vpn

2026-02-09 20:42:24 +03:00
parent 0a8f11397d
commit a6d2623802
38 changed files with 2198 additions and 1 deletions
--- a/roles/xray-vps-setup/tasks/bbr.yml
+++ b/roles/xray-vps-setup/tasks/bbr.yml
@@ -0,0 +1,10 @@
+- name: Set BBR
+  ansible.posix.sysctl:
+    name: net.core.default_qdisc
+    value: "fq"
+    state: present
+- name: Set queue
+  ansible.posix.sysctl:
+    name: net.ipv4.tcp_congestion_control
+    value: "bbr"
+    state: present
--- a/roles/xray-vps-setup/tasks/end_xray.yml
+++ b/roles/xray-vps-setup/tasks/end_xray.yml
@@ -0,0 +1,63 @@
+- name: Print clipboard string
+  debug:
+    msg: "vless://{{ xray_uuid.stdout }}@{{ vless.domain }}:443?type=tcp&security=reality&pbk={{ x25519_pbk.stdout }}&fp=chrome&sni={{ vless.domain }}&sid={{ short_id.stdout }}&spx=%2F&flow=xtls-rprx-vision"
+- name: XRay outbound config 
+  debug:
+    msg: |
+          {
+            "tag": "default",
+            "protocol": "vless",
+            "settings": {
+              "vnext": [
+                {
+                  "address": "{{ vless.domain }}",
+                  "port": 443,
+                  "users": [
+                    {
+                      "id": "{{ xray_uuid.stdout }}",
+                      "encryption": "none",
+                      "flow": "xtls-rprx-vision"
+                    }
+                  ]
+                }
+              ]
+            },
+            "streamSettings": {
+              "network": "tcp",
+              "security": "reality",
+              "realitySettings": {
+                "serverName": "{{ vless.domain }}",
+                "fingerprint": "chrome",
+                "publicKey": "{{ x25519_pbk.stdout }}",
+                "shortId": "{{ short_id.stdout }}",
+                "spiderX": ""
+              }
+            }
+          }
+- name: Sing-box outbound config
+  debug:
+    msg: |
+          {
+              "type": "vless",
+              "server": "{{ vless.domain }}",
+              "server_port": 443,
+              "uuid": "{{ xray_uuid.stdout }}",
+              "flow": "xtls-rprx-vision",
+              "tls": {
+                  "enabled": true,
+                  "insecure": false,
+                  "server_name": "{{ vless.domain }}",
+                  "utls": {
+                      "enabled": true,
+                      "fingerprint": "chrome"
+                  },
+                  "reality": {
+                      "enabled": true,
+                      "public_key": "{{ x25519_pbk.stdout }}",
+                      "short_id": "{{ short_id.stdout }}"
+                  }
+              }
+          }
+- name: Print PBK, SID and UUID to connect to server.
+  debug:
+    msg: "UUID: {{ xray_uuid.stdout }}, SID: {{ short_id.stdout }}, PBK: {{ x25519_pbk.stdout }}"
--- a/roles/xray-vps-setup/tasks/install_docker.yml
+++ b/roles/xray-vps-setup/tasks/install_docker.yml
@@ -0,0 +1,13 @@
+- name: Add Docker GPG apt Key
+  ansible.builtin.apt_key:
+    url: https://download.docker.com/linux/ubuntu/gpg
+    state: present
+- name: Add Docker Repository
+  ansible.builtin.apt_repository:
+    repo: deb https://download.docker.com/linux/ubuntu focal stable
+    state: present
+- name: Update install docker-ce
+  ansible.builtin.apt:
+    name: docker-ce
+    state: latest
+    update_cache: true
--- a/roles/xray-vps-setup/tasks/install_marzban.yml
+++ b/roles/xray-vps-setup/tasks/install_marzban.yml
@@ -0,0 +1,31 @@
+- name: Generate marzban specific values
+  block:
+    - name: Generate marzban password
+      set_fact:
+        MARZBAN_PASS: "{{ lookup('password', '/dev/null length=13 chars=ascii_letters') }}"
+    - name: Generate marzban password
+      set_fact:
+        MARZBAN_PATH: "{{ lookup('password', '/dev/null length=8 chars=ascii_letters') }}"
+    - name: Generate marzban password
+      set_fact:
+        MARZBAN_SUB_PATH: "{{ lookup('password', '/dev/null length=8 chars=ascii_letters') }}"
+- name: Create dirs
+  file:
+    path: "{{ item }}"
+    state: directory
+  loop:
+    - /opt/xray-vps-setup/caddy
+    - /opt/xray-vps-setup/marzban
+    - /opt/xray-vps-setup/marzban/templates/home
+- name: Copy config files
+  ansible.builtin.template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+  loop:
+    - { src: "caddyfile.j2", dest: "/opt/xray-vps-setup/caddy/Caddyfile" }
+    - { src: "xray.json.j2", dest: "/opt/xray-vps-setup/marzban/xray_config.json" }
+    - { src: "marzban.j2", dest: "/opt/xray-vps-setup/marzban/.env" }
+    - { src: "confluence.j2", dest: "/opt/xray-vps-setup/marzban/templates/home/index.html" }
+    - { src: "marzban_docker.j2", dest: "/opt/xray-vps-setup/docker-compose.yml" }
+- debug:
+    msg: "Marzban password: {{ MARZBAN_PASS }}, marzban path: {{ MARZBAN_PATH }}"
--- a/roles/xray-vps-setup/tasks/install_xray.yml
+++ b/roles/xray-vps-setup/tasks/install_xray.yml
@@ -0,0 +1,16 @@
+- name: Create dirs
+  file:
+    path: "{{ item }}"
+    state: directory
+  loop:
+    - /opt/xray-vps-setup/caddy/templates
+    - /opt/xray-vps-setup/xray
+- name: Copy config files
+  ansible.builtin.template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+  loop:
+    - { src: "caddyfile.j2", dest: "/opt/xray-vps-setup/caddy/Caddyfile" }
+    - { src: "confluence.j2", dest: "/opt/xray-vps-setup/caddy/templates/index.html" }
+    - { src: "xray.json.j2", dest: "/opt/xray-vps-setup/xray/config.json" }
+    - { src: "xray_docker.j2", dest: "/opt/xray-vps-setup/docker-compose.yml" }
--- a/roles/xray-vps-setup/tasks/install_yq.yml
+++ b/roles/xray-vps-setup/tasks/install_yq.yml
@@ -0,0 +1,5 @@
+- name: Download yq
+  ansible.builtin.get_url:
+    url: https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
+    dest: /usr/bin/yq
+    mode: '0755'
--- a/roles/xray-vps-setup/tasks/iptables.yml
+++ b/roles/xray-vps-setup/tasks/iptables.yml
@@ -0,0 +1,46 @@
+- name: IPTables rules
+  block:
+    - name: Install netfilter-persistent
+      apt:
+        name: netfilter-persistent
+        state: present
+    - name: Allow related and established connections
+      ansible.builtin.iptables:
+        chain: INPUT
+        ctstate: ESTABLISHED,RELATED
+        jump: ACCEPT
+      become: yes
+    - name: Allow new incoming SYN packets on specified port
+      ansible.builtin.iptables:
+        chain: INPUT
+        protocol: tcp
+        destination_port: "{{ SSH_PORT }}"
+        ctstate: NEW
+        syn: match
+        jump: ACCEPT
+    - name: Allow ICMP 
+      ansible.builtin.iptables:
+        chain: INPUT
+        protocol: icmp
+        jump: ACCEPT
+    - name: Allow 80, 443 connections
+      ansible.builtin.iptables:
+        chain: INPUT
+        protocol: tcp
+        destination_ports:
+          - "80"
+          - "443"
+        jump: ACCEPT
+    - name: Allow loopback in
+      shell:
+        cmd: iptables -A INPUT -i lo -j ACCEPT
+    - name: Allow loopback out
+      shell:
+        cmd: iptables -A OUTPUT -o lo -j ACCEPT
+    - name: INPUT DROP
+      ansible.builtin.iptables:
+        chain: INPUT
+        policy: DROP
+    - name: Save iptables rules
+      shell:
+        cmd: netfilter-persistent save
--- a/roles/xray-vps-setup/tasks/main.yml
+++ b/roles/xray-vps-setup/tasks/main.yml
@@ -0,0 +1,54 @@
+---
+- name: Populate service facts
+  ansible.builtin.service_facts:
+- name: Enable BBR
+  include_tasks: bbr.yml
+- name: Install docker
+  include_tasks: install_docker.yml
+  when: ansible_facts.services['docker'] is undefined
+- name: Install/update yq
+  include_tasks: install_yq.yml
+- name: Security block
+  block:
+    - name: Edit SSHD config
+      include_tasks: ssh.yml
+    - name: Edit iptables
+      include_tasks: iptables.yml
+    - name: Add user
+      include_tasks: user.yml
+  when: configure_security|default(false)|bool == true
+- name: Generate values
+  block:
+    - name: Generate x25519 PIK 
+      shell:
+        cmd: docker run --rm ghcr.io/xtls/xray-core x25519 | head -n1 | cut -d' ' -f 3
+      register: x25519_pik
+    - name: Generate x25519 PBK 
+      shell:
+        cmd: docker run --rm ghcr.io/xtls/xray-core x25519 -i {{ x25519_pik.stdout }} | tail -1 | cut -d' ' -f 3
+      register: x25519_pbk
+    - name: Generate SID
+      shell:
+        cmd: openssl rand -hex 8
+      register: short_id
+    - name: Generate default user
+      shell:
+        cmd: docker run --rm ghcr.io/xtls/xray-core uuid
+      register: xray_uuid
+- name: Install marzban
+  include_tasks: install_marzban.yml
+  when: setup_variant == "marzban"
+- name: Install xray
+  include_tasks: install_xray.yml
+  when: setup_variant == "xray"
+- name: Install warp
+  include_tasks: setup_warp.yml
+  when: setup_warp|default(false)|bool == true
+- name: Start proxy
+  community.docker.docker_compose_v2:
+    project_src: /opt/xray-vps-setup
+    files:
+    - docker-compose.yml
+- name: End xray
+  include_tasks: end_xray.yml
+  when: setup_variant == "xray"
--- a/roles/xray-vps-setup/tasks/setup_warp.yml
+++ b/roles/xray-vps-setup/tasks/setup_warp.yml
@@ -0,0 +1,61 @@
+#- name: Add WARP GPG key
+#  ansible.builtin.get_url:
+#    url: https://pkg.cloudflareclient.com/pubkey.gpg
+#    dest: /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg
+#    mode: '0644'
+#    force: true
+- name: Add WARP GPG key
+  ansible.builtin.shell:
+    cmd: curl -fsSL https://pkg.cloudflareclient.com/pubkey.gpg | gpg --yes --dearmor --output /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg
+- name: Add WARP repo
+  ansible.builtin.apt_repository:
+    filename: cloudflare-client
+    repo: "deb [signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ {{ ansible_facts['distribution_release'] }} main"
+- name:
+  apt:
+    name: cloudflare-warp
+    state: present
+    update_cache: yes
+- name: Register WARP
+  shell:
+    cmd: echo "y" | warp-cli registration new
+- shell:
+    cmd: warp-cli mode proxy
+- shell:
+    cmd: warp-cli proxy port 40000
+- shell:
+    cmd: warp-cli connect
+- name: Edit xray config
+  block:
+    - command:
+        argv:
+          - yq
+          - eval
+          - '.outbounds += {"tag": "warp","protocol": "socks","settings": {"servers": [{"address": "127.0.0.1","port": 40000}]}}'
+          - -i
+          - /opt/xray-vps-setup/xray/config.json
+    - command:
+        argv:
+          - yq
+          - eval
+          - '.routing.rules += {"outboundTag": "warp", "domain": ["geosite:category-ru", "regexp:.*\\.xn--$", "regexp:.*\\.ru$", "regexp:.*\\.su$"]}'
+          - -i
+          - /opt/xray-vps-setup/xray/config.json
+  when: setup_variant == "xray"
+- name: Edit marzban config
+  block:
+    - command:
+        argv: 
+          - yq
+          - eval
+          - '.outbounds += {"tag": "warp","protocol": "socks","settings": {"servers": [{"address": "127.0.0.1","port": 40000}]}}'
+          - -i
+          - /opt/xray-vps-setup/marzban/xray_config.json
+    - command:
+        argv:
+          - yq
+          - eval
+          - '.routing.rules += {"outboundTag": "warp", "domain": ["geosite:category-ru", "regexp:.*\\.xn--$", "regexp:.*\\.ru$", "regexp:.*\\.su$"]}'
+          - -i
+          - /opt/xray-vps-setup/marzban/xray_config.json
+  when: setup_variant == "marzban"
--- a/roles/xray-vps-setup/tasks/ssh.yml
+++ b/roles/xray-vps-setup/tasks/ssh.yml
@@ -0,0 +1,14 @@
+- name: Change SSH port
+  shell:
+    cmd: grep -r Port /etc/ssh -l | xargs -n 1 sed -i -e "/Port /c\Port {{ SSH_PORT }}"
+- name: Disable password login
+  shell:
+    cmd: grep -r PasswordAuthentication /etc/ssh -l | xargs -n 1 sed -i -e "/PasswordAuthentication /c\PasswordAuthentication no"
+- name: Disable root login
+  shell:
+    cmd: grep -r PermitRootLogin /etc/ssh -l | xargs -n 1 sed -i -e "/PermitRootLogin /c\PermitRootLogin no"
+- name: Restart ssh
+  service:
+    name: ssh
+    state: restarted
+    daemon_reload: true
--- a/roles/xray-vps-setup/tasks/user.yml
+++ b/roles/xray-vps-setup/tasks/user.yml
@@ -0,0 +1,14 @@
+- name: Add user
+  ansible.builtin.user:
+    name: "{{ user_to_create }}"
+    shell: /bin/bash
+    groups: sudo,docker
+    password: "{{ user_password | password_hash('sha512') }}"
+    append: yes
+    update_password: on_create
+  register: "xray_user"
+- name: Add ssh_pbk to user
+  ansible.posix.authorized_key:
+    user: "{{ user_to_create }}"
+    state: "present"
+    key: "{{ ssh_public_key }}"