#!/bin/bash # Detect version from environment variable or detect latest stable from GitHub # Usage with curl (export first): export DOKPLOY_VERSION=canary && curl -sSL https://dokploy.com/install.sh | sh # Usage with curl (export first): export DOKPLOY_VERSION=latest && curl -sSL https://dokploy.com/install.sh | sh # Usage with curl (bash -s): DOKPLOY_VERSION=canary bash -s < <(curl -sSL https://dokploy.com/install.sh) # Usage with curl (default): curl -sSL https://dokploy.com/install.sh | sh (detects latest stable version) # Usage with bash: DOKPLOY_VERSION=canary bash install.sh # Usage with bash: DOKPLOY_VERSION=latest bash install.sh # Usage with bash: bash install.sh (detects latest stable version) detect_version() { local version="${DOKPLOY_VERSION}" # If no version specified, get latest stable version from GitHub releases if [ -z "$version" ]; then echo "Detecting latest stable version from GitHub..." >&2 # Try to get latest release from GitHub by following redirects version=$(curl -fsSL -o /dev/null -w '%{url_effective}\n' \ https://github.com/dokploy/dokploy/releases/latest 2>/dev/null | \ sed 's#.*/tag/##') # Fallback to latest tag if detection fails if [ -z "$version" ]; then echo "Warning: Could not detect latest version from GitHub, using fallback version latest" >&2 version="latest" else echo "Latest stable version detected: $version" >&2 fi fi echo "$version" } # Function to detect if running in Proxmox LXC container is_proxmox_lxc() { # Check for LXC in environment if [ -n "$container" ] && [ "$container" = "lxc" ]; then return 0 # LXC container fi # Check for LXC in /proc/1/environ if grep -q "container=lxc" /proc/1/environ 2>/dev/null; then return 0 # LXC container fi return 1 # Not LXC } generate_random_password() { # Generate a secure random password using multiple methods with fallbacks local password="" # Try using openssl (most reliable, available on most systems) if command -v openssl >/dev/null 2>&1; then password=$(openssl rand -base64 32 | tr -d "=+/" | cut -c1-32) # Fallback to /dev/urandom with tr (most Linux systems) elif [ -r /dev/urandom ]; then password=$(tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32) # Last resort fallback using date and simple hashing else if command -v sha256sum >/dev/null 2>&1; then password=$(date +%s%N | sha256sum | base64 | head -c 32) elif command -v shasum >/dev/null 2>&1; then password=$(date +%s%N | shasum -a 256 | base64 | head -c 32) else # Very basic fallback - combines multiple sources of entropy password=$(echo "$(date +%s%N)-$(hostname)-$$-$RANDOM" | base64 | tr -d "=+/" | head -c 32) fi fi # Ensure we got a password of correct length if [ -z "$password" ] || [ ${#password} -lt 20 ]; then echo "Error: Failed to generate random password" >&2 exit 1 fi echo "$password" } install_dokploy() { # Detect version tag VERSION_TAG=$(detect_version) DOCKER_IMAGE="dokploy/dokploy:${VERSION_TAG}" echo "Installing Dokploy version: ${VERSION_TAG}" if [ "$(id -u)" != "0" ]; then echo "This script must be run as root" >&2 exit 1 fi # check if is Mac OS if [ "$(uname)" = "Darwin" ]; then echo "This script must be run on Linux" >&2 exit 1 fi # check if is running inside a container if [ -f /.dockerenv ]; then echo "This script must be run on Linux" >&2 exit 1 fi # check if something is running on port 80 if ss -tulnp | grep ':80 ' >/dev/null; then echo "Error: something is already running on port 80" >&2 exit 1 fi # check if something is running on port 443 if ss -tulnp | grep ':443 ' >/dev/null; then echo "Error: something is already running on port 443" >&2 exit 1 fi # check if something is running on port 3000 if ss -tulnp | grep ':3000 ' >/dev/null; then echo "Error: something is already running on port 3000" >&2 echo "Dokploy requires port 3000 to be available. Please stop any service using this port." >&2 exit 1 fi command_exists() { command -v "$@" > /dev/null 2>&1 } if command_exists docker; then echo "Docker already installed" else curl -sSL https://get.docker.com | sh -s -- --version 28.5.0 fi # Check if running in Proxmox LXC container and set endpoint mode endpoint_mode="" if is_proxmox_lxc; then echo "⚠️ WARNING: Detected Proxmox LXC container environment!" echo "Adding --endpoint-mode dnsrr to Docker services for LXC compatibility." echo "This may affect service discovery but is required for LXC containers." echo "" endpoint_mode="--endpoint-mode dnsrr" echo "Waiting for 5 seconds before continuing..." sleep 5 fi docker swarm leave --force 2>/dev/null get_ip() { local ip="" # Try IPv4 first # First attempt: ifconfig.io ip=$(curl -4s --connect-timeout 5 https://ifconfig.io 2>/dev/null) # Second attempt: icanhazip.com if [ -z "$ip" ]; then ip=$(curl -4s --connect-timeout 5 https://icanhazip.com 2>/dev/null) fi # Third attempt: ipecho.net if [ -z "$ip" ]; then ip=$(curl -4s --connect-timeout 5 https://ipecho.net/plain 2>/dev/null) fi # If no IPv4, try IPv6 if [ -z "$ip" ]; then # Try IPv6 with ifconfig.io ip=$(curl -6s --connect-timeout 5 https://ifconfig.io 2>/dev/null) # Try IPv6 with icanhazip.com if [ -z "$ip" ]; then ip=$(curl -6s --connect-timeout 5 https://icanhazip.com 2>/dev/null) fi # Try IPv6 with ipecho.net if [ -z "$ip" ]; then ip=$(curl -6s --connect-timeout 5 https://ipecho.net/plain 2>/dev/null) fi fi if [ -z "$ip" ]; then echo "Error: Could not determine server IP address automatically (neither IPv4 nor IPv6)." >&2 echo "Please set the ADVERTISE_ADDR environment variable manually." >&2 echo "Example: export ADVERTISE_ADDR=" >&2 exit 1 fi echo "$ip" } get_private_ip() { ip addr show | grep -E "inet (192\.168\.|10\.|172\.1[6-9]\.|172\.2[0-9]\.|172\.3[0-1]\.)" | head -n1 | awk '{print $2}' | cut -d/ -f1 } advertise_addr="${ADVERTISE_ADDR:-$(get_private_ip)}" if [ -z "$advertise_addr" ]; then echo "ERROR: We couldn't find a private IP address." echo "Please set the ADVERTISE_ADDR environment variable manually." echo "Example: export ADVERTISE_ADDR=192.168.1.100" exit 1 fi echo "Using advertise address: $advertise_addr" # Allow custom Docker Swarm init arguments via DOCKER_SWARM_INIT_ARGS environment variable # Example: export DOCKER_SWARM_INIT_ARGS="--default-addr-pool 172.20.0.0/16 --default-addr-pool-mask-length 24" # This is useful to avoid CIDR overlapping with cloud provider VPCs (e.g., AWS) swarm_init_args="${DOCKER_SWARM_INIT_ARGS:-}" if [ -n "$swarm_init_args" ]; then echo "Using custom swarm init arguments: $swarm_init_args" docker swarm init --advertise-addr $advertise_addr $swarm_init_args else docker swarm init --advertise-addr $advertise_addr fi if [ $? -ne 0 ]; then echo "Error: Failed to initialize Docker Swarm" >&2 exit 1 fi echo "Swarm initialized" docker network rm -f dokploy-network 2>/dev/null docker network create --driver overlay --attachable dokploy-network echo "Network created" mkdir -p /etc/dokploy chmod 777 /etc/dokploy # Generate secure random password for Postgres POSTGRES_PASSWORD=$(generate_random_password) # Store password as Docker Secret (encrypted and secure) echo "$POSTGRES_PASSWORD" | docker secret create dokploy_postgres_password - 2>/dev/null || true echo "Generated secure database credentials (stored in Docker Secrets)" docker service create \ --name dokploy-postgres \ --constraint 'node.role==manager' \ --network dokploy-network \ --env POSTGRES_USER=dokploy \ --env POSTGRES_DB=dokploy \ --secret source=dokploy_postgres_password,target=/run/secrets/postgres_password \ --env POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password \ --mount type=volume,source=dokploy-postgres,target=/var/lib/postgresql/data \ $endpoint_mode \ postgres:16 docker service create \ --name dokploy-redis \ --constraint 'node.role==manager' \ --network dokploy-network \ --mount type=volume,source=dokploy-redis,target=/data \ $endpoint_mode \ redis:7 # Installation # Set RELEASE_TAG environment variable for canary/feature versions release_tag_env="" if [[ "$VERSION_TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+ ]]; then # Specific version (v0.26.6, v0.26.7, etc.) → latest release_tag_env="-e RELEASE_TAG=latest" elif [ "$VERSION_TAG" != "latest" ]; then # canary, feature/*, etc. → use the tag as-is release_tag_env="-e RELEASE_TAG=$VERSION_TAG" fi docker service create \ --name dokploy \ --replicas 1 \ --network dokploy-network \ --mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \ --mount type=bind,source=/etc/dokploy,target=/etc/dokploy \ --mount type=volume,source=dokploy,target=/root/.docker \ --secret source=dokploy_postgres_password,target=/run/secrets/postgres_password \ --publish published=3000,target=3000,mode=host \ --update-parallelism 1 \ --update-order stop-first \ --constraint 'node.role == manager' \ $endpoint_mode \ $release_tag_env \ -e ADVERTISE_ADDR=$advertise_addr \ -e POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password \ $DOCKER_IMAGE sleep 4 docker run -d \ --name dokploy-traefik \ --restart always \ -v /etc/dokploy/traefik/traefik.yml:/etc/traefik/traefik.yml \ -v /etc/dokploy/traefik/dynamic:/etc/dokploy/traefik/dynamic \ -v /var/run/docker.sock:/var/run/docker.sock:ro \ -p 80:80/tcp \ -p 443:443/tcp \ -p 443:443/udp \ traefik:v3.6.7 docker network connect dokploy-network dokploy-traefik # Optional: Use docker service create instead of docker run # docker service create \ # --name dokploy-traefik \ # --constraint 'node.role==manager' \ # --network dokploy-network \ # --mount type=bind,source=/etc/dokploy/traefik/traefik.yml,target=/etc/traefik/traefik.yml \ # --mount type=bind,source=/etc/dokploy/traefik/dynamic,target=/etc/dokploy/traefik/dynamic \ # --mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \ # --publish mode=host,published=443,target=443 \ # --publish mode=host,published=80,target=80 \ # --publish mode=host,published=443,target=443,protocol=udp \ # traefik:v3.6.7 GREEN="\033[0;32m" YELLOW="\033[1;33m" BLUE="\033[0;34m" NC="\033[0m" # No Color format_ip_for_url() { local ip="$1" if echo "$ip" | grep -q ':'; then # IPv6 echo "[${ip}]" else # IPv4 echo "${ip}" fi } public_ip="${ADVERTISE_ADDR:-$(get_ip)}" formatted_addr=$(format_ip_for_url "$public_ip") echo "" printf "${GREEN}Congratulations, Dokploy is installed!${NC}\n" printf "${BLUE}Wait 15 seconds for the server to start${NC}\n" printf "${YELLOW}Please go to http://${formatted_addr}:3000${NC}\n\n" } update_dokploy() { # Detect version tag VERSION_TAG=$(detect_version) DOCKER_IMAGE="dokploy/dokploy:${VERSION_TAG}" echo "Updating Dokploy to version: ${VERSION_TAG}" # Pull the image docker pull $DOCKER_IMAGE # Update the service docker service update --image $DOCKER_IMAGE dokploy echo "Dokploy has been updated to version: ${VERSION_TAG}" } # Main script execution if [ "$1" = "update" ]; then update_dokploy else install_dokploy fi