Docker + Portainer + Let's Encrypt

by 2lab

Deploy Docker with Portainer secured with Let's Encrypt. Important: the domain you enter must already resolve to the instance's IP before deploying (Let's Encrypt validates it over port 80, so nothing else may bind port 80 at deploy or renewal time). Once deployed, visit https://<host>:9000 immediately and change the default admin password — Portainer is published on every interface and is given the Docker socket, so until the password is changed anyone who can reach port 9000 can log in and run privileged containers on the host.

Compatible with: Ubuntu 16.04 LTS
						#!/bin/bash
#
# Docker + Portainer + Let's Encrypt
# Author: Daniel M. Hendricks
# Web Site: https://www.danhendricks.com/
# Feedback: https://daniel.hn/contact/
#
# IMPORTANT: Once deployed, visit https://{host}:9000 to change the default admin password!
# 
# <UDF name="hostname" label="Hostname" example="Example: docker01" />
# <UDF name="fqdn" label="Fully Qualified Domain Name (FQDN)" example="Example: docker01.mydomain.com" />
# <UDF name="enable_le" label="Use Let's Encrypt to manage Portainer's HTTPS certificate? (Y/n)" default="Y" example="Important: certbot runs in standalone mode, so port 80 must be free both at deployment and at every renewal; do not bind any container to port 80." />
# <UDF name="letsencrypt_email" label="E-mail address for Let's Encrypt" default="" />
# <UDF name="enable_www" label="Add additional 'www.' domain? (y/N)" default="N" example="Specifying 'Y' will cause Let's Encrypt to add www.{FQDN} as well. Both must resolve to your instance's IP address first!" />
# <UDF name="tz" label="Time Zone" default="" example="Example: America/New_York (see: http://bit.ly/TZlisting)" />

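# Variables
# Primary IPv4 address of eth0, used below to seed /etc/hosts. Parsed from
# ifconfig output; net-tools is present on Ubuntu 16.04, which this script
# targets (newer releases may only ship `ip`).
IPADDR=$(/sbin/ifconfig eth0 | awk '/inet / { print $2 }' | sed 's/addr://')

# Set timezone
# The test must be quoted: the original `[ -n $TZ ]` collapses to `[ -n ]`
# when TZ is empty, which is true, so timedatectl ran with no argument.
if [[ -n "$TZ" ]]; then
  timedatectl set-timezone "$TZ"
fi

# Update repositories and system packages (non-interactive so the upgrade
# never blocks on a debconf prompt during unattended provisioning)
apt update
DEBIAN_FRONTEND=noninteractive apt upgrade -y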

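# Set the hostname & add fully-qualified domain name (FQDN) in hosts file
# HOSTNAME here is the StackScript UDF, exported into the environment and
# therefore shadowing bash's own HOSTNAME variable.
printf '%s\n' "$HOSTNAME" > /etc/hostname
hostname -F /etc/hostname

# Only write a hosts entry when we actually learned an address; with no eth0
# IPADDR is empty and the line would start with the hostname in the IP field.
if [[ -z "$IPADDR" ]]; then
  echo "WARNING: could not determine the eth0 IPv4 address; /etc/hosts not updated" >&2
else
  # Quoted test: the original `[ -n $FQDN ]` is always true (an empty FQDN
  # reduces it to `[ -n ]`), so the else branch could never be taken.
  if [[ -n "$FQDN" ]]; then
    printf '%s %s %s\n' "$IPADDR" "$FQDN" "$HOSTNAME" >> /etc/hosts
  else
    printf '%s %s\n' "$IPADDR" "$HOSTNAME" >> /etc/hosts
  fi
fi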

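# Install dependencies
apt install -y software-properties-common

# Install Docker from the official docker-ce repository.
# The script already runs as root (every other command here is unprivileged
# of sudo), so sudo is dropped from the key import.
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
# Piping a downloaded key straight into apt-key trusts whatever the fetch
# returned. Check that the imported key is Docker's published release key
# (fingerprint 9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88, per
# docs.docker.com) and refuse to add the repo otherwise.
if ! apt-key fingerprint 0EBFCD88 2>/dev/null | tr -d ' ' | grep -q '9DC858229FC7DD38854AE2D88D81803C0EBFCD88'; then
  echo "ERROR: Docker apt signing key fingerprint mismatch; refusing to install docker-ce" >&2
  exit 1
fi
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
apt update
# Informational: shows which docker-ce candidate the repo will install
apt-cache policy docker-ce
apt install -y docker-ce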

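# Generate TLS certificates via Let's Encrypt for Portainer
add-apt-repository ppa:certbot/certbot --yes
apt update && apt install certbot -y

# Request a certificate only when Let's Encrypt is enabled AND the inputs it
# needs are present. The original used unquoted `[ -n $VAR ]`, which is true
# even for an empty VAR, so certbot was invoked with --email "" whenever the
# address was left blank. The two near-identical branches are merged by
# building the -d list as an array.
if [[ "${ENABLE_LE,,}" == 'y' && -n "$LETSENCRYPT_EMAIL" && -n "$FQDN" ]]; then
  domains=(-d "$FQDN")
  if [[ "${ENABLE_WWW,,}" == 'y' ]]; then
    # Both names must already resolve to this instance (see the UDF text).
    domains+=(-d "www.$FQDN")
  fi
  certbot certonly --standalone --preferred-challenges http \
    --email "$LETSENCRYPT_EMAIL" --noninteractive --quiet --agree-tos \
    "${domains[@]}"
fi

if [[ "${ENABLE_LE,,}" == 'y' ]]; then
  # Renew twice daily (standalone mode still needs port 80 free at that
  # time). Portainer appears to load the key/cert only when it starts, so a
  # renewal has to restart the container or the old certificate keeps being
  # served until it expires; --deploy-hook only fires on an actual renewal.
  cat <(crontab -l 2>/dev/null) <(echo "0 1,13 * * * certbot renew --deploy-hook 'docker restart portainer'") | crontab -
fi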

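# Install Portainer
# NOTE: bind-mounting /var/run/docker.sock hands the container full control of
# the Docker daemon, which is root-equivalent on this host; anyone who can
# log in to Portainer can start privileged containers. Port 9000 is published
# on all interfaces, so set the admin password immediately after deployment.
# NOTE: portainer/portainer is pulled untagged; pin a specific tag if you
# need reproducible deployments.
cert_dir="/etc/letsencrypt/live/$FQDN"
mount_args=()
tls_args=()
if [[ -n "$FQDN" && -f "$cert_dir/fullchain.pem" && -f "$cert_dir/privkey.pem" ]]; then
  # live/ holds symlinks into archive/, so both must be mounted for the
  # paths to resolve inside the container. Serve fullchain.pem rather than
  # cert.pem: the leaf alone omits the Let's Encrypt intermediate and most
  # clients then reject the chain.
  mount_args=(-v "/etc/letsencrypt/live/$FQDN:/certs/live/$FQDN:ro"
              -v "/etc/letsencrypt/archive/$FQDN:/certs/archive/$FQDN:ro")
  tls_args=(--ssl --sslcert "/certs/live/$FQDN/fullchain.pem" --sslkey "/certs/live/$FQDN/privkey.pem")
else
  # The original passed --ssl unconditionally; with no certificate on disk
  # Portainer could not start and sat in a restart loop. Start without TLS
  # instead, loudly, so a deployment with Let's Encrypt disabled still works.
  echo "WARNING: no Let's Encrypt certificate found under $cert_dir; starting Portainer over plain HTTP" >&2
fi
docker run -d -p 9000:9000 --restart unless-stopped --name portainer \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /root/portainer/data:/data \
  "${mount_args[@]}" \
  portainer/portainer "${tls_args[@]}"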

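# Install ctop: https://github.com/bcicen/ctop
# NOTE: this fetches a prebuilt binary over HTTPS with no checksum or
# signature check and places it on root's PATH; verify a release digest if
# an unverified third-party binary is outside your threat model.
ctop_bin=/usr/local/bin/ctop
if wget https://github.com/bcicen/ctop/releases/download/v0.7/ctop-0.7-linux-amd64 -O "$ctop_bin"; then
  chmod +x "$ctop_bin"
else
  # wget -O creates the target before fetching; don't leave an empty or
  # partial file on PATH, and never mark it executable.
  rm -f "$ctop_bin"
  echo "WARNING: ctop download failed; skipping" >&2
fi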