Initialize Git Repository: 'Traefik'

root/etc/traefik/acme/00-export

@@ -0,0 +1,84 @@
+#!/usr/bin/bash
+
+
+#
+# Export the certificates and keys from 'acme.json'
+#
+
+
+###
+#
+# Options Section
+#
+###
+
+set -e
+set -u
+set -o pipefail
+
+
+###
+#
+# Variables Section
+#
+###
+
+source '/etc/traefik/acme/acme.env'
+ACME_STORAGE="${ACME_STORAGE:='/var/lib/traefik/acme'}"
+ACME_DATABASE="${ACME_DATABASE:='/var/lib/traefik/acme.json'}"
+
+
+###
+#
+# Runtime Environment
+#
+###
+
+if [[ "${EUID}" -ne '0' && "${USER}" != 'traefik' ]]; then
+  /usr/bin/echo -e 'Error: Permission Denied'
+  exit 1
+fi
+
+if [[ -d "${ACME_STORAGE}" ]]; then
+  /usr/bin/rm --force --recursive "${ACME_STORAGE}"
+fi
+
+/usr/bin/install --directory --group='traefik' --mode='0700' --owner='traefik' "${ACME_STORAGE}"
+
+for RESOLVER in $(/usr/bin/jq --raw-output --exit-status 'keys[]' "${ACME_DATABASE}"); do
+  ACCOUNT=$(/usr/bin/jq --raw-output --arg resolver "${RESOLVER}" --exit-status '.[$resolver].Account.PrivateKey' "${ACME_DATABASE}")
+  /usr/bin/install --directory --group='traefik' --mode='0700' --owner='traefik' "${ACME_STORAGE}/.${RESOLVER}"
+  /usr/bin/echo -e "-----BEGIN RSA PRIVATE KEY-----\n${ACCOUNT}\n-----END RSA PRIVATE KEY-----" | \
+    /usr/bin/openssl 'rsa' -inform 'pem' -out "${ACME_STORAGE}/.${RESOLVER}/account.key" &> '/dev/null'
+  /usr/bin/chmod '0400' "${ACME_STORAGE}/.${RESOLVER}/account.key"
+  /usr/bin/chown 'traefik':'traefik' "${ACME_STORAGE}/.${RESOLVER}/account.key"
+  for DOMAIN in $(/usr/bin/jq --raw-output --arg resolver "${RESOLVER}" --exit-status '.[$resolver].Certificates[].domain.main' "${ACME_DATABASE}"); do
+    CERTIFICATE=$(/usr/bin/jq --raw-output --arg resolver "${RESOLVER}" --arg domain "${DOMAIN}" --exit-status '.[$resolver].Certificates[] | select (.domain.main == $domain ) | .certificate' "${ACME_DATABASE}")
+    KEY=$(/usr/bin/jq --raw-output --arg resolver "${RESOLVER}" --arg domain "${DOMAIN}" --exit-status '.[$resolver].Certificates[] | select (.domain.main == $domain ) | .key' "${ACME_DATABASE}")
+    /usr/bin/install --directory --group='traefik' --mode='0700' --owner='traefik' "${ACME_STORAGE}/${DOMAIN}"
+    case "${RESOLVER}" in
+      *rsa*)
+        /usr/bin/install --directory --group='traefik' --mode='0700' --owner='traefik' "${ACME_STORAGE}/${DOMAIN}/rsa"
+	      /usr/bin/echo "${CERTIFICATE}" | \
+          /usr/bin/base64 --decode > "${ACME_STORAGE}/${DOMAIN}/rsa/root.crt"
+        /usr/bin/chmod '0400' "${ACME_STORAGE}/${DOMAIN}/rsa/root.crt"
+        /usr/bin/chown 'traefik':'traefik' "${ACME_STORAGE}/${DOMAIN}/rsa/root.crt"
+	      /usr/bin/echo "${KEY}" | \
+          /usr/bin/base64 --decode > "${ACME_STORAGE}/${DOMAIN}/rsa/root.key"
+        /usr/bin/chmod '0400' "${ACME_STORAGE}/${DOMAIN}/rsa/root.key"
+        /usr/bin/chown 'traefik':'traefik' "${ACME_STORAGE}/${DOMAIN}/rsa/root.key"
+      ;;
+      *ecdsa*)
+        /usr/bin/install --directory --group='traefik' --mode='0700' --owner='traefik' "${ACME_STORAGE}/${DOMAIN}/ecc"
+	      /usr/bin/echo "${CERTIFICATE}" | \
+          /usr/bin/base64 --decode > "${ACME_STORAGE}/${DOMAIN}/ecc/root.crt"
+        /usr/bin/chmod '0400' "${ACME_STORAGE}/${DOMAIN}/ecc/root.crt"
+        /usr/bin/chown 'traefik':'traefik' "${ACME_STORAGE}/${DOMAIN}/ecc/root.crt"
+	      /usr/bin/echo "${KEY}" | \
+          /usr/bin/base64 --decode > "${ACME_STORAGE}/${DOMAIN}/ecc/root.key"
+        /usr/bin/chmod '0400' "${ACME_STORAGE}/${DOMAIN}/ecc/root.key"
+        /usr/bin/chown 'traefik':'traefik' "${ACME_STORAGE}/${DOMAIN}/ecc/root.key"
+      ;;
+    esac
+  done
+done

root/etc/traefik/acme/01-changelog

@@ -0,0 +1,62 @@
+#!/usr/bin/bash
+
+
+#
+# Generate changelog with hashsum from the exported certificates
+#
+
+
+###
+#
+# Options Section
+#
+###
+
+set -e
+set -u
+set -o pipefail
+
+
+###
+#
+# Variables Section
+#
+###
+
+source '/etc/traefik/acme/acme.env'
+ACME_STORAGE="${ACME_STORAGE:='/var/lib/traefik/acme'}"
+ACME_STORAGE_HASH="${ACME_STORAGE_HASH:='/var/lib/traefik/acme.md5sum'}"
+ACME_STORAGE_CHANGELOG="${ACME_STORAGE_CHANGELOG:='/var/lib/traefik/acme.log'}"
+
+
+###
+#
+# Runtime Environment
+#
+###
+
+if [[ "${EUID}" -ne '0' && "${USER}" != 'traefik' ]]; then
+  /usr/bin/echo -e 'Error: Permission Denied'
+  exit 1
+fi
+
+TMP_DIRECTORY=$(/usr/bin/mktemp --directory --quiet)
+trap "/usr/bin/rm --force --recursive ${TMP_DIRECTORY}" EXIT
+
+if [[ ! -f "${ACME_STORAGE_HASH}" ]]; then
+  /usr/bin/find "${ACME_STORAGE}" -type f -exec /usr/bin/md5sum {} + > "${ACME_STORAGE_HASH}"
+  /usr/bin/chmod 0400 "${ACME_STORAGE_HASH}"
+  /usr/bin/chown 'traefik':'traefik' "${ACME_STORAGE_HASH}"
+  /usr/bin/diff '/dev/null' "${ACME_STORAGE_HASH}" | /usr/bin/grep '^>' | /usr/bin/mawk '{print $3}' > "${ACME_STORAGE_CHANGELOG}" || \
+    /usr/bin/true
+  /usr/bin/chmod 0400 "${ACME_STORAGE_CHANGELOG}"
+  /usr/bin/chown 'traefik':'traefik' "${ACME_STORAGE_CHANGELOG}"
+  exit 0
+fi
+
+/usr/bin/find "${ACME_STORAGE}" -type f -exec /usr/bin/md5sum {} + > "${TMP_DIRECTORY}/traefik_acme.md5sum"
+
+/usr/bin/diff "${ACME_STORAGE_HASH}" "${TMP_DIRECTORY}/traefik_acme.md5sum" | /usr/bin/grep '^>' | /usr/bin/mawk '{print $3}' > "${ACME_STORAGE_CHANGELOG}" || \
+  /usr/bin/true
+
+/usr/bin/cat "${TMP_DIRECTORY}/traefik_acme.md5sum" > "${ACME_STORAGE_HASH}"

root/etc/traefik/acme/acme.env

@@ -0,0 +1,25 @@
+#
+# Traefik ACME Configuration
+#
+
+
+###############################
+# --- ACME Configurartion --- #
+###############################
+
+# Default: '/var/lib/traefik/acme.json'
+ACME_DATABASE='/var/lib/traefik/acme.json'
+
+# Default: '/var/lib/traefik/acme'
+ACME_STORAGE='/var/lib/traefik/acme'
+
+# Default: '/var/lib/traefik/acme.md5sum'
+ACME_STORAGE_HASH='/var/lib/traefik/acme.md5sum'
+
+# Default: '/var/lib/traefik/acme.log'
+ACME_STORAGE_CHANGELOG='/var/lib/traefik/acme.log'
+
+
+################################
+# --- Custom Configuration --- #
+################################

root/etc/traefik/providers.yml

@@ -0,0 +1,101 @@
+# - - - - - HTTP - - - - - #
+
+http:
+  middlewares:
+    auth:
+      digestAuth:
+        users:
+          # User: root
+          # Password: root
+          - root:traefik:d73fbe874041cb3659ad7d8ca0415268
+    compress:
+      compress:
+        defaultEncoding: gzip
+        minResponseBodyBytes: 256
+    headers:
+      headers:
+        browserXssFilter: true
+        contentTypeNosniff: true
+        forceSTSHeader: true
+        referrerPolicy: strict-origin-when-cross-origin
+        stsIncludeSubdomains: true
+        stsSeconds: 31536000
+    redirectscheme:
+      redirectScheme:
+        scheme: https
+        permanent: true
+  routers:
+    catchall:
+      entryPoints:
+        - http
+      middlewares:
+        - compress
+        - redirectscheme
+      priority: 1
+      rule: HostRegexp(`^.*$`)
+      service: catchall
+    catchall-tls:
+      entryPoints:
+        - https
+      middlewares:
+        - compress
+        - headers
+      priority: 1
+      rule: HostRegexp(`^.*$`)
+      service: catchall
+      tls: {}
+    traefik:
+      entryPoints:
+        - http
+      middlewares:
+        - auth
+        - compress
+        - redirectscheme
+      priority: 2
+      rule: Host(`localhost`)
+      service: api@internal
+    traefik-tls:
+      entryPoints:
+        - https
+      middlewares:
+        - auth
+        - compress
+        - headers
+      priority: 2
+      rule: Host(`localhost`)
+      service: api@internal
+      tls: {}
+  services:
+    catchall:
+      loadBalancer:
+        servers:
+          - url: http://localhost
+
+# - - - - - TCP - - - - - #
+
+tcp:
+  routers:
+    acme:
+      rule: HostSNI(`*`)
+      service: acme
+      tls:
+        passthrough: true
+        certResolver: dns-01
+        domains:
+          - main: example.com
+            sans:
+              - '*.example.com'
+  services:
+    acme:
+      loadBalancer:
+        servers:
+          - address: localhost:80
+
+# - - - - - TLS - - - - - #
+
+tls:
+  stores:
+    default:
+      defaultCertificate:
+        certFile: /etc/ssl/traefik/root.crt
+        keyFile: /etc/ssl/traefik/root.key

root/etc/traefik/traefik.yml

@@ -0,0 +1,63 @@
+# - - - - - Access Log - - - - - #
+
+accessLog:
+  filePath: /var/log/traefik/access.log
+
+# - - - - - API - - - - - #
+
+api:
+  disableDashboardAd: true
+
+# - - - - - Certificates Resolver - - - - - #
+
+#certificatesResolvers:
+#  http:
+#    acme:
+#      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
+#      email: hostmaster@localhost
+#      storage: /var/lib/traefik/acme.json
+#      keyType: [RSA4096|EC384] # Select
+#      httpChallenge:
+#        entryPoint: http
+#  tls:
+#    acme:
+#      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
+#      email: hostmaster@localhost
+#      storage: /var/lib/traefik/acme.json
+#      keyType: [RSA4096|EC384] # Select
+#      tlsChallenge: {}
+#  dns-01:
+#    acme:
+#      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
+#      email: hostmaster@localhost
+#      storage: /var/lib/traefik/acme.json
+#      keyType: [RSA4096|EC384] # Select
+#      dnsChallenge:
+#        resolvers:
+#          - "localhost:53"
+#        propagation:
+#          delayBeforeChecks: 60s
+#          requireAllRNS: true
+#        provider:
+
+# - - - - - Entry Points - - - - - #
+
+entryPoints:
+  http:
+    address: :80
+  https:
+    address: :443
+
+# - - - - - Log - - - - - #
+
+log:
+  filePath: /var/log/traefik/error.log
+  level: ERROR
+  maxSize: 64
+
+# - - - - - Providers - - - - - #
+
+providers:
+  file:
+    filename: /etc/traefik/providers.yml
+    watch: true