mirror of
https://github.com/deadcxap/init_scripts.git
synced 2026-07-02 05:43:40 +03:00
переработали скрипты
подогнали роль ноды под актуал почти готово для использования
This commit is contained in:
@@ -1,14 +0,0 @@
|
|||||||
APP_PORT=
|
|
||||||
SSL_CERT=
|
|
||||||
NODE_DOMAIN=
|
|
||||||
|
|
||||||
TZ=Europe/Moscow
|
|
||||||
CW_CLIENT_FILE_UPDATE_TIME_START='04:30'
|
|
||||||
CW_CLIENT_FILE_UPDATE_TIME_END='05:45'
|
|
||||||
CW_CLIENT_FILE_UPDATE_DAYS_OF_WEEK='Wed Thu'
|
|
||||||
CW_CLIENT_RESTART_DOCKER_CONTAINER0='remnawave-nginx'
|
|
||||||
CW_CLIENT_SERVER_ADDRESS='https://cert.realy.nothing.help'
|
|
||||||
|
|
||||||
CW_CLIENT_AES_KEY_BASE64=
|
|
||||||
CW_CLIENT_KEY_APIKEY=
|
|
||||||
CW_CLIENT_CERT_APIKEY=
|
|
||||||
@@ -0,0 +1,17 @@
|
|||||||
|
### APP ###
|
||||||
|
NODE_PORT=2222
|
||||||
|
|
||||||
|
### XRAY ###
|
||||||
|
SECRET_KEY=""
|
||||||
|
|
||||||
|
TZ=Europe/Moscow
|
||||||
|
CW_CLIENT_FILE_UPDATE_TIME_START='04:30'
|
||||||
|
CW_CLIENT_FILE_UPDATE_TIME_END='05:45'
|
||||||
|
CW_CLIENT_FILE_UPDATE_DAYS_OF_WEEK='Wed Thu'
|
||||||
|
CW_CLIENT_RESTART_DOCKER_CONTAINER0='remnawave-nginx'
|
||||||
|
CW_CLIENT_AES_KEY_BASE64=''
|
||||||
|
CW_CLIENT_SERVER_ADDRESS='https://cert.vrbee.shop'
|
||||||
|
CW_CLIENT_KEY_NAME='.notfunny.pics'
|
||||||
|
CW_CLIENT_KEY_APIKEY=''
|
||||||
|
CW_CLIENT_CERT_NAME='.notfunny.pics'
|
||||||
|
CW_CLIENT_CERT_APIKEY=''
|
||||||
@@ -0,0 +1,20 @@
|
|||||||
|
нужно заполнить:
|
||||||
|
1. `server_name` в `nginx.conf`
|
||||||
|
2. `SECRET_KEY`, `CW_CLIENT_AES_KEY_BASE64`, `CW_CLIENT_KEY_NAME`, `CW_CLIENT_KEY_APIKEY`, `CW_CLIENT_CERT_NAME`, `CW_CLIENT_CERT_APIKEY`
|
||||||
|
3. положить шаблон сайта в `/var/www/html/`
|
||||||
|
4. создать `/etc/certwardenclient` и `/var/log/remnanode`
|
||||||
|
5. запустить логротейт
|
||||||
|
`nano /etc/logrotate.d/remnanode`
|
||||||
|
```
|
||||||
|
/var/log/remnanode/*.log {
|
||||||
|
size 50M
|
||||||
|
rotate 5
|
||||||
|
compress
|
||||||
|
missingok
|
||||||
|
notifempty
|
||||||
|
copytruncate
|
||||||
|
}```
|
||||||
|
`logrotate -vf /etc/logrotate.d/remnanode`
|
||||||
|
6. открыть фаервол для панели `ufw allow from 100.111.х.х to any port 2222 proto tcp && ufw reload && ufw status verbose`
|
||||||
|
7. поднять только серты `docker compose up -d certwardenclient && docker compose logs -f -t`
|
||||||
|
8. поднять весь стек `docker compose up -d && docker compose logs -f -t`
|
||||||
@@ -6,12 +6,12 @@ services:
|
|||||||
restart: always
|
restart: always
|
||||||
volumes:
|
volumes:
|
||||||
- ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
|
- ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
|
||||||
- /etc/certwardenclient/certchain.pem:/etc/nginx/ssl/node/fullchain.pem:ro
|
- /etc/certwardenclient/certchain.pem:/etc/nginx/ssl/site/fullchain.pem:ro
|
||||||
- /etc/certwardenclient/key.pem:/etc/nginx/ssl/node/privkey.pem:ro
|
- /etc/certwardenclient/key.pem:/etc/nginx/ssl/site/privkey.pem:ro
|
||||||
- /dev/shm:/dev/shm:rw
|
- /dev/shm:/dev/shm:rw
|
||||||
- /var/www/html:/var/www/html:ro
|
- /var/www/html:/var/www/html:ro
|
||||||
command: sh -c 'rm -f /dev/shm/nginx.sock && nginx -g "daemon off;"'
|
command: sh -c 'rm -f /dev/shm/nginx.sock && nginx -g "daemon off;"'
|
||||||
networks: [node]
|
network_mode: host
|
||||||
depends_on:
|
depends_on:
|
||||||
- remnanode
|
- remnanode
|
||||||
logging:
|
logging:
|
||||||
@@ -25,15 +25,16 @@ services:
|
|||||||
container_name: remnanode
|
container_name: remnanode
|
||||||
hostname: remnanode
|
hostname: remnanode
|
||||||
restart: always
|
restart: always
|
||||||
networks: [node]
|
network_mode: host
|
||||||
ports:
|
|
||||||
- "443:443"
|
|
||||||
- "443:443/udp" # HTTP/3
|
|
||||||
env_file:
|
env_file:
|
||||||
- .env
|
- path: /opt/remnawave/.env-node
|
||||||
volumes:
|
volumes:
|
||||||
- /dev/shm:/dev/shm:rw
|
- /dev/shm:/dev/shm:rw
|
||||||
- /var/log/remnanode:/var/log/remnanode
|
- /var/log/remnanode:/var/log/remnanode
|
||||||
|
ulimits:
|
||||||
|
nofile:
|
||||||
|
soft: 1048576
|
||||||
|
hard: 1048576
|
||||||
logging:
|
logging:
|
||||||
driver: 'json-file'
|
driver: 'json-file'
|
||||||
options:
|
options:
|
||||||
@@ -45,14 +46,9 @@ services:
|
|||||||
container_name: certwardenclient
|
container_name: certwardenclient
|
||||||
hostname: certwardenclient
|
hostname: certwardenclient
|
||||||
restart: always
|
restart: always
|
||||||
networks: [node]
|
network_mode: host
|
||||||
ports:
|
|
||||||
- "5055:5055"
|
|
||||||
env_file:
|
env_file:
|
||||||
- .env
|
- .env-node
|
||||||
environment:
|
|
||||||
- CW_CLIENT_CERT_NAME=${NODE_DOMAIN}
|
|
||||||
- CW_CLIENT_KEY_NAME=${NODE_DOMAIN}
|
|
||||||
volumes:
|
volumes:
|
||||||
- /etc/certwardenclient:/opt/certwarden/certs
|
- /etc/certwardenclient:/opt/certwarden/certs
|
||||||
- /var/run/docker.sock:/var/run/docker.sock
|
- /var/run/docker.sock:/var/run/docker.sock
|
||||||
@@ -61,7 +57,3 @@ services:
|
|||||||
options:
|
options:
|
||||||
max-size: '30m'
|
max-size: '30m'
|
||||||
max-file: '5'
|
max-file: '5'
|
||||||
|
|
||||||
networks:
|
|
||||||
node:
|
|
||||||
external: true
|
|
||||||
@@ -9,12 +9,15 @@
|
|||||||
|
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
|
||||||
|
SELF_PATH="$(readlink -f "$0" 2>/dev/null || realpath "$0" 2>/dev/null || printf '%s\n' "$0")"
|
||||||
|
|
||||||
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
||||||
COMPOSE_FILE="$SCRIPT_DIR/docker-compose.yml"
|
COMPOSE_FILE="$SCRIPT_DIR/docker-compose.yml"
|
||||||
|
|
||||||
# --- Шаг 1: загрузка случайного шаблона сайта ---
|
# --- Шаг 1: загрузка случайного шаблона сайта ---
|
||||||
TMP_DIR=$(mktemp -d)
|
TMP_DIR=$(mktemp -d)
|
||||||
git clone --depth 1 https://github.com/SmallPoppa/sni-templates "$TMP_DIR" >/dev/null 2>&1
|
trap 'rm -rf "$TMP_DIR"' EXIT
|
||||||
|
git clone --depth 1 https://github.com/distillium/sni-templates "$TMP_DIR" >/dev/null 2>&1
|
||||||
TEMPLATE_DIR=$(find "$TMP_DIR" -mindepth 1 -maxdepth 1 -type d ! -name '.git' | shuf -n 1)
|
TEMPLATE_DIR=$(find "$TMP_DIR" -mindepth 1 -maxdepth 1 -type d ! -name '.git' | shuf -n 1)
|
||||||
|
|
||||||
if [ -d /var/www/html ] && [ "$(ls -A /var/www/html 2>/dev/null)" ]; then
|
if [ -d /var/www/html ] && [ "$(ls -A /var/www/html 2>/dev/null)" ]; then
|
||||||
@@ -25,21 +28,21 @@ else
|
|||||||
fi
|
fi
|
||||||
mkdir -p /var/www/html
|
mkdir -p /var/www/html
|
||||||
cp -R "$TEMPLATE_DIR"/. /var/www/html/
|
cp -R "$TEMPLATE_DIR"/. /var/www/html/
|
||||||
rm -rf /var/www/html/.git "$TMP_DIR"
|
rm -rf /var/www/html/.git
|
||||||
|
|
||||||
# --- Шаг 2: создание докер-сети ---
|
# --- Шаг 2: создание докер-сети ---
|
||||||
N=$(awk '/^networks:/,/^[^[:space:]]/{if($1=="name:"){print $2; exit}}' "$COMPOSE_FILE"); N=${N:-proxy}
|
# N=$(awk '/^networks:/,/^[^[:space:]]/{if($1=="name:"){print $2; exit}}' "$COMPOSE_FILE"); N=${N:-proxy}
|
||||||
docker network inspect "$N" >/dev/null 2>&1 || docker network create --driver bridge --attachable "$N"
|
# docker network inspect "$N" >/dev/null 2>&1 || docker network create --driver bridge --attachable "$N"
|
||||||
|
|
||||||
# --- Шаг 3: запрос параметров ---
|
# --- Шаг 3: запрос параметров ---
|
||||||
read -rp "APP_PORT: " APP_PORT
|
read -rp "NODE_PORT: " NODE_PORT
|
||||||
read -rp "SSL_CERT: " SSL_CERT
|
read -rp "SECRET_KEY: " SECRET_KEY
|
||||||
read -rp "NODE_DOMAIN: " NODE_DOMAIN
|
read -rp "NODE_DOMAIN: " NODE_DOMAIN
|
||||||
read -rp "CW_CLIENT_AES_KEY_BASE64: " CW_CLIENT_AES_KEY_BASE64
|
read -rp "CW_CLIENT_AES_KEY_BASE64: " CW_CLIENT_AES_KEY_BASE64
|
||||||
read -rp "CW_CLIENT_KEY_APIKEY: " CW_CLIENT_KEY_APIKEY
|
read -rp "CW_CLIENT_KEY_APIKEY: " CW_CLIENT_KEY_APIKEY
|
||||||
read -rp "CW_CLIENT_CERT_APIKEY: " CW_CLIENT_CERT_APIKEY
|
read -rp "CW_CLIENT_CERT_APIKEY: " CW_CLIENT_CERT_APIKEY
|
||||||
|
|
||||||
ENV_FILE="$SCRIPT_DIR/.env"
|
ENV_FILE="$SCRIPT_DIR/.env-node"
|
||||||
touch "$ENV_FILE"
|
touch "$ENV_FILE"
|
||||||
|
|
||||||
update_env_var() {
|
update_env_var() {
|
||||||
@@ -49,21 +52,57 @@ update_env_var() {
|
|||||||
printf '%s="%s"\n' "$key" "$value" >> "$ENV_FILE"
|
printf '%s="%s"\n' "$key" "$value" >> "$ENV_FILE"
|
||||||
}
|
}
|
||||||
|
|
||||||
update_env_var APP_PORT "$APP_PORT"
|
update_env_var NODE_PORT "$NODE_PORT"
|
||||||
update_env_var SSL_CERT "$SSL_CERT"
|
update_env_var SECRET_KEY "$SECRET_KEY"
|
||||||
update_env_var NODE_DOMAIN "$NODE_DOMAIN"
|
update_env_var CW_CLIENT_KEY_NAME "$NODE_DOMAIN"
|
||||||
|
update_env_var CW_CLIENT_CERT_NAME "$NODE_DOMAIN"
|
||||||
update_env_var CW_CLIENT_AES_KEY_BASE64 "$CW_CLIENT_AES_KEY_BASE64"
|
update_env_var CW_CLIENT_AES_KEY_BASE64 "$CW_CLIENT_AES_KEY_BASE64"
|
||||||
update_env_var CW_CLIENT_KEY_APIKEY "$CW_CLIENT_KEY_APIKEY"
|
update_env_var CW_CLIENT_KEY_APIKEY "$CW_CLIENT_KEY_APIKEY"
|
||||||
update_env_var CW_CLIENT_CERT_APIKEY "$CW_CLIENT_CERT_APIKEY"
|
update_env_var CW_CLIENT_CERT_APIKEY "$CW_CLIENT_CERT_APIKEY"
|
||||||
|
|
||||||
|
NGINX_TEMPLATE="$SCRIPT_DIR/nginx.conf.template"
|
||||||
|
NGINX_CONF="$SCRIPT_DIR/nginx.conf"
|
||||||
|
sed \
|
||||||
|
-e "s|__NODE_DOMAIN__|$NODE_DOMAIN|g" \
|
||||||
|
"$NGINX_TEMPLATE" > "$NGINX_CONF"
|
||||||
|
|
||||||
# --- Шаг 4: открытие порта только для центрального сервера ---
|
# --- Шаг 4: открытие порта только для центрального сервера ---
|
||||||
read -rp "IP или домен центрального сервера: " CENTRAL_HOST
|
read -rp "IP или домен центрального сервера: " CENTRAL_HOST
|
||||||
CENTRAL_IP=$(getent ahosts "$CENTRAL_HOST" | awk '{print $1; exit}')
|
CENTRAL_IP=$(getent ahosts "$CENTRAL_HOST" | awk '{print $1; exit}')
|
||||||
if [ -n "$CENTRAL_IP" ]; then
|
if [ -n "$CENTRAL_IP" ]; then
|
||||||
iptables -C INPUT -p tcp -s "$CENTRAL_IP" --dport "$APP_PORT" -j ACCEPT 2>/dev/null \
|
# iptables -C INPUT -p tcp -s "$CENTRAL_IP" --dport "$NODE_PORT" -j ACCEPT 2>/dev/null \
|
||||||
|| iptables -I INPUT -p tcp -s "$CENTRAL_IP" --dport "$APP_PORT" -j ACCEPT
|
# || iptables -I INPUT -p tcp -s "$CENTRAL_IP" --dport "$NODE_PORT" -j ACCEPT
|
||||||
|
ufw allow from "$CENTRAL_IP" to any port "$NODE_PORT" proto tcp comment "PANEL" && ufw reload
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# --- Шаг 5: запуск docker compose ---
|
# --- Шаг 5: запуск docker compose ---
|
||||||
docker compose -f "$COMPOSE_FILE" up -d
|
docker compose -f "$COMPOSE_FILE" up -d certwardenclient
|
||||||
|
|
||||||
|
CERT_DIR="/etc/certwardenclient"
|
||||||
|
CERT_FILE="$CERT_DIR/certchain.pem"
|
||||||
|
KEY_FILE="$CERT_DIR/key.pem"
|
||||||
|
|
||||||
|
echo "Ждём появления сертификатов..."
|
||||||
|
|
||||||
|
for i in {1..120}; do
|
||||||
|
if [ -s "$CERT_FILE" ] && [ -s "$KEY_FILE" ]; then
|
||||||
|
if openssl x509 -in "$CERT_FILE" -checkend 60 -noout >/dev/null 2>&1; then
|
||||||
|
if openssl pkey -in "$KEY_FILE" -noout >/dev/null 2>&1; then
|
||||||
|
echo "Сертификаты готовы!"
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
sleep 2
|
||||||
|
done
|
||||||
|
|
||||||
|
if ! openssl x509 -in "$CERT_FILE" -checkend 60 -noout >/dev/null 2>&1; then
|
||||||
|
echo "ОШИБКА: Сертификаты не получены"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
docker compose -f "$COMPOSE_FILE" up -d
|
||||||
|
|
||||||
|
echo "Инициализация завершена успешно"
|
||||||
|
rm -f -- "$SELF_PATH"
|
||||||
@@ -12,13 +12,13 @@ ssl_session_cache shared:MozSSL:10m;
|
|||||||
ssl_session_tickets off;
|
ssl_session_tickets off;
|
||||||
|
|
||||||
server {
|
server {
|
||||||
server_name app.cxap.quest;
|
server_name __NODE_DOMAIN__;
|
||||||
listen unix:/dev/shm/nginx.sock ssl proxy_protocol;
|
listen unix:/dev/shm/nginx.sock ssl proxy_protocol;
|
||||||
http2 on;
|
http2 on;
|
||||||
|
|
||||||
ssl_certificate "/etc/nginx/ssl/node/fullchain.pem";
|
ssl_certificate "/etc/nginx/ssl/site/fullchain.pem";
|
||||||
ssl_certificate_key "/etc/nginx/ssl/node/privkey.pem";
|
ssl_certificate_key "/etc/nginx/ssl/site/privkey.pem";
|
||||||
ssl_trusted_certificate "/etc/nginx/ssl/node/fullchain.pem";
|
ssl_trusted_certificate "/etc/nginx/ssl/site/fullchain.pem";
|
||||||
|
|
||||||
root /var/www/html;
|
root /var/www/html;
|
||||||
index index.html;
|
index index.html;
|
||||||
Reference in New Issue
Block a user