traefik_proxy: + name: traefik_proxy + driver: bridge + driver_opts: + encrypted: "true" + ipam: + config: + - subnet: 172.16.0.0/24 + attachable: false \ No newline at end of file 
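Review bot: The traefik service publishes `"8080:8080"` on the host even though this hunk already routes the dashboard through the https entrypoint (`rou_encr-traefik` → `svc-traefik` port 8080); the direct host port bypasses that TLS router and `secure_headers@file`, and serves the API in plaintext on every host interface if the static configuration enables the insecure API. Drop the `- "8080:8080"` line and point the router at the built-in service, `- traefik.http.routers.rou_encr-traefik.service=api@internal`, with an auth middleware in front of it — no router in this hunk carries authentication, although the `.htpasswd` entry added to .gitignore suggests one is intended. The read-write bind of `/var/run/docker.sock` gives the proxy container full control of the Docker host; if it has to stay, a socket proxy exposing only the read endpoints the Docker provider needs is the usual mitigation, since `:ro` on the socket does not restrict API calls.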
diff --git a/run.sh b/run.sh index aaf28d0..52b0276 100755 --- a/run.sh +++ b/run.sh @@ -1,6 +1,14 @@ #!/bin/bash +# Color variables for output messages +RED='\033[0;31m' # For ERROR messages +GREEN='\033[0;32m' # For SUCCESS messages +ORANGE='\033[0;33m' # For WARNING messages +CYAN='\033[0;36m' # For INFO messages +BLANK='\033[0m' # For resetting colors + + # Func for showing usage string usage_string() { echo -e "Usage: $0 [-R] [-U] [-h]" 1>&2; 
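Review bot: The ANSI sequences defined here are emitted unconditionally, so when the script's output is redirected to a log file or captured by cron the escape bytes end up in the file. Guard them on a terminal with one line after the definitions, `[ -t 1 ] || { RED=''; GREEN=''; ORANGE=''; CYAN=''; BLANK=''; }`. The first hunk of setup.sh defines the same block and needs the same guard.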
@@ -81,29 +89,29 @@ fi echo -e "\n####################\n" -echo -e "INFO! Starting docker-pihole-unbound-encrypted.\n" +echo -e "${CYAN}INFO${BLANK}! Starting docker-pihole-unbound-encrypted.\n" # Testing unbound-docker # Check if container started and works; timeout after 1 min -printf 'INFO! Starting up unbound container ' +echo -e -n "${CYAN}INFO${BLANK}! Starting up unbound container " for i in $(seq 1 20); do if [ "$(docker inspect -f "{{.State.Health.Status}}" unbound)" == "healthy" ]; then - printf ' OK' + echo -e -n " ${GREEN}OK${BLANK}" break else sleep 3 - printf '.' + echo -e -n "." fi if [ "$i" -eq 20 ]; then - printf ' FAILED' - echo -e "\nERROR! Timed out waiting for unbound to start, check your container logs for more info (\`docker logs unbound\`)" - printf "INFO! Container health status of 'unbound': " && docker inspect -f {{.State.Health.Status}} unbound + echo -e -n " ${RED}FAILED${BLANK}" + echo -e "\n${RED}ERROR${BLANK}! Timed out waiting for unbound to start, check your container logs for more info (\`docker logs unbound\`)." + echo -e -n "${CYAN}INFO${BLANK}! Container health status of 'unbound': " && docker inspect -f {{.State.Health.Status}} unbound exit_err fi done; -printf "\nINFO! Container health status of 'unbound': " && docker inspect -f {{.State.Health.Status}} unbound +echo -e -n "\n${CYAN}INFO${BLANK}! Container health status of 'unbound': " && docker inspect -f {{.State.Health.Status}} unbound # Test DNSSEC - The first command should give a status report of SERVFAIL and no IP address. The second should give NOERROR plus an IP address. TEST=$(docker exec unbound drill sigfail.verteiltesysteme.net @127.0.0.1 -p 53) 
@@ -112,59 +120,59 @@ then TEST=$(docker exec unbound drill sigok.verteiltesysteme.net @127.0.0.1 -p 53) if [ "$(echo "$TEST" | sed '/SERVER:/d' | grep -cE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')" = 1 ] && [ "$(echo "$TEST" | grep -c 'rcode: NOERROR')" = 1 ] then - echo "SUCCESS! DNSSEC works." + echo -e "${GREEN}SUCCESS${BLANK}! DNSSEC works." else - echo "WARNING! DNSSEC fail with second check (positiv check)." + echo -e "${ORANGE}WARNING${BLANK}! DNSSEC fail with second check (positiv check)." fi else - echo "WARNING! DNSSEC fail with first check (negativ check)." + echo -e "${ORANGE}WARNING${BLANK}! DNSSEC fail with first check (negativ check)." fi # Testing pihole-docker # Check if container started and works; timeout after 1 min -printf '\nINFO! Starting up pihole container ' +echo -e -n "\n${CYAN}INFO${BLANK}! Starting up pihole container " for i in $(seq 1 20); do if [ "$(docker inspect -f "{{.State.Health.Status}}" pihole)" == "healthy" ]; then - printf ' OK' + echo -e -n " ${GREEN}OK${BLANK}" HOST_IP=$(grep 'ServerIP' pihole-docker/configs/server.conf | sed 's/ServerIP=//') if [ "$(docker logs pihole 2> /dev/null | grep -c 'password:')" -gt 0 ]; then - echo -e "\nINFO! $(docker logs pihole 2> /dev/null | grep 'password:') for your pi-hole: https://${HOST_IP}/admin/" + echo -e "\n${CYAN}INFO${BLANK}! $(docker logs pihole 2> /dev/null | grep 'password:') for your pi-hole: https://${HOST_IP}/admin/." RAN_PW='y' else - echo -e "\nINFO! Set given WEBPASSWORD for your pi-hole: https://${HOST_IP}/admin/" + echo -e "\n${CYAN}INFO${BLANK}! Set given WEBPASSWORD for your pi-hole: https://${HOST_IP}/admin/." RAN_PW='n' fi break else sleep 3 - printf '.' + echo -e -n "." fi if [ "$i" -eq 20 ]; then - printf ' FAILED' - echo -e "\nERROR! Timed out waiting for Pi-hole to start, check your container logs for more info (\`docker logs pihole\`)" - printf "INFO! 
Container health status of 'pihole': " && docker inspect -f {{.State.Health.Status}} pihole + echo -e -n " ${RED}FAILED${BLANK}" + echo -e "\n${RED}ERROR${BLANK}! Timed out waiting for Pi-hole to start, check your container logs for more info (\`docker logs pihole\`)." + echo -e -n "${CYAN}INFO${BLANK}! Container health status of 'pihole': " && docker inspect -f {{.State.Health.Status}} pihole exit_err fi done; -printf "INFO! Container health status of 'pihole': " && docker inspect -f {{.State.Health.Status}} pihole +echo -e -n "${CYAN}INFO${BLANK}! Container health status of 'pihole': " && docker inspect -f {{.State.Health.Status}} pihole # Check if blocklist setup is finished and when then restore custom conf; timeout after 10 min -printf 'INFO! Waiting for blocklist setup to finish ' +echo -e -n "${CYAN}INFO${BLANK}! Waiting for blocklist setup to finish " for i in $(seq 1 60); do if [ "$(docker logs pihole | grep -c "\[services.d\] done.")" -gt 0 ]; then - printf ' OK' - echo -e "\n INFO! Blocklists setup finished" + echo -e -n " ${GREEN}OK${BLANK}" + echo -e "\n ${CYAN}INFO${BLANK}! Blocklists setup finished." break else sleep 10 - printf '.' + echo -e -n "." fi if [ "$i" -eq 60 ]; then - printf ' FAILED' - echo -e "\nERROR! Timed out waiting for blocklists to set up, check your container logs for more info (\`docker logs pihole\`)" + echo -e -n " ${RED}FAILED${BLANK}" + echo -e "\n${RED}ERROR${BLANK}! Timed out waiting for blocklists to set up, check your container logs for more info (\`docker logs pihole\`)." exit_err fi done; 
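Review bot: The two `INFO` lines now end the admin URL with a period (`https://${HOST_IP}/admin/.`), which terminals and chat clients fold into the link; drop the trailing period, `... for your pi-hole: https://${HOST_IP}/admin/"`. More importantly, with this commit the dashboard is reached only through Traefik routers keyed on the pihole.${DOMAIN} and pi.hole hostnames, so an IP-based URL presumably no longer matches any router; reading DOMAIN from `.env` the way ServerIP is read from server.conf and printing `https://pihole.${DOMAIN}/admin/` would give users a URL that works. The `grep 'password:'` line still echoes the generated admin password to stdout, which now also lands in any log the script is redirected to.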
@@ -172,57 +180,83 @@ done; # Testing doh_server-docker # Check if container started and is running; timeout after 1 min -printf '\nINFO! Starting up doh_server container ' +echo -e -n "\n${CYAN}INFO${BLANK}! Starting up doh_server container " for i in $(seq 1 20); do if [ "$(docker inspect -f "{{.State.Status}}" doh_server)" == "running" ]; then if [ "$(docker inspect -f "{{.State.Status}}" doh_server)" == "running" ]; then sleep 5 - printf ' OK' + echo -e -n " ${GREEN}OK${BLANK}" fi break else sleep 3 - printf '.' + echo -e -n "." fi if [ "$i" -eq 20 ]; then - printf ' FAILED' - echo -e "\nERROR! Timed out waiting for doh_server to start, check your container logs for more info (\`docker logs doh_server\`)" - printf "INFO! Container health status of 'doh_server': " && docker inspect -f {{.State.Status}} doh_server + echo -e -n " ${RED}FAILED${BLANK}" + echo -e "\n${RED}ERROR${BLANK}! Timed out waiting for doh_server to start, check your container logs for more info (\`docker logs doh_server\`)." + echo -e -n "${CYAN}INFO${BLANK}! Container health status of 'doh_server': " && docker inspect -f {{.State.Status}} doh_server exit_err fi done; -printf "\nINFO! Container health status of 'doh_server': " && docker inspect -f {{.State.Status}} doh_server +echo -e -n "\n${CYAN}INFO${BLANK}! Container health status of 'doh_server': " && docker inspect -f {{.State.Status}} doh_server + + +## Testing nginx-docker +## Check if container started and is running; timeout after 1 min +#printf '\nINFO! Starting up nginx container ' +#for i in $(seq 1 20); do +# if [ "$(docker inspect -f "{{.State.Status}}" nginx)" == "running" ]; then +# sleep 5 +# if [ "$(docker inspect -f "{{.State.Status}}" nginx)" == "running" ]; then +# printf 'OK' +# break +# fi +# else +# sleep 3 +# printf '.' +# fi +# +# if [ "$i" -eq 20 ]; then +# printf ' FAILED' +# echo -e "\nERROR! Timed out waiting for nginx to start, check your container logs for more info (\`docker logs nginx\`)" +# printf "INFO! 
Container health status of 'nginx': " && docker inspect -f {{.State.Status}} nginx +# exit_err +# fi +#done; +#printf "\nINFO! Container health status of 'nginx': " && docker inspect -f {{.State.Status}} nginx -# Testing nginx-docker +# Testing traefik-docker # Check if container started and is running; timeout after 1 min -printf '\nINFO! Starting up nginx container ' +echo -e -n "\n${CYAN}INFO${BLANK}! Starting up traefik container " for i in $(seq 1 20); do - if [ "$(docker inspect -f "{{.State.Status}}" nginx)" == "running" ]; then - sleep 5 - if [ "$(docker inspect -f "{{.State.Status}}" nginx)" == "running" ]; then - printf 'OK' - break + if [ "$(docker inspect -f "{{.State.Status}}" traefik)" == "running" ]; then + if [ "$(docker inspect -f "{{.State.Status}}" traefik)" == "running" ]; then + sleep 5 + echo -e -n " ${GREEN}OK${BLANK}" fi + break else sleep 3 - printf '.' + echo -e -n "." fi if [ "$i" -eq 20 ]; then - printf ' FAILED' - echo -e "\nERROR! Timed out waiting for nginx to start, check your container logs for more info (\`docker logs nginx\`)" - printf "INFO! Container health status of 'nginx': " && docker inspect -f {{.State.Status}} nginx + echo -e -n " ${RED}FAILED${BLANK}" + echo -e "\n${RED}ERROR${BLANK}! Timed out waiting for traefik to start, check your container logs for more info (\`docker logs traefik\`)." + echo -e -n "${CYAN}INFO${BLANK}! Container health status of 'traefik': " && docker inspect -f {{.State.Status}} traefik exit_err fi done; -printf "\nINFO! Container health status of 'nginx': " && docker inspect -f {{.State.Status}} nginx +echo -e -n "\n${CYAN}INFO${BLANK}! Container health status of 'traefik': " && docker inspect -f {{.State.Status}} traefik -echo -e "\nSUCCESS! docker-pihole-unbound-encrypted is up and running." +echo -e "\n${GREEN}SUCCESS${BLANK}! docker-pihole-unbound-encrypted is up and running." 
echo -e "\n####################" -if echo ${RAN_PW} | grep -q 'y'; then - echo -e "\nPlease don't forget to set a secure password for your pihole dashboard.\nRun 'sudo docker exec pihole pihole -a -p' to change it." + +if echo "${RAN_PW}" | grep -q 'y'; then + echo -e "\n${ORANGE}ATTENTION${BLANK}!\nPlease don't forget to set a secure password for your pihole dashboard.\nRun 'sudo docker exec pihole pihole -a -p' to change it." fi \ No newline at end of file diff --git a/setup.sh b/setup.sh index fbc053a..32f0de8 100755 --- a/setup.sh +++ b/setup.sh @@ -1,6 +1,14 @@ #!/bin/bash +# Color variables for output messages +RED='\033[0;31m' # For ERROR messages +GREEN='\033[0;32m' # For SUCCESS messages +ORANGE='\033[0;33m' # For WARNING messages +CYAN='\033[0;36m' # For INFO messages +BLANK='\033[0m' # For resetting colors + + # Func for showing usage string usage_string() { echo -e "Usage: $0 [-f ] [-a ] [-c ] [-I ] [-i ] ` @@ -68,7 +76,7 @@ while getopts ":f:a:c:I:i:n:t:d:h" flag; do I) # Set INTERFACE variable with . E.g. eth0 INTERFACE=${OPTARG} ;; - i) # Set HOST_IP variable with . E.g. 192.168.0.1 + i) # Set HOST_IP variable with . E.g. 192.168.0.2 HOST_IP=${OPTARG} ;; n) # Set HOST_NAME variable with . E.g. raspberry 
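Review bot: In the new traefik start-up loop the inner `if` repeats the exact test the outer one just passed, so it can never be false, and the `sleep 5` that the replaced nginx loop used to catch a container that exits shortly after starting now runs before nothing is re-checked. Restore the order — test, wait, re-test — and only `break` on the second success so a container that died during the wait is retried; the doh_server loop above it has the same shape. The forty-odd commented-out nginx lines are dead code that git history already preserves and should be dropped rather than carried along.
```shell
for i in $(seq 1 20); do
    if [ "$(docker inspect -f "{{.State.Status}}" traefik)" == "running" ]; then
        sleep 5
        if [ "$(docker inspect -f "{{.State.Status}}" traefik)" == "running" ]; then
            echo -e -n " ${GREEN}OK${BLANK}"
            break
        fi
    else
        sleep 3
        echo -e -n "."
    fi
    # … unchanged: timeout branch with exit_err …
done;
```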
@@ -96,72 +104,71 @@ done echo -e "\n####################\n" -echo -e "INFO! Starting setup for docker-pihole-unbound-encrypted.\n" -if echo "${_CONF_FILE}" | grep -q 'y'; then echo "INFO! setup.conf loaded";fi +echo -e "${CYAN}INFO${BLANK}! Starting setup for docker-pihole-unbound-encrypted.\n" +if echo "${_CONF_FILE}" | grep -q 'y'; then echo -e "${CYAN}INFO${BLANK}! setup.conf loaded.";fi # Get architecture if not set [ -z "${ARCHITECTURE}" ] && ARCHITECTURE=$(lscpu | grep Architecture: | awk '{print $2}') if [ -z "${ARCHITECTURE}" ]; then - echo "ERROR! No ARCHITECTURE set and none could be determined. Please set the variable in 'setup.conf' and restart the script." + echo -e "${RED}ERROR${BLANK}! No ARCHITECTURE set and none could be determined. Please set the variable in 'setup.conf' and restart the script." exit_err else - echo "INFO! No ARCHITECTURE set found and using ${ARCHITECTURE}" + echo -e "${CYAN}INFO${BLANK}! No ARCHITECTURE set found and using ${ARCHITECTURE}." fi # Get default interface if not set [ -z "${INTERFACE}" ] && INTERFACE=$(route | grep '^default' | grep -o '[^ ]*$') if [ -z "${INTERFACE}" ]; then - echo "ERROR! No INTERFACE set and none could be determined. Please set the variable in 'setup.conf' and restart the script." + echo -e "${RED}ERROR${BLANK}! No INTERFACE set and none could be determined. Please set the variable in 'setup.conf' and restart the script." exit_err else - echo "INFO! No INTERFACE set found and using ${INTERFACE}" + echo -e "${CYAN}INFO${BLANK}! No INTERFACE set found and using ${INTERFACE}." fi # Get IP for given INTERFACE if not set [ -z "${HOST_IP}" ] && HOST_IP=$(ifconfig "${INTERFACE}" | sed -En 's/127.0.0.1//;s/.*inet (addr:)?(([0-9]*\.){3}[0-9]*).*/\2/p') if [ -z "${HOST_IP}" ]; then - echo "ERROR! No HOST_IP set and none could be determined. Please set the variable in 'setup.conf' and restart the script." + echo -e "${RED}ERROR${BLANK}! No HOST_IP set and none could be determined. 
Please set the variable in 'setup.conf' and restart the script." exit_err else - echo "INFO! No HOST_IP set found and using ${HOST_IP}" + echo -e "${CYAN}INFO${BLANK}! No HOST_IP set found and using ${HOST_IP}." fi -# TODO: delete if not needed anymore ## Get IP + bit length of subnet for given INTERFACE if not set #[ -z "${HOST_IP_W_SUBNET}" ] && HOST_IP_W_SUBNET=$(ip -o -4 addr show | grep "${INTERFACE}" | awk '/scope global/ {print $4}') #if [ -z "${HOST_IP_W_SUBNET}" ]; then -# echo "ERROR! No HOST_IP_W_SUBNET set and none could be determined. Please set the variable in 'setup.conf' and restart the script." +# echo -e "${RED}ERROR${BLANK}! No HOST_IP_W_SUBNET set and none could be determined. Please set the variable in 'setup.conf' and restart the script." # exit_err #else -# echo "INFO! No HOST_IP_W_SUBNET set found and using ${HOST_IP_W_SUBNET}" +# echo -e "${CYAN}INFO${BLANK}! No HOST_IP_W_SUBNET set found and using ${HOST_IP_W_SUBNET}." #fi # Get hostname if not set [ -z "${HOST_NAME}" ] && HOST_NAME=$(hostname) if [ -z "${HOST_NAME}" ]; then - echo "ERROR! No HOST_NAME set and none could be determined. Please set the variable in 'setup.conf' and restart the script." + echo -e "${RED}ERROR${BLANK}! No HOST_NAME set and none could be determined. Please set the variable in 'setup.conf' and restart the script." exit_err else - echo "INFO! No HOST_NAME set found and using ${HOST_NAME}" + echo -e "${CYAN}INFO${BLANK}! No HOST_NAME set found and using ${HOST_NAME}." fi # Get timezone if not set [ -z "${TIMEZONE}" ] && TIMEZONE=$(timedatectl | grep 'Time zone' | awk '{print $3}') if [ -z "${TIMEZONE}" ]; then - echo "ERROR! No TIMEZONE set and none could be determined. Please set the variable in 'setup.conf' and restart the script." + echo -e "${RED}ERROR${BLANK}! No TIMEZONE set and none could be determined. Please set the variable in 'setup.conf' and restart the script." exit_err else - echo "INFO! 
No TIMEZONE set found and using ${TIMEZONE}" + echo -e "${CYAN}INFO${BLANK}! No TIMEZONE set found and using ${TIMEZONE}." fi # Create domain if not set [ -z "${DOMAIN}" ] && DOMAIN="${HOST_NAME}.dns" if [ -z "${DOMAIN}" ]; then - echo "ERROR! No DOMAIN set and none could be created. Please set the variable in 'setup.conf' and restart the script." + echo -e "${RED}ERROR${BLANK}! No DOMAIN set and none could be created. Please set the variable in 'setup.conf' and restart the script." exit_err else - echo "INFO! No DOMAIN set found and using ${DOMAIN}" + echo -e "${CYAN}INFO${BLANK}! No DOMAIN set found and using ${DOMAIN}." fi 
@@ -171,151 +178,166 @@ if echo "${ARCHITECTURE}" | grep -iq arm; then elif echo "${ARCHITECTURE}" | grep -iq x86; then sed -i 's,mvance/unbound-rpi:latest,mvance/unbound:latest,' docker-compose.yaml else - echo "ERROR! Invalid architecture. Only 'ARM' and 'x86' are allowed." + echo -e "${RED}ERROR${BLANK}! Invalid architecture. Only 'ARM' and 'x86' are allowed." exit_err fi # Checking for 'server.conf' file and if necessary settings (ServerIP and TZ) are set -echo "INFO! Checking for 'server.conf' file" +echo -e "${CYAN}INFO${BLANK}! Checking for 'server.conf' file." if ! [ -f pihole-docker/configs/server.conf ] || echo "${FRESH}" | grep -q 'y'; then if echo -e "ServerIP=${HOST_IP}\nTZ=${TIMEZONE}" | tee pihole-docker/configs/server.conf > /dev/null; then - echo "SUCCESS! Created 'server.conf' file" + echo -e "${GREEN}SUCCESS${BLANK}! Created 'server.conf' file." else if [ -f pihole-docker/configs/server.conf ]; then - echo "ERROR! Error while creating 'server.conf' file. Data could not be gathered and empty file was created." \ + echo -e "${RED}ERROR${BLANK}! Error while creating 'server.conf' file. Data could not be gathered and empty file was created." \ "Please add necessary settings (ServerIP and TZ) manually." exit_err else - echo "ERROR! Error while creating 'server.conf' file. The file was not created." + echo -e "${RED}ERROR${BLANK}! Error while creating 'server.conf' file. The file was not created." exit_err fi fi else - echo "SUCCESS! Found 'server.conf' file" + echo -e "${GREEN}SUCCESS${BLANK}! Found 'server.conf' file." if ! [ "$(. pihole-docker/configs/server.conf && [[ -n "${ServerIP}" ]] && [[ -n "${TZ}" ]] && echo "OK")" = "OK" ]; then - echo "ERROR! Please fill necessary settings (ServerIP and TZ) in 'server.conf' file and restart this script." + echo -e "${RED}ERROR${BLANK}! Please fill necessary settings (ServerIP and TZ) in 'server.conf' file and restart this script." 
exit_err fi fi # Checking for '.env' file for compose and if necessary settings (HOSTNAME and TZ) are set -echo "INFO! Checking for '.env' file" +echo -e "${CYAN}INFO${BLANK}! Checking for '.env' file." if ! [ -f .env ] || echo "${FRESH}" | grep -q 'y'; then if echo -e "HOSTNAME=${HOST_NAME}\nDOMAIN=${DOMAIN}\nTZ=${TIMEZONE}" | tee .env > /dev/null; then - echo "SUCCESS! Created '.env' file" + echo -e "${GREEN}SUCCESS${BLANK}! Created '.env' file." else if [ -f .env ]; then - echo "ERROR! Error while creating '.env' file. Data could not be gathered and empty file was created." \ + echo -e "${RED}ERROR${BLANK}! Error while creating '.env' file. Data could not be gathered and empty file was created." \ "Please add necessary settings (ServerIP, DOMAIN and TZ) manually." exit_err else - echo "ERROR! Error while creating '.env' file. The file was not created." + echo -e "${RED}ERROR${BLANK}! Error while creating '.env' file. The file was not created." exit_err fi fi else - echo "SUCCESS! Found '.env' file" + echo -e "${GREEN}SUCCESS${BLANK}! Found '.env' file." if ! [ "$(. .env && [[ -n "${HOSTNAME}" ]] && [[ -n "${DOMAIN}" ]] && [[ -n "${TZ}" ]] && echo "OK")" = "OK" ]; then - echo "ERROR! Please fill necessary settings (ServerIP, DOMAIN and TZ) in '.env' file and restart this script." + echo -e "${RED}ERROR${BLANK}! Please fill necessary settings (ServerIP, DOMAIN and TZ) in '.env' file and restart this script." exit_err fi fi # Auto create lan.list file or complement it -echo "INFO! Checking for 'lan.list' file" +echo -e "${CYAN}INFO${BLANK}! Checking for 'lan.list' file." if ! [ -f pihole-docker/configs/pihole/lan.list ] || echo "${FRESH}" | grep -q 'y'; then if echo "${HOST_IP} ${HOST_NAME}.dns ${HOST_NAME}" | tee pihole-docker/configs/pihole/lan.list > /dev/null; then - echo "SUCCESS! Created 'lan.list' file" + echo -e "${GREEN}SUCCESS${BLANK}! Created 'lan.list' file." else if [ -f pihole-docker/configs/pihole/lan.list ]; then - echo "ERROR! 
Error while creating 'lan.list' file. Data could not be gathered and empty file was created." \ + echo -e "${RED}ERROR${BLANK}! Error while creating 'lan.list' file. Data could not be gathered and empty file was created." \ "Please add necessary host data manually." exit_err else - echo "ERROR! Error while creating 'lan.list' file. The file was not created." + echo -e "${RED}ERROR${BLANK}! Error while creating 'lan.list' file. The file was not created." exit_err fi fi else if ! grep -qw -e "${HOST_IP}" 'pihole-docker/configs/pihole/lan.list'; then - echo -e "\n${HOST_IP} ${HOST_NAME}.dns ${HOST_NAME}" | tee -a pihole-docker/configs/pihole/lan.list > /dev/null && + echo -e "\n${HOST_IP} ${HOST_NAME}.dns ${HOST_NAME}" | tee -a pihole-docker/configs/pihole/lan.list > /dev/null if grep -qw -e "${HOST_IP}" 'pihole-docker/configs/pihole/lan.list'; then - echo "SUCCESS! Added host to 'lan.list' file" + echo -e "${GREEN}SUCCESS${BLANK}! Added host to 'lan.list' file." else - echo "ERROR! Host could not be added to 'lan.list' file" + echo -e "${RED}ERROR${BLANK}! Host could not be added to 'lan.list' file." exit_err fi else - echo "SUCCESS! Found 'lan.list' file" + echo -e "${GREEN}SUCCESS${BLANK}! Found 'lan.list' file." fi fi -# Auto create nginx conf files -echo "INFO! Checking for nginx configuration files" -#Conf files based on DOMAIN -if ! [ -f nginx-docker/configs/sites-enabled/"${DOMAIN}".conf ] || echo "${FRESH}" | grep -q 'y'; then - if ! cp nginx-docker/templates/DOMAIN.conf.template nginx-docker/configs/sites-enabled/"${DOMAIN}".conf; then - echo "ERROR! 'DOMAIN.conf.template' could not be copied." - exit_err - fi - if ! sed -i s/DOMAIN/"${DOMAIN}"/g nginx-docker/configs/sites-enabled/"${DOMAIN}".conf; then - echo "ERROR! '${DOMAIN}.conf' copy could not be modified." - exit_err - fi - echo "SUCCESS! Created '${DOMAIN}.conf' file." -else - echo "SUCCESS! Found '${DOMAIN}.conf' file." -fi -if ! 
[ -f nginx-docker/configs/snippets/cert_"${DOMAIN}".conf ] || echo "${FRESH}" | grep -q 'y'; then - if ! cp nginx-docker/templates/cert_DOMAIN.conf.template nginx-docker/configs/snippets/cert_"${DOMAIN}".conf; then - echo "ERROR! 'cert_DOMAIN.conf' could not be copied." - exit_err - fi - if ! sed -i s/DOMAIN/"${DOMAIN}"/g nginx-docker/configs/snippets/cert_"${DOMAIN}".conf; then - echo "ERROR! 'cert_${DOMAIN}.conf' copy could not be modified." - exit_err - fi - echo "SUCCESS! Created 'cert_${DOMAIN}.conf' file." -else - echo "SUCCESS! Found 'cert_${DOMAIN}.conf' file." -fi -# Conf file for HTTP redirect -if ! [ -f nginx-docker/configs/sites-enabled/http_redirect.conf ] || echo "${FRESH}" | grep -q 'y'; then - if ! cp nginx-docker/templates/http_redirect.conf.template nginx-docker/configs//sites-enabled/http_redirect.conf; then - echo "ERROR! 'http_redirect.conf.template' could not be copied." - exit_err - fi - if ! sed -i s/DOMAIN/"${DOMAIN}"/g nginx-docker/configs//sites-enabled/http_redirect.conf; then - echo "ERROR! 'http_redirect.conf' copy could not be modified." - exit_err - fi - echo "SUCCESS! Created 'http_redirect.conf' file." -else - echo "SUCCESS! Found 'http_redirect.conf' file." -fi -# Conf file for DoT -if ! [ -f nginx-docker/configs/streams/dns-over-tls.conf ] || echo "${FRESH}" | grep -q 'y'; then - if ! cp nginx-docker/templates/dns-over-tls.conf.template nginx-docker/configs/streams/dns-over-tls.conf; then - echo "ERROR! 'dns-over-tls.conf.template' could not be copied." - exit_err - fi - if ! sed -i s/DOMAIN/"${DOMAIN}"/g nginx-docker/configs/streams/dns-over-tls.conf; then - echo "ERROR! 'dns-over-tls.conf' copy could not be modified." +# Check for host IP address mapping in dnsmasq.conf +echo -e "${CYAN}INFO${BLANK}! Checking for domain mapping in 'dnsmasq.conf' file." +if ! 
grep -qw -e "address=/${DOMAIN}/${HOST_IP}" 'pihole-docker/configs/dnsmasq.d/dnsmasq.conf'; then + echo -e "address=/${DOMAIN}/${HOST_IP}" | tee -a pihole-docker/configs/dnsmasq.d/dnsmasq.conf > /dev/null + if grep -qw -e "address=/${DOMAIN}/${HOST_IP}" 'pihole-docker/configs/dnsmasq.d/dnsmasq.conf'; then + echo -e "${GREEN}SUCCESS${BLANK}! Added domain mapping to 'dnsmasq.conf' file." + else + echo -e "${RED}ERROR${BLANK}! Domain mapping could not be added to 'dnsmasq.conf' file." exit_err fi - echo "SUCCESS! Created 'dns-over-tls.conf' file." else - echo "SUCCESS! Found 'dns-over-tls.conf' file." + echo -e "${GREEN}SUCCESS${BLANK}! Found domain mapping in 'dnsmasq.conf' file." fi -echo "SUCCESS! nginx configuration finished." + + +## Auto create nginx conf files +#echo -e "${CYAN}INFO${BLANK}! Checking for nginx configuration files." +##Conf files based on DOMAIN +#if ! [ -f nginx-docker/configs/sites-enabled/"${DOMAIN}".conf ] || echo "${FRESH}" | grep -q 'y'; then +# if ! cp nginx-docker/templates/DOMAIN.conf.template nginx-docker/configs/sites-enabled/"${DOMAIN}".conf; then +# echo -e "${RED}ERROR${BLANK}! 'DOMAIN.conf.template' could not be copied." +# exit_err +# fi +# if ! sed -i s/DOMAIN/"${DOMAIN}"/g nginx-docker/configs/sites-enabled/"${DOMAIN}".conf; then +# echo -e "${RED}ERROR${BLANK}! '${DOMAIN}.conf' copy could not be modified." +# exit_err +# fi +# echo -e "${GREEN}SUCCESS${BLANK}! Created '${DOMAIN}.conf' file." +#else +# echo -e "${GREEN}SUCCESS${BLANK}! Found '${DOMAIN}.conf' file." +#fi +#if ! [ -f nginx-docker/configs/snippets/cert_"${DOMAIN}".conf ] || echo "${FRESH}" | grep -q 'y'; then +# if ! cp nginx-docker/templates/cert_DOMAIN.conf.template nginx-docker/configs/snippets/cert_"${DOMAIN}".conf; then +# echo -e "${RED}ERROR${BLANK}! 'cert_DOMAIN.conf' could not be copied." +# exit_err +# fi +# if ! sed -i s/DOMAIN/"${DOMAIN}"/g nginx-docker/configs/snippets/cert_"${DOMAIN}".conf; then +# echo -e "${RED}ERROR${BLANK}! 
'cert_${DOMAIN}.conf' copy could not be modified." +# exit_err +# fi +# echo -e "${GREEN}SUCCESS${BLANK}! Created 'cert_${DOMAIN}.conf' file." +#else +# echo -e "${GREEN}SUCCESS${BLANK}! Found 'cert_${DOMAIN}.conf' file." +#fi +## Conf file for HTTP redirect +#if ! [ -f nginx-docker/configs/sites-enabled/http_redirect.conf ] || echo "${FRESH}" | grep -q 'y'; then +# if ! cp nginx-docker/templates/http_redirect.conf.template nginx-docker/configs//sites-enabled/http_redirect.conf; then +# echo -e "${RED}ERROR${BLANK}! 'http_redirect.conf.template' could not be copied." +# exit_err +# fi +# if ! sed -i s/DOMAIN/"${DOMAIN}"/g nginx-docker/configs//sites-enabled/http_redirect.conf; then +# echo -e "${RED}ERROR${BLANK}! 'http_redirect.conf' copy could not be modified." +# exit_err +# fi +# echo -e "${GREEN}SUCCESS${BLANK}! Created 'http_redirect.conf' file." +#else +# echo -e "${GREEN}SUCCESS${BLANK}! Found 'http_redirect.conf' file." +#fi +## Conf file for DoT +#if ! [ -f nginx-docker/configs/streams/dns-over-tls.conf ] || echo "${FRESH}" | grep -q 'y'; then +# if ! cp nginx-docker/templates/dns-over-tls.conf.template nginx-docker/configs/streams/dns-over-tls.conf; then +# echo -e "${RED}ERROR${BLANK}! 'dns-over-tls.conf.template' could not be copied." +# exit_err +# fi +# if ! sed -i s/DOMAIN/"${DOMAIN}"/g nginx-docker/configs/streams/dns-over-tls.conf; then +# echo -e "${RED}ERROR${BLANK}! 'dns-over-tls.conf' copy could not be modified." +# exit_err +# fi +# echo -e "${GREEN}SUCCESS${BLANK}! Created 'dns-over-tls.conf' file." +#else +# echo -e "${GREEN}SUCCESS${BLANK}! Found 'dns-over-tls.conf' file." +#fi +#echo -e "${GREEN}SUCCESS${BLANK}! nginx configuration finished." # Check for certificates and keys -echo "INFO! Checking for SSL certificates and keys" +echo -e "${CYAN}INFO${BLANK}! Checking for SSL certificates and keys." CERT_COUNT=0 for cert in certificates/certs/*.crt do 
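Review bot: Both `grep -qw -e "address=/${DOMAIN}/${HOST_IP}"` calls treat the expansion as a basic regex, so the dots in the domain and the address match any character and a similar-looking line can satisfy the check while the exact mapping is absent; add `-F` so the line is matched literally, `if ! grep -qwF -e "address=/${DOMAIN}/${HOST_IP}" 'pihole-docker/configs/dnsmasq.d/dnsmasq.conf'; then`, and the same in the re-check. If an earlier run recorded a different HOST_IP for the same domain, the new line is appended next to the stale one rather than replacing it; removing existing `address=/${DOMAIN}/` lines before appending would keep one mapping per domain. The long commented-out nginx block kept below is dead code that git history already preserves.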
@@ -333,44 +355,62 @@ do done if (( CERT_COUNT < 1)) || (( KEY_COUNT < 1 )); then - echo "ERROR! Add at least one certificate to 'certificates/certs/' and the matching key to " \ + echo -e "${RED}ERROR${BLANK}! Add at least one certificate to 'certificates/certs/' and the matching key to " \ "'certificates/' for your DOMAIN. Then restart the script." exit_err elif ! (( CERT_COUNT = KEY_COUNT )); then - echo "WARNING! There is an uneven amount of certificates and keys." + echo -e "${ORANGE}WARNING${BLANK}! There is an uneven amount of certificates and keys." else - echo "SUCCESS! Found SSL certificate and key." + echo -e "${GREEN}SUCCESS${BLANK}! Found SSL certificate and key." fi # Check for 'dhparam.pem' file -echo "INFO! Checking for dhparam.pem file" +echo -e "${CYAN}INFO${BLANK}! Checking for dhparam.pem file." if [ -f certificates/dhparam.pem ]; then - echo "SUCCESS! Found dhparam.pem file" + echo -e "${GREEN}SUCCESS${BLANK}! Found dhparam.pem file." else - echo "ERROR! No 'dhparam.pem' file found. Please add a 'dhparam.pem' file to certificates/. Then restart this script." + echo -e "${RED}ERROR${BLANK}! No 'dhparam.pem' file found. Please add a 'dhparam.pem' file to certificates/. Then restart this script." exit_err fi +# Traefik conf file for certs +echo -e "${GREEN}SUCCESS${BLANK}! Checking for traefik configuration files." +if ! [ -f traefik-docker/configs/traefik.conf.d/certs.toml ] || echo "${FRESH}" | grep -q 'y'; then + if ! cp traefik-docker/templates/certs.toml.template traefik-docker/configs/traefik.conf.d/certs.toml; then + echo -e "${RED}ERROR${BLANK}! 'certs.toml.template' could not be copied." + exit_err + fi + if ! sed -i s/DOMAIN/"${DOMAIN}"/g traefik-docker/configs/traefik.conf.d/certs.toml; then + echo -e "${RED}ERROR${BLANK}! 'certs.toml' copy could not be modified." + exit_err + fi + echo -e "${GREEN}SUCCESS${BLANK}! Created 'certs.toml' file." +else + echo -e "${GREEN}SUCCESS${BLANK}! Found 'certs.toml' file." 
+fi +echo -e "${GREEN}SUCCESS${BLANK}! traefik configuration finished." + + # Compile doh server image if echo "${COMPILE}" | grep -q 'n'; then - echo "INFO! COMPILE set to 'n'. Not compiling 'goofball222/dns-over-https'." + echo -e "${CYAN}INFO${BLANK}! COMPILE set to 'n'. Not compiling 'goofball222/dns-over-https'." else if echo "${COMPILE}" | grep -q 'y' || echo "${ARCHITECTURE}" | grep -iq arm; then if VERSION="$(git ls-remote -t --refs https://github.com/m13253/dns-over-https.git | tail -n1 | awk '{print $2}' | sed 's,refs/tags/v,,')" && CUR_DIR="$(pwd)" && - echo "INFO! Compiling image for 'goofball222/dns-over-https' for version ${VERSION}." && + echo -e "${CYAN}INFO${BLANK}! Compiling image for 'goofball222/dns-over-https' for version ${VERSION}." && mkdir -p ~/dns-over-https_tmp && cd ~/dns-over-https_tmp && git clone https://github.com/goofball222/dns-over-https.git && cd dns-over-https && echo "$VERSION" | tee 'stable/VERSION' > /dev/null && sudo make && cd "$CUR_DIR" && rm -rf ~/dns-over-https_tmp then - echo "SUCCESS! Image compiled." + echo -e "${GREEN}SUCCESS${BLANK}! Image compiled." else - echo "ERROR! Compiling failed. Deleting '~/dns-over-https_tmp' directory." - rm -rf ~/dns-over-https_tmp || echo "ERROR! Failed to delete '~/dns-over-https_tmp' directory." + echo -e "${RED}ERROR${BLANK}! Compiling failed. Deleting '~/dns-over-https_tmp' directory." + rm -rf ~/dns-over-https_tmp || echo -e "${RED}ERROR${BLANK}! Failed to delete '~/dns-over-https_tmp' directory." exit_err fi fi 
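Review bot: The recoloured `WARNING` line for an uneven certificate/key count is unreachable, because the `elif ! (( CERT_COUNT = KEY_COUNT ))` test above it is an arithmetic assignment rather than a comparison: it sets CERT_COUNT to KEY_COUNT and is true whenever KEY_COUNT is non-zero, which the preceding branch already guarantees. Change the condition to `elif (( CERT_COUNT != KEY_COUNT )); then` so the new message can actually fire. Further down, the new traefik block announces itself with `${GREEN}SUCCESS` although it is a progress message; the rest of the script prints these with `${CYAN}INFO`, so `echo -e "${CYAN}INFO${BLANK}! Checking for traefik configuration files."` keeps the output consistent. The `sed -i s/DOMAIN/"${DOMAIN}"/g` on the copied certs.toml is unanchored and rewrites every occurrence of the token, which is fine for the template as shipped but worth a comment such as `# replaces every DOMAIN placeholder in the template` if the template grows.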
@@ -378,23 +418,27 @@ fi # Download root.hints file +echo -e "${CYAN}INFO${BLANK}! Checking for 'root.hints' file." if ! [ -f unbound-docker/var/root.hints ]; then if echo "" && wget -nv https://www.internic.net/domain/named.root -O unbound-docker/var/root.hints; then - echo "SUCCESS! 'root.hints' file downloaded." + echo -e "${GREEN}SUCCESS${BLANK}! 'root.hints' file downloaded." else - echo "ERROR! 'root.hints' file download failed." + echo -e "${RED}ERROR${BLANK}! 'root.hints' file download failed." + exit_err fi else (( DIFF = ($(date +%s) - $(stat -c %Z unbound-docker/var/root.hints))/3600 )) if ((DIFF > 1)) || echo "${FRESH}" | grep -q 'y'; then if wget -nv https://www.internic.net/domain/named.root -O unbound-docker/var/root.hints; then - echo "SUCCESS! 'root.hints' file updated." + echo -e "${GREEN}SUCCESS${BLANK}! 'root.hints' file updated." else - echo "ERROR! 'root.hints' file update failed." + echo -e "${ORANGE}WARNING${BLANK}! 'root.hints' file update failed." fi + else + echo -e "${GREEN}SUCCESS${BLANK}! 'root.hints' file found." fi fi -echo -e "\nSUCCESS! Setup for docker-pihole-unbound-encrypted finished." +echo -e "\n${GREEN}SUCCESS${BLANK}! Setup for docker-pihole-unbound-encrypted finished." echo -e "\n####################" \ No newline at end of file diff --git a/traefik-docker/configs/traefik.conf.d/middleware.toml b/traefik-docker/configs/traefik.conf.d/middleware.toml new file mode 100644 index 0000000..8f77290 --- /dev/null +++ b/traefik-docker/configs/traefik.conf.d/middleware.toml 
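Review bot: `wget -O unbound-docker/var/root.hints` truncates the target before the transfer starts, so when the new `exit_err` fires on a failed first download an empty `root.hints` is left behind that satisfies the `-f` test on the next run, and the update path, now demoted to a `WARNING`, can likewise hand unbound an empty hints file and carry on. Download to a temporary name and move it into place only on success, e.g. `if wget -nv https://www.internic.net/domain/named.root -O unbound-docker/var/root.hints.tmp && mv unbound-docker/var/root.hints.tmp unbound-docker/var/root.hints; then` in both branches. The file is fetched over HTTPS with no further integrity check; InterNIC also publishes a detached signature for named.root, so a stricter setup could verify it before installing the file, and a comment noting that only transport security is relied on here would make the trade-off explicit.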
@@ -0,0 +1,26 @@
+########################################################################################################################
+#
+# Configuration file for Traefik v2.0.
+#
+########################################################################################################################
+
+
+
+########################################################################################################################
+# Redirect configuration
+########################################################################################################################
+
+[http.middlewares]
+
+ [http.middlewares.secure_headers.headers]
+ forceSTSHeader=true
+ STSIncludeSubdomains=true
+ STSSeconds=63072000
+ STSPreload=true
+ browserXSSFilter=true
+ contentTypeNosniff=true
+ frameDeny=true
+
+ [http.middlewares.https_redirect.redirectscheme]
+ permanent=true
+ scheme = "https"
\ No newline at end of file
diff --git a/traefik-docker/configs/traefik.toml b/traefik-docker/configs/traefik.toml
new file mode 100644
index 0000000..e6d6273
--- /dev/null
+++ b/traefik-docker/configs/traefik.toml
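Review bot: The `https_redirect` middleware is declared here but, as far as this diff shows, nothing attaches it: the only consumer of this file is the doh_server router, which references `secure_headers@file`, so plain HTTP arriving on the `http` entrypoint is neither redirected nor served. Either wire `https_redirect@file` to a catch-all router on `http` or drop the middleware, and retitle the section heading, which says `# Redirect configuration` although the block is mostly the security-headers middleware, to `# Middlewares: security headers and HTTPS redirect`. `STSPreload=true` with `STSIncludeSubdomains` and a two-year max-age is the header shape the preload list requires, but it is a long-lived commitment for every subdomain of the zone; a comment such as `# preload is effectively irreversible once submitted; keep only if all subdomains stay HTTPS-only` would show that this is deliberate. Minor: `scheme = "https"` is the only key in the file written with spaces around `=`; match the other keys.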
@@ -0,0 +1,66 @@
+########################################################################################################################
+#
+# Configuration file for Traefik v2.0.
+#
+########################################################################################################################
+
+
+
+########################################################################################################################
+# Traefik global configuration
+########################################################################################################################
+
+[global]
+ checkNewVersion = true
+ sendAnonymousUsage = false
+
+
+########################################################################################################################
+# API and dashboard configuration
+########################################################################################################################
+
+[api]
+ debug = true
+ dashboard = true
+
+[ping]
+
+
+########################################################################################################################
+# Traefik logs configuration
+########################################################################################################################
+
+[log]
+ level = "INFO" #DEBUG, INFO, WARN, ERROR, FATAL, PANIC
+
+[accessLog]
+
+
+########################################################################################################################
+# Entrypoints configuration
+########################################################################################################################
+
+[entryPoints]
+ [entryPoints.http]
+ address = ":80"
+
+ [entryPoints.https]
+ address = ":443"
+
+ [entryPoints.dot]
+ address = ":853"
+
+
+########################################################################################################################
+# Traefik provider configuration
+########################################################################################################################
+
+[providers]
+ [providers.docker]
+ watch = true
+ endpoint = "unix:///var/run/docker.sock"
+ exposedByDefault = false
+
+ [providers.file]
+ watch = true
+ directory = "/etc/traefik/traefik.conf.d/"
\ No newline at end of file
diff --git a/traefik-docker/shared/.keep b/traefik-docker/shared/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/traefik-docker/templates/certs.toml.template b/traefik-docker/templates/certs.toml.template
new file mode 100644
index 0000000..0405dba
--- /dev/null
+++ b/traefik-docker/templates/certs.toml.template
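Review bot: `debug = true` under `[api]` enables Traefik's additional debugging and profiling endpoints on the internal API service; no router in this diff publishes `api@internal`, so they are not reachable yet, but a checked-in config should carry `debug = false` so that a later dashboard router does not expose them alongside the dashboard. The docker provider reads `unix:///var/run/docker.sock`; the compose service that mounts it is outside this diff, but a socket mount gives the container control of the host's Docker daemon, so it should be mounted read-only or reached through a socket proxy that exposes only the read endpoints the provider needs. The `http` (:80) and `dot` (:853) entrypoints are declared without any router in this commit; `dot` appears to replace the nginx stream listener the commit removes, so DoT stays dead until a TCP router for that entrypoint exists. A short header comment naming where the routers for each entrypoint are expected to come from (`traefik.conf.d/` files and container labels) would help the next reader.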
@@ -0,0 +1,44 @@
+########################################################################################################################
+#
+# Configuration file for Traefik v2.0.
+#
+########################################################################################################################
+
+
+
+########################################################################################################################
+# TLS certificates configuration
+########################################################################################################################
+
+[tls.stores]
+ [tls.stores.default]
+ [tls.stores.default.defaultCertificate]
+ certFile = "/etc/ssl/certs/DOMAIN.crt"
+ keyFile = "/etc/ssl/private/DOMAIN.key"
+
+[tls.options]
+ [tls.options.default]
+ minVersion = "VersionTLS13"
+ cipherSuites = [
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ ]
+# cipherSuites = [
+# "TLS_AES_256_GCM_SHA384",
+# "TLS_CHACHA20_POLY1305_SHA256",
+# "TLS_AES_128_GCM_SHA256",
+# ]
+# cipherSuites = [
+# "HIGH:!aNULL:!MD5"
+# ]
+# https://stackoverflow.com/questions/52128979/recommended-tls-ciphers-for-traefik
+
+
+[[tls.certificates]]
+ certFile = "/etc/ssl/certs/DOMAIN.crt"
+ keyFile = "/etc/ssl/private/DOMAIN.key"
+ stores = ["default"]
\ No newline at end of file
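Review bot: `minVersion = "VersionTLS13"` makes the `cipherSuites` list dead configuration: every entry is a TLS 1.2 suite, and Go (hence Traefik) does not let callers select TLS 1.3 suites, so the block neither restricts nor enables anything while reading as if it did. Either drop the list and keep TLS 1.3 only, or lower `minVersion` to `"VersionTLS12"` if DoT/DoH clients that only speak 1.2 must be served, at which point the list becomes meaningful. The commented `"HIGH:!aNULL:!MD5"` alternative is an OpenSSL cipher string that Traefik would reject if uncommented; remove it rather than leave it as a trap. The same `DOMAIN.crt`/`DOMAIN.key` pair is set both as `defaultCertificate` and as a `[[tls.certificates]]` entry, so a comment such as `# default cert for SNI-less clients; the [[tls.certificates]] entry below serves the same pair by SNI` would explain the duplication.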