переработали скрипты

подогнали роль ноды под актуал
почти готово для использования
This commit is contained in:
2026-03-13 00:44:36 +03:00
parent 2be0c71e62
commit 0b672822fa
6 changed files with 104 additions and 50 deletions
+17
View File
@@ -0,0 +1,17 @@
### APP ###
NODE_PORT=2222
### XRAY ###
SECRET_KEY=""
TZ=Europe/Moscow
CW_CLIENT_FILE_UPDATE_TIME_START='04:30'
CW_CLIENT_FILE_UPDATE_TIME_END='05:45'
CW_CLIENT_FILE_UPDATE_DAYS_OF_WEEK='Wed Thu'
CW_CLIENT_RESTART_DOCKER_CONTAINER0='remnawave-nginx'
CW_CLIENT_AES_KEY_BASE64=''
CW_CLIENT_SERVER_ADDRESS='https://cert.vrbee.shop'
CW_CLIENT_KEY_NAME='.notfunny.pics'
CW_CLIENT_KEY_APIKEY=''
CW_CLIENT_CERT_NAME='.notfunny.pics'
CW_CLIENT_CERT_APIKEY=''
+20
View File
@@ -0,0 +1,20 @@
нужно заполнить:
1. `server_name` в `nginx.conf`
2. `SECRET_KEY`, `CW_CLIENT_AES_KEY_BASE64`, `CW_CLIENT_KEY_NAME`, `CW_CLIENT_KEY_APIKEY`, `CW_CLIENT_CERT_NAME`, `CW_CLIENT_CERT_APIKEY`
3. положить шаблон сайта в `/var/www/html/`
4. создать `/etc/certwardenclient` и `/var/log/remnanode`
5. запустить логротейт
`nano /etc/logrotate.d/remnanode`
```
/var/log/remnanode/*.log {
size 50M
rotate 5
compress
missingok
notifempty
copytruncate
}```
`logrotate -vf /etc/logrotate.d/remnanode`
6. открыть фаервол для панели `ufw allow from 100.111.х.х to any port 2222 proto tcp && ufw reload && ufw status verbose`
7. поднять только серты `docker compose up -d certwardenclient && docker compose logs -f -t`
8. поднять весь стек `docker compose up -d && docker compose logs -f -t`
+59
View File
@@ -0,0 +1,59 @@
services:
remnawave-nginx:
image: nginx:1.26
container_name: remnawave-nginx
hostname: remnawave-nginx
restart: always
volumes:
- ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
- /etc/certwardenclient/certchain.pem:/etc/nginx/ssl/site/fullchain.pem:ro
- /etc/certwardenclient/key.pem:/etc/nginx/ssl/site/privkey.pem:ro
- /dev/shm:/dev/shm:rw
- /var/www/html:/var/www/html:ro
command: sh -c 'rm -f /dev/shm/nginx.sock && nginx -g "daemon off;"'
network_mode: host
depends_on:
- remnanode
logging:
driver: 'json-file'
options:
max-size: '30m'
max-file: '5'
remnanode:
image: remnawave/node:latest
container_name: remnanode
hostname: remnanode
restart: always
network_mode: host
env_file:
- path: /opt/remnawave/.env-node
volumes:
- /dev/shm:/dev/shm:rw
- /var/log/remnanode:/var/log/remnanode
ulimits:
nofile:
soft: 1048576
hard: 1048576
logging:
driver: 'json-file'
options:
max-size: '30m'
max-file: '5'
certwardenclient:
image: ghcr.io/gregtwallace/certwarden-client:latest
container_name: certwardenclient
hostname: certwardenclient
restart: always
network_mode: host
env_file:
- .env-node
volumes:
- /etc/certwardenclient:/opt/certwarden/certs
- /var/run/docker.sock:/var/run/docker.sock
logging:
driver: 'json-file'
options:
max-size: '30m'
max-file: '5'
+108
View File
@@ -0,0 +1,108 @@
#!/usr/bin/env bash
# Скрипт инициализации ноды.
# 1. Скачивает случайный шаблон сайта и разворачивает его в /var/www/html.
# 2. Создаёт докер-сеть, указанную в docker-compose.yml.
# 3. Запрашивает необходимые параметры у пользователя и записывает их в .env.
# 4. Открывает порт панели только для центрального сервера.
# 5. Запускает docker compose.
set -euo pipefail
SELF_PATH="$(readlink -f "$0" 2>/dev/null || realpath "$0" 2>/dev/null || printf '%s\n' "$0")"
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
COMPOSE_FILE="$SCRIPT_DIR/docker-compose.yml"
# --- Шаг 1: загрузка случайного шаблона сайта ---
TMP_DIR=$(mktemp -d)
trap 'rm -rf "$TMP_DIR"' EXIT
git clone --depth 1 https://github.com/distillium/sni-templates "$TMP_DIR" >/dev/null 2>&1
TEMPLATE_DIR=$(find "$TMP_DIR" -mindepth 1 -maxdepth 1 -type d ! -name '.git' | shuf -n 1)
if [ -d /var/www/html ] && [ "$(ls -A /var/www/html 2>/dev/null)" ]; then
rm -rf /var/www/html_bac
mv /var/www/html /var/www/html_bac
else
rm -rf /var/www/html
fi
mkdir -p /var/www/html
cp -R "$TEMPLATE_DIR"/. /var/www/html/
rm -rf /var/www/html/.git
# --- Шаг 2: создание докер-сети ---
# N=$(awk '/^networks:/,/^[^[:space:]]/{if($1=="name:"){print $2; exit}}' "$COMPOSE_FILE"); N=${N:-proxy}
# docker network inspect "$N" >/dev/null 2>&1 || docker network create --driver bridge --attachable "$N"
# --- Шаг 3: запрос параметров ---
read -rp "NODE_PORT: " NODE_PORT
read -rp "SECRET_KEY: " SECRET_KEY
read -rp "NODE_DOMAIN: " NODE_DOMAIN
read -rp "CW_CLIENT_AES_KEY_BASE64: " CW_CLIENT_AES_KEY_BASE64
read -rp "CW_CLIENT_KEY_APIKEY: " CW_CLIENT_KEY_APIKEY
read -rp "CW_CLIENT_CERT_APIKEY: " CW_CLIENT_CERT_APIKEY
ENV_FILE="$SCRIPT_DIR/.env-node"
touch "$ENV_FILE"
update_env_var() {
local key="$1"
local value="$2"
sed -i "/^${key}=.*/d" "$ENV_FILE"
printf '%s="%s"\n' "$key" "$value" >> "$ENV_FILE"
}
update_env_var NODE_PORT "$NODE_PORT"
update_env_var SECRET_KEY "$SECRET_KEY"
update_env_var CW_CLIENT_KEY_NAME "$NODE_DOMAIN"
update_env_var CW_CLIENT_CERT_NAME "$NODE_DOMAIN"
update_env_var CW_CLIENT_AES_KEY_BASE64 "$CW_CLIENT_AES_KEY_BASE64"
update_env_var CW_CLIENT_KEY_APIKEY "$CW_CLIENT_KEY_APIKEY"
update_env_var CW_CLIENT_CERT_APIKEY "$CW_CLIENT_CERT_APIKEY"
NGINX_TEMPLATE="$SCRIPT_DIR/nginx.conf.template"
NGINX_CONF="$SCRIPT_DIR/nginx.conf"
sed \
-e "s|__NODE_DOMAIN__|$NODE_DOMAIN|g" \
"$NGINX_TEMPLATE" > "$NGINX_CONF"
# --- Шаг 4: открытие порта только для центрального сервера ---
read -rp "IP или домен центрального сервера: " CENTRAL_HOST
CENTRAL_IP=$(getent ahosts "$CENTRAL_HOST" | awk '{print $1; exit}')
if [ -n "$CENTRAL_IP" ]; then
# iptables -C INPUT -p tcp -s "$CENTRAL_IP" --dport "$NODE_PORT" -j ACCEPT 2>/dev/null \
# || iptables -I INPUT -p tcp -s "$CENTRAL_IP" --dport "$NODE_PORT" -j ACCEPT
ufw allow from "$CENTRAL_IP" to any port "$NODE_PORT" proto tcp comment "PANEL" && ufw reload
fi
# --- Шаг 5: запуск docker compose ---
docker compose -f "$COMPOSE_FILE" up -d certwardenclient
CERT_DIR="/etc/certwardenclient"
CERT_FILE="$CERT_DIR/certchain.pem"
KEY_FILE="$CERT_DIR/key.pem"
echo "Ждём появления сертификатов..."
for i in {1..120}; do
if [ -s "$CERT_FILE" ] && [ -s "$KEY_FILE" ]; then
if openssl x509 -in "$CERT_FILE" -checkend 60 -noout >/dev/null 2>&1; then
if openssl pkey -in "$KEY_FILE" -noout >/dev/null 2>&1; then
echo "Сертификаты готовы!"
break
fi
fi
fi
sleep 2
done
if ! openssl x509 -in "$CERT_FILE" -checkend 60 -noout >/dev/null 2>&1; then
echo "ОШИБКА: Сертификаты не получены"
exit 1
fi
docker compose -f "$COMPOSE_FILE" up -d
echo "Инициализация завершена успешно"
rm -f -- "$SELF_PATH"
+32
View File
@@ -0,0 +1,32 @@
map $http_upgrade $connection_upgrade {
default upgrade;
"" close;
}
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ecdh_curve X25519:prime256v1:secp384r1;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers on;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
server {
server_name __NODE_DOMAIN__;
listen unix:/dev/shm/nginx.sock ssl proxy_protocol;
http2 on;
ssl_certificate "/etc/nginx/ssl/site/fullchain.pem";
ssl_certificate_key "/etc/nginx/ssl/site/privkey.pem";
ssl_trusted_certificate "/etc/nginx/ssl/site/fullchain.pem";
root /var/www/html;
index index.html;
}
server {
listen unix:/dev/shm/nginx.sock ssl proxy_protocol default_server;
server_name _;
ssl_reject_handshake on;
return 444;
}