Telegram-Market/telegram-shop
1
1
Fork 0
Code Issues 40 Pull Requests Actions Packages Projects 1 Releases Wiki Activity
Files
49945d9d816d5517a95f4ecbb77dfd88cc0751b1
telegram-shop/wg/start.sh
NW ba80784ae7 security(docker): remove privileged mode, SYS_MODULE; harden WireGuard (#49 #50) 
- Removed privileged: true from docker-compose.yml
- Removed SYS_MODULE cap_add (kept NET_ADMIN for WireGuard)
- Removed source code bind mounts (./src, package.json)
- Removed wg0.conf and resolv.conf bind mounts (now generated from env)
- Added resource limits: mem_limit 512m, cpus 1.0
- Added healthcheck with curl
- Added non-root user appuser:appgroup in Dockerfile
- wg0.conf now generated from env vars at container startup (WG_PRIVATE_KEY, etc.)
- resolv.conf generated from WG_DNS env var
- Rotated wg0.conf — private key removed from file
- Added WG_ALLOWED_IPS to .env.example

SECURITY: Rotate WireGuard keys on server if previously used in production
2026-06-22 01:26:35 +01:00

184 lines
5.5 KiB
Bash
Raw Blame History

#!/bin/sh
# Функция для отображения разделителя
print_separator() {
echo "════════════════════════════════════════════════════════════════════════════════"
}
# Функция для отображения заголовка этапа
print_stage() {
echo "║ 🚀 $1"
print_separator
}
# Функция для отображения результата
print_result() {
local status=$?
local message=$1
local action=$2
if [ -n "$action" ]; then
case "$action" in
"created")
echo "║ 🆕 $message"
;;
"exists")
echo "║ ✅ $message"
;;
*)
if [ $status -eq 0 ]; then
echo "║ ✅ $message"
else
echo "║ ❌ $message"
fi
;;
esac
else
if [ $status -eq 0 ]; then
echo "║ ✅ $message"
else
echo "║ ❌ $message"
fi
fi
print_separator
}
# ============================================================
# WireGuard: полное отключение
# ============================================================
if [ "$WG_ENABLED" = "false" ]; then
print_stage "WireGuard is disabled"
print_result "Skipping WireGuard setup"
print_stage "Starting application"
echo "║ Application is starting..."
exec node src/index.js
exit 0
fi
# ============================================================
# WireGuard: включён, но нет приватного ключа — warn и skip
# ============================================================
if [ -z "$WG_PRIVATE_KEY" ]; then
print_stage "WireGuard misconfiguration"
echo "║ ⚠️ WG_ENABLED=true but WG_PRIVATE_KEY is empty"
echo "║ ⚠️ Skipping WireGuard setup. Set WG_PRIVATE_KEY or set WG_ENABLED=false"
print_result "WireGuard skipped (missing private key)"
print_stage "Starting application"
echo "║ Application is starting without VPN..."
exec node src/index.js
exit 0
fi
# ============================================================
# Генерация /etc/resolv.conf из WG_DNS
# ============================================================
print_stage "Configuring /etc/resolv.conf"
if [ -n "$WG_DNS" ]; then
echo "║ Using DNS from env WG_DNS: $WG_DNS"
echo "nameserver $WG_DNS" > /etc/resolv.conf
else
echo "║ WG_DNS empty — using fallback DNS: 1.1.1.1, 8.8.8.8"
echo "nameserver 1.1.1.1" > /etc/resolv.conf
echo "nameserver 8.8.8.8" >> /etc/resolv.conf
fi
print_result "/etc/resolv.conf configured." "created"
# ============================================================
# Генерация /etc/wireguard/wg0.conf из env vars
# ============================================================
print_stage "Generating /etc/wireguard/wg0.conf from environment"
cat > /etc/wireguard/wg0.conf <<EOF
# Generated from environment variables at container start.
# DO NOT commit real keys to the repository.
[Interface]
PrivateKey = ${WG_PRIVATE_KEY}
Address = ${WG_ADDRESS}
DNS = ${WG_DNS}
[Peer]
PublicKey = ${WG_PUBLIC_KEY}
PresharedKey = ${WG_PRESHARED_KEY}
AllowedIPs = ${WG_ALLOWED_IPS:-0.0.0.0/0,::/0}
PersistentKeepalive = 0
Endpoint = ${WG_ENDPOINT}
EOF
chmod 600 /etc/wireguard/wg0.conf
print_result "wg0.conf generated with mode 0600." "created"
# ============================================================
# Проверка сети ДО включения WireGuard
# ============================================================
print_stage "Testing connectivity BEFORE WireGuard"
echo "║ Pinging 1.1.1.1..."
ping -c 4 1.1.1.1 > /tmp/ping.log 2>&1
if [ $? -eq 0 ]; then
echo "║ Ping successful."
cat /tmp/ping.log | sed 's/^/║ /'
else
echo "║ Ping failed."
fi
print_separator
# ============================================================
# Запуск WireGuard
# ============================================================
print_stage "Starting WireGuard"
wg-quick up wg0 2>&1 | tee /tmp/wg.log
wg_status=$?
if [ $wg_status -eq 0 ]; then
echo "║ WireGuard started successfully."
print_result "WireGuard interface activated successfully."
else
echo "║ WireGuard failed to start. Logs:"
cat /tmp/wg.log | sed 's/^/║ /'
print_result "Failed to start WireGuard interface!"
exit 1
fi
# Проверка маршрутизации после запуска WireGuard
print_stage "Routing table AFTER WireGuard"
ip route | sed 's/^/║ /'
print_separator
# Проверка сети ПОСЛЕ включения WireGuard
print_stage "Testing connectivity AFTER WireGuard"
echo "║ Pinging 1.1.1.1..."
ping -c 4 1.1.1.1 > /tmp/ping.log 2>&1
if [ $? -eq 0 ]; then
echo "║ Ping successful."
cat /tmp/ping.log | sed 's/^/║ /'
else
echo "║ Ping failed."
fi
print_separator
# Проверка DNS
print_stage "Testing DNS"
nslookup api.ipify.org > /tmp/dns.log 2>&1
if [ $? -eq 0 ]; then
echo "║ DNS lookup successful."
cat /tmp/dns.log | sed 's/^/║ /'
else
echo "║ DNS lookup failed."
fi
print_separator
# Проверка подключения через icanhazip.com
print_stage "Testing external connectivity (icanhazip.com)"
echo "║ Fetching external IP..."
curl -s https://icanhazip.com > /tmp/curl.log 2>&1
if [ $? -eq 0 ]; then
echo "║ Connection successful."
echo "║ External IP: $(cat /tmp/curl.log)"
else
echo "║ Connection failed."
fi
print_separator
# Запуск приложения
print_stage "Starting application"
echo "║ Application is starting..."
exec node src/index.js
Reference in New Issue View Git Blame Copy Permalink