From 5e2914a1164922570869c5ac9ae629eeb21c6a96 Mon Sep 17 00:00:00 2001
From: Monius <m1105930979@gmail.com>
Date: Tue, 3 Dec 2024 19:24:58 +0800
Subject: [PATCH] add pro version

---
 .github/workflows/build-pro.yml |  62 +++++
 pro/Dockerfile                  |  30 +++
 pro/entrypoint.sh               | 434 ++++++++++++++++++++++++++++++++
 ssh/Dockerfile                  |   2 +-
 ssh/entrypoint.sh               |   4 +-
 5 files changed, 529 insertions(+), 3 deletions(-)
 create mode 100644 .github/workflows/build-pro.yml
 create mode 100644 pro/Dockerfile
 create mode 100755 pro/entrypoint.sh

diff --git a/.github/workflows/build-pro.yml b/.github/workflows/build-pro.yml
new file mode 100644
index 0000000..135e102
--- /dev/null
+++ b/.github/workflows/build-pro.yml
@@ -0,0 +1,62 @@
+name: build-pro
+
+on:
+  workflow_dispatch:
+  workflow_run:
+    workflows: ["build-deps"]
+    types:
+      - completed
+  push:
+    branches:
+      - "master"
+    paths:
+      - ".github/workflows/build-pro.yml"
+      - "pro/entrypoint.sh"
+      - "pro/Dockerfile"
+
+jobs:
+  build-pro:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      -
+        name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - 
+        name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - 
+        name: Convert tags to lowercase
+        run: |
+          dockerhub_tag="${{ secrets.DOCKERHUB_USERNAME }}"
+          ghcr_tag="ghcr.io/${{ github.repository_owner }}"
+          echo "dockerhub_tag=${dockerhub_tag,,}" >> $GITHUB_ENV
+          echo "ghcr_tag=${ghcr_tag,,}" >> $GITHUB_ENV
+      -
+        name: Build and push file
+        uses: docker/build-push-action@v6
+        with:
+          context: "{{defaultContext}}:pro"
+          file: Dockerfile
+          push: true
+          platforms: linux/amd64, linux/arm64, linux/s390x, linux/riscv64, linux/arm
+          tags: |
+            ${{ env.dockerhub_tag }}/docker-yarn-dev:pro
+            ${{ env.ghcr_tag }}/docker-yarn-dev:pro
\ No newline at end of file
diff --git a/pro/Dockerfile b/pro/Dockerfile
new file mode 100644
index 0000000..36d2a60
--- /dev/null
+++ b/pro/Dockerfile
@@ -0,0 +1,30 @@
+FROM monius/docker-yarn-dev:deps
+
+LABEL maintainer="M0nius <m0niusplus@gmail.com>" \
+    debian-version="12.8" \
+    org.opencontainers.image.title="Docker-Yarn-Dev" \
+    org.opencontainers.image.description="Modern develop environment, just in box!" \
+    org.opencontainers.image.authors="M0nius <m0niusplus@gmail.com>" \
+    org.opencontainers.image.vendor="M0nius Tech" \
+    org.opencontainers.image.version="1.0.0" \
+    org.opencontainers.image.url="https://hub.docker.com/r/monius/docker-yarn-dev" \
+    org.opencontainers.image.source="https://github.com/Mon-ius/Docker-Yarn-Dev" \
+    org.opencontainers.image.base.name="docker.io/monius/docker-yarn-dev:pro"
+
+ENV APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=DontWarn
+ENV DEBIAN_FRONTEND=noninteractive
+ENV TZ="Europe/London"
+ENV PKG="openssh-server tmux vim zsh"
+
+RUN apt-get -qq update \
+    && apt-get -qq dist-upgrade -y \
+    && apt-get -qq install $PKG \
+    && apt-get -qq autoremove --purge \
+    && apt-get -qq autoclean \
+    && rm -rf /var/lib/apt/lists/* \
+    && rm -rf /tmp/*
+
+COPY entrypoint.sh /run/entrypoint.sh
+ENTRYPOINT ["/run/entrypoint.sh"]
+
+CMD ["dev-cli"]
\ No newline at end of file
diff --git a/pro/entrypoint.sh b/pro/entrypoint.sh
new file mode 100755
index 0000000..6ddfee0
--- /dev/null
+++ b/pro/entrypoint.sh
@@ -0,0 +1,434 @@
+#!/bin/sh
+
+set -e
+
+corepack enable && corepack prepare yarn@stable --activate
+
+sleep 3
+
+
+_X_SERVER=example.com
+_X_PORT=443
+_X_AUTH=passwd
+
+_D_SERVER=127.0.0.1
+_D_PORT=60996
+_D_USER=dev
+_D_PUB_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJQHW0nbmyka727Eg/mJgNzOO0DMKbXOsfS3X6P3Trnw'
+
+X_SERVER="${X_SERVER:-$_X_SERVER}"
+X_PORT="${X_PORT:-$_X_PORT}"
+X_AUTH="${X_AUTH:-$_X_AUTH}"
+
+D_SERVER="${D_SERVER:-$_D_SERVER}"
+D_PORT="${D_PORT:-$_D_PORT}"
+D_USER="${D_USER:-$_D_USER}"
+D_PUB_KEY="${D_PUB_KEY:-$_D_PUB_KEY}"
+
+
+if [ -n "$X_SERVER" ] && [ -n "$X_PORT" ] && [ -n "$X_AUTH" ]; then
+    AUTH_PART=$(cat <<EOF
+        {
+            "tag": "Proxy",
+            "type": "hysteria2",
+            "server": "$X_SERVER",
+            "server_port": $X_PORT,
+            "up_mbps": 1000,
+            "down_mbps": 1000,
+            "password": "$X_AUTH",
+            "connect_timeout": "5s",
+            "tcp_fast_open": true,
+            "tls": {
+                "enabled": true,
+                "server_name": "$X_SERVER",
+                "alpn": [
+                    "h3"
+                ]
+            }
+        }
+EOF
+)
+else
+    AUTH_PART=""
+fi
+
+cat <<EOF | tee /etc/sing-box/config.json
+{
+    "log": {
+        "disabled": false,
+        "level": "info",
+        "timestamp": true
+    },
+    "experimental": {
+        "cache_file": {
+            "enabled": true,
+            "path": "cache.db",
+            "cache_id": "v1",
+            "store_fakeip": true
+        }
+    },
+    "dns": {
+        "servers": [
+            {
+                "tag": "google",
+                "address": "tls://8.8.8.8",
+                "detour": "Proxy"
+            },
+            {
+                "tag": "fallback",
+                "address": "8.8.8.8",
+                "address_resolver": "google",
+                "detour": "Proxy"
+            },
+            {
+                "tag": "local-dns",
+                "address": "223.5.5.5",
+                "detour": "direct"
+            },
+            {
+                "tag": "block-dns",
+                "address": "rcode://success"
+            }
+        ],
+        "rules": [
+            {
+                "outbound": "any",
+                "server": "local-dns"
+            },
+            {
+                "rule_set": [
+                    "Youtube0"
+                ],
+                "server": "fallback"
+            },
+            {
+                "rule_set": [
+                    "Telegram1"
+                ],
+                "server": "fallback"
+            },
+            {
+                "rule_set": [
+                    "Github0"
+                ],
+                "server": "fallback"
+            },
+            {
+                "rule_set": [
+                    "Openai0"
+                ],
+                "server": "fallback"
+            },
+            {
+                "rule_set": [
+                    "Netflix0"
+                ],
+                "server": "fallback"
+            },
+            {
+                "rule_set": [
+                    "Google0"
+                ],
+                "server": "fallback"
+            },
+            {
+                "rule_set": [
+                    "Direct1"
+                ],
+                "server": "local-dns"
+            },
+            {
+                "query_type": [
+                    "A"
+                ],
+                "rewrite_ttl": 1,
+                "server": "fallback"
+            }
+        ],
+        "strategy": "ipv4_only"
+    },
+    "inbounds": [
+        {
+            "type": "tproxy",
+            "listen": "::",
+            "listen_port": 60091,
+            "sniff": true,
+            "udp_fragment": true,
+            "tcp_fast_open": true,
+            "tcp_multi_path": false,
+            "udp_timeout": "5m",
+            "sniff_override_destination": false,
+            "domain_strategy": "prefer_ipv4"
+        }
+    ],
+    "route": {
+        "rule_set": [
+            {
+                "type": "remote",
+                "format": "binary",
+                "download_detour": "Proxy",
+                "tag": "Youtube0",
+                "url": "https://github.com/MetaCubeX/meta-rules-dat/raw/sing/geo/geosite/youtube.srs"
+            },
+            {
+                "type": "remote",
+                "format": "binary",
+                "download_detour": "Proxy",
+                "tag": "Telegram0",
+                "url": "https://github.com/MetaCubeX/meta-rules-dat/raw/sing/geo/geoip/telegram.srs"
+            },
+            {
+                "type": "remote",
+                "format": "binary",
+                "download_detour": "Proxy",
+                "tag": "Telegram1",
+                "url": "https://github.com/MetaCubeX/meta-rules-dat/raw/sing/geo/geosite/telegram.srs"
+            },
+            {
+                "type": "remote",
+                "format": "binary",
+                "download_detour": "Proxy",
+                "tag": "Github0",
+                "url": "https://github.com/MetaCubeX/meta-rules-dat/raw/sing/geo/geosite/github.srs"
+            },
+            {
+                "type": "remote",
+                "format": "binary",
+                "download_detour": "Proxy",
+                "tag": "Openai0",
+                "url": "https://github.com/MetaCubeX/meta-rules-dat/raw/sing/geo/geosite/openai.srs"
+            },
+            {
+                "type": "remote",
+                "format": "binary",
+                "download_detour": "Proxy",
+                "tag": "Netflix0",
+                "url": "https://github.com/MetaCubeX/meta-rules-dat/raw/sing/geo/geosite/netflix.srs"
+            },
+            {
+                "type": "remote",
+                "format": "binary",
+                "download_detour": "Proxy",
+                "tag": "Netflix1",
+                "url": "https://github.com/MetaCubeX/meta-rules-dat/raw/sing/geo-lite/geoip/netflix.srs"
+            },
+            {
+                "type": "remote",
+                "format": "binary",
+                "download_detour": "Proxy",
+                "tag": "Google0",
+                "url": "https://github.com/MetaCubeX/meta-rules-dat/raw/sing/geo/geosite/google.srs"
+            },
+            {
+                "type": "remote",
+                "format": "binary",
+                "download_detour": "Proxy",
+                "tag": "Direct0",
+                "url": "https://github.com/MetaCubeX/meta-rules-dat/raw/sing/geo/geoip/cn.srs"
+            },
+            {
+                "type": "remote",
+                "format": "binary",
+                "download_detour": "Proxy",
+                "tag": "Direct1",
+                "url": "https://github.com/MetaCubeX/meta-rules-dat/raw/sing/geo/geosite/cn.srs"
+            }
+        ],
+        "rules": [
+            {
+                "protocol": "dns",
+                "outbound": "dns-out"
+            },
+            {
+                "port": 53,
+                "outbound": "dns-out"
+            },
+            {
+                "type": "logical",
+                "mode": "or",
+                "rules": [
+                    {
+                        "port": 853
+                    },
+                    {
+                        "network": "udp",
+                        "port": 443
+                    },
+                    {
+                        "protocol": "stun"
+                    }
+                ],
+                "outbound": "block"
+            },
+            {
+                "rule_set": [
+                    "Youtube0"
+                ],
+                "outbound": "Youtube"
+            },
+            {
+                "rule_set": [
+                    "Telegram0",
+                    "Telegram1"
+                ],
+                "outbound": "Telegram"
+            },
+            {
+                "rule_set": [
+                    "Github0"
+                ],
+                "outbound": "Github"
+            },
+            {
+                "rule_set": [
+                    "Openai0"
+                ],
+                "outbound": "Openai"
+            },
+            {
+                "rule_set": [
+                    "Netflix0",
+                    "Netflix1"
+                ],
+                "outbound": "Netflix"
+            },
+            {
+                "rule_set": [
+                    "Google0"
+                ],
+                "outbound": "Google"
+            },
+            {
+                "rule_set": [
+                    "Direct0",
+                    "Direct1"
+                ],
+                "outbound": "direct"
+            },
+            {
+                "ip_is_private": true,
+                "outbound": "direct"
+            }
+        ],
+        "auto_detect_interface": true,
+        "final": "Proxy"
+    },
+    "outbounds": [
+        {
+            "tag": "Youtube",
+            "outbounds": [
+                "Proxy"
+            ],
+            "interrupt_exist_connections": true,
+            "type": "selector"
+        },
+        {
+            "tag": "Telegram",
+            "outbounds": [
+                "Proxy"
+            ],
+            "interrupt_exist_connections": true,
+            "type": "selector"
+        },
+        {
+            "tag": "Github",
+            "outbounds": [
+                "Proxy"
+            ],
+            "interrupt_exist_connections": true,
+            "type": "selector"
+        },
+        {
+            "tag": "Openai",
+            "outbounds": [
+                "Proxy"
+            ],
+            "interrupt_exist_connections": true,
+            "type": "selector"
+        },
+        {
+            "tag": "Netflix",
+            "outbounds": [
+                "Proxy"
+            ],
+            "interrupt_exist_connections": true,
+            "type": "selector"
+        },
+        {
+            "tag": "Google",
+            "outbounds": [
+                "Proxy"
+            ],
+            "interrupt_exist_connections": true,
+            "type": "selector"
+        },
+        {
+            "type": "direct",
+            "tag": "direct"
+        },
+        {
+            "type": "dns",
+            "tag": "dns-out"
+        },
+        {
+            "type": "block",
+            "tag": "block"
+        },
+$AUTH_PART
+    ]
+}
+EOF
+
+if [ -n "$X_SERVER" ] && [ -n "$X_PORT" ] && [ -n "$X_AUTH" ]; then
+    ip rule add fwmark 0x1 lookup 100
+    ip route add local default dev lo table 100
+
+    iptables -t mangle -N DEV
+    iptables -t mangle -A DEV -m mark --mark 0xff -j RETURN
+    iptables -t mangle -A DEV -d 0.0.0.0/8 -j RETURN
+    iptables -t mangle -A DEV -d 10.0.0.0/8 -j RETURN
+    iptables -t mangle -A DEV -d 127.0.0.0/8 -j RETURN
+    iptables -t mangle -A DEV -d 169.254.0.0/16 -j RETURN
+    iptables -t mangle -A DEV -d 172.16.0.0/12 -j RETURN
+    iptables -t mangle -A DEV -d 192.168.0.0/16 -j RETURN
+    iptables -t mangle -A DEV -d 224.0.0.0/4 -j RETURN
+    iptables -t mangle -A DEV -d 240.0.0.0/4 -j RETURN
+    iptables -t mangle -A DEV -d "$D_SERVER/24" -j RETURN
+    iptables -t mangle -A DEV -p tcp -j TPROXY --on-port 60091 --on-ip 127.0.0.1 --tproxy-mark 0x1
+    iptables -t mangle -A DEV -p udp -j TPROXY --on-port 60091 --on-ip 127.0.0.1 --tproxy-mark 0x1 
+    iptables -t mangle -A PREROUTING -j DEV
+
+    iptables -t mangle -N DEV_MASK
+    iptables -t mangle -A DEV_MASK -m mark --mark 0xff -j RETURN
+    iptables -t mangle -A DEV_MASK -d 0.0.0.0/8 -j RETURN
+    iptables -t mangle -A DEV_MASK -d 10.0.0.0/8 -j RETURN
+    iptables -t mangle -A DEV_MASK -d 127.0.0.0/8 -j RETURN
+    iptables -t mangle -A DEV_MASK -d 169.254.0.0/16 -j RETURN
+    iptables -t mangle -A DEV_MASK -d 172.16.0.0/12 -j RETURN
+    iptables -t mangle -A DEV_MASK -d 192.168.0.0/16 -j RETURN
+    iptables -t mangle -A DEV_MASK -d 224.0.0.0/4 -j RETURN
+    iptables -t mangle -A DEV_MASK -d 240.0.0.0/4 -j RETURN
+    iptables -t mangle -A DEV_MASK -d "$D_SERVER/24" -j RETURN
+    iptables -t mangle -A DEV_MASK -p tcp -j MARK --set-mark 0x1
+    iptables -t mangle -A DEV_MASK -p udp -j MARK --set-mark 0x1
+    iptables -t mangle -A OUTPUT -j DEV_MASK
+fi
+
+if [ -e "/root/.ssh/id_ed25519" ] && [ ! -e "/usr/bin/dev-cli" ]; then
+    echo "$D_USER ALL=(ALL) NOPASSWD:ALL" | sudo tee -a "/etc/sudoers.d/$D_USER"
+    sudo adduser --disabled-password --gecos "" "$D_USER" && echo "$D_USER:$D_PUB_KEY" | sudo chpasswd
+    sudo su "$D_USER" -c "
+        mkdir -p ~/.ssh &&
+        touch ~/.ssh/authorized_keys &&
+        echo $D_PUB_KEY >> ~/.ssh/authorized_keys &&
+        git clone --depth=1 https://github.com/AUTOM77/dotfile ~/.dotfile &&
+        mv ~/.dotfile/.zsh/.*  /home/$D_USER
+        rm -rf ~/.dotfile
+    "
+    sudo chsh -s "$(which zsh)" "${D_USER}"
+
+    echo "ssh -NCf -o GatewayPorts=true -o StrictHostKeyChecking=no -o ExitOnForwardFailure=yes -o ServerAliveInterval=10 -o ServerAliveCountMax=3 -R $D_PORT:127.0.0.1:22 tun@$D_SERVER" > /usr/bin/dev-cli && echo "/usr/sbin/sshd" >> /usr/bin/dev-cli
+    echo "sing-box -c /etc/sing-box/config.json run" >> /usr/bin/dev-cli && chmod +x /usr/bin/dev-cli
+fi
+
+exec "$@"
\ No newline at end of file
diff --git a/ssh/Dockerfile b/ssh/Dockerfile
index af174a2..e12ccc6 100644
--- a/ssh/Dockerfile
+++ b/ssh/Dockerfile
@@ -9,7 +9,7 @@ LABEL maintainer="M0nius <m0niusplus@gmail.com>" \
     org.opencontainers.image.version="1.0.0" \
     org.opencontainers.image.url="https://hub.docker.com/r/monius/docker-yarn-dev" \
     org.opencontainers.image.source="https://github.com/Mon-ius/Docker-Yarn-Dev" \
-    org.opencontainers.image.base.name="docker.io/monius/docker-yarn-dev"
+    org.opencontainers.image.base.name="docker.io/monius/docker-yarn-dev:ssh"
 
 ENV APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=DontWarn
 ENV DEBIAN_FRONTEND=noninteractive
diff --git a/ssh/entrypoint.sh b/ssh/entrypoint.sh
index 37e7019..4a8e9e7 100755
--- a/ssh/entrypoint.sh
+++ b/ssh/entrypoint.sh
@@ -4,10 +4,10 @@ set -e
 
 sleep 3
 
-_D_SERVER=example.com
+_D_SERVER=127.0.0.1
 _D_PORT=62222
 _D_USER=dev
-_D_PUB_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEi7rFoMjiucmU4g4pgTi1rTYsqgVi5wOs8KzDc0UZSE'
+_D_PUB_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJQHW0nbmyka727Eg/mJgNzOO0DMKbXOsfS3X6P3Trnw'
 
 D_SERVER="${D_SERVER:-$_D_SERVER}"
 D_PORT="${D_PORT:-$_D_PORT}"