mirror of
https://github.com/deadcxap/init_scripts.git
synced 2026-07-02 05:43:40 +03:00
rename node->remnanode
This commit is contained in:
@@ -0,0 +1,14 @@
|
||||
APP_PORT=
|
||||
SSL_CERT=
|
||||
NODE_DOMAIN=
|
||||
|
||||
TZ=Europe/Moscow
|
||||
CW_CLIENT_FILE_UPDATE_TIME_START='04:30'
|
||||
CW_CLIENT_FILE_UPDATE_TIME_END='05:45'
|
||||
CW_CLIENT_FILE_UPDATE_DAYS_OF_WEEK='Wed Thu'
|
||||
CW_CLIENT_RESTART_DOCKER_CONTAINER0='remnawave-nginx'
|
||||
CW_CLIENT_SERVER_ADDRESS='https://cert.realy.nothing.help'
|
||||
|
||||
CW_CLIENT_AES_KEY_BASE64=
|
||||
CW_CLIENT_KEY_APIKEY=
|
||||
CW_CLIENT_CERT_APIKEY=
|
||||
@@ -0,0 +1,67 @@
|
||||
services:
|
||||
remnawave-nginx:
|
||||
image: nginx:1.26
|
||||
container_name: remnawave-nginx
|
||||
hostname: remnawave-nginx
|
||||
restart: always
|
||||
volumes:
|
||||
- ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
|
||||
- /etc/certwardenclient/certchain.pem:/etc/nginx/ssl/node/fullchain.pem:ro
|
||||
- /etc/certwardenclient/key.pem:/etc/nginx/ssl/node/privkey.pem:ro
|
||||
- /dev/shm:/dev/shm:rw
|
||||
- /var/www/html:/var/www/html:ro
|
||||
command: sh -c 'rm -f /dev/shm/nginx.sock && nginx -g "daemon off;"'
|
||||
networks: [node]
|
||||
depends_on:
|
||||
- remnanode
|
||||
logging:
|
||||
driver: 'json-file'
|
||||
options:
|
||||
max-size: '30m'
|
||||
max-file: '5'
|
||||
|
||||
remnanode:
|
||||
image: remnawave/node:latest
|
||||
container_name: remnanode
|
||||
hostname: remnanode
|
||||
restart: always
|
||||
networks: [node]
|
||||
ports:
|
||||
- "443:443"
|
||||
- "443:443/udp" # HTTP/3
|
||||
env_file:
|
||||
- .env
|
||||
volumes:
|
||||
- /dev/shm:/dev/shm:rw
|
||||
- /var/log/remnanode:/var/log/remnanode
|
||||
logging:
|
||||
driver: 'json-file'
|
||||
options:
|
||||
max-size: '30m'
|
||||
max-file: '5'
|
||||
|
||||
certwardenclient:
|
||||
image: ghcr.io/gregtwallace/certwarden-client:latest
|
||||
container_name: certwardenclient
|
||||
hostname: certwardenclient
|
||||
restart: always
|
||||
networks: [node]
|
||||
ports:
|
||||
- "5055:5055"
|
||||
env_file:
|
||||
- .env
|
||||
environment:
|
||||
- CW_CLIENT_CERT_NAME=${NODE_DOMAIN}
|
||||
- CW_CLIENT_KEY_NAME=${NODE_DOMAIN}
|
||||
volumes:
|
||||
- /etc/certwardenclient:/opt/certwarden/certs
|
||||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
logging:
|
||||
driver: 'json-file'
|
||||
options:
|
||||
max-size: '30m'
|
||||
max-file: '5'
|
||||
|
||||
networks:
|
||||
node:
|
||||
external: true
|
||||
@@ -0,0 +1,67 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# Скрипт инициализации ноды.
|
||||
# 1. Скачивает случайный шаблон сайта и разворачивает его в /var/www/html.
|
||||
# 2. Создаёт докер-сеть, указанную в docker-compose.yml.
|
||||
# 3. Запрашивает необходимые параметры у пользователя и записывает их в .env.
|
||||
# 4. Открывает порт панели только для центрального сервера.
|
||||
# 5. Запускает docker compose.
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
# --- Шаг 1: загрузка случайного шаблона сайта ---
|
||||
TMP_DIR=$(mktemp -d)
|
||||
git clone --depth 1 https://github.com/SmallPoppa/sni-templates "$TMP_DIR" >/dev/null 2>&1
|
||||
TEMPLATE_DIR=$(find "$TMP_DIR" -mindepth 1 -maxdepth 1 -type d ! -name '.git' | shuf -n 1)
|
||||
|
||||
if [ -d /var/www/html ] && [ "$(ls -A /var/www/html 2>/dev/null)" ]; then
|
||||
rm -rf /var/www/html_bac
|
||||
mv /var/www/html /var/www/html_bac
|
||||
else
|
||||
rm -rf /var/www/html
|
||||
fi
|
||||
mkdir -p /var/www/html
|
||||
cp -R "$TEMPLATE_DIR"/. /var/www/html/
|
||||
rm -rf /var/www/html/.git "$TMP_DIR"
|
||||
|
||||
# --- Шаг 2: создание докер-сети ---
|
||||
N=$(awk '/^networks:/,/^[^[:space:]]/{if($1=="name:"){print $2; exit}}' docker-compose.yml); N=${N:-proxy}
|
||||
docker network inspect "$N" >/dev/null 2>&1 || docker network create --driver bridge --attachable "$N"
|
||||
|
||||
# --- Шаг 3: запрос параметров ---
|
||||
read -rp "APP_PORT: " APP_PORT
|
||||
read -rp "SSL_CERT: " SSL_CERT
|
||||
read -rp "NODE_DOMAIN: " NODE_DOMAIN
|
||||
read -rp "CW_CLIENT_AES_KEY_BASE64: " CW_CLIENT_AES_KEY_BASE64
|
||||
read -rp "CW_CLIENT_KEY_APIKEY: " CW_CLIENT_KEY_APIKEY
|
||||
read -rp "CW_CLIENT_CERT_APIKEY: " CW_CLIENT_CERT_APIKEY
|
||||
|
||||
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
||||
ENV_FILE="$SCRIPT_DIR/.env"
|
||||
touch "$ENV_FILE"
|
||||
|
||||
update_env_var() {
|
||||
local key="$1"
|
||||
local value="$2"
|
||||
sed -i "/^${key}=.*/d" "$ENV_FILE"
|
||||
printf '%s="%s"\n' "$key" "$value" >> "$ENV_FILE"
|
||||
}
|
||||
|
||||
update_env_var APP_PORT "$APP_PORT"
|
||||
update_env_var SSL_CERT "$SSL_CERT"
|
||||
update_env_var NODE_DOMAIN "$NODE_DOMAIN"
|
||||
update_env_var CW_CLIENT_AES_KEY_BASE64 "$CW_CLIENT_AES_KEY_BASE64"
|
||||
update_env_var CW_CLIENT_KEY_APIKEY "$CW_CLIENT_KEY_APIKEY"
|
||||
update_env_var CW_CLIENT_CERT_APIKEY "$CW_CLIENT_CERT_APIKEY"
|
||||
|
||||
# --- Шаг 4: открытие порта только для центрального сервера ---
|
||||
read -rp "IP или домен центрального сервера: " CENTRAL_HOST
|
||||
CENTRAL_IP=$(getent ahosts "$CENTRAL_HOST" | awk '{print $1; exit}')
|
||||
if [ -n "$CENTRAL_IP" ]; then
|
||||
iptables -C INPUT -p tcp -s "$CENTRAL_IP" --dport "$APP_PORT" -j ACCEPT 2>/dev/null \
|
||||
|| iptables -I INPUT -p tcp -s "$CENTRAL_IP" --dport "$APP_PORT" -j ACCEPT
|
||||
fi
|
||||
|
||||
# --- Шаг 5: запуск docker compose ---
|
||||
docker compose up -d
|
||||
|
||||
@@ -0,0 +1,32 @@
|
||||
map $http_upgrade $connection_upgrade {
|
||||
default upgrade;
|
||||
"" close;
|
||||
}
|
||||
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ecdh_curve X25519:prime256v1:secp384r1;
|
||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:MozSSL:10m;
|
||||
ssl_session_tickets off;
|
||||
|
||||
server {
|
||||
server_name app.cxap.quest;
|
||||
listen unix:/dev/shm/nginx.sock ssl proxy_protocol;
|
||||
http2 on;
|
||||
|
||||
ssl_certificate "/etc/nginx/ssl/node/fullchain.pem";
|
||||
ssl_certificate_key "/etc/nginx/ssl/node/privkey.pem";
|
||||
ssl_trusted_certificate "/etc/nginx/ssl/node/fullchain.pem";
|
||||
|
||||
root /var/www/html;
|
||||
index index.html;
|
||||
}
|
||||
|
||||
server {
|
||||
listen unix:/dev/shm/nginx.sock ssl proxy_protocol default_server;
|
||||
server_name _;
|
||||
ssl_reject_handshake on;
|
||||
return 444;
|
||||
}
|
||||
Reference in New Issue
Block a user