ansible/remnanode: роль на основе node_setup.sh + Ansible Vault для секретов
This commit is contained in:
360
ansible/roles/remnanode/files/node_setup.sh
Normal file
360
ansible/roles/remnanode/files/node_setup.sh
Normal file
@@ -0,0 +1,360 @@
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
export DEBIAN_FRONTEND=noninteractive
|
||||
export LC_ALL=C
|
||||
|
||||
# ======================== НАСТРОЙКИ ==========================
|
||||
SSH_PORT=22 # порт SSH
|
||||
VPN_TCP_PORTS="443" # TCP-порты VPN (через пробел)
|
||||
VPN_UDP_PORTS="443" # UDP-порты VPN (QUIC)
|
||||
NODE_PORT="2345" # порт панели / ноды
|
||||
MY_IP="5.180.253.38" # ВПИШИ СВОЙ IP — crowdsec не забанит
|
||||
SECRET_KEY="eyJub2RlQ2VydFBlbSI6Ii0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLVxuTUlJQmhqQ0NBU3lnQXdJQkFnSUhBWGMxSkVaWFZqQUtCZ2dxaGtqT1BRUURBakF2TVMwd0t3WURWUVFERXlSclxuV0Zkb2R6UkJOSGxrVlRSdU1qTmxkelpMTlVGWlVFNUJjbEoyVWxONWRpMHhiVmt3SGhjTk1qWXdNekUwTWpFMFxuTVRBMVdoY05Namt3TXpFME1qRTBNVEExV2pBcU1TZ3dKZ1lEVlFRREV4OUJUR2gyVkZGRGRFRXhjRkpDV2tKeFxuV2sxa1JIRTVORmh1VVhsTFFYZ3pNRmt3RXdZSEtvWkl6ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUVNUG84Uzl5SFxuK0F2TEFXalhVZENGYk4xdWlkY0xOTEZUZ0lwVUdBcFZBR0xQZUJhY0RvUWI5RTNPT3lOUHZxOCtwUTcwR0ozSlxubnlZRUlUKytEWHdGazZNNE1EWXdEQVlEVlIwVEFRSC9CQUl3QURBT0JnTlZIUThCQWY4RUJBTUNCYUF3RmdZRFxuVlIwbEFRSC9CQXd3Q2dZSUt3WUJCUVVIQXdFd0NnWUlLb1pJemowRUF3SURTQUF3UlFJaEFKc2Y1YnVzd3FvU1xuQTlMeTJLaEUxaUU3THlQTGVKOWRYbW9FT01VeThGblJBaUFROXJXMFJmWVJpdk1JMGdBVGprZ2V6TU9IbWpaQlxuZ0xMSkxmaCt4T0hIdnc9PVxuLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLSIsIm5vZGVLZXlQZW0iOiItLS0tLUJFR0lOIFBSSVZBVEUgS0VZLS0tLS1cbk1JR0hBZ0VBTUJNR0J5cUdTTTQ5QWdFR0NDcUdTTTQ5QXdFSEJHMHdhd0lCQVFRZ044VWVreUtQUEZ2YmQzdDBcbnRUODBMSDNVcS9IU1premU2WG5OclFkYXJzU2hSQU5DQUFRdytqeEwzSWY0QzhzQmFOZFIwSVZzM1c2SjF3czBcbnNWT0FpbFFZQ2xVQVlzOTRGcHdPaEJ2MFRjNDdJMCsrcno2bER2UVluY21mSmdRaFA3NE5mQVdUXG4tLS0tLUVORCBQUklWQVRFIEtFWS0tLS0tIiwiY2FDZXJ0UGVtIjoiLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tXG5NSUlCY1RDQ0FSYWdBd0lCQWdJQkFUQUtCZ2dxaGtqT1BRUURBakF2TVMwd0t3WURWUVFERXlScldGZG9kelJCXG5OSGxrVlRSdU1qTmxkelpMTlVGWlVFNUJjbEoyVWxONWRpMHhiVmt3SGhjTk1qWXdNekEwTVRnd05qTXpXaGNOXG5Nell3TXpBME1UZ3dOak16V2pBdk1TMHdLd1lEVlFRREV5UnJXRmRvZHpSQk5IbGtWVFJ1TWpObGR6WkxOVUZaXG5VRTVCY2xKMlVsTjVkaTB4YlZrd1dUQVRCZ2NxaGtqT1BRSUJCZ2dxaGtqT1BRTUJCd05DQUFUMzVxamh6V1NhXG4vdFJxbDRtQXkwanQ0ZXNEWUo2YkdoMUpoY0pmQisxdWRVV2tBS1dqazBLQVd1WnBNR1ZORjZvblNOVVZ0R1RQXG5GU0NlMTlIVElLOXBveU13SVRBUEJnTlZIUk1CQWY4RUJUQURBUUgvTUE0R0ExVWREd0VCL3dRRUF3SUNoREFLXG5CZ2dxaGtqT1BRUURBZ05KQURCR0FpRUF1QS9UZFVyYlZEVG5ORGJycHJlYm83T0VaNHdpTXVzbVpmWjhqSDFBXG5yWWdDSVFEMHVSSnhPeGNPWnFJRTlXMDJVVHcwcHQwRGJId2U0NWJVc1V6dkhpQ3ZwQT09XG4tLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tIiwiand0UHVibGljS2V5IjoiLS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS1cbk1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBMVNLY1ZSR282N01yNXdENGJmQVNcbllCOWdRS0ZsdHg3aFh5dXRpaG13c0x4ZW5vN2xNb1VRWEVqclpJdVNJK1FQU1p6aVQ4b0dlSG1sK2psQWI3SHZcblBNbVN6KzdFdHIwRmVDazhtTENIaGpucG1YSk10ZVY1ZndyZkJwcHdLY1hkMFRzWlhrR0dEcVRMSVA5L29hTjhcblN3UW9reW5iUzNjYUN0LzhPSDJUMWI1anpJYlZXNS9NcFUxY1hIL2cxemdmOW10SGsxYkJSeFA0d1ZYdlVhS0NcblZyWldGalVZZUN2N2hoQjhmNzVRVWJBbERHMEMyaHZxV1h1Tm9Cc0NpVmEvS01RZkh5ZUMvTENaUnd5dWxhemxcblNPQ0pEVU5IUUdoOS9QR0trZ3BGVHFKUS9hbVJpZnZUMDVMclFQLzlsMHZkRTRqNjJOUGF1U1R0UmxWL1NqTGhcbkN3SURBUUFCXG4tLS0tLUVORCBQVUJMSUMgS0VZLS0tLS1cbiJ9" # ВПИШИ SECRET_KEY ноды
|
||||
# =============================================================
|
||||
|
||||
RED='\033[0;31m'; GREEN='\033[0;32m'; YEL='\033[1;33m'; NC='\033[0m'
|
||||
log() { echo -e "${GREEN}[+]${NC} $*"; }
|
||||
warn() { echo -e "${YEL}[!]${NC} $*"; }
|
||||
[ "$(id -u)" -eq 0 ] || { echo "Run as root"; exit 1; }
|
||||
[ -n "$SECRET_KEY" ] || { echo "Впиши SECRET_KEY вверху скрипта"; exit 1; }
|
||||
|
||||
# ============================================================
|
||||
# 1. ОБНОВЛЕНИЕ + ПАКЕТЫ
|
||||
# ============================================================
|
||||
log "1/15 System update..."
|
||||
apt-get update -y && apt-get upgrade -y
|
||||
apt-get install -y sudo curl wget net-tools socat git jq htop \
|
||||
chrony ca-certificates irqbalance zram-tools ufw \
|
||||
unattended-upgrades apt-listchanges
|
||||
|
||||
# ============================================================
|
||||
# 2. DOCKER
|
||||
# ============================================================
|
||||
log "2/15 Installing Docker..."
|
||||
curl -fsSL https://get.docker.com | sh
|
||||
|
||||
# ============================================================
|
||||
# 3. REMNANODE
|
||||
# ============================================================
|
||||
log "3/15 Setting up remnanode..."
|
||||
mkdir -p /opt/remnanode
|
||||
cd /opt/remnanode
|
||||
|
||||
cat > docker-compose.yml << EOF
|
||||
services:
|
||||
remnanode:
|
||||
container_name: remnanode
|
||||
hostname: remnanode
|
||||
image: remnawave/node:latest
|
||||
network_mode: host
|
||||
restart: always
|
||||
cap_add:
|
||||
- NET_ADMIN
|
||||
volumes:
|
||||
- /var/log/remnanode:/var/log/remnanode
|
||||
ulimits:
|
||||
nofile:
|
||||
soft: 1048576
|
||||
hard: 1048576
|
||||
environment:
|
||||
- NODE_PORT=${NODE_PORT}
|
||||
- SECRET_KEY="${SECRET_KEY}"
|
||||
EOF
|
||||
|
||||
mkdir -p /var/log/remnanode
|
||||
touch /var/log/remnanode/access.log
|
||||
chmod -R 755 /var/log/remnanode
|
||||
|
||||
docker compose up -d
|
||||
log "remnanode started"
|
||||
|
||||
# ============================================================
|
||||
# 4. CHRONY
|
||||
# ============================================================
|
||||
log "4/15 Chrony..."
|
||||
systemctl disable --now systemd-timesyncd 2>/dev/null || true
|
||||
systemctl enable --now chrony
|
||||
chronyc -a makestep 2>/dev/null || true
|
||||
|
||||
# ============================================================
|
||||
# 5. SYSCTL — BBR + ТЮНИНГ ПОД МОБИЛЬНЫЙ VPN
|
||||
# ============================================================
|
||||
log "5/15 Sysctl (BBR + mobile)..."
|
||||
cat > /etc/sysctl.d/90-vpn-tuning.conf << 'SYSCTL'
|
||||
# BBR
|
||||
net.core.default_qdisc = fq
|
||||
net.ipv4.tcp_congestion_control = bbr
|
||||
|
||||
# TCP fast open (client + server)
|
||||
net.ipv4.tcp_fastopen = 3
|
||||
|
||||
# MTU probing (compensate blocked ICMP on path)
|
||||
net.ipv4.tcp_mtu_probing = 1
|
||||
|
||||
# CRITICAL for mobile: dont reset cwnd after idle
|
||||
net.ipv4.tcp_slow_start_after_idle = 0
|
||||
|
||||
# Reduce bufferbloat (critical for mobile latency)
|
||||
net.ipv4.tcp_notsent_lowat = 16384
|
||||
|
||||
# Keepalive (drop dead mobile connections faster)
|
||||
net.ipv4.tcp_keepalive_time = 300
|
||||
net.ipv4.tcp_keepalive_intvl = 30
|
||||
net.ipv4.tcp_keepalive_probes = 5
|
||||
|
||||
# Fast socket recycling
|
||||
net.ipv4.tcp_fin_timeout = 15
|
||||
net.ipv4.tcp_tw_reuse = 1
|
||||
|
||||
# TCP stack
|
||||
net.ipv4.tcp_window_scaling = 1
|
||||
net.ipv4.tcp_timestamps = 1
|
||||
net.ipv4.tcp_sack = 1
|
||||
net.ipv4.tcp_ecn = 2
|
||||
|
||||
# Buffers (balanced for 1-10 Gbit VPS)
|
||||
net.ipv4.tcp_rmem = 4096 262144 16777216
|
||||
net.ipv4.tcp_wmem = 4096 262144 16777216
|
||||
net.core.rmem_max = 16777216
|
||||
net.core.wmem_max = 16777216
|
||||
|
||||
# Backlog / queues
|
||||
net.core.somaxconn = 65535
|
||||
net.core.netdev_max_backlog = 16384
|
||||
net.core.netdev_budget = 600
|
||||
net.core.netdev_budget_usecs = 8000
|
||||
|
||||
# SYN flood protection
|
||||
net.ipv4.tcp_syncookies = 1
|
||||
net.ipv4.tcp_max_syn_backlog = 8192
|
||||
|
||||
# OS limits
|
||||
fs.file-max = 2097152
|
||||
net.ipv4.ip_local_port_range = 10240 65535
|
||||
SYSCTL
|
||||
|
||||
sysctl --system 2>&1 | grep -v "^$" || true
|
||||
sysctl net.ipv4.tcp_congestion_control | grep -q bbr && log "BBR active" || warn "BBR unavailable — need kernel 5.4+"
|
||||
|
||||
# ============================================================
|
||||
# 6. ЛИМИТЫ ФАЙЛОВЫХ ДЕСКРИПТОРОВ
|
||||
# ============================================================
|
||||
log "6/15 File descriptor limits..."
|
||||
cat > /etc/security/limits.d/99-nofile.conf << 'FLIM'
|
||||
* soft nofile 1048576
|
||||
* hard nofile 1048576
|
||||
root soft nofile 1048576
|
||||
root hard nofile 1048576
|
||||
FLIM
|
||||
|
||||
mkdir -p /etc/systemd/system.conf.d
|
||||
cat > /etc/systemd/system.conf.d/99-limits.conf << 'SLIM'
|
||||
[Manager]
|
||||
DefaultLimitNOFILE=1048576
|
||||
DefaultTasksMax=infinity
|
||||
SLIM
|
||||
systemctl daemon-reload
|
||||
|
||||
# ============================================================
|
||||
# 7. CROWDSEC
|
||||
# ============================================================
|
||||
log "7/15 CrowdSec..."
|
||||
|
||||
curl -s https://install.crowdsec.net | sh
|
||||
apt-get install -y crowdsec
|
||||
apt-get install -y crowdsec-firewall-bouncer-iptables
|
||||
|
||||
cscli console enroll cmmrouhcj000u02jpy3b98fsc
|
||||
|
||||
if [ -n "$MY_IP" ]; then
|
||||
log " -> Adding ${MY_IP} to CrowdSec whitelist..."
|
||||
mkdir -p /etc/crowdsec/parsers/s02-enrich
|
||||
cat > /etc/crowdsec/parsers/s02-enrich/myip-whitelist.yaml << WHITELIST
|
||||
name: custom/myip-whitelist
|
||||
description: "Whitelist my personal IP"
|
||||
whitelist:
|
||||
reason: "my personal IP"
|
||||
ip:
|
||||
- "${MY_IP}"
|
||||
WHITELIST
|
||||
fi
|
||||
|
||||
systemctl enable --now crowdsec
|
||||
systemctl restart crowdsec
|
||||
systemctl enable --now crowdsec-firewall-bouncer
|
||||
systemctl restart crowdsec-firewall-bouncer
|
||||
|
||||
log "CrowdSec active"
|
||||
|
||||
# ============================================================
|
||||
# 8. УДАЛЕНИЕ ПОЧТЫ
|
||||
# ============================================================
|
||||
log "8/15 Remove mail stack..."
|
||||
systemctl disable --now postfix sendmail exim4 nullmailer msmtp 2>/dev/null || true
|
||||
systemctl mask postfix sendmail exim4 nullmailer msmtp 2>/dev/null || true
|
||||
apt-get purge -y postfix sendmail sendmail-bin sendmail-base \
|
||||
exim4 exim4-base exim4-config exim4-daemon-light exim4-daemon-heavy \
|
||||
mailutils bsd-mailx s-nail heirloom-mailx msmtp msmtp-mta nullmailer dma ssmtp 2>/dev/null || true
|
||||
apt-get autoremove -y 2>/dev/null || true
|
||||
rm -rf /var/spool/mail/* /var/mail/* /etc/postfix /etc/exim4 2>/dev/null || true
|
||||
|
||||
if [ -f /etc/crontab ]; then
|
||||
grep -qE '^\s*MAILTO=' /etc/crontab \
|
||||
&& sed -i 's/^\s*MAILTO=.*/MAILTO=""/' /etc/crontab \
|
||||
|| printf '\nMAILTO=""\n' >> /etc/crontab
|
||||
fi
|
||||
|
||||
# ============================================================
|
||||
# 9. UFW (единственный файрвол, без ручных iptables)
|
||||
# ============================================================
|
||||
log "9/15 UFW firewall..."
|
||||
ufw --force reset
|
||||
ufw default deny incoming
|
||||
ufw default allow outgoing
|
||||
|
||||
# Входящие
|
||||
ufw allow "${SSH_PORT}/tcp" comment 'SSH'
|
||||
for p in $VPN_TCP_PORTS; do ufw allow "${p}/tcp" comment 'VPN-TCP'; done
|
||||
for p in $VPN_UDP_PORTS; do ufw allow "${p}/udp" comment 'VPN-UDP'; done
|
||||
ufw allow "${NODE_PORT}/tcp" comment 'Panel-Node'
|
||||
ufw allow 6060/tcp comment 'CrowdSec'
|
||||
|
||||
# Блокировка исходящего абьюза (DROP, не REJECT — REGXA-safe)
|
||||
ufw deny out to any port 25 proto tcp comment 'Block-SMTP'
|
||||
ufw deny out to any port 465 proto tcp comment 'Block-SMTPS'
|
||||
ufw deny out to any port 587 proto tcp comment 'Block-Submission'
|
||||
ufw deny out to any port 2525 proto tcp comment 'Block-AltSMTP'
|
||||
ufw deny out to any port 6667 proto tcp comment 'Block-IRC'
|
||||
ufw deny out to any port 6697 proto tcp comment 'Block-IRC-TLS'
|
||||
for tp in 9001 9030 9050 9051 9150; do
|
||||
ufw deny out to any port $tp proto tcp comment 'Block-TOR'
|
||||
done
|
||||
ufw deny out to any port 51413 proto tcp comment 'Block-Torrent'
|
||||
ufw deny out to any port 51413 proto udp comment 'Block-Torrent'
|
||||
|
||||
# ICMP: разрешаем PMTUD (критично для VPN!), блокируем ping
|
||||
BF="/etc/ufw/before.rules"
|
||||
if ! grep -q "CUSTOM-ICMP-RULES" "$BF" 2>/dev/null; then
|
||||
sed -i '/-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT/d' "$BF"
|
||||
sed -i '/^COMMIT/i \
|
||||
# === CUSTOM-ICMP-RULES ===\
|
||||
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT\
|
||||
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT\
|
||||
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT\
|
||||
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP\
|
||||
# === END CUSTOM-ICMP-RULES ===' "$BF"
|
||||
fi
|
||||
|
||||
ufw --force enable
|
||||
log "UFW active"
|
||||
|
||||
# ============================================================
|
||||
# 10. JOURNALD
|
||||
# ============================================================
|
||||
log "10/15 Journald..."
|
||||
mkdir -p /etc/systemd/journald.conf.d
|
||||
cat > /etc/systemd/journald.conf.d/override.conf << 'JRNL'
|
||||
[Journal]
|
||||
SystemMaxUse=200M
|
||||
RuntimeMaxUse=200M
|
||||
Compress=yes
|
||||
Storage=auto
|
||||
JRNL
|
||||
systemctl restart systemd-journald
|
||||
|
||||
# ============================================================
|
||||
# 11. ZRAM
|
||||
# ============================================================
|
||||
log "11/15 Zram..."
|
||||
modprobe zram 2>/dev/null || {
|
||||
apt-get install -y "linux-modules-extra-$(uname -r)" 2>/dev/null || true
|
||||
modprobe zram 2>/dev/null || warn "zram unavailable"
|
||||
}
|
||||
cat > /etc/default/zramswap << 'ZRM'
|
||||
ALGO=lz4
|
||||
PERCENTAGE=50
|
||||
PRIORITY=100
|
||||
ZRM
|
||||
systemctl enable --now zramswap 2>/dev/null || true
|
||||
|
||||
# ============================================================
|
||||
# 12. IRQBALANCE
|
||||
# ============================================================
|
||||
log "12/15 Irqbalance..."
|
||||
systemctl enable --now irqbalance
|
||||
|
||||
# ============================================================
|
||||
# 13. АВТООБНОВЛЕНИЯ БЕЗОПАСНОСТИ
|
||||
# ============================================================
|
||||
log "13/15 Security auto-updates..."
|
||||
cat > /etc/apt/apt.conf.d/20auto-upgrades << 'AUTOUP'
|
||||
APT::Periodic::Update-Package-Lists "1";
|
||||
APT::Periodic::Unattended-Upgrade "1";
|
||||
APT::Periodic::AutocleanInterval "7";
|
||||
AUTOUP
|
||||
|
||||
# ============================================================
|
||||
# 14. OVERRIDE ДЛЯ XRAY / SING-BOX
|
||||
# ============================================================
|
||||
log "14/15 Xray/sing-box override..."
|
||||
for SVC in xray xray-core sing-box; do
|
||||
if systemctl list-unit-files 2>/dev/null | grep -q "^${SVC}.service"; then
|
||||
log " -> override for ${SVC}"
|
||||
mkdir -p "/etc/systemd/system/${SVC}.service.d"
|
||||
cat > "/etc/systemd/system/${SVC}.service.d/override.conf" << XOVER
|
||||
[Service]
|
||||
LimitNOFILE=1048576
|
||||
LimitNPROC=infinity
|
||||
Restart=always
|
||||
RestartSec=3s
|
||||
XOVER
|
||||
systemctl daemon-reload
|
||||
systemctl restart "${SVC}" 2>/dev/null || true
|
||||
fi
|
||||
done
|
||||
|
||||
# ============================================================
|
||||
# 15. SSH HARDENING
|
||||
# ============================================================
|
||||
log "15/15 SSH hardening..."
|
||||
SC="/etc/ssh/sshd_config"
|
||||
[ -s /root/.ssh/authorized_keys ] && \
|
||||
sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin prohibit-password/' "$SC"
|
||||
sed -i 's/^#\?MaxAuthTries.*/MaxAuthTries 3/' "$SC"
|
||||
sed -i 's/^#\?ClientAliveInterval.*/ClientAliveInterval 120/' "$SC"
|
||||
sed -i 's/^#\?ClientAliveCountMax.*/ClientAliveCountMax 3/' "$SC"
|
||||
systemctl reload sshd 2>/dev/null || systemctl reload ssh 2>/dev/null || true
|
||||
|
||||
# ============================================================
|
||||
# ФИНАЛ
|
||||
# ============================================================
|
||||
echo ""
|
||||
echo "=========================================="
|
||||
echo -e "${GREEN} SETUP COMPLETE${NC}"
|
||||
echo "=========================================="
|
||||
echo ""
|
||||
echo "--- remnanode ---"
|
||||
docker ps | grep remnanode || true
|
||||
echo ""
|
||||
echo "--- BBR ---"
|
||||
sysctl net.ipv4.tcp_congestion_control
|
||||
sysctl net.core.default_qdisc
|
||||
echo ""
|
||||
echo "--- UFW ---"
|
||||
ufw status numbered
|
||||
echo ""
|
||||
echo "--- CrowdSec ---"
|
||||
cscli version 2>/dev/null || true
|
||||
cscli machines list 2>/dev/null || true
|
||||
echo ""
|
||||
echo "--- SMTP check ---"
|
||||
ss -lntp | grep -E ':(25|465|587)\b' || echo " [OK] No SMTP listeners"
|
||||
echo ""
|
||||
echo "--- zram ---"
|
||||
swapon --show 2>/dev/null || true
|
||||
echo ""
|
||||
echo "=========================================="
|
||||
echo -e "${YEL}ПОСЛЕ ЗАПУСКА:${NC}"
|
||||
echo " 1. Подтверди enroll в консоли: https://app.crowdsec.net"
|
||||
echo " 2. reboot"
|
||||
echo "=========================================="
|
||||
Reference in New Issue
Block a user