From 1eae889c2b002587ff067c59ecffd400ae528cb4 Mon Sep 17 00:00:00 2001 
From: Ed Asriyan Date: Sat, 30 Nov 2024 01:43:30 -0600 Subject: [PATCH] Switch to xray (test) --- .github/workflows/CD-production.yml | 2 +- config/hosts.example.yml | 4 +- config/servers.example.yml | 62 +++---- proxies.yml | 8 +- roles/nginx/README.md | 12 -- roles/nginx/tasks/main.yml | 43 ----- roles/node-exporter/README.md | 5 - roles/node-exporter/defaults/main.yml | 2 - roles/node-exporter/tasks/main.yml | 63 -------- .../templates/node_exporter.service.j2 | 11 -- roles/node-exporter/vars/main.yml | 19 --- roles/prometheus/README.md | 6 - roles/prometheus/defaults/main.yml | 23 --- roles/prometheus/tasks/main.yml | 137 ---------------- roles/prometheus/templates/config.yml.j2 | 35 ---- .../templates/prometheus.service.j2 | 12 -- roles/prometheus/templates/web-config.yml.j2 | 6 - roles/prometheus/vars/main.yml | 23 --- roles/shadowsocks-gateway/README.md | 3 - roles/shadowsocks-gateway/defaults/main.yml | 6 - roles/shadowsocks-gateway/meta/main.yml | 14 -- roles/shadowsocks-gateway/tasks/main.yml | 87 ---------- .../templates/nginx.conf.j2 | 111 ------------- .../templates/shadowsocks-gateway.service.j2 | 11 -- roles/shadowsocks-gateway/vars/main.yml | 36 ----- roles/shadowsocks/defaults/main.yml | 12 -- roles/shadowsocks/meta/main.yml | 2 - roles/shadowsocks/tasks/main.yml | 83 ---------- roles/shadowsocks/templates/config.yml.j2 | 14 -- .../templates/shadowsocks.service.j2 | 12 -- roles/shadowsocks/vars/main.yml | 18 --- roles/users-configs/files/guide.html | 108 +++---------- roles/users-configs/tasks/main.yml | 27 ++-- roles/users-configs/templates/config.json.j2 | 38 +---- roles/users-configs/templates/index.html.j2 | 7 +- .../users-configs/templates/redirect.json.j2 | 3 + roles/users-csv/defaults/main.yml | 1 - roles/{shadowsocks => xray}/README.md | 0 roles/xray/defaults/main.yml | 6 + roles/xray/meta/main.yml | 2 + roles/xray/tasks/main.yml | 104 ++++++++++++ roles/xray/templates/config.json.j2 | 151 ++++++++++++++++++ 
roles/xray/templates/xray.service.j2 | 12 ++ roles/xray/vars/main.yml | 18 +++ 44 files changed, 364 insertions(+), 995 deletions(-) delete mode 100644 roles/nginx/README.md delete mode 100644 roles/nginx/tasks/main.yml delete mode 100644 roles/node-exporter/README.md delete mode 100644 roles/node-exporter/defaults/main.yml delete mode 100644 roles/node-exporter/tasks/main.yml delete mode 100644 roles/node-exporter/templates/node_exporter.service.j2 delete mode 100644 roles/node-exporter/vars/main.yml delete mode 100644 roles/prometheus/README.md delete mode 100644 roles/prometheus/defaults/main.yml delete mode 100644 roles/prometheus/tasks/main.yml delete mode 100644 roles/prometheus/templates/config.yml.j2 delete mode 100644 roles/prometheus/templates/prometheus.service.j2 delete mode 100644 roles/prometheus/templates/web-config.yml.j2 delete mode 100644 roles/prometheus/vars/main.yml delete mode 100644 roles/shadowsocks-gateway/README.md delete mode 100644 roles/shadowsocks-gateway/defaults/main.yml delete mode 100644 roles/shadowsocks-gateway/meta/main.yml delete mode 100644 roles/shadowsocks-gateway/tasks/main.yml delete mode 100644 roles/shadowsocks-gateway/templates/nginx.conf.j2 delete mode 100644 roles/shadowsocks-gateway/templates/shadowsocks-gateway.service.j2 delete mode 100644 roles/shadowsocks-gateway/vars/main.yml delete mode 100644 roles/shadowsocks/defaults/main.yml delete mode 100644 roles/shadowsocks/meta/main.yml delete mode 100644 roles/shadowsocks/tasks/main.yml delete mode 100644 roles/shadowsocks/templates/config.yml.j2 delete mode 100644 roles/shadowsocks/templates/shadowsocks.service.j2 delete mode 100644 roles/shadowsocks/vars/main.yml create mode 100644 roles/users-configs/templates/redirect.json.j2 rename roles/{shadowsocks => xray}/README.md (100%) create mode 100644 roles/xray/defaults/main.yml create mode 100644 roles/xray/meta/main.yml create mode 100644 roles/xray/tasks/main.yml create mode 100644 
roles/xray/templates/config.json.j2
create mode 100644 roles/xray/templates/xray.service.j2
create mode 100644 roles/xray/vars/main.yml
diff --git a/.github/workflows/CD-production.yml b/.github/workflows/CD-production.yml
index afb34fd..7ff6396 100644
--- a/.github/workflows/CD-production.yml
+++ b/.github/workflows/CD-production.yml
@@ -22,7 +22,7 @@ jobs:
strategy:
matrix:
task:
- - deploy_metrics
+ # - deploy_metrics
- deploy_proxies
with:
tasks: ${{ matrix.task }}
diff --git a/config/hosts.example.yml b/config/hosts.example.yml
index 893ed46..585de12 100644
--- a/config/hosts.example.yml
+++ b/config/hosts.example.yml
@@ -6,9 +6,9 @@ all:
# linux user to connect to ssh to the server as
ansible_user:
proxy1:
- # uuid of the shadowsocks server that should be deployed (from config/servers.yml)
+ # uuid of the xray server that should be deployed (from config/servers.yml)
hosts_server_uuid:
- # public domain or IP where shadowsocks should be deployed (if ssh and shadowsocks are on the same IP, it should be equal to config_servers[hosts_server_uuid].host value)
+ # public domain or IP where xray should be deployed (if ssh and xray are on the same IP, it should be equal to config_servers[hosts_server_uuid].host value)
ansible_host:
# linux user to connect to ssh to the server as
ansible_user:
diff --git a/config/servers.example.yml b/config/servers.example.yml
index ef19d42..fa119e2 100644
--- a/config/servers.example.yml
+++ b/config/servers.example.yml
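Review bot: The `deploy_metrics` matrix entry in the CD-production.yml hunk is commented out rather than removed, while the prometheus and node-exporter roles that presumably backed it are deleted in the same commit, so the commented line is dead configuration that will only drift. Either delete it, or if the "(test)" in the title means this is temporary, mark it `# TODO(owner): restore or replace metrics deployment` so the follow-up is tracked. Note also that with those roles gone the proxy hosts no longer expose an exporter or any scrape target, so this change silently removes monitoring of the fleet; that consequence is worth a sentence in the commit description so operators know detection coverage changed.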
@@ -1,55 +1,31 @@ config_servers: server1-uuid: + flow: + # private key. generate with ./xray x25519 + private_key: + # public key. generate with ./xray x25519 + public_key: + # where regular https requests proxy to + sni: # domain of server that will be put into config host: # description or name of server remarks: # port of shadowsocks to be exposed and used publicly port: - # cipher to use in shadowsocks - method: - # secret (any random string) to be used for generating client passwords - secret: - # prefix to use. read more: https://www.reddit.com/r/outlinevpn/wiki/index/prefixing - prefix: - # where regular https requests (non-shadowsocks requests) proxy to - fallback_proxy_target: - # if you don't want to install prometheus on the server, replace yaml object to boolean false: - # prometheus_metrics: false - prometheus_metrics: - # port where prometheus metrics endpoints should be exposed - port: - # content of self-signed cert and keys (SSL pem format) - tls: - certificate: | - -----BEGIN CERTIFICATE----- - .... - -----END CERTIFICATE----- - key: | - -----BEGIN PRIVATE KEY----- - .... - -----END PRIVATE KEY----- - shadowsocks: - # any random URL-valid string starting with "/" - url_path: - node_exporter: - # any random URL-valid string starting with "/" - url_path: + # second server (for instance) server2-uuid: + flow: + # private key. generate with ./xray x25519 + private_key: + # public key. generate with ./xray x25519 + public_key: + # where regular https requests proxy to + sni: + # domain of server that will be put into config host: + # description or name of server remarks: - port: - method: - secret: - prefix: - fallback_proxy_target: - prometheus_metrics: - port: - tls: - certificate_path: - key_path: - shadowsocks: - url_path: - node_exporter: - url_path: + # port of shadowsocks to be exposed and used publicly + port: \ No newline at end of file diff --git a/proxies.yml b/proxies.yml index 27aa08a..609f640 100644 --- a/proxies.yml +++ b/proxies.yml 
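Review bot: The `port` comment on both example servers still reads `# port of shadowsocks to be exposed and used publicly` although the file now describes an xray server; change it to `# port of xray to be exposed and used publicly`, and give the new, undocumented `flow:` key a comment such as `# xray flow setting for this server (leave empty if not used)`. The example also introduces a server `private_key` (generated with `./xray x25519`) into config/servers.yml alongside non-secret fields; since only the public key needs to reach clients, a comment stating that this file is expected to be vaulted or kept out of version control would help — I cannot see .gitignore or any vault usage from this hunk, so confirm what the project's convention is. Minor style: the new file ends with `\ No newline at end of file`; add a trailing newline.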
@@ -5,8 +5,8 @@ - ./config/users.yml - ./config/servers.yml roles: - - role: shadowsocks-gateway + - role: xray vars: - shadowsocks_gateway_server_uuid: "{{ hosts_server_uuid }}" - shadowsocks_gateway_server: "{{ config_servers[shadowsocks_gateway_server_uuid] }}" - shadowsocks_gateway_users: "{{ config_users }}" + xray_server_uuid: "{{ hosts_server_uuid }}" + xray_server: "{{ config_servers[xray_server_uuid] }}" + xray_users: "{{ config_users }}" diff --git a/roles/nginx/README.md b/roles/nginx/README.md deleted file mode 100644 index fdef477..0000000 --- a/roles/nginx/README.md +++ /dev/null @@ -1,12 +0,0 @@ -# nginx -This role installs and configures the NGINX web server. - -## Tasks -The following tasks are included in this role: - -1. Install nginx and required libraries -2. Set CAP_NET_BIND_SERVICE capability for nginx executable so it listen any port regardless what user executes the executable -3. Ensures that the default nginx systemd service is not running - -## Mandatory and optional variables -No diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml deleted file mode 100644 index 447840c..0000000 --- a/roles/nginx/tasks/main.yml +++ /dev/null 
@@ -1,43 +0,0 @@ -# http://nginx.org/en/linux_packages.html#Debian - -- name: Check if nginx is installed - shell: nginx -v - register: nginx_installed - ignore_errors: yes - -- name: Install the prerequisites - with_items: - - curl - - gnupg2 - - ca-certificates - - lsb-release - - debian-archive-keyring - package: - name: "{{ item }}" - state: present - when: nginx_installed.failed - -- name: Import an official nginx signing key so apt could verify the packages authenticity - command: bash -c "curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor | tee /usr/share/keyrings/nginx-archive-keyring.gpg > /dev/null" - when: nginx_installed.failed - -- name: Set up the apt repository for stable nginx packages - command: bash -c "echo 'deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/debian `lsb_release -cs` nginx' | tee /etc/apt/sources.list.d/nginx.list" - when: nginx_installed.failed - -- name: Install nginx - package: - name: nginx - state: present - when: nginx_installed.failed - -- name: Stop nginx - systemd: - name: nginx.service - state: stopped - enabled: false - -# https://superuser.com/a/892391 -- name: Set CAP_NET_BIND_SERVICE capability for nginx - command: setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx - when: nginx_installed.failed diff --git a/roles/node-exporter/README.md b/roles/node-exporter/README.md deleted file mode 100644 index 85e98d9..0000000 --- a/roles/node-exporter/README.md +++ /dev/null @@ -1,5 +0,0 @@ -# node-exporter -The `node-exporter` role installs and configures the [Prometheus Node Exporter](https://github.com/prometheus/node_exporter). - -## Mandatory and optional variables -Find them in [./defaults/main.yml](./defaults/main.yml). Empty variables in the file are mandatory, pre-filled variables are optional. diff --git a/roles/node-exporter/defaults/main.yml b/roles/node-exporter/defaults/main.yml deleted file mode 100644 index 4761ae6..0000000 
--- a/roles/node-exporter/defaults/main.yml +++ /dev/null @@ -1,2 +0,0 @@ -# the port node_exporter should locally (localhost) export http metrics on -node_exporter_port: 9092 diff --git a/roles/node-exporter/tasks/main.yml b/roles/node-exporter/tasks/main.yml deleted file mode 100644 index edfcd6b..0000000 --- a/roles/node-exporter/tasks/main.yml +++ /dev/null 
@@ -1,63 +0,0 @@ -- name: Ensure required variables are defined - assert: - that: - - node_exporter_port is number - -- name: Create user - user: name={{ node_exporter_user }} - -- name: Get MD5 checksum of node-exporter executable - stat: - path: "/home/{{ node_exporter_user }}/{{ node_exporter_executable_name }}" - checksum_algorithm: md5 - register: file_stat - -- name: Detect arch - command: uname -m - check_mode: no - register: arch - -- name: Know if the directory exists - stat: - path: "/home/{{ node_exporter_user }}/{{ node_exporter_downloads[arch.stdout].directory }}" - register: file_stat - -- name: Download & extract node-exporter - when: "file_stat.stat.exists == false" - unarchive: - src: "{{ node_exporter_downloads[arch.stdout].url }}" - dest: "/home/{{ node_exporter_user }}" - remote_src: yes - register: download - -- name: Set node-exporter ownership, group and permissions - file: - path: "/home/{{ node_exporter_user }}/{{ node_exporter_downloads[arch.stdout].directory }}/{{ node_exporter_executable_name }}" - group: "{{ node_exporter_user }}" - owner: "{{ node_exporter_user }}" - mode: "700" - -- name: Remove unexpected files in home - include_tasks: tasks/remove-unexpected-files.yml - vars: - directory: "/home/{{ node_exporter_user }}" - files: - - "{{ node_exporter_downloads[arch.stdout].directory }}" - -- name: Render systemd service config - template: - src: node_exporter.service.j2 - dest: /etc/systemd/system/node_exporter.service - register: systemd - -- name: Reload daemon - systemd: - daemon_reload: yes - when: systemd.changed - -- name: Restart systemd app service - systemd: - name: node_exporter.service - state: restarted - enabled: yes - when: systemd.changed or download.changed diff --git a/roles/node-exporter/templates/node_exporter.service.j2 b/roles/node-exporter/templates/node_exporter.service.j2 deleted file mode 100644 index 70f5c91..0000000 --- a/roles/node-exporter/templates/node_exporter.service.j2 +++ /dev/null 
@@ -1,11 +0,0 @@ -[Unit] -Description=node_exporter - -[Service] -User={{ node_exporter_user }} -WorkingDirectory=/home/{{ node_exporter_user }} -ExecStart=/home/{{ node_exporter_user }}/{{ node_exporter_downloads[arch.stdout].directory }}/{{ node_exporter_executable_name }} --web.listen-address=:{{ node_exporter_port }} -Restart=always - -[Install] -WantedBy=multi-user.target diff --git a/roles/node-exporter/vars/main.yml b/roles/node-exporter/vars/main.yml deleted file mode 100644 index 8c11e4c..0000000 --- a/roles/node-exporter/vars/main.yml +++ /dev/null @@ -1,19 +0,0 @@ -# linus user to run node-exporter as -node_exporter_user: node_exporter - -# URL to download outline from -node_exporter_downloads: - x86_64: - url: https://github.com/prometheus/node_exporter/releases/download/v1.7.0/node_exporter-1.7.0.linux-amd64.tar.gz - md5: 94194e281f7d67de9a06838ea1dd7d7e - directory: node_exporter-1.7.0.linux-amd64 - arm64: - url: https://github.com/prometheus/node_exporter/releases/download/v1.7.0/node_exporter-1.7.0.linux-arm64.tar.gz - md5: 8f51c78b3b2b0d732c38edbf684e579b - directory: node_exporter-1.7.0.linux-arm64 - armv7l: - url: https://github.com/prometheus/node_exporter/releases/download/v1.7.0/node_exporter-1.7.0.linux-armv7.tar.gz - md5: b5c74984325b6b84d20a16daf24b0ee3 - directory: node_exporter-1.7.0.linux-armv7 -# name of node-exporter executable file -node_exporter_executable_name: node_exporter diff --git a/roles/prometheus/README.md b/roles/prometheus/README.md deleted file mode 100644 index d89df17..0000000 --- a/roles/prometheus/README.md +++ /dev/null @@ -1,6 +0,0 @@ -# prometheus -This role installs and configures Prometheus. It sets up the Prometheus server, configures scrape targets from proxy -servers, and ensures that Prometheus is running as a systemd service. - -## Mandatory and optional variables -Find them in [./defaults/main.yml](./defaults/main.yml). Empty variables in the file are mandatory, pre-filled variables are optional. 
diff --git a/roles/prometheus/defaults/main.yml b/roles/prometheus/defaults/main.yml deleted file mode 100644 index ecf96e6..0000000 --- a/roles/prometheus/defaults/main.yml +++ /dev/null @@ -1,23 +0,0 @@ - -# username for admin authentication -prometheus_username: -# bcrypt'ed admin password for authentication -prometheus_password_bcrypt: - -# how long prometheus should store metrics data -prometheus_retention: - -# port of prometheus to be exposed and used publicly -prometheus_port: - -# parameters for https://prometheus.io/docs/practices/remote_write -prometheus_remote: - url: - username: - password: - -# servers object as described in /servers-example.yml -prometheus_servers: - -# extrnal public domain of the host prometheus is running on -prometheus_domain: diff --git a/roles/prometheus/tasks/main.yml b/roles/prometheus/tasks/main.yml deleted file mode 100644 index 3d0bcc2..0000000 --- a/roles/prometheus/tasks/main.yml +++ /dev/null 
@@ -1,137 +0,0 @@ -- name: Ensure required variables are defined - assert: - that: - - prometheus_username is string - - prometheus_password_bcrypt is string - - prometheus_retention is string - - prometheus_port is number - - prometheus_remote is mapping - - prometheus_remote.url is string - - prometheus_remote.username is string - - prometheus_remote.password is string - - prometheus_domain is string - -- name: Ensure prometheus_servers is defined correctly - include_tasks: tasks/assert-servers.yml - vars: - servers: "{{ prometheus_servers }}" - -- name: Create user - user: name={{ prometheus_user }} - -- name: Detect arch - command: uname -m - check_mode: no - register: arch - -- name: Know if the directory exists - stat: - path: "/home/{{ prometheus_user }}/{{ prometheus_downloads[arch.stdout].directory }}" - register: file_stat - -- name: Download & extract prometheus - when: "file_stat.stat.exists == false" - unarchive: - src: "{{ prometheus_downloads[arch.stdout].url }}" - dest: "/home/{{ prometheus_user }}" - remote_src: yes - register: download - -- name: Set prometheus ownership, group and permissions - file: - path: "/home/{{ prometheus_user }}/{{ prometheus_downloads[arch.stdout].directory }}/{{ prometheus_executable_name }}" - group: "{{ prometheus_user }}" - owner: "{{ prometheus_user }}" - mode: "700" - -- name: Copy SSL key - copy: - content: "{{ prometheus_key }}" - dest: "{{ prometheus_ssl_key_path }}" - group: "{{ prometheus_user }}" - owner: "{{ prometheus_user }}" - mode: "600" - register: ssl_private - -- name: Copy SSL certificate - copy: - content: "{{ prometheus_certificate }}" - dest: "{{ prometheus_ssl_cert_path }}" - group: "{{ prometheus_user }}" - owner: "{{ prometheus_user }}" - mode: "600" - register: ssl_cert - -- name: Create directory for scrape targets certs - file: - path: "/home/{{ prometheus_user }}/{{ prometheus_scrape_ssl_certs_dir_name }}" - group: "{{ prometheus_user }}" - owner: "{{ prometheus_user }}" - mode: "700" - 
state: directory - -- name: Copy scrape targets SSL certificates - copy: - content: "{{ item.value.prometheus_metrics.tls.certificate }}" - dest: "/home/{{ prometheus_user }}/{{ prometheus_scrape_ssl_certs_dir_name }}/{{ item.key }}-{{ prometheus_scrape_ssl_cert_filename_suffix }}" - group: "{{ prometheus_user }}" - owner: "{{ prometheus_user }}" - mode: "600" - with_dict: "{{ prometheus_servers }}" - when: item.value.prometheus_metrics is mapping - register: ssl_scrape_cert - -- name: Remove unexpected files in directory for scrape targets certs - include_tasks: tasks/remove-unexpected-files.yml - vars: - directory: "/home/{{ prometheus_user }}/{{ prometheus_scrape_ssl_certs_dir_name }}" - files: "{{ prometheus_servers | dict2items | map(attribute='key') | map('regex_replace', '^(.*)$', '\\1-' + prometheus_scrape_ssl_cert_filename_suffix) | list }}" - -- name: Render prometheus config - template: - src: config.yml.j2 - dest: "/home/{{ prometheus_user }}/config.yml" - group: "{{ prometheus_user }}" - owner: "{{ prometheus_user }}" - mode: "600" - register: config - -- name: Render web config - template: - src: web-config.yml.j2 - dest: "/home/{{ prometheus_user }}/web-config.yml" - group: "{{ prometheus_user }}" - owner: "{{ prometheus_user }}" - mode: "600" - register: web - -- name: Remove unexpected files in home - include_tasks: tasks/remove-unexpected-files.yml - vars: - directory: "/home/{{ prometheus_user }}" - files: - - web-config.yml - - config.yml - - "{{ prometheus_ssl_cert_filename }}" - - "{{ prometheus_ssl_key_filename }}" - - "{{ prometheus_scrape_ssl_certs_dir_name }}" - - "{{ prometheus_downloads[arch.stdout].directory }}" - - data - -- name: Render systemd service config - template: - src: prometheus.service.j2 - dest: /etc/systemd/system/prometheus.service - register: systemd - -- name: Reload daemon - systemd: - daemon_reload: yes - when: systemd.changed - -- name: Restart systemd app service - systemd: - name: prometheus.service - state: 
restarted - enabled: yes - when: systemd.changed or download.changed or config.changed or web.changed or ssl_private.changed or ssl_cert.changed or ssl_scrape_cert.changed diff --git a/roles/prometheus/templates/config.yml.j2 b/roles/prometheus/templates/config.yml.j2 deleted file mode 100644 index 4f53f1e..0000000 --- a/roles/prometheus/templates/config.yml.j2 +++ /dev/null @@ -1,35 +0,0 @@ -global: - scrape_interval: 1m -scrape_configs: -{% for server_item in prometheus_servers | dict2items %} -{% set server = server_item.value %} -{% set server_uuid = server_item.key %} -{% if server.prometheus_metrics is mapping %} - - job_name: 'shadowsocks-{{ server.host }}' - scheme: https - tls_config: - ca_file: '/home/{{ prometheus_user }}/{{ prometheus_scrape_ssl_certs_dir_name }}/{{ server_uuid }}-{{ prometheus_scrape_ssl_cert_filename_suffix }}' - metrics_path: '{{ server.prometheus_metrics.shadowsocks.url_path }}' - static_configs: - - targets: - - '{{ server.host }}:{{ server.prometheus_metrics.port }}' - labels: - instance: '{{ server.host }}' - - job_name: 'node-exporter-{{ server.host }}' - scheme: https - tls_config: - ca_file: '/home/{{ prometheus_user }}/{{ prometheus_scrape_ssl_certs_dir_name }}/{{ server_uuid }}-{{ prometheus_scrape_ssl_cert_filename_suffix }}' - metrics_path: '{{ server.prometheus_metrics.node_exporter.url_path }}' - static_configs: - - targets: - - '{{ server.host }}:{{ server.prometheus_metrics.port }}' - labels: - instance: '{{ server.host }}' -{% endif %} -{% endfor %} - -remote_write: - - url: {{ prometheus_remote.url }} - basic_auth: - username: {{ prometheus_remote.username }} - password: {{ prometheus_remote.password }} diff --git a/roles/prometheus/templates/prometheus.service.j2 b/roles/prometheus/templates/prometheus.service.j2 deleted file mode 100644 index b32176e..0000000 --- a/roles/prometheus/templates/prometheus.service.j2 +++ /dev/null 
@@ -1,12 +0,0 @@ -[Unit] -Description=prometheus -After=outline.service - -[Service] -User={{ prometheus_user }} -WorkingDirectory=/home/{{ prometheus_user }} -ExecStart=/home/{{ prometheus_user }}/{{ prometheus_downloads[arch.stdout].directory }}/{{ prometheus_executable_name }} --config.file /home/{{ prometheus_user }}/config.yml --web.listen-address 0.0.0.0:{{ prometheus_port }} --web.external-url https://{{ prometheus_domain }}:{{ prometheus_port }} --web.config.file /home/{{ prometheus_user }}/web-config.yml --storage.tsdb.retention.time {{ prometheus_retention }} -Restart=always - -[Install] -WantedBy=multi-user.target diff --git a/roles/prometheus/templates/web-config.yml.j2 b/roles/prometheus/templates/web-config.yml.j2 deleted file mode 100644 index 06d9a75..0000000 --- a/roles/prometheus/templates/web-config.yml.j2 +++ /dev/null @@ -1,6 +0,0 @@ -tls_server_config: - cert_file: {{ prometheus_ssl_cert_path }} - key_file: {{ prometheus_ssl_key_path }} - -basic_auth_users: - {{ prometheus_username }}: {{ prometheus_password_bcrypt }} diff --git a/roles/prometheus/vars/main.yml b/roles/prometheus/vars/main.yml deleted file mode 100644 index 02b7511..0000000 --- a/roles/prometheus/vars/main.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -# linus user to run prometheus as -prometheus_user: prometheus -# URL to download prometheus from -prometheus_downloads: - x86_64: - url: https://github.com/prometheus/prometheus/releases/download/v2.46.0/prometheus-2.46.0.linux-amd64.tar.gz - directory: prometheus-2.46.0.linux-amd64 - arm64: - url: https://github.com/prometheus/prometheus/releases/download/v2.46.0/prometheus-2.46.0.linux-arm64.tar.gz - directory: prometheus-2.46.0.linux-arm64 - armv7l: - url: https://github.com/prometheus/prometheus/releases/download/v2.47.2/prometheus-2.47.2.linux-armv7.tar.gz - directory: prometheus-2.47.2.linux-armv7 -prometheus_executable_name: prometheus - -prometheus_ssl_cert_filename: cert.pem -prometheus_ssl_key_filename: key.pem -prometheus_scrape_ssl_cert_filename_suffix: scrape_cert.pem -prometheus_scrape_ssl_certs_dir_name: certs - -prometheus_ssl_cert_path: /home/{{ prometheus_user }}/{{ prometheus_ssl_cert_filename }} -prometheus_ssl_key_path: /home/{{ prometheus_user }}/{{ prometheus_ssl_key_filename }} -prometheus_scrape_ssl_cert_path: /home/{{ prometheus_user }}/{{ prometheus_scrape_ssl_cert_filename }} diff --git a/roles/shadowsocks-gateway/README.md b/roles/shadowsocks-gateway/README.md deleted file mode 100644 index 2971195..0000000 --- a/roles/shadowsocks-gateway/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# shadowsocks-gateway -## Mandatory and optional variables -Find them in [./defaults/main.yml](./defaults/main.yml). Empty variables in the file are mandatory, pre-filled variables are optional. diff --git a/roles/shadowsocks-gateway/defaults/main.yml b/roles/shadowsocks-gateway/defaults/main.yml deleted file mode 100644 index a38e38c..0000000 --- a/roles/shadowsocks-gateway/defaults/main.yml +++ /dev/null @@ -1,6 +0,0 @@ -# server uuid as in /servers-example.yml -shadowsocks_server_uuid: -# one(!) server item as secribed in /servers-example.yml -shadowsocks_server: -# users as described in /users-example.yml -shadowsocks_users: 
diff --git a/roles/shadowsocks-gateway/meta/main.yml b/roles/shadowsocks-gateway/meta/main.yml deleted file mode 100644 index ce34493..0000000 --- a/roles/shadowsocks-gateway/meta/main.yml +++ /dev/null @@ -1,14 +0,0 @@ -dependencies: - - role: nginx - - role: shadowsocks - vars: - shadowsocks_listen_address: 127.0.0.1 - shadowsocks_port: "{{ shadowsocks_gateway_shadowsocks_port }}" - shadowsocks_metrics_port: "{{ shadowsocks_gateway_shadowsocks_metrics_port }}" - shadowsocks_server_uuid: "{{ shadowsocks_gateway_server_uuid }}" - shadowsocks_server: "{{ shadowsocks_gateway_server }}" - shadowsocks_users: "{{ shadowsocks_gateway_users }}" - - role: node-exporter - when: shadowsocks_gateway_server.prometheus_metrics is mapping - vars: - node_exporter_port: "{{ shadowsocks_gateway_node_exporter_port }}" diff --git a/roles/shadowsocks-gateway/tasks/main.yml b/roles/shadowsocks-gateway/tasks/main.yml deleted file mode 100644 index 4516dc9..0000000 --- a/roles/shadowsocks-gateway/tasks/main.yml +++ /dev/null 
@@ -1,87 +0,0 @@ -- name: Ensure required variables are defined - assert: - that: - - shadowsocks_gateway_server_uuid is string - -- name: Ensure shadowsocks_gateway_users is defined correctly - include_tasks: tasks/assert-users.yml - vars: - users: "{{ shadowsocks_gateway_users }}" - -- name: Ensure shadowsocks_gateway_server is defined correctly - include_tasks: tasks/assert-server.yml - vars: - server: "{{ shadowsocks_gateway_server }}" - -- name: Install libnginx-mod-stream - package: - name: libnginx-mod-stream - state: present - -- name: Create user - user: name={{ shadowsocks_gateway_user }} - -- name: Render nginx config - template: - src: nginx.conf.j2 - dest: "/home/{{ shadowsocks_gateway_user }}/nginx.conf" - group: "{{ shadowsocks_gateway_user }}" - owner: "{{ shadowsocks_gateway_user }}" - mode: "600" - register: config - -- name: Copy SSL key - copy: - content: "{{ shadowsocks_gateway_server.prometheus_metrics.tls.key }}" - dest: "{{ shadowsocks_gateway_key_path }}" - group: "{{ shadowsocks_gateway_user }}" - owner: "{{ shadowsocks_gateway_user }}" - mode: "600" - when: shadowsocks_gateway_server.prometheus_metrics is mapping - register: ssl_key - -- name: Copy SSL certificate - copy: - content: "{{ shadowsocks_gateway_server.prometheus_metrics.tls.certificate }}" - dest: "{{ shadowsocks_gateway_certificate_path }}" - group: "{{ shadowsocks_gateway_user }}" - owner: "{{ shadowsocks_gateway_user }}" - mode: "600" - when: shadowsocks_gateway_server.prometheus_metrics is mapping - register: ssl_cert - -- name: Remove unexpected files in home - include_tasks: tasks/remove-unexpected-files.yml - vars: - directory: "/home/{{ shadowsocks_gateway_user }}" - files: - - nginx.conf - - "{{ shadowsocks_gateway_certificate_filename }}" - - "{{ shadowsocks_gateway_key_filename }}" - - "{{ shadowsocks_gateway_pid_filename }}" - - "{{ shadowsocks_gateway_nginx_conf_filename }}" - - "{{ shadowsocks_gateway_http_access_log_filename }}" - - "{{ 
shadowsocks_gateway_http_error_log_filename }}" - - "{{ shadowsocks_gateway_tls_access_log_filename }}" - - "{{ shadowsocks_gateway_tcp_error_log_filename }}" - - "{{ shadowsocks_gateway_udp_error_log_filename }}" - - "{{ shadowsocks_gateway_prometheus_access_log_filename }}" - - "{{ shadowsocks_gateway_prometheus_error_log_filename }}" - -- name: Render systemd service config - template: - src: shadowsocks-gateway.service.j2 - dest: /etc/systemd/system/shadowsocks-gateway.service - register: systemd - -- name: Reload daemon - systemd: - daemon_reload: yes - when: systemd.changed - -- name: Restart systemd app service - systemd: - name: shadowsocks-gateway.service - state: restarted - enabled: yes - when: systemd.changed or config.changed or ssl_key.changed or ssl_cert.changed diff --git a/roles/shadowsocks-gateway/templates/nginx.conf.j2 b/roles/shadowsocks-gateway/templates/nginx.conf.j2 deleted file mode 100644 index be05d23..0000000 --- a/roles/shadowsocks-gateway/templates/nginx.conf.j2 +++ /dev/null 
@@ -1,111 +0,0 @@ -load_module /usr/lib/nginx/modules/ngx_stream_module.so; -daemon off; -worker_processes auto; - -# https://www.cyberciti.biz/faq/linux-unix-nginx-too-many-open-files -worker_rlimit_nofile {{ shadowsocks_gateway_worker_rlimit_nofile }}; -pid {{ shadowsocks_gateway_pid_path }}; - -events { - worker_connections {{ shadowsocks_gateway_worker_connections }}; -} - -http { - server { - access_log {{ shadowsocks_gateway_http_access_log_path }}; - error_log {{ shadowsocks_gateway_http_error_log_path }}; - - listen *:80; - listen [::]:80; - server_name _; - return 301 https://{{ shadowsocks_gateway_server.fallback_proxy_target }}; - } - -{% if shadowsocks_gateway_server.prometheus_metrics is mapping %} - server { - access_log {{ shadowsocks_gateway_prometheus_access_log_path }}; - error_log {{ shadowsocks_gateway_prometheus_error_log_path }}; - - listen *:{{ shadowsocks_gateway_server.prometheus_metrics.port }} ssl http2; - listen [::]:{{ shadowsocks_gateway_server.prometheus_metrics.port }} ssl http2; - - ssl_certificate {{ shadowsocks_gateway_certificate_path }}; - ssl_certificate_key {{ shadowsocks_gateway_key_path }}; - ssl_protocols TLSv1.2 TLSv1.3; - - location {{ shadowsocks_gateway_server.prometheus_metrics.shadowsocks.url_path }} { - proxy_pass http://127.0.0.1:{{ shadowsocks_gateway_shadowsocks_metrics_port }}/metrics; - } - - location {{ shadowsocks_gateway_server.prometheus_metrics.node_exporter.url_path }} { - proxy_pass http://127.0.0.1:{{ shadowsocks_gateway_node_exporter_port }}/metrics; - } - - location / { - return 444; - } - - error_page 404 = @redirect; - - location @redirect { - return 444; - } - } -{% endif %} -} - -stream { - log_format basic '{' - '"time":"$time_iso8601"' - ',"remote_addr":"$remote_addr"' - ',"protocol":"$protocol"' - ',"status":"$status"' - ',"bytes_sent":"$bytes_sent"' - ',"bytes_received":"$bytes_received"' - ',"session_time":"$session_time"' - ',"upstream_addr":"$upstream_addr"' - 
',"upstream_bytes_sent":"$upstream_bytes_sent"' - ',"upstream_bytes_received":"$upstream_bytes_received"' - ',"upstream_connect_time":"$upstream_connect_time"' - '}'; - - map $ssl_preread_protocol $backend { - default shadowsocks_backend; - "TLSv1.0" https_backend; - "TLSv1.2" https_backend; - "TLSv1.3" https_backend; - } - - map $ssl_preread_protocol $access_log_file { - default ../../../dev/null; - "TLSv1.0" ../../..{{ shadowsocks_gateway_tls_access_log_path }}; - "TLSv1.2" ../../..{{ shadowsocks_gateway_tls_access_log_path }}; - "TLSv1.3" ../../..{{ shadowsocks_gateway_tls_access_log_path }}; - } - - upstream https_backend { - server {{ shadowsocks_gateway_server.fallback_proxy_target }}; - } - - upstream shadowsocks_backend { - server 127.0.0.1:{{ shadowsocks_gateway_shadowsocks_port }}; - } - - server { - listen *:{{ shadowsocks_gateway_server.port }}; - proxy_timeout 5s; - ssl_preread on; - - access_log $access_log_file basic; - error_log ../../..{{ shadowsocks_gateway_tcp_error_log_path }}; - proxy_pass $backend; - } - - server { - listen *:{{ shadowsocks_gateway_server.port }} udp; - - access_log off; - error_log ../../..{{ shadowsocks_gateway_udp_error_log_path }}; - proxy_pass shadowsocks_backend; - } -} diff --git a/roles/shadowsocks-gateway/templates/shadowsocks-gateway.service.j2 b/roles/shadowsocks-gateway/templates/shadowsocks-gateway.service.j2 deleted file mode 100644 index 4c1efc1..0000000 --- a/roles/shadowsocks-gateway/templates/shadowsocks-gateway.service.j2 +++ /dev/null @@ -1,11 +0,0 @@ -[Unit] -Description=shadowsocks-gateway -After=shadowsocks.service - -[Service] -User={{ shadowsocks_gateway_user }} -ExecStart=/usr/sbin/nginx -c {{ shadowsocks_gateway_nginx_conf_path }} -Restart=always - -[Install] -WantedBy=multi-user.target diff --git a/roles/shadowsocks-gateway/vars/main.yml b/roles/shadowsocks-gateway/vars/main.yml deleted file mode 100644 index 1d5016a..0000000 --- a/roles/shadowsocks-gateway/vars/main.yml +++ /dev/null 
@@ -1,36 +0,0 @@
-# linux user to run shadowsocks-gateway as
-shadowsocks_gateway_user: shadowsocks-gateway
-# number of worker_connections in nginx
-shadowsocks_gateway_worker_connections: 65536
-# number of worker_rlimit_nofile in nginx
-shadowsocks_gateway_worker_rlimit_nofile: 65536
-# port node_exporter to run on
-shadowsocks_gateway_node_exporter_port: 47354
-# port shadowsocks-metrics to run on
-shadowsocks_gateway_shadowsocks_metrics_port: 27364
-# port shadowsocks to run on locally
-shadowsocks_gateway_shadowsocks_port: 52539
-
-shadowsocks_gateway_nginx_conf_filename: nginx.conf
-shadowsocks_gateway_certificate_filename: cert.pem
-shadowsocks_gateway_key_filename: key.pem
-shadowsocks_gateway_http_access_log_filename: http_access.log
-shadowsocks_gateway_http_error_log_filename: http_error.log
-shadowsocks_gateway_tls_access_log_filename: tls_access.log
-shadowsocks_gateway_tcp_error_log_filename: tcp_error.log
-shadowsocks_gateway_udp_error_log_filename: udp_error.log
-shadowsocks_gateway_prometheus_access_log_filename: prometheus_access.log
-shadowsocks_gateway_prometheus_error_log_filename: prometheus_error.log
-shadowsocks_gateway_pid_filename: nginx.pid
-
-shadowsocks_gateway_nginx_conf_path: /home/{{ shadowsocks_gateway_user }}/{{shadowsocks_gateway_nginx_conf_filename }}
-shadowsocks_gateway_certificate_path: "/home/{{ shadowsocks_gateway_user }}/{{ shadowsocks_gateway_certificate_filename }}"
-shadowsocks_gateway_key_path: "/home/{{ shadowsocks_gateway_user }}/{{ shadowsocks_gateway_key_filename }}"
-shadowsocks_gateway_http_access_log_path: "/home/{{ shadowsocks_gateway_user }}/{{ shadowsocks_gateway_http_access_log_filename }}"
-shadowsocks_gateway_http_error_log_path: "/home/{{ shadowsocks_gateway_user }}/{{ shadowsocks_gateway_http_error_log_filename }}"
-shadowsocks_gateway_tls_access_log_path: "/home/{{ shadowsocks_gateway_user }}/{{ shadowsocks_gateway_tls_access_log_filename }}"
-shadowsocks_gateway_tcp_error_log_path: "/home/{{ shadowsocks_gateway_user }}/{{ shadowsocks_gateway_tcp_error_log_filename }}"
-shadowsocks_gateway_udp_error_log_path: "/home/{{ shadowsocks_gateway_user }}/{{ shadowsocks_gateway_udp_error_log_filename }}"
-shadowsocks_gateway_prometheus_access_log_path: "/home/{{ shadowsocks_gateway_user }}/{{ shadowsocks_gateway_prometheus_access_log_filename }}"
-shadowsocks_gateway_prometheus_error_log_path: "/home/{{ shadowsocks_gateway_user }}/{{ shadowsocks_gateway_prometheus_error_log_filename }}"
-shadowsocks_gateway_pid_path: "/home/{{ shadowsocks_gateway_user }}/{{ shadowsocks_gateway_pid_filename }}"
diff --git a/roles/shadowsocks/defaults/main.yml b/roles/shadowsocks/defaults/main.yml
deleted file mode 100644
index 2a45160..0000000
--- a/roles/shadowsocks/defaults/main.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-# port of metrics for prometheus to be exposed
-shadowsocks_metrics_port:
-# port of shadowsocks behind gateway
-shadowsocks_port:
-# shadowsocks listen address
-shadowsocks_listen_address:
-# users as described in /users-example.yml
-shadowsocks_users:
-# one(!) server item as secribed in /servers-example.yml
-shadowsocks_server:
-# server uuid as in /servers-example.yml
-shadowsocks_server_uuid:
diff --git a/roles/shadowsocks/meta/main.yml b/roles/shadowsocks/meta/main.yml
deleted file mode 100644
index ca6bf3d..0000000
--- a/roles/shadowsocks/meta/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dependencies:
- - role: kernel-optimizations
diff --git a/roles/shadowsocks/tasks/main.yml b/roles/shadowsocks/tasks/main.yml
deleted file mode 100644
index 5cff6e6..0000000
--- a/roles/shadowsocks/tasks/main.yml
+++ /dev/null
@@ -1,83 +0,0 @@
-- name: Ensure required variables are defined
- assert:
- that:
- - shadowsocks_port is number
- - shadowsocks_listen_address is string
- - shadowsocks_metrics_port is number
- - shadowsocks_server_uuid is string
-
-- name: Ensure shadowsocks_users is defined correctly
- include_tasks: tasks/assert-users.yml
- vars:
- users: "{{ shadowsocks_users }}"
-
-- name: Ensure shadowsocks_server is defined correctly
- include_tasks: tasks/assert-server.yml
- vars:
- server: "{{ shadowsocks_server }}"
-
-- name: Create user
- user: name={{ shadowsocks_user }}
-
-- name: Get MD5 checksum of outline executable
- stat:
- path: "/home/{{ shadowsocks_user }}/{{ shadowsocks_executable_name }}"
- checksum_algorithm: md5
- register: file_stat
-
-- name: Detect arch
- command: uname -m
- check_mode: no
- register: arch
-
-- name: Download & extract outline executable
- when: "file_stat.stat.exists == false or file_stat.stat.checksum != shadowsocks_downloads[arch.stdout].md5"
- unarchive:
- src: "{{ shadowsocks_downloads[arch.stdout].url }}"
- dest: "/home/{{ shadowsocks_user }}"
- remote_src: yes
- extra_opts:
- - "{{ shadowsocks_executable_name }}"
- register: download
-
-- name: Set executable ownership, group and permissions
- file:
- path: "/home/{{ shadowsocks_user }}/{{ shadowsocks_executable_name }}"
- group: "{{ shadowsocks_user }}"
- owner: "{{ shadowsocks_user }}"
- mode: "700"
-
-- name: Render outline-ss-server config
- template:
- src: config.yml.j2
- dest: "/home/{{ shadowsocks_user }}/config.yml"
- group: "{{ shadowsocks_user }}"
- owner: "{{ shadowsocks_user }}"
- mode: "600"
- register: config
-
-- name: Remove unexpected files in home
- include_tasks: tasks/remove-unexpected-files.yml
- vars:
- directory: "/home/{{ shadowsocks_user }}"
- files:
- - config.yml
- - "{{ shadowsocks_executable_name }}"
-
-- name: Render systemd service config
- template:
- src: shadowsocks.service.j2
- dest: /etc/systemd/system/shadowsocks.service
- register: systemd
-
-- name: Reload daemon
- systemd:
- daemon_reload: yes
- when: systemd.changed
-
-- name: Restart systemd app service
- systemd:
- name: shadowsocks.service
- state: restarted
- enabled: yes
- when: systemd.changed or download.changed or config.changed
diff --git a/roles/shadowsocks/templates/config.yml.j2 b/roles/shadowsocks/templates/config.yml.j2
deleted file mode 100644
index 9fcff24..0000000
--- a/roles/shadowsocks/templates/config.yml.j2
+++ /dev/null
@@ -1,14 +0,0 @@
-# https://github.com/Jigsaw-Code/outline-ss-server/blob/master/cmd/outline-ss-server/config_example.yml
-
-services:
- - listeners:
- - type: tcp
- address: "{{ shadowsocks_listen_address }}:{{ shadowsocks_port }}"
- - type: udp
- address: "{{ shadowsocks_listen_address }}:{{ shadowsocks_port }}"
- keys:
-{% for user in shadowsocks_users | dict2items %}
- - cipher: {{ shadowsocks_server.method }}
- id: {{ user.value.name }}
- secret: {{ (user.key + shadowsocks_server.port | string + shadowsocks_server.method + shadowsocks_server_uuid | string + shadowsocks_server.secret | string) | hash('sha512') }}
-{% endfor %}
diff --git a/roles/shadowsocks/templates/shadowsocks.service.j2 b/roles/shadowsocks/templates/shadowsocks.service.j2
deleted file mode 100644
index 0389a09..0000000
--- a/roles/shadowsocks/templates/shadowsocks.service.j2
+++ /dev/null
@@ -1,12 +0,0 @@
-[Unit]
-Description=shadowsocks
-After=network.service
-
-[Service]
-User={{ shadowsocks_user }}
-AmbientCapabilities=CAP_NET_BIND_SERVICE
-ExecStart=/home/{{ shadowsocks_user }}/{{ shadowsocks_executable_name }} -replay_history={{ shadowsocks_replay_history }} -config /home/{{ shadowsocks_user }}/config.yml -metrics 127.0.0.1:{{ shadowsocks_metrics_port }}
-Restart=always
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/shadowsocks/vars/main.yml b/roles/shadowsocks/vars/main.yml
deleted file mode 100644
index 55a6677..0000000
--- a/roles/shadowsocks/vars/main.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-# linux user to run shadowsocks server as
-shadowsocks_user: shadowsocks
-# URL to download outline from
-shadowsocks_downloads:
- x86_64:
- url: https://github.com/Jigsaw-Code/outline-ss-server/releases/download/v1.7.0/outline-ss-server_1.7.0_linux_x86_64.tar.gz
- md5: 40710b0e291fc8fa7eafbf5fbbf56035
- arm64:
- url: https://github.com/Jigsaw-Code/outline-ss-server/releases/download/v1.7.0/outline-ss-server_1.7.0_linux_arm64.tar.gz
- md5: 40710b0e291fc8fa7eafbf5fbbf56035
- armv7l:
- url: https://github.com/Jigsaw-Code/outline-ss-server/releases/download/v1.7.0/outline-ss-server_1.7.0_linux_armv7.tar.gz
- md5: 37cff757d1fbc2ad1e04e71aa4cdbec7
-# name of outline executable file
-shadowsocks_executable_name: outline-ss-server
-# replay defense; see https://github.com/Jigsaw-Code/outline-ss-server/blob/master/service/PROBES.md for details
-shadowsocks_replay_history: 10000
-# port of metrics for prometheus to be exposed
diff --git a/roles/users-configs/files/guide.html b/roles/users-configs/files/guide.html
index 50bb884..9be621d 100644
--- a/roles/users-configs/files/guide.html
+++ b/roles/users-configs/files/guide.html
@@ -26,30 +26,19 @@ const quit = function () { window.location.href = '/'; - } - - const getSsConfig = function(hash) { - return fetch('/' + hash) - .then(response => response.json()) - .catch(quit); - } - - const getSsConfUri = function(hash) { - return 'ssconf://' + location.host + '/' + hash; - } + }; - const getSsUri = function(server) { - return `ss://${btoa(`${server.method}:${server.password}`)}@${server.server}:${server['server_port']}?prefix=${server['prefix']}`; - } + const getSubscriptionUrl = function(hash) { + return `http://${location.host}/${hash}`; + }; - const getStraisandUri = function(server) { - return 'streisand://import/' + getSsUri(server); + const getHiddifyUrl = function(hash) { + return `hiddify://import/${getSubscriptionUrl(hash)}`; } const render = function(hash) { - const ssConfUri = getSsConfUri(hash); document.getElementById('connect_vpn').addEventListener('click', () => { - window.location.href = ssConfUri; + window.location.href = getHiddifyUrl(hash); }); document.getElementById('body').style = ` display: block; @@ -58,57 +47,9 @@ background-color: white; padding: 1rem; `; - for (element of document.getElementsByClassName('sip008_uri')) { - element.innerHTML = ssConfUri; + for (element of document.getElementsByClassName('subscription_uri')) { + element.innerHTML = getSubscriptionUrl(hash); }; - - getSsConfig(hash) - .then(renderStaticConfigurations) - .then(html => document.getElementById('nerd').innerHTML = html); - } - - const renderStaticConfigurations = function(config) { - return ` -
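Review bot: `getSubscriptionUrl` hard-codes the `http://` scheme, so the subscription document (which presumably carries the user's proxy credentials) is requested in cleartext even when the page itself is served over TLS; the removed `getSsConfUri` at least derived only the host from the page, and inheriting the page's scheme via `location.protocol` keeps that property. The `hash` segment is also interpolated unencoded, and the same URL is later written through `innerHTML` in the second hunk, so it should be escaped here as well: the return line becomes ``return `${location.protocol}//${location.host}/${encodeURIComponent(hash)}`;``. As a point of style, `getHiddifyUrl` is the only one of the three new function expressions that omits the trailing `;` after its closing brace.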

Статические конфигурации

-

- Конфигурации ниже временные, пока не обновится динамический конфиг. Когда это произойдёт, впн перестанет работать. - В этом случае нужно будет открыть эту страницу и перенастроить клиент с новыми параметрами. Конфиг обновиться может в любой момент. -

- ${config['servers'].map(renderStaticServerConfig).join('')} - `; - }; - - const renderStaticServerConfig = function (server) { - const streisandUri = getStraisandUri(server); - const ssUri = getSsUri(server); - return ` -
-

${server['remarks']}

-
-

Streisand (iOS & OS X only)

-
- -
- ${streisandUri} -
-
-

Shadowsocks URI

-
- -
- ${ssUri} -
-
-

Ваще ручная настройка

- -
- `; }