364 lines
12 KiB
Bash
364 lines
12 KiB
Bash
#!/bin/bash
|
|
|
|
# Detect version from environment variable or detect latest stable from GitHub
|
|
# Usage with curl (export first): export DOKPLOY_VERSION=canary && curl -sSL https://dokploy.com/install.sh | sh
|
|
# Usage with curl (export first): export DOKPLOY_VERSION=latest && curl -sSL https://dokploy.com/install.sh | sh
|
|
# Usage with curl (bash -s): DOKPLOY_VERSION=canary bash -s < <(curl -sSL https://dokploy.com/install.sh)
|
|
# Usage with curl (default): curl -sSL https://dokploy.com/install.sh | sh (detects latest stable version)
|
|
# Usage with bash: DOKPLOY_VERSION=canary bash install.sh
|
|
# Usage with bash: DOKPLOY_VERSION=latest bash install.sh
|
|
# Usage with bash: bash install.sh (detects latest stable version)
|
|
detect_version() {
|
|
local version="${DOKPLOY_VERSION}"
|
|
|
|
# If no version specified, get latest stable version from GitHub releases
|
|
if [ -z "$version" ]; then
|
|
echo "Detecting latest stable version from GitHub..." >&2
|
|
|
|
# Try to get latest release from GitHub by following redirects
|
|
version=$(curl -fsSL -o /dev/null -w '%{url_effective}\n' \
|
|
https://github.com/dokploy/dokploy/releases/latest 2>/dev/null | \
|
|
sed 's#.*/tag/##')
|
|
|
|
# Fallback to latest tag if detection fails
|
|
if [ -z "$version" ]; then
|
|
echo "Warning: Could not detect latest version from GitHub, using fallback version latest" >&2
|
|
version="latest"
|
|
else
|
|
echo "Latest stable version detected: $version" >&2
|
|
fi
|
|
fi
|
|
|
|
echo "$version"
|
|
}
|
|
|
|
# Function to detect if running in Proxmox LXC container
|
|
is_proxmox_lxc() {
|
|
# Check for LXC in environment
|
|
if [ -n "$container" ] && [ "$container" = "lxc" ]; then
|
|
return 0 # LXC container
|
|
fi
|
|
|
|
# Check for LXC in /proc/1/environ
|
|
if grep -q "container=lxc" /proc/1/environ 2>/dev/null; then
|
|
return 0 # LXC container
|
|
fi
|
|
|
|
return 1 # Not LXC
|
|
}
|
|
|
|
generate_random_password() {
|
|
# Generate a secure random password using multiple methods with fallbacks
|
|
local password=""
|
|
|
|
# Try using openssl (most reliable, available on most systems)
|
|
if command -v openssl >/dev/null 2>&1; then
|
|
password=$(openssl rand -base64 32 | tr -d "=+/" | cut -c1-32)
|
|
# Fallback to /dev/urandom with tr (most Linux systems)
|
|
elif [ -r /dev/urandom ]; then
|
|
password=$(tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32)
|
|
# Last resort fallback using date and simple hashing
|
|
else
|
|
if command -v sha256sum >/dev/null 2>&1; then
|
|
password=$(date +%s%N | sha256sum | base64 | head -c 32)
|
|
elif command -v shasum >/dev/null 2>&1; then
|
|
password=$(date +%s%N | shasum -a 256 | base64 | head -c 32)
|
|
else
|
|
# Very basic fallback - combines multiple sources of entropy
|
|
password=$(echo "$(date +%s%N)-$(hostname)-$$-$RANDOM" | base64 | tr -d "=+/" | head -c 32)
|
|
fi
|
|
fi
|
|
|
|
# Ensure we got a password of correct length
|
|
if [ -z "$password" ] || [ ${#password} -lt 20 ]; then
|
|
echo "Error: Failed to generate random password" >&2
|
|
exit 1
|
|
fi
|
|
|
|
echo "$password"
|
|
}
|
|
|
|
install_dokploy() {
|
|
# Detect version tag
|
|
VERSION_TAG=$(detect_version)
|
|
DOCKER_IMAGE="dokploy/dokploy:${VERSION_TAG}"
|
|
|
|
echo "Installing Dokploy version: ${VERSION_TAG}"
|
|
if [ "$(id -u)" != "0" ]; then
|
|
echo "This script must be run as root" >&2
|
|
exit 1
|
|
fi
|
|
|
|
# check if is Mac OS
|
|
if [ "$(uname)" = "Darwin" ]; then
|
|
echo "This script must be run on Linux" >&2
|
|
exit 1
|
|
fi
|
|
|
|
# check if is running inside a container
|
|
if [ -f /.dockerenv ]; then
|
|
echo "This script must be run on Linux" >&2
|
|
exit 1
|
|
fi
|
|
|
|
# check if something is running on port 80
|
|
if ss -tulnp | grep ':80 ' >/dev/null; then
|
|
echo "Error: something is already running on port 80" >&2
|
|
exit 1
|
|
fi
|
|
|
|
# check if something is running on port 443
|
|
if ss -tulnp | grep ':443 ' >/dev/null; then
|
|
echo "Error: something is already running on port 443" >&2
|
|
exit 1
|
|
fi
|
|
|
|
# check if something is running on port 3000
|
|
if ss -tulnp | grep ':3000 ' >/dev/null; then
|
|
echo "Error: something is already running on port 3000" >&2
|
|
echo "Dokploy requires port 3000 to be available. Please stop any service using this port." >&2
|
|
exit 1
|
|
fi
|
|
|
|
command_exists() {
|
|
command -v "$@" > /dev/null 2>&1
|
|
}
|
|
|
|
if command_exists docker; then
|
|
echo "Docker already installed"
|
|
else
|
|
curl -sSL https://get.docker.com | sh -s -- --version 28.5.0
|
|
fi
|
|
|
|
# Check if running in Proxmox LXC container and set endpoint mode
|
|
endpoint_mode=""
|
|
if is_proxmox_lxc; then
|
|
echo "⚠️ WARNING: Detected Proxmox LXC container environment!"
|
|
echo "Adding --endpoint-mode dnsrr to Docker services for LXC compatibility."
|
|
echo "This may affect service discovery but is required for LXC containers."
|
|
echo ""
|
|
endpoint_mode="--endpoint-mode dnsrr"
|
|
echo "Waiting for 5 seconds before continuing..."
|
|
sleep 5
|
|
fi
|
|
|
|
|
|
docker swarm leave --force 2>/dev/null
|
|
|
|
get_ip() {
|
|
local ip=""
|
|
|
|
# Try IPv4 first
|
|
# First attempt: ifconfig.io
|
|
ip=$(curl -4s --connect-timeout 5 https://ifconfig.io 2>/dev/null)
|
|
|
|
# Second attempt: icanhazip.com
|
|
if [ -z "$ip" ]; then
|
|
ip=$(curl -4s --connect-timeout 5 https://icanhazip.com 2>/dev/null)
|
|
fi
|
|
|
|
# Third attempt: ipecho.net
|
|
if [ -z "$ip" ]; then
|
|
ip=$(curl -4s --connect-timeout 5 https://ipecho.net/plain 2>/dev/null)
|
|
fi
|
|
|
|
# If no IPv4, try IPv6
|
|
if [ -z "$ip" ]; then
|
|
# Try IPv6 with ifconfig.io
|
|
ip=$(curl -6s --connect-timeout 5 https://ifconfig.io 2>/dev/null)
|
|
|
|
# Try IPv6 with icanhazip.com
|
|
if [ -z "$ip" ]; then
|
|
ip=$(curl -6s --connect-timeout 5 https://icanhazip.com 2>/dev/null)
|
|
fi
|
|
|
|
# Try IPv6 with ipecho.net
|
|
if [ -z "$ip" ]; then
|
|
ip=$(curl -6s --connect-timeout 5 https://ipecho.net/plain 2>/dev/null)
|
|
fi
|
|
fi
|
|
|
|
if [ -z "$ip" ]; then
|
|
echo "Error: Could not determine server IP address automatically (neither IPv4 nor IPv6)." >&2
|
|
echo "Please set the ADVERTISE_ADDR environment variable manually." >&2
|
|
echo "Example: export ADVERTISE_ADDR=<your-server-ip>" >&2
|
|
exit 1
|
|
fi
|
|
|
|
echo "$ip"
|
|
}
|
|
|
|
get_private_ip() {
|
|
ip addr show | grep -E "inet (192\.168\.|10\.|172\.1[6-9]\.|172\.2[0-9]\.|172\.3[0-1]\.)" | head -n1 | awk '{print $2}' | cut -d/ -f1
|
|
}
|
|
|
|
advertise_addr="${ADVERTISE_ADDR:-$(get_private_ip)}"
|
|
|
|
if [ -z "$advertise_addr" ]; then
|
|
echo "ERROR: We couldn't find a private IP address."
|
|
echo "Please set the ADVERTISE_ADDR environment variable manually."
|
|
echo "Example: export ADVERTISE_ADDR=192.168.1.100"
|
|
exit 1
|
|
fi
|
|
echo "Using advertise address: $advertise_addr"
|
|
|
|
# Allow custom Docker Swarm init arguments via DOCKER_SWARM_INIT_ARGS environment variable
|
|
# Example: export DOCKER_SWARM_INIT_ARGS="--default-addr-pool 172.20.0.0/16 --default-addr-pool-mask-length 24"
|
|
# This is useful to avoid CIDR overlapping with cloud provider VPCs (e.g., AWS)
|
|
swarm_init_args="${DOCKER_SWARM_INIT_ARGS:-}"
|
|
|
|
if [ -n "$swarm_init_args" ]; then
|
|
echo "Using custom swarm init arguments: $swarm_init_args"
|
|
docker swarm init --advertise-addr $advertise_addr $swarm_init_args
|
|
else
|
|
docker swarm init --advertise-addr $advertise_addr
|
|
fi
|
|
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: Failed to initialize Docker Swarm" >&2
|
|
exit 1
|
|
fi
|
|
|
|
echo "Swarm initialized"
|
|
|
|
docker network rm -f dokploy-network 2>/dev/null
|
|
docker network create --driver overlay --attachable dokploy-network
|
|
|
|
echo "Network created"
|
|
|
|
mkdir -p /etc/dokploy
|
|
|
|
chmod 777 /etc/dokploy
|
|
|
|
# Generate secure random password for Postgres
|
|
POSTGRES_PASSWORD=$(generate_random_password)
|
|
|
|
# Store password as Docker Secret (encrypted and secure)
|
|
echo "$POSTGRES_PASSWORD" | docker secret create dokploy_postgres_password - 2>/dev/null || true
|
|
|
|
echo "Generated secure database credentials (stored in Docker Secrets)"
|
|
|
|
docker service create \
|
|
--name dokploy-postgres \
|
|
--constraint 'node.role==manager' \
|
|
--network dokploy-network \
|
|
--env POSTGRES_USER=dokploy \
|
|
--env POSTGRES_DB=dokploy \
|
|
--secret source=dokploy_postgres_password,target=/run/secrets/postgres_password \
|
|
--env POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password \
|
|
--mount type=volume,source=dokploy-postgres,target=/var/lib/postgresql/data \
|
|
$endpoint_mode \
|
|
postgres:16
|
|
|
|
docker service create \
|
|
--name dokploy-redis \
|
|
--constraint 'node.role==manager' \
|
|
--network dokploy-network \
|
|
--mount type=volume,source=dokploy-redis,target=/data \
|
|
$endpoint_mode \
|
|
redis:7
|
|
|
|
# Installation
|
|
# Set RELEASE_TAG environment variable for canary/feature versions
|
|
release_tag_env=""
|
|
if [[ "$VERSION_TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+ ]]; then
|
|
# Specific version (v0.26.6, v0.26.7, etc.) → latest
|
|
release_tag_env="-e RELEASE_TAG=latest"
|
|
elif [ "$VERSION_TAG" != "latest" ]; then
|
|
# canary, feature/*, etc. → use the tag as-is
|
|
release_tag_env="-e RELEASE_TAG=$VERSION_TAG"
|
|
fi
|
|
|
|
docker service create \
|
|
--name dokploy \
|
|
--replicas 1 \
|
|
--network dokploy-network \
|
|
--mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \
|
|
--mount type=bind,source=/etc/dokploy,target=/etc/dokploy \
|
|
--mount type=volume,source=dokploy,target=/root/.docker \
|
|
--secret source=dokploy_postgres_password,target=/run/secrets/postgres_password \
|
|
--publish published=3000,target=3000,mode=host \
|
|
--update-parallelism 1 \
|
|
--update-order stop-first \
|
|
--constraint 'node.role == manager' \
|
|
$endpoint_mode \
|
|
$release_tag_env \
|
|
-e ADVERTISE_ADDR=$advertise_addr \
|
|
-e POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password \
|
|
$DOCKER_IMAGE
|
|
|
|
sleep 4
|
|
|
|
docker run -d \
|
|
--name dokploy-traefik \
|
|
--restart always \
|
|
-v /etc/dokploy/traefik/traefik.yml:/etc/traefik/traefik.yml \
|
|
-v /etc/dokploy/traefik/dynamic:/etc/dokploy/traefik/dynamic \
|
|
-v /var/run/docker.sock:/var/run/docker.sock:ro \
|
|
-p 80:80/tcp \
|
|
-p 443:443/tcp \
|
|
-p 443:443/udp \
|
|
traefik:v3.6.7
|
|
|
|
docker network connect dokploy-network dokploy-traefik
|
|
|
|
|
|
# Optional: Use docker service create instead of docker run
|
|
# docker service create \
|
|
# --name dokploy-traefik \
|
|
# --constraint 'node.role==manager' \
|
|
# --network dokploy-network \
|
|
# --mount type=bind,source=/etc/dokploy/traefik/traefik.yml,target=/etc/traefik/traefik.yml \
|
|
# --mount type=bind,source=/etc/dokploy/traefik/dynamic,target=/etc/dokploy/traefik/dynamic \
|
|
# --mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \
|
|
# --publish mode=host,published=443,target=443 \
|
|
# --publish mode=host,published=80,target=80 \
|
|
# --publish mode=host,published=443,target=443,protocol=udp \
|
|
# traefik:v3.6.7
|
|
|
|
GREEN="\033[0;32m"
|
|
YELLOW="\033[1;33m"
|
|
BLUE="\033[0;34m"
|
|
NC="\033[0m" # No Color
|
|
|
|
format_ip_for_url() {
|
|
local ip="$1"
|
|
if echo "$ip" | grep -q ':'; then
|
|
# IPv6
|
|
echo "[${ip}]"
|
|
else
|
|
# IPv4
|
|
echo "${ip}"
|
|
fi
|
|
}
|
|
|
|
public_ip="${ADVERTISE_ADDR:-$(get_ip)}"
|
|
formatted_addr=$(format_ip_for_url "$public_ip")
|
|
echo ""
|
|
printf "${GREEN}Congratulations, Dokploy is installed!${NC}\n"
|
|
printf "${BLUE}Wait 15 seconds for the server to start${NC}\n"
|
|
printf "${YELLOW}Please go to http://${formatted_addr}:3000${NC}\n\n"
|
|
}
|
|
|
|
update_dokploy() {
|
|
# Detect version tag
|
|
VERSION_TAG=$(detect_version)
|
|
DOCKER_IMAGE="dokploy/dokploy:${VERSION_TAG}"
|
|
|
|
echo "Updating Dokploy to version: ${VERSION_TAG}"
|
|
|
|
# Pull the image
|
|
docker pull $DOCKER_IMAGE
|
|
|
|
# Update the service
|
|
docker service update --image $DOCKER_IMAGE dokploy
|
|
|
|
echo "Dokploy has been updated to version: ${VERSION_TAG}"
|
|
}
|
|
|
|
# Main script execution
|
|
if [ "$1" = "update" ]; then
|
|
update_dokploy
|
|
else
|
|
install_dokploy
|
|
fi |