From 0b672822fa9f113422485ea2f66d750c26aa4801 Mon Sep 17 00:00:00 2001
From: deadcxap
Date: Fri, 13 Mar 2026 00:44:36 +0300
Subject: [PATCH] =?UTF-8?q?=D0=BF=D0=B5=D1=80=D0=B5=D1=80=D0=B0=D0=B1?=
 =?UTF-8?q?=D0=BE=D1=82=D0=B0=D0=BB=D0=B8=20=D1=81=D0=BA=D1=80=D0=B8=D0=BF?=
 =?UTF-8?q?=D1=82=D1=8B=20=D0=BF=D0=BE=D0=B4=D0=BE=D0=B3=D0=BD=D0=B0=D0=BB?=
 =?UTF-8?q?=D0=B8=20=D1=80=D0=BE=D0=BB=D1=8C=20=D0=BD=D0=BE=D0=B4=D1=8B=20?=
 =?UTF-8?q?=D0=BF=D0=BE=D0=B4=20=D0=B0=D0=BA=D1=82=D1=83=D0=B0=D0=BB=20?=
 =?UTF-8?q?=D0=BF=D0=BE=D1=87=D1=82=D0=B8=20=D0=B3=D0=BE=D1=82=D0=BE=D0=B2?=
 =?UTF-8?q?=D0=BE=20=D0=B4=D0=BB=D1=8F=20=D0=B8=D1=81=D0=BF=D0=BE=D0=BB?=
 =?UTF-8?q?=D1=8C=D0=B7=D0=BE=D0=B2=D0=B0=D0=BD=D0=B8=D1=8F?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 node/remnanode/.env | 14 ----
 node/remnawave/.env-node | 17 +++++
 node/remnawave/README.MD | 20 ++++++
 .../docker-compose.yml | 30 ++++-----
 node/{remnanode => remnawave}/init.sh | 65 +++++++++++++++----
 .../nginx.conf.template} | 8 +--
 6 files changed, 104 insertions(+), 50 deletions(-)
 delete mode 100644 node/remnanode/.env
 create mode 100644 node/remnawave/.env-node
 create mode 100644 node/remnawave/README.MD
 rename node/{remnanode => remnawave}/docker-compose.yml (72%)
 rename node/{remnanode => remnawave}/init.sh (52%)
 rename node/{remnanode/nginx.conf => remnawave/nginx.conf.template} (79%)
diff --git a/node/remnanode/.env b/node/remnanode/.env
deleted file mode 100644
index 9d322cf..0000000
--- a/node/remnanode/.env
+++ /dev/null
@@ -1,14 +0,0 @@
-APP_PORT=
-SSL_CERT=
-NODE_DOMAIN=
-
-TZ=Europe/Moscow
-CW_CLIENT_FILE_UPDATE_TIME_START='04:30'
-CW_CLIENT_FILE_UPDATE_TIME_END='05:45'
-CW_CLIENT_FILE_UPDATE_DAYS_OF_WEEK='Wed Thu'
-CW_CLIENT_RESTART_DOCKER_CONTAINER0='remnawave-nginx'
-CW_CLIENT_SERVER_ADDRESS='https://cert.realy.nothing.help'
-
-CW_CLIENT_AES_KEY_BASE64=
-CW_CLIENT_KEY_APIKEY=
-CW_CLIENT_CERT_APIKEY=
\ No newline at end of file
diff --git a/node/remnawave/.env-node b/node/remnawave/.env-node
new file mode 100644
index 0000000..2daf21d
--- /dev/null
+++ b/node/remnawave/.env-node
@@ -0,0 +1,17 @@
+### APP ###
+NODE_PORT=2222
+
+### XRAY ###
+SECRET_KEY=""
+
+TZ=Europe/Moscow
+CW_CLIENT_FILE_UPDATE_TIME_START='04:30'
+CW_CLIENT_FILE_UPDATE_TIME_END='05:45'
+CW_CLIENT_FILE_UPDATE_DAYS_OF_WEEK='Wed Thu'
+CW_CLIENT_RESTART_DOCKER_CONTAINER0='remnawave-nginx'
+CW_CLIENT_AES_KEY_BASE64=''
+CW_CLIENT_SERVER_ADDRESS='https://cert.vrbee.shop'
+CW_CLIENT_KEY_NAME='.notfunny.pics'
+CW_CLIENT_KEY_APIKEY=''
+CW_CLIENT_CERT_NAME='.notfunny.pics'
+CW_CLIENT_CERT_APIKEY=''
\ No newline at end of file
diff --git a/node/remnawave/README.MD b/node/remnawave/README.MD
new file mode 100644
index 0000000..fcdad72
--- /dev/null
+++ b/node/remnawave/README.MD
@@ -0,0 +1,20 @@
+нужно заполнить:
+1. `server_name` в `nginx.conf`
+2. `SECRET_KEY`, `CW_CLIENT_AES_KEY_BASE64`, `CW_CLIENT_KEY_NAME`, `CW_CLIENT_KEY_APIKEY`, `CW_CLIENT_CERT_NAME`, `CW_CLIENT_CERT_APIKEY`
+3. положить шаблон сайта в `/var/www/html/`
+4. создать `/etc/certwardenclient` и `/var/log/remnanode`
+5. запустить логротейт
+`nano /etc/logrotate.d/remnanode`
+```
+/var/log/remnanode/*.log {
+ size 50M
+ rotate 5
+ compress
+ missingok
+ notifempty
+ copytruncate
+ }```
+`logrotate -vf /etc/logrotate.d/remnanode`
+6. открыть фаервол для панели `ufw allow from 100.111.х.х to any port 2222 proto tcp && ufw reload && ufw status verbose`
+7. поднять только серты `docker compose up -d certwardenclient && docker compose logs -f -t`
+8. поднять весь стек `docker compose up -d && docker compose logs -f -t`
\ No newline at end of file
diff --git a/node/remnanode/docker-compose.yml b/node/remnawave/docker-compose.yml
similarity index 72%
rename from node/remnanode/docker-compose.yml
rename to node/remnawave/docker-compose.yml
index 38d45be..5808a22 100644
--- a/node/remnanode/docker-compose.yml
+++ b/node/remnawave/docker-compose.yml
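Review bot: This tracked file is the one init.sh populates with `SECRET_KEY` and the `CW_CLIENT_*_APIKEY` values (`ENV_FILE="$SCRIPT_DIR/.env-node"` in the init.sh hunk below), so after the script has run the filled-in secrets sit in the checkout under a path git already tracks; commit the placeholders as `.env-node.example`, add `.env-node` to `.gitignore`, and have init.sh run `chmod 600 "$ENV_FILE"` right after `touch "$ENV_FILE"`. The prefilled `CW_CLIENT_KEY_NAME='.notfunny.pics'` and `CW_CLIENT_CERT_NAME='.notfunny.pics'` look like leftovers rather than placeholders (leading dot, and init.sh overwrites both with `NODE_DOMAIN`), while the README lists them among the values to fill by hand; shipping them empty like the API keys avoids a wrong certificate name on the manual path. `SECRET_KEY=""` is the only double-quoted value; single quotes like the rest keep the file uniform.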
@@ -6,12 +6,12 @@ services:
 restart: always
 volumes:
 - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
- - /etc/certwardenclient/certchain.pem:/etc/nginx/ssl/node/fullchain.pem:ro
- - /etc/certwardenclient/key.pem:/etc/nginx/ssl/node/privkey.pem:ro
+ - /etc/certwardenclient/certchain.pem:/etc/nginx/ssl/site/fullchain.pem:ro
+ - /etc/certwardenclient/key.pem:/etc/nginx/ssl/site/privkey.pem:ro
 - /dev/shm:/dev/shm:rw
 - /var/www/html:/var/www/html:ro
 command: sh -c 'rm -f /dev/shm/nginx.sock && nginx -g "daemon off;"'
- networks: [node]
+ network_mode: host
 depends_on:
 - remnanode
 logging:
@@ -25,15 +25,16 @@ services:
 container_name: remnanode
 hostname: remnanode
 restart: always
- networks: [node]
- ports:
- - "443:443"
- - "443:443/udp" # HTTP/3
+ network_mode: host
 env_file:
- - .env
+ - path: /opt/remnawave/.env-node
 volumes:
 - /dev/shm:/dev/shm:rw
 - /var/log/remnanode:/var/log/remnanode
+ ulimits:
+ nofile:
+ soft: 1048576
+ hard: 1048576
 logging:
 driver: 'json-file'
 options:
@@ -45,14 +46,9 @@ services:
 container_name: certwardenclient
 hostname: certwardenclient
 restart: always
- networks: [node]
- ports:
- - "5055:5055"
+ network_mode: host
 env_file:
- - .env
- environment:
- - CW_CLIENT_CERT_NAME=${NODE_DOMAIN}
- - CW_CLIENT_KEY_NAME=${NODE_DOMAIN}
+ - .env-node
 volumes:
 - /etc/certwardenclient:/opt/certwarden/certs
 - /var/run/docker.sock:/var/run/docker.sock
@@ -61,7 +57,3 @@ services:
 options:
 max-size: '30m'
 max-file: '5'
-
-networks:
- node:
- external: true
\ No newline at end of file
diff --git a/node/remnanode/init.sh b/node/remnawave/init.sh
similarity index 52%
rename from node/remnanode/init.sh
rename to node/remnawave/init.sh
index 97a9b53..fc99f4b 100644
--- a/node/remnanode/init.sh
+++ b/node/remnawave/init.sh
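Review bot: `env_file: - path: /opt/remnawave/.env-node` pins remnanode to an absolute path, while certwardenclient in the next hunk (`@@ -45,14 +46,9 @@`) reads the relative `.env-node` and init.sh writes `$SCRIPT_DIR/.env-node`; unless the checkout lives exactly at `/opt/remnawave`, `docker compose up` fails for remnanode or the two services read different `SECRET_KEY`/`CW_*` values. Use the same entry for both, `- .env-node`, or set both to the absolute path and make init.sh write there. Dropping the `ports` mapping for `network_mode: host` also means whatever the node process binds is reachable on every host interface; the only filter is the ufw rule init.sh adds for the panel's address, which presupposes ufw is enabled with a default-deny incoming policy — worth asserting in init.sh before `ufw allow` (`ufw status | grep -q '^Status: active' || { echo "ufw is not active" >&2; exit 1; }`) or at least stating in the README.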
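Review bot: certwardenclient moves to `network_mode: host` as well, so the listener that was published as `5055:5055` now binds directly on the host, and init.sh opens or restricts only `NODE_PORT`; if that endpoint is not needed from outside the host, keep this service on a bridge network without a `ports` entry (what is visible here is that it writes into `/etc/certwardenclient` and appears to restart `remnawave-nginx` through the mounted docker socket, neither of which needs an inbound port), otherwise document the port and add a matching firewall rule. Whether the client actually exposes anything on 5055 in host mode depends on its own configuration, which is not in this diff.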
@@ -9,12 +9,15 @@ set -euo pipefail
+SELF_PATH="$(readlink -f "$0" 2>/dev/null || realpath "$0" 2>/dev/null || printf '%s\n' "$0")"
+
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 COMPOSE_FILE="$SCRIPT_DIR/docker-compose.yml"
 # --- Шаг 1: загрузка случайного шаблона сайта ---
 TMP_DIR=$(mktemp -d)
-git clone --depth 1 https://github.com/SmallPoppa/sni-templates "$TMP_DIR" >/dev/null 2>&1
+trap 'rm -rf "$TMP_DIR"' EXIT
+git clone --depth 1 https://github.com/distillium/sni-templates "$TMP_DIR" >/dev/null 2>&1
 TEMPLATE_DIR=$(find "$TMP_DIR" -mindepth 1 -maxdepth 1 -type d ! -name '.git' | shuf -n 1)
 if [ -d /var/www/html ] && [ "$(ls -A /var/www/html 2>/dev/null)" ]; then
@@ -25,21 +28,21 @@ else
 fi
 mkdir -p /var/www/html
 cp -R "$TEMPLATE_DIR"/. /var/www/html/
-rm -rf /var/www/html/.git "$TMP_DIR"
+rm -rf /var/www/html/.git
 # --- Шаг 2: создание докер-сети ---
-N=$(awk '/^networks:/,/^[^[:space:]]/{if($1=="name:"){print $2; exit}}' "$COMPOSE_FILE"); N=${N:-proxy}
-docker network inspect "$N" >/dev/null 2>&1 || docker network create --driver bridge --attachable "$N"
+# N=$(awk '/^networks:/,/^[^[:space:]]/{if($1=="name:"){print $2; exit}}' "$COMPOSE_FILE"); N=${N:-proxy}
+# docker network inspect "$N" >/dev/null 2>&1 || docker network create --driver bridge --attachable "$N"
 # --- Шаг 3: запрос параметров ---
-read -rp "APP_PORT: " APP_PORT
-read -rp "SSL_CERT: " SSL_CERT
+read -rp "NODE_PORT: " NODE_PORT
+read -rp "SECRET_KEY: " SECRET_KEY
 read -rp "NODE_DOMAIN: " NODE_DOMAIN
 read -rp "CW_CLIENT_AES_KEY_BASE64: " CW_CLIENT_AES_KEY_BASE64
 read -rp "CW_CLIENT_KEY_APIKEY: " CW_CLIENT_KEY_APIKEY
 read -rp "CW_CLIENT_CERT_APIKEY: " CW_CLIENT_CERT_APIKEY
-ENV_FILE="$SCRIPT_DIR/.env"
+ENV_FILE="$SCRIPT_DIR/.env-node"
 touch "$ENV_FILE"
 update_env_var() {
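Review bot: The new clone line still fetches the tip of the default branch of a third-party repository (`distillium/sni-templates`), and the lines that follow pick one of its directories with `shuf -n 1` and copy it into `/var/www/html`, so the content served by the node changes without review whenever upstream changes; pin a revision (`git clone --depth 1 --branch <TAG_PLACEHOLDER> …`, or `git -C "$TMP_DIR" checkout <COMMIT_PLACEHOLDER>` after the clone) and record it in the README. The clone's output goes to `/dev/null`, so under `set -euo pipefail` a failed clone (no network, repository moved) ends the script with no message; appending `|| { echo "template clone failed" >&2; exit 1; }` to that line makes the failure visible. Placing `trap 'rm -rf "$TMP_DIR"' EXIT` directly after `mktemp -d` is the right order.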
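Review bot: `read -rp "SECRET_KEY: " SECRET_KEY` echoes the secret as it is typed, into the terminal and any session log; `read -rsp "SECRET_KEY: " SECRET_KEY; echo` keeps it off the screen (the unchanged `CW_CLIENT_*` prompts in this hunk have the same issue and could be fixed alongside). `NODE_PORT` is accepted without validation and only fails later, inside `ufw allow … port "$NODE_PORT"` in the next hunk, after the env file has already been written; check it right after the prompt, `[[ "$NODE_PORT" =~ ^[0-9]+$ ]] || { echo "NODE_PORT must be numeric" >&2; exit 1; }`. The docker-network step is commented out rather than deleted, which leaves dead code referring to a `networks:` section the compose file no longer has; removing it (git history keeps it) or replacing it with a one-line `# host networking is used; no docker network is created` is clearer.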
@@ -49,21 +52,57 @@ update_env_var() {
 printf '%s="%s"\n' "$key" "$value" >> "$ENV_FILE"
 }
-update_env_var APP_PORT "$APP_PORT"
-update_env_var SSL_CERT "$SSL_CERT"
-update_env_var NODE_DOMAIN "$NODE_DOMAIN"
+update_env_var NODE_PORT "$NODE_PORT"
+update_env_var SECRET_KEY "$SECRET_KEY"
+update_env_var CW_CLIENT_KEY_NAME "$NODE_DOMAIN"
+update_env_var CW_CLIENT_CERT_NAME "$NODE_DOMAIN"
 update_env_var CW_CLIENT_AES_KEY_BASE64 "$CW_CLIENT_AES_KEY_BASE64"
 update_env_var CW_CLIENT_KEY_APIKEY "$CW_CLIENT_KEY_APIKEY"
 update_env_var CW_CLIENT_CERT_APIKEY "$CW_CLIENT_CERT_APIKEY"
+NGINX_TEMPLATE="$SCRIPT_DIR/nginx.conf.template"
+NGINX_CONF="$SCRIPT_DIR/nginx.conf"
+sed \
+ -e "s|__NODE_DOMAIN__|$NODE_DOMAIN|g" \
+ "$NGINX_TEMPLATE" > "$NGINX_CONF"
+
 # --- Шаг 4: открытие порта только для центрального сервера ---
 read -rp "IP или домен центрального сервера: " CENTRAL_HOST
 CENTRAL_IP=$(getent ahosts "$CENTRAL_HOST" | awk '{print $1; exit}')
 if [ -n "$CENTRAL_IP" ]; then
- iptables -C INPUT -p tcp -s "$CENTRAL_IP" --dport "$APP_PORT" -j ACCEPT 2>/dev/null \
- || iptables -I INPUT -p tcp -s "$CENTRAL_IP" --dport "$APP_PORT" -j ACCEPT
+# iptables -C INPUT -p tcp -s "$CENTRAL_IP" --dport "$NODE_PORT" -j ACCEPT 2>/dev/null \
+# || iptables -I INPUT -p tcp -s "$CENTRAL_IP" --dport "$NODE_PORT" -j ACCEPT
+ ufw allow from "$CENTRAL_IP" to any port "$NODE_PORT" proto tcp comment "PANEL" && ufw reload
 fi
 # --- Шаг 5: запуск docker compose ---
-docker compose -f "$COMPOSE_FILE" up -d
+docker compose -f "$COMPOSE_FILE" up -d certwardenclient
+CERT_DIR="/etc/certwardenclient"
+CERT_FILE="$CERT_DIR/certchain.pem"
+KEY_FILE="$CERT_DIR/key.pem"
+
+echo "Ждём появления сертификатов..."
+
+for i in {1..120}; do
+ if [ -s "$CERT_FILE" ] && [ -s "$KEY_FILE" ]; then
+ if openssl x509 -in "$CERT_FILE" -checkend 60 -noout >/dev/null 2>&1; then
+ if openssl pkey -in "$KEY_FILE" -noout >/dev/null 2>&1; then
+ echo "Сертификаты готовы!"
+ break
+ fi
+ fi
+ fi
+
+ sleep 2
+done
+
+if ! openssl x509 -in "$CERT_FILE" -checkend 60 -noout >/dev/null 2>&1; then
+ echo "ОШИБКА: Сертификаты не получены"
+ exit 1
+fi
+
+docker compose -f "$COMPOSE_FILE" up -d
+
+echo "Инициализация завершена успешно"
+rm -f -- "$SELF_PATH"
\ No newline at end of file
diff --git a/node/remnanode/nginx.conf b/node/remnawave/nginx.conf.template
similarity index 79%
rename from node/remnanode/nginx.conf
rename to node/remnawave/nginx.conf.template
index a2b66d8..12779ae 100644
--- a/node/remnanode/nginx.conf
+++ b/node/remnawave/nginx.conf.template
@@ -12,13 +12,13 @@ ssl_session_cache shared:MozSSL:10m;
 ssl_session_tickets off;
 server {
- server_name app.cxap.quest;
+ server_name __NODE_DOMAIN__;
 listen unix:/dev/shm/nginx.sock ssl proxy_protocol;
 http2 on;
- ssl_certificate "/etc/nginx/ssl/node/fullchain.pem";
- ssl_certificate_key "/etc/nginx/ssl/node/privkey.pem";
- ssl_trusted_certificate "/etc/nginx/ssl/node/fullchain.pem";
+ ssl_certificate "/etc/nginx/ssl/site/fullchain.pem";
+ ssl_certificate_key "/etc/nginx/ssl/site/privkey.pem";
+ ssl_trusted_certificate "/etc/nginx/ssl/site/fullchain.pem";
 root /var/www/html;
 index index.html;
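Review bot: The post-loop guard checks only the certificate, so when the loop times out because `key.pem` never appeared or fails `openssl pkey`, the script still continues to `docker compose up -d` with a node that cannot serve TLS; make the guard mirror the loop, `if ! { openssl x509 -in "$CERT_FILE" -checkend 60 -noout && openssl pkey -in "$KEY_FILE" -noout; } >/dev/null 2>&1; then`. `ufw allow … && ufw reload` is an `&&` list, which `set -e` does not abort on, so a failed `ufw allow` leaves `NODE_PORT` unfiltered while the script carries on; `ufw allow … || exit 1` followed by `ufw reload` on its own line keeps the failure fatal. `NODE_DOMAIN` is user input interpolated unescaped into the `sed` expression, where a `|`, `&` or `\` would change the substitution; validate it before the `sed` call, `[[ "$NODE_DOMAIN" =~ ^[A-Za-z0-9.-]+$ ]] || { echo "invalid NODE_DOMAIN" >&2; exit 1; }`. The closing `rm -f -- "$SELF_PATH"` deletes the script from the checkout without explanation; a comment such as `# one-shot bootstrap: remove the script so it is not re-run` would document the intent, and `i` in `for i in {1..120}` is unused (`for _ in …`). The `update_env_var` function whose last two lines open this hunk starts before it.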
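Review bot: Nothing in the template states that it is rendered into `nginx.conf` by init.sh (the `sed` on `__NODE_DOMAIN__`), and the README in this commit still tells the reader to set `server_name` in `nginx.conf` by hand, so an edit to the generated file is silently lost on the next run; add a header comment at the top of the template (outside this hunk), `# Rendered to nginx.conf by init.sh — edit this template, not nginx.conf`, and point README step 1 at the template. The generated `nginx.conf` keeps the old tracked name, so unless it is added to `.gitignore` the rendered copy with the real domain will show up as a change in the checkout. The `server {` block opened here closes outside the hunk.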