⚡ goacme/lego

.env

@@ -1,7 +1,18 @@
-PANEL_TYPE=NewV2board
-API_HOST=https://api.host.com
-API_KEY=88888888
-NODE_ID=8
-NODE_TYPE=V2ray
-CERT_MODE=none
-CERT_DOMAIN=cert.domain.com
+XBOARD_API_HOST=https://api.host.com
+XBOARD_API_KEY=88888888
+
+XRAYR_PANEL_TYPE=NewV2board
+XRAYR_NODE_TYPE=V2ray
+
+XRAYR_NODE_ID=8
+HYSTERIA_NODE_ID=8
+
+LEGO_DNS=rfc2136
+LEGO_DOMAIN=
+LEGO_EMAIL=hi@gmail.com
+
+RFC2136_NAMESERVER=ns1.dynv6.com
+RFC2136_TSIG_ALGORITHM=hmac-sha512 
+RFC2136_TSIG_KEY=
+RFC2136_TSIG_SECRET=
+RFC2136_TTL=60

Dockerfile

@@ -1,9 +1,60 @@
-FROM ghcr.io/xrayr-project/xrayr:v0.9.2
+FROM ghcr.io/cedar2025/hysteria:v1.0.7 AS hysteria
+FROM ghcr.io/wyx2685/xrayr:master AS xrayr
+FROM goacme/lego:v4.15 AS lego
 
-WORKDIR /
+FROM alpine
 
-COPY scripts/xrayr.sh .
+ARG SUPERCRONIC_URL=https://github.com/aptible/supercronic/releases/download/v0.2.29/supercronic-linux-amd64 \
+    OVERMIND_URL=https://github.com/DarthSim/overmind/releases/download/v2.4.0/overmind-v2.4.0-linux-amd64.gz
 
-RUN chmod +x /xrayr.sh
+ENV OVERMIND_CAN_DIE=lego,hysteria,xrayr \
+    OVERMIND_PROCFILE=/Procfile \
 
-ENTRYPOINT [ "/xrayr.sh" ]
+    XBOARD_API_HOST=https://api.host.com \
+    XBOARD_API_KEY=88888888 \
+
+    HYSTERIA_NODE_ID= \
+    XRAYR_NODE_ID= \
+
+    LEGO_DNS=rfc2136 \
+    LEGO_DOMAIN= \
+    LEGO_EMAIL=hi@gmail.com \
+
+    RFC2136_NAMESERVER=ns1.dynv6.com \
+    RFC2136_TSIG_ALGORITHM=hmac-sha512 \ 
+    RFC2136_TSIG_KEY= \
+    RFC2136_TSIG_SECRET= \
+    RFC2136_TTL=60
+
+COPY --from=lego /lego /usr/local/bin/lego
+COPY --from=hysteria /usr/local/bin/hysteria /usr/local/bin/hysteria
+COPY --from=xrayr /usr/local/bin/XrayR /usr/local/bin/XrayR
+
+COPY config/crontab \
+     config/Procfile \
+     scripts/lego.sh \
+     scripts/hysteria.sh \
+     scripts/xrayr.sh \
+     /
+
+RUN apk add --no-cache \
+        curl \
+        ca-certificates \
+        tzdata \
+        tmux \
+
+        && rm -rf /var/cache/apk/* \
+        && curl -fsSL "$SUPERCRONIC_URL" -o /usr/local/bin/supercronic \
+        && curl -fsSL "$OVERMIND_URL" | gunzip -c - > /usr/local/bin/overmind \
+
+        && chmod +x /usr/local/bin/lego \
+        && chmod +x /usr/local/bin/supercronic \
+        && chmod +x /usr/local/bin/overmind \
+        && chmod +x /usr/local/bin/hysteria \
+        && chmod +x /usr/local/bin/XrayR \
+
+        && chmod +x /lego.sh \
+        && chmod +x /hysteria.sh \
+        && chmod +x /xrayr.sh
+
+ENTRYPOINT [ "overmind", "start" ]

config/Procfile

@@ -0,0 +1,4 @@
+lego: /lego.sh
+xrayr: /xrayr.sh
+hysteria: /hysteria.sh
+crontab: supercronic /crontab

config/crontab

@@ -0,0 +1 @@
+@daily echo "TEST"

scripts/hysteria.sh

@@ -0,0 +1,35 @@
+#!/bin/sh
+
+if [ -z "$HYSTERIA_NODE_ID" ]; then
+  exit 1
+fi
+
+TLS_MODE=none
+
+if [ -n "$LEGO_DOMAIN" ]; then
+  while [ ! -f "/.lego/certificates/${LEGO_DOMAIN}.crt" ]; do
+      sleep 5
+  done
+  TLS_MODE=tls
+fi
+
+cat > /hysteria.yaml <<EOF
+v2board:
+  apiHost: $XBOARD_API_HOST
+  apiKey: $XBOARD_API_KEY
+  nodeID: $HYSTERIA_NODE_ID
+auth:
+  type: v2board
+${TLS_MODE}:
+  cert: /.lego/certificates/${LEGO_DOMAIN}.crt
+  key: /.lego/certificates/${LEGO_DOMAIN}.key
+acl: 
+  inline: 
+    - reject(10.0.0.0/8)
+    - reject(172.16.0.0/12)
+    - reject(192.168.0.0/16)
+    - reject(127.0.0.0/8)
+    - reject(fc00::/7)
+EOF
+
+hysteria server -c /hysteria.yaml

scripts/lego.sh

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+if [ -z "$LEGO_DOMAIN" ]; then
+  exit 1
+fi
+
+lego \
+    --accept-tos \
+    --dns $LEGO_DNS \
+    --dns.resolvers 8.8.8.8:53 \
+    --domains $LEGO_DOMAIN \
+    --email $LEGO_EMAIL \
+    run

scripts/xrayr.sh

@@ -1,14 +1,22 @@
 #!/bin/sh
 
-PANEL_TYPE=${PANEL_TYPE:-NewV2board}
-API_HOST=${API_HOST:-https://api.host.com}
-API_KEY=${API_KEY:-88888888}
-NODE_ID=${NODE_ID:-8}
-NODE_TYPE=${NODE_TYPE:-V2ray}
-CERT_MODE=${CERT_MODE:-none}
-CERT_DOMAIN=${CERT_DOMAIN:-cert.domain.com}
+if [ -z "$XRAYR_NODE_ID" ]; then
+  exit 1
+fi
 
-cat > /etc/XrayR/config.yml <<EOF
+CERT_MODE=none
+
+if [ -n "$LEGO_DOMAIN" ]; then
+  while [ ! -f "/.lego/certificates/${LEGO_DOMAIN}.crt" ]; do
+      sleep 5
+  done
+  CERT_MODE=file
+fi
+
+XRAYR_PANEL_TYPE=${XRAYR_PANEL_TYPE:-NewV2board}
+XRAYR_NODE_TYPE=${XRAYR_NODE_TYPE:-V2ray}
+
+cat > /xrayr.yml <<EOF
 Log:
   Level: none                              # 日志级别：none, error, warning, info, debug
   AccessPath:                              # 访问日志路径：/etc/XrayR/access.Log
@@ -24,12 +32,12 @@ ConnectionConfig:
   DownlinkOnly: 4                          # 当连接上行线路关闭后的时间限制，秒
   BufferSize: 64                           # 每个连接的内部缓存大小，kB
 Nodes:
-  - PanelType: $PANEL_TYPE                 # 面板类型：SSpanel, NewV2board, V2board, PMpanel, Proxypanel
+  - PanelType: $XRAYR_PANEL_TYPE           # 面板类型：SSpanel, NewV2board, V2board, PMpanel, Proxypanel
     ApiConfig:
-      ApiHost: $API_HOST
-      ApiKey: $API_KEY
-      NodeID: $NODE_ID
-      NodeType: $NODE_TYPE                 # 节点类型：V2ray, Trojan, Shadowsocks, Shadowsocks-Plugin
+      ApiHost: $XBOARD_API_HOST
+      ApiKey: $XBOARD_API_KEY
+      NodeID: $XRAYR_NODE_ID
+      NodeType: $XRAYR_NODE_TYPE           # 节点类型：V2ray, Trojan, Shadowsocks, Shadowsocks-Plugin
       Timeout: 10                          # API请求超时时间
       EnableVless: false                   # 是否启用Vless（仅适用于V2ray类型）
       EnableXTLS: false                    # 是否启用XTLS（适用于V2ray和Trojan类型）
@@ -67,9 +75,10 @@ Nodes:
           Dest: 80                         # 必填，备用服务器的目标，详细信息请参考 https://xtls.github.io/config/fallback/
           ProxyProtocolVer: 0              # 发送的PROXY协议版本，设置为0表示禁用
       CertConfig:
-        CertMode: $CERT_MODE               # 获取证书的选项：none, file, http, dns。选择"none"将强制禁用TLS配置。
-        RejectUnknownSni: true             # 拒绝未知的sni
-        CertDomain: $CERT_DOMAIN           # 需要证书的域名
+        CertMode: ${CERT_MODE}
+        CertDomain: ${LEGO_DOMAIN}
+        CertFile: /.lego/certificates/${LEGO_DOMAIN}.crt
+        KeyFile: /.lego/certificates/${LEGO_DOMAIN}.key
 EOF
 
-XrayR --config /etc/XrayR/config.yml
+XrayR --config /xrayr.yml