torbjorn/lovdata-chat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0ff43b1a9c696cf79ae2ea7f11c172e8be07e6ac
lovdata-chat/docker/scripts/setup-docker-tls.sh
Torbjørn Lindahl 7a9b4b751e docker related
2026-01-18 23:29:04 +01:00

101 lines
3.1 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Docker TLS Setup Script
# Configures Docker daemon with TLS certificates for secure API access
set -e
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
CERTS_DIR="$PROJECT_ROOT/certs"
# Configuration
DOCKER_HOST_IP="${DOCKER_HOST_IP:-127.0.0.1}"
DOCKER_TLS_PORT="${DOCKER_TLS_PORT:-2376}"
echo "Setting up Docker TLS configuration..."
echo "Certificates directory: $CERTS_DIR"
echo "Docker host IP: $DOCKER_HOST_IP"
echo "TLS port: $DOCKER_TLS_PORT"
# Check if certificates exist
if [[ ! -f "$CERTS_DIR/ca.pem" || ! -f "$CERTS_DIR/server-cert.pem" || ! -f "$CERTS_DIR/server-key.pem" ]]; then
echo "Error: TLS certificates not found. Run generate-certs.sh first."
exit 1
fi
# Create Docker daemon configuration
DAEMON_CONFIG="/etc/docker/daemon.json"
BACKUP_CONFIG="/etc/docker/daemon.json.backup.$(date +%Y%m%d_%H%M%S)"
echo "Configuring Docker daemon for TLS..."
# Backup existing configuration if it exists
if [[ -f "$DAEMON_CONFIG" ]]; then
echo "Backing up existing daemon.json to $BACKUP_CONFIG"
sudo cp "$DAEMON_CONFIG" "$BACKUP_CONFIG"
fi
# Create new daemon configuration
sudo tee "$DAEMON_CONFIG" > /dev/null << EOF
{
"tls": true,
"tlsverify": true,
"tlscacert": "/etc/docker/certs/ca.pem",
"tlscert": "/etc/docker/certs/server-cert.pem",
"tlskey": "/etc/docker/certs/server-key.pem",
"hosts": ["tcp://0.0.0.0:$DOCKER_TLS_PORT", "unix:///var/run/docker.sock"],
"log-driver": "json-file",
"log-opts": {
"max-size": "10m",
"max-file": "3"
},
"storage-driver": "overlay2",
"iptables": false,
"bridge": "none",
"live-restore": true,
"userland-proxy": false,
"no-new-privileges": true,
"userns-remap": "default"
}
EOF
# Create Docker certificates directory
sudo mkdir -p /etc/docker/certs
# Copy certificates to Docker directory
echo "Installing TLS certificates..."
sudo cp "$CERTS_DIR/ca.pem" /etc/docker/certs/
sudo cp "$CERTS_DIR/server-cert.pem" /etc/docker/certs/
sudo cp "$CERTS_DIR/server-key.pem" /etc/docker/certs/
sudo cp "$CERTS_DIR/client-cert.pem" /etc/docker/certs/
sudo cp "$CERTS_DIR/client-key.pem" /etc/docker/certs/
# Set proper permissions
sudo chmod 0444 /etc/docker/certs/ca.pem /etc/docker/certs/server-cert.pem /etc/docker/certs/client-cert.pem
sudo chmod 0400 /etc/docker/certs/server-key.pem /etc/docker/certs/client-key.pem
sudo chown root:root /etc/docker/certs/*
echo "Restarting Docker daemon..."
sudo systemctl restart docker
# Wait for Docker to restart
sleep 5
# Test TLS connection
echo "Testing TLS connection..."
if docker --tlsverify --tlscacert="$CERTS_DIR/ca.pem" --tlscert="$CERTS_DIR/client-cert.pem" --tlskey="$CERTS_DIR/client-key.pem" -H tcp://$DOCKER_HOST_IP:$DOCKER_TLS_PORT version > /dev/null 2>&1; then
echo "✅ TLS connection successful!"
else
echo "❌ TLS connection failed!"
exit 1
fi
echo ""
echo "Docker TLS setup complete!"
echo ""
echo "Environment variables for applications:"
echo " export DOCKER_TLS_VERIFY=1"
echo " export DOCKER_CERT_PATH=$CERTS_DIR"
echo " export DOCKER_HOST=tcp://$DOCKER_HOST_IP:$DOCKER_TLS_PORT"
echo ""
echo "For docker-compose, add these to your environment or .env file."
Reference in New Issue View Git Blame Copy Permalink