fix: create sing-box service before acme install-cert reload
Move install-cert after systemd unit creation so reloadcmd succeeds. Add finish-install.sh to recover partial deployments when cert exists. Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
@@ -0,0 +1,96 @@
|
||||
#!/usr/bin/env bash
|
||||
# 证书已申请但 sing-box 未安装完成时,执行本脚本补全部署
|
||||
set -euo pipefail
|
||||
|
||||
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
||||
ROOT_DIR="$(dirname "$SCRIPT_DIR")"
|
||||
ENV_FILE="${ROOT_DIR}/.env"
|
||||
|
||||
[[ $EUID -eq 0 ]] || { echo "请使用 root 运行"; exit 1; }
|
||||
[[ -f "$ENV_FILE" ]] || { echo "缺少 .env"; exit 1; }
|
||||
# shellcheck disable=SC1090
|
||||
source "$ENV_FILE"
|
||||
|
||||
: "${DOMAIN:?}"
|
||||
: "${UUID:?}"
|
||||
: "${REALITY_PRIVATE_KEY:?}"
|
||||
: "${REALITY_SHORT_ID:?}"
|
||||
: "${HY2_PASSWORD:?}"
|
||||
: "${REALITY_PUBLIC_KEY:?}"
|
||||
|
||||
if ! command -v sing-box &>/dev/null; then
|
||||
echo "sing-box 未安装,请先运行: bash scripts/install.sh"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
mkdir -p /etc/sing-box/certs
|
||||
|
||||
if [[ ! -f /etc/sing-box/certs/fullchain.pem ]]; then
|
||||
echo "安装证书..."
|
||||
/root/.acme.sh/acme.sh --install-cert -d "$DOMAIN" \
|
||||
--key-file /etc/sing-box/certs/privkey.pem \
|
||||
--fullchain-file /etc/sing-box/certs/fullchain.pem \
|
||||
--reloadcmd "systemctl restart sing-box || true"
|
||||
fi
|
||||
|
||||
echo "生成 sing-box 配置..."
|
||||
sed -e "s|\${UUID}|${UUID}|g" \
|
||||
-e "s|\${REALITY_SERVER_NAME}|${REALITY_SERVER_NAME:-www.microsoft.com}|g" \
|
||||
-e "s|\${REALITY_PRIVATE_KEY}|${REALITY_PRIVATE_KEY}|g" \
|
||||
-e "s|\${REALITY_SHORT_ID}|${REALITY_SHORT_ID}|g" \
|
||||
-e "s|\${HY2_PASSWORD}|${HY2_PASSWORD}|g" \
|
||||
-e "s|\${DOMAIN}|${DOMAIN}|g" \
|
||||
"$ROOT_DIR/server/sing-box.json.template" > /etc/sing-box/config.json
|
||||
|
||||
sing-box check -c /etc/sing-box/config.json
|
||||
|
||||
cat > /etc/systemd/system/sing-box.service <<'UNIT'
|
||||
[Unit]
|
||||
Description=sing-box service
|
||||
After=network-online.target nginx.service
|
||||
Wants=network-online.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
ExecStart=/usr/local/bin/sing-box run -c /etc/sing-box/config.json
|
||||
Restart=on-failure
|
||||
RestartSec=5
|
||||
LimitNOFILE=1048576
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
UNIT
|
||||
|
||||
systemctl daemon-reload
|
||||
systemctl enable sing-box
|
||||
systemctl restart sing-box
|
||||
|
||||
/root/.acme.sh/acme.sh --install-cert -d "$DOMAIN" \
|
||||
--key-file /etc/sing-box/certs/privkey.pem \
|
||||
--fullchain-file /etc/sing-box/certs/fullchain.pem \
|
||||
--reloadcmd "systemctl restart sing-box"
|
||||
|
||||
CLIENT_DIR="${ROOT_DIR}/client/generated"
|
||||
mkdir -p "$CLIENT_DIR"
|
||||
sed -e "s|\${VPS_IP}|${VPS_IP}|g" \
|
||||
-e "s|\${DOMAIN}|${DOMAIN}|g" \
|
||||
-e "s|\${UUID}|${UUID}|g" \
|
||||
-e "s|\${REALITY_SERVER_NAME}|${REALITY_SERVER_NAME:-www.microsoft.com}|g" \
|
||||
-e "s|\${REALITY_PUBLIC_KEY}|${REALITY_PUBLIC_KEY}|g" \
|
||||
-e "s|\${REALITY_SHORT_ID}|${REALITY_SHORT_ID}|g" \
|
||||
-e "s|\${HY2_PASSWORD}|${HY2_PASSWORD}|g" \
|
||||
"$ROOT_DIR/client/sing-box-client.json.template" > "$CLIENT_DIR/sing-box-client.json"
|
||||
|
||||
cat > "$CLIENT_DIR/share-links.txt" <<EOF
|
||||
========== VLESS + Reality (主力) ==========
|
||||
vless://${UUID}@${VPS_IP}:443?encryption=none&flow=xtls-rprx-vision&security=reality&sni=${REALITY_SERVER_NAME:-www.microsoft.com}&fp=chrome&pbk=${REALITY_PUBLIC_KEY}&sid=${REALITY_SHORT_ID}&type=tcp#Reality-Main
|
||||
|
||||
========== Hysteria2 (备用) ==========
|
||||
hy2://${HY2_PASSWORD}@${DOMAIN}:8443?sni=${DOMAIN}#Hysteria2-Backup
|
||||
EOF
|
||||
|
||||
echo ""
|
||||
echo "完成!sing-box 状态:"
|
||||
systemctl status sing-box --no-pager
|
||||
echo ""
|
||||
cat "$CLIENT_DIR/share-links.txt"
|
||||
+11
-6
@@ -97,14 +97,12 @@ if [[ "$CURRENT_IP" != "$VPS_IP" ]]; then
|
||||
fi
|
||||
|
||||
/root/.acme.sh/acme.sh --set-default-ca --server letsencrypt
|
||||
/root/.acme.sh/acme.sh --issue -d "$DOMAIN" -w /var/www/acme --force
|
||||
/root/.acme.sh/acme.sh --install-cert -d "$DOMAIN" \
|
||||
--key-file /etc/sing-box/certs/privkey.pem \
|
||||
--fullchain-file /etc/sing-box/certs/fullchain.pem \
|
||||
--reloadcmd "systemctl restart sing-box"
|
||||
if [[ ! -f "/root/.acme.sh/${DOMAIN}_ecc/fullchain.cer" ]]; then
|
||||
/root/.acme.sh/acme.sh --issue -d "$DOMAIN" -w /var/www/acme --force
|
||||
fi
|
||||
|
||||
log "生成 sing-box 服务端配置 ..."
|
||||
mkdir -p /etc/sing-box
|
||||
mkdir -p /etc/sing-box/certs
|
||||
sed -e "s|\${UUID}|${UUID}|g" \
|
||||
-e "s|\${REALITY_SERVER_NAME}|${REALITY_SERVER_NAME}|g" \
|
||||
-e "s|\${REALITY_PRIVATE_KEY}|${REALITY_PRIVATE_KEY}|g" \
|
||||
@@ -135,6 +133,13 @@ UNIT
|
||||
|
||||
systemctl daemon-reload
|
||||
systemctl enable sing-box
|
||||
|
||||
log "安装 TLS 证书到 sing-box ..."
|
||||
/root/.acme.sh/acme.sh --install-cert -d "$DOMAIN" \
|
||||
--key-file /etc/sing-box/certs/privkey.pem \
|
||||
--fullchain-file /etc/sing-box/certs/fullchain.pem \
|
||||
--reloadcmd "systemctl restart sing-box"
|
||||
|
||||
systemctl restart sing-box
|
||||
|
||||
log "生成客户端配置 ..."
|
||||
|
||||
Reference in New Issue
Block a user