fix: create sing-box service before acme install-cert reload

Move install-cert after systemd unit creation so reloadcmd succeeds.
Add finish-install.sh to recover partial deployments when cert exists.

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
dekun
2026-06-16 08:42:59 +08:00
parent 2653afa287
commit 9293e242be
2 changed files with 107 additions and 6 deletions
+96
View File
@@ -0,0 +1,96 @@
#!/usr/bin/env bash
# 证书已申请但 sing-box 未安装完成时,执行本脚本补全部署
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
ROOT_DIR="$(dirname "$SCRIPT_DIR")"
ENV_FILE="${ROOT_DIR}/.env"
[[ $EUID -eq 0 ]] || { echo "请使用 root 运行"; exit 1; }
[[ -f "$ENV_FILE" ]] || { echo "缺少 .env"; exit 1; }
# shellcheck disable=SC1090
source "$ENV_FILE"
: "${DOMAIN:?}"
: "${UUID:?}"
: "${REALITY_PRIVATE_KEY:?}"
: "${REALITY_SHORT_ID:?}"
: "${HY2_PASSWORD:?}"
: "${REALITY_PUBLIC_KEY:?}"
if ! command -v sing-box &>/dev/null; then
echo "sing-box 未安装,请先运行: bash scripts/install.sh"
exit 1
fi
mkdir -p /etc/sing-box/certs
if [[ ! -f /etc/sing-box/certs/fullchain.pem ]]; then
echo "安装证书..."
/root/.acme.sh/acme.sh --install-cert -d "$DOMAIN" \
--key-file /etc/sing-box/certs/privkey.pem \
--fullchain-file /etc/sing-box/certs/fullchain.pem \
--reloadcmd "systemctl restart sing-box || true"
fi
echo "生成 sing-box 配置..."
sed -e "s|\${UUID}|${UUID}|g" \
-e "s|\${REALITY_SERVER_NAME}|${REALITY_SERVER_NAME:-www.microsoft.com}|g" \
-e "s|\${REALITY_PRIVATE_KEY}|${REALITY_PRIVATE_KEY}|g" \
-e "s|\${REALITY_SHORT_ID}|${REALITY_SHORT_ID}|g" \
-e "s|\${HY2_PASSWORD}|${HY2_PASSWORD}|g" \
-e "s|\${DOMAIN}|${DOMAIN}|g" \
"$ROOT_DIR/server/sing-box.json.template" > /etc/sing-box/config.json
sing-box check -c /etc/sing-box/config.json
cat > /etc/systemd/system/sing-box.service <<'UNIT'
[Unit]
Description=sing-box service
After=network-online.target nginx.service
Wants=network-online.target
[Service]
Type=simple
ExecStart=/usr/local/bin/sing-box run -c /etc/sing-box/config.json
Restart=on-failure
RestartSec=5
LimitNOFILE=1048576
[Install]
WantedBy=multi-user.target
UNIT
systemctl daemon-reload
systemctl enable sing-box
systemctl restart sing-box
/root/.acme.sh/acme.sh --install-cert -d "$DOMAIN" \
--key-file /etc/sing-box/certs/privkey.pem \
--fullchain-file /etc/sing-box/certs/fullchain.pem \
--reloadcmd "systemctl restart sing-box"
CLIENT_DIR="${ROOT_DIR}/client/generated"
mkdir -p "$CLIENT_DIR"
sed -e "s|\${VPS_IP}|${VPS_IP}|g" \
-e "s|\${DOMAIN}|${DOMAIN}|g" \
-e "s|\${UUID}|${UUID}|g" \
-e "s|\${REALITY_SERVER_NAME}|${REALITY_SERVER_NAME:-www.microsoft.com}|g" \
-e "s|\${REALITY_PUBLIC_KEY}|${REALITY_PUBLIC_KEY}|g" \
-e "s|\${REALITY_SHORT_ID}|${REALITY_SHORT_ID}|g" \
-e "s|\${HY2_PASSWORD}|${HY2_PASSWORD}|g" \
"$ROOT_DIR/client/sing-box-client.json.template" > "$CLIENT_DIR/sing-box-client.json"
cat > "$CLIENT_DIR/share-links.txt" <<EOF
========== VLESS + Reality (主力) ==========
vless://${UUID}@${VPS_IP}:443?encryption=none&flow=xtls-rprx-vision&security=reality&sni=${REALITY_SERVER_NAME:-www.microsoft.com}&fp=chrome&pbk=${REALITY_PUBLIC_KEY}&sid=${REALITY_SHORT_ID}&type=tcp#Reality-Main
========== Hysteria2 (备用) ==========
hy2://${HY2_PASSWORD}@${DOMAIN}:8443?sni=${DOMAIN}#Hysteria2-Backup
EOF
echo ""
echo "完成!sing-box 状态:"
systemctl status sing-box --no-pager
echo ""
cat "$CLIENT_DIR/share-links.txt"
+11 -6
View File
@@ -97,14 +97,12 @@ if [[ "$CURRENT_IP" != "$VPS_IP" ]]; then
fi
/root/.acme.sh/acme.sh --set-default-ca --server letsencrypt
/root/.acme.sh/acme.sh --issue -d "$DOMAIN" -w /var/www/acme --force
/root/.acme.sh/acme.sh --install-cert -d "$DOMAIN" \
--key-file /etc/sing-box/certs/privkey.pem \
--fullchain-file /etc/sing-box/certs/fullchain.pem \
--reloadcmd "systemctl restart sing-box"
if [[ ! -f "/root/.acme.sh/${DOMAIN}_ecc/fullchain.cer" ]]; then
/root/.acme.sh/acme.sh --issue -d "$DOMAIN" -w /var/www/acme --force
fi
log "生成 sing-box 服务端配置 ..."
mkdir -p /etc/sing-box
mkdir -p /etc/sing-box/certs
sed -e "s|\${UUID}|${UUID}|g" \
-e "s|\${REALITY_SERVER_NAME}|${REALITY_SERVER_NAME}|g" \
-e "s|\${REALITY_PRIVATE_KEY}|${REALITY_PRIVATE_KEY}|g" \
@@ -135,6 +133,13 @@ UNIT
systemctl daemon-reload
systemctl enable sing-box
log "安装 TLS 证书到 sing-box ..."
/root/.acme.sh/acme.sh --install-cert -d "$DOMAIN" \
--key-file /etc/sing-box/certs/privkey.pem \
--fullchain-file /etc/sing-box/certs/fullchain.pem \
--reloadcmd "systemctl restart sing-box"
systemctl restart sing-box
log "生成客户端配置 ..."