fix: create sing-box service before acme install-cert reload
Move install-cert after systemd unit creation so reloadcmd succeeds. Add finish-install.sh to recover partial deployments when cert exists. Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
@@ -0,0 +1,96 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
# 证书已申请但 sing-box 未安装完成时,执行本脚本补全部署
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
||||||
|
ROOT_DIR="$(dirname "$SCRIPT_DIR")"
|
||||||
|
ENV_FILE="${ROOT_DIR}/.env"
|
||||||
|
|
||||||
|
[[ $EUID -eq 0 ]] || { echo "请使用 root 运行"; exit 1; }
|
||||||
|
[[ -f "$ENV_FILE" ]] || { echo "缺少 .env"; exit 1; }
|
||||||
|
# shellcheck disable=SC1090
|
||||||
|
source "$ENV_FILE"
|
||||||
|
|
||||||
|
: "${DOMAIN:?}"
|
||||||
|
: "${UUID:?}"
|
||||||
|
: "${REALITY_PRIVATE_KEY:?}"
|
||||||
|
: "${REALITY_SHORT_ID:?}"
|
||||||
|
: "${HY2_PASSWORD:?}"
|
||||||
|
: "${REALITY_PUBLIC_KEY:?}"
|
||||||
|
|
||||||
|
if ! command -v sing-box &>/dev/null; then
|
||||||
|
echo "sing-box 未安装,请先运行: bash scripts/install.sh"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
mkdir -p /etc/sing-box/certs
|
||||||
|
|
||||||
|
if [[ ! -f /etc/sing-box/certs/fullchain.pem ]]; then
|
||||||
|
echo "安装证书..."
|
||||||
|
/root/.acme.sh/acme.sh --install-cert -d "$DOMAIN" \
|
||||||
|
--key-file /etc/sing-box/certs/privkey.pem \
|
||||||
|
--fullchain-file /etc/sing-box/certs/fullchain.pem \
|
||||||
|
--reloadcmd "systemctl restart sing-box || true"
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "生成 sing-box 配置..."
|
||||||
|
sed -e "s|\${UUID}|${UUID}|g" \
|
||||||
|
-e "s|\${REALITY_SERVER_NAME}|${REALITY_SERVER_NAME:-www.microsoft.com}|g" \
|
||||||
|
-e "s|\${REALITY_PRIVATE_KEY}|${REALITY_PRIVATE_KEY}|g" \
|
||||||
|
-e "s|\${REALITY_SHORT_ID}|${REALITY_SHORT_ID}|g" \
|
||||||
|
-e "s|\${HY2_PASSWORD}|${HY2_PASSWORD}|g" \
|
||||||
|
-e "s|\${DOMAIN}|${DOMAIN}|g" \
|
||||||
|
"$ROOT_DIR/server/sing-box.json.template" > /etc/sing-box/config.json
|
||||||
|
|
||||||
|
sing-box check -c /etc/sing-box/config.json
|
||||||
|
|
||||||
|
cat > /etc/systemd/system/sing-box.service <<'UNIT'
|
||||||
|
[Unit]
|
||||||
|
Description=sing-box service
|
||||||
|
After=network-online.target nginx.service
|
||||||
|
Wants=network-online.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=simple
|
||||||
|
ExecStart=/usr/local/bin/sing-box run -c /etc/sing-box/config.json
|
||||||
|
Restart=on-failure
|
||||||
|
RestartSec=5
|
||||||
|
LimitNOFILE=1048576
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
||||||
|
UNIT
|
||||||
|
|
||||||
|
systemctl daemon-reload
|
||||||
|
systemctl enable sing-box
|
||||||
|
systemctl restart sing-box
|
||||||
|
|
||||||
|
/root/.acme.sh/acme.sh --install-cert -d "$DOMAIN" \
|
||||||
|
--key-file /etc/sing-box/certs/privkey.pem \
|
||||||
|
--fullchain-file /etc/sing-box/certs/fullchain.pem \
|
||||||
|
--reloadcmd "systemctl restart sing-box"
|
||||||
|
|
||||||
|
CLIENT_DIR="${ROOT_DIR}/client/generated"
|
||||||
|
mkdir -p "$CLIENT_DIR"
|
||||||
|
sed -e "s|\${VPS_IP}|${VPS_IP}|g" \
|
||||||
|
-e "s|\${DOMAIN}|${DOMAIN}|g" \
|
||||||
|
-e "s|\${UUID}|${UUID}|g" \
|
||||||
|
-e "s|\${REALITY_SERVER_NAME}|${REALITY_SERVER_NAME:-www.microsoft.com}|g" \
|
||||||
|
-e "s|\${REALITY_PUBLIC_KEY}|${REALITY_PUBLIC_KEY}|g" \
|
||||||
|
-e "s|\${REALITY_SHORT_ID}|${REALITY_SHORT_ID}|g" \
|
||||||
|
-e "s|\${HY2_PASSWORD}|${HY2_PASSWORD}|g" \
|
||||||
|
"$ROOT_DIR/client/sing-box-client.json.template" > "$CLIENT_DIR/sing-box-client.json"
|
||||||
|
|
||||||
|
cat > "$CLIENT_DIR/share-links.txt" <<EOF
|
||||||
|
========== VLESS + Reality (主力) ==========
|
||||||
|
vless://${UUID}@${VPS_IP}:443?encryption=none&flow=xtls-rprx-vision&security=reality&sni=${REALITY_SERVER_NAME:-www.microsoft.com}&fp=chrome&pbk=${REALITY_PUBLIC_KEY}&sid=${REALITY_SHORT_ID}&type=tcp#Reality-Main
|
||||||
|
|
||||||
|
========== Hysteria2 (备用) ==========
|
||||||
|
hy2://${HY2_PASSWORD}@${DOMAIN}:8443?sni=${DOMAIN}#Hysteria2-Backup
|
||||||
|
EOF
|
||||||
|
|
||||||
|
echo ""
|
||||||
|
echo "完成!sing-box 状态:"
|
||||||
|
systemctl status sing-box --no-pager
|
||||||
|
echo ""
|
||||||
|
cat "$CLIENT_DIR/share-links.txt"
|
||||||
+10
-5
@@ -97,14 +97,12 @@ if [[ "$CURRENT_IP" != "$VPS_IP" ]]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
/root/.acme.sh/acme.sh --set-default-ca --server letsencrypt
|
/root/.acme.sh/acme.sh --set-default-ca --server letsencrypt
|
||||||
|
if [[ ! -f "/root/.acme.sh/${DOMAIN}_ecc/fullchain.cer" ]]; then
|
||||||
/root/.acme.sh/acme.sh --issue -d "$DOMAIN" -w /var/www/acme --force
|
/root/.acme.sh/acme.sh --issue -d "$DOMAIN" -w /var/www/acme --force
|
||||||
/root/.acme.sh/acme.sh --install-cert -d "$DOMAIN" \
|
fi
|
||||||
--key-file /etc/sing-box/certs/privkey.pem \
|
|
||||||
--fullchain-file /etc/sing-box/certs/fullchain.pem \
|
|
||||||
--reloadcmd "systemctl restart sing-box"
|
|
||||||
|
|
||||||
log "生成 sing-box 服务端配置 ..."
|
log "生成 sing-box 服务端配置 ..."
|
||||||
mkdir -p /etc/sing-box
|
mkdir -p /etc/sing-box/certs
|
||||||
sed -e "s|\${UUID}|${UUID}|g" \
|
sed -e "s|\${UUID}|${UUID}|g" \
|
||||||
-e "s|\${REALITY_SERVER_NAME}|${REALITY_SERVER_NAME}|g" \
|
-e "s|\${REALITY_SERVER_NAME}|${REALITY_SERVER_NAME}|g" \
|
||||||
-e "s|\${REALITY_PRIVATE_KEY}|${REALITY_PRIVATE_KEY}|g" \
|
-e "s|\${REALITY_PRIVATE_KEY}|${REALITY_PRIVATE_KEY}|g" \
|
||||||
@@ -135,6 +133,13 @@ UNIT
|
|||||||
|
|
||||||
systemctl daemon-reload
|
systemctl daemon-reload
|
||||||
systemctl enable sing-box
|
systemctl enable sing-box
|
||||||
|
|
||||||
|
log "安装 TLS 证书到 sing-box ..."
|
||||||
|
/root/.acme.sh/acme.sh --install-cert -d "$DOMAIN" \
|
||||||
|
--key-file /etc/sing-box/certs/privkey.pem \
|
||||||
|
--fullchain-file /etc/sing-box/certs/fullchain.pem \
|
||||||
|
--reloadcmd "systemctl restart sing-box"
|
||||||
|
|
||||||
systemctl restart sing-box
|
systemctl restart sing-box
|
||||||
|
|
||||||
log "生成客户端配置 ..."
|
log "生成客户端配置 ..."
|
||||||
|
|||||||
Reference in New Issue
Block a user