├── .gitignore ├── LICENSE ├── README.md ├── consul └── run.sh ├── elasticsearch ├── 3-nodes-cluster │ ├── .gitignore │ ├── es.sh │ ├── kibana.yml │ └── readme.md └── single-node │ ├── .gitignore │ ├── elasticsearch.yml │ ├── es.sh │ ├── kibana.yml │ └── readme.md ├── gitlab-arm64 ├── .gitignore ├── nginx.conf ├── readme.md ├── run_gitlab.sh └── stop_gitlab.sh ├── grafana ├── .gitignore ├── nginx.conf ├── start.sh └── stop.sh ├── jenkins ├── nginx.conf ├── readme.md ├── start_jenkins.sh └── stop.sh ├── kafka ├── .gitignore └── start.sh ├── mysql ├── .env.example ├── .gitignore ├── config │ └── my.cnf ├── init_sql │ └── 1.sql ├── mysql_client.sh ├── mysql_dump.sh └── run_mysql_server.sh ├── nginx ├── .gitignore ├── README.md ├── conf.d │ ├── .gitignore │ ├── .gitkeep │ └── README.md ├── fail2ban │ ├── filter.d │ │ ├── nginx-http-cc.conf │ │ └── nginx-stream-cc.conf │ ├── jail.d │ │ ├── nginx-http-cc.conf │ │ └── nginx-stream-cc.conf │ ├── readme.md │ └── set_fail2ban.sh ├── nginx.conf ├── reload_nginx.sh ├── run_nginx.sh ├── ssl │ └── .gitignore ├── stop_nginx.sh └── stream.d │ ├── .gitignore │ └── .gitkeep ├── public ├── add_config_to_nginx.sh └── docker-network.sh ├── redis ├── redis-cli.sh └── run_redis_server.sh ├── registry ├── .gitignore ├── certs │ ├── i.com.crt │ └── i.com.key ├── readme.md └── start.sh └── tools ├── dingtalk_notify ├── .gitignore ├── README.md ├── config.ini.example ├── dingtalk.py └── send_ipv6.sh ├── fail2ban ├── centos7-fail2ban │ ├── jail.d │ │ └── ssh.conf │ └── readme.md ├── fail2ban-status.sh ├── ubuntu24-fail2ban │ ├── jail.d │ │ └── ssh.conf │ └── readme.md └── unban-all.sh ├── feishu_notify ├── notify.py └── requirements.txt ├── freeradius-openldap ├── freeradius │ ├── Dockerfile │ ├── clients.conf │ └── mods-enabled │ │ └── ldap ├── openldap │ ├── README.md │ ├── init │ │ ├── add_user.ldif │ │ ├── basedomain.ldif │ │ └── change_password.ldif │ └── start_openldap.sh └── readme.md └── upload_cos ├── .env.example ├── .gitignore ├── 
main.py ├── readme.md └── requirements.txt /.gitignore: -------------------------------------------------------------------------------- 1 | .env 2 | __pycache__ 3 | venv/ 4 | config.ini 5 | .DS_Store 6 | custom_nginx.conf 7 | 8 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 iuxt 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # quickstart项目说明 2 | 3 | 这个项目主要是用于快速的搭建服务,有时候我们只是想要一个学习或者测试的环境,所以没有必要把时间浪费在如何搭建上面,这个项目就是一个快速搭建环境的集合 4 | 5 | 详细说明请进入对应的文件夹查看说明或查看对应项目的官方文档 6 | 7 | 很多项目需要依赖Docker,安装docker可以使用 8 | 9 | ```bash 10 | curl -fsSL get.docker.com | bash 11 | ``` 12 | 13 | 项目配置文件统一叫.env,第一次使用需要从.env.example复制,并做修改 14 | 15 | 小工具都放到了tools里面 16 | 17 | public里面是本项目的公共脚本, 比如创建docker网络 18 | 19 | ## Sponsor 20 | The project is develop by [JetBrains Ide](https://www.jetbrains.com/?from=puck) 21 | 22 | [![](https://www.jetbrains.com/company/brand/img/logo1.svg)](https://www.jetbrains.com/?from=puck) 23 | -------------------------------------------------------------------------------- /consul/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | docker run -d --net=host --rm --name=consul consul:1.15.4 4 | 5 | -------------------------------------------------------------------------------- /elasticsearch/3-nodes-cluster/.gitignore: -------------------------------------------------------------------------------- 1 | certs/ 2 | es-data*/ 3 | es-logs*/ 4 | 5 | -------------------------------------------------------------------------------- /elasticsearch/3-nodes-cluster/es.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # 设置Elasticsearch版本 4 | ELASTIC_VERSION=7.17.14 5 | 6 | sudo sysctl -w vm.max_map_count=262144 7 | 8 | docker network create --subnet=172.16.0.0/24 elasticsearch-br0 9 | mkdir es-data1 es-logs1 10 | mkdir es-data2 es-logs2 11 | mkdir es-data3 es-logs3 12 | mkdir certs 13 | sudo chown -R 1000 es-data1 es-logs1 14 | sudo chown -R 1000 es-data2 es-logs2 15 | sudo chown -R 1000 es-data3 es-logs3 16 | sudo chown -R 1000 certs 17 | 18 | 19 | # 生成证书 20 | docker run --rm -it -v 
$(pwd)/certs:/tmp/certs elasticsearch:${ELASTIC_VERSION} bash -c \ 21 | 'echo -e "\n\n" | /usr/share/elasticsearch/bin/elasticsearch-certutil ca -s -days 36500 && \ 22 | echo -e "\n\n\n" | /usr/share/elasticsearch/bin/elasticsearch-certutil cert -s -days 36500 --ca elastic-stack-ca.p12 && \ 23 | mv /usr/share/elasticsearch/*.p12 /tmp/certs && \ 24 | chmod 644 /tmp/certs/*' 25 | 26 | 27 | docker run -d --name elasticsearch1 \ 28 | --ulimit memlock=-1:-1 \ 29 | -e "ES_JAVA_OPTS=-Xms512m -Xmx512m" \ 30 | -e node.name=elasticsearch1 \ 31 | -e cluster.name=es-cluster \ 32 | -e discovery.seed_hosts=elasticsearch2,elasticsearch3 \ 33 | -e cluster.initial_master_nodes=elasticsearch1,elasticsearch2,elasticsearch3 \ 34 | -e bootstrap.memory_lock=true \ 35 | -e xpack.security.enabled=true \ 36 | -e http.cors.enabled=true \ 37 | -e http.cors.allow-origin="*" \ 38 | -e http.cors.allow-headers=Authorization \ 39 | -e xpack.security.enabled=true \ 40 | -e xpack.security.transport.ssl.enabled=true \ 41 | -e xpack.security.transport.ssl.verification_mode=certificate \ 42 | -e xpack.security.transport.ssl.keystore.path=/usr/share/elasticsearch/config/elastic-certificates.p12 \ 43 | -e xpack.security.transport.ssl.truststore.path=/usr/share/elasticsearch/config/elastic-certificates.p12 \ 44 | -v ./es-data1:/usr/share/elasticsearch/data:rw \ 45 | -v ./es-logs1:/usr/share/elasticsearch/logs:rw \ 46 | --mount type=bind,source=$(pwd)/certs/elastic-certificates.p12,target=/usr/share/elasticsearch/config/elastic-certificates.p12 \ 47 | --network elasticsearch-br0 \ 48 | --ip 172.16.0.11 \ 49 | -p 9201:9200 -p 9301:9300 \ 50 | elasticsearch:${ELASTIC_VERSION} 51 | 52 | docker run -d --name elasticsearch2 \ 53 | --ulimit memlock=-1:-1 \ 54 | -e "ES_JAVA_OPTS=-Xms512m -Xmx512m" \ 55 | -e node.name=elasticsearch2 \ 56 | -e cluster.name=es-cluster \ 57 | -e discovery.seed_hosts=elasticsearch1,elasticsearch3 \ 58 | -e cluster.initial_master_nodes=elasticsearch1,elasticsearch2,elasticsearch3 \ 59 
| -e bootstrap.memory_lock=true \ 60 | -e xpack.security.enabled=true \ 61 | -e http.cors.enabled=true \ 62 | -e http.cors.allow-origin="*" \ 63 | -e http.cors.allow-headers=Authorization \ 64 | -e xpack.security.enabled=true \ 65 | -e xpack.security.transport.ssl.enabled=true \ 66 | -e xpack.security.transport.ssl.verification_mode=certificate \ 67 | -e xpack.security.transport.ssl.keystore.path=/usr/share/elasticsearch/config/elastic-certificates.p12 \ 68 | -e xpack.security.transport.ssl.truststore.path=/usr/share/elasticsearch/config/elastic-certificates.p12 \ 69 | -v ./es-data2:/usr/share/elasticsearch/data:rw \ 70 | -v ./es-logs2:/usr/share/elasticsearch/logs:rw \ 71 | --mount type=bind,source=$(pwd)/certs/elastic-certificates.p12,target=/usr/share/elasticsearch/config/elastic-certificates.p12 \ 72 | --network elasticsearch-br0 \ 73 | --ip 172.16.0.12 \ 74 | -p 9202:9200 -p 9302:9300 \ 75 | elasticsearch:${ELASTIC_VERSION} 76 | 77 | docker run -d --name elasticsearch3 \ 78 | --ulimit memlock=-1:-1 \ 79 | -e "ES_JAVA_OPTS=-Xms512m -Xmx512m" \ 80 | -e node.name=elasticsearch3 \ 81 | -e cluster.name=es-cluster \ 82 | -e discovery.seed_hosts=elasticsearch1,elasticsearch2 \ 83 | -e cluster.initial_master_nodes=elasticsearch1,elasticsearch2,elasticsearch3 \ 84 | -e bootstrap.memory_lock=true \ 85 | -e xpack.security.enabled=true \ 86 | -e http.cors.enabled=true \ 87 | -e http.cors.allow-origin="*" \ 88 | -e http.cors.allow-headers=Authorization \ 89 | -e xpack.security.enabled=true \ 90 | -e xpack.security.transport.ssl.enabled=true \ 91 | -e xpack.security.transport.ssl.verification_mode=certificate \ 92 | -e xpack.security.transport.ssl.keystore.path=/usr/share/elasticsearch/config/elastic-certificates.p12 \ 93 | -e xpack.security.transport.ssl.truststore.path=/usr/share/elasticsearch/config/elastic-certificates.p12 \ 94 | -v ./es-data3:/usr/share/elasticsearch/data:rw \ 95 | -v ./es-logs3:/usr/share/elasticsearch/logs:rw \ 96 | --mount 
type=bind,source=$(pwd)/certs/elastic-certificates.p12,target=/usr/share/elasticsearch/config/elastic-certificates.p12 \ 97 | --network elasticsearch-br0 \ 98 | --ip 172.16.0.13 \ 99 | -p 9203:9200 -p 9303:9300 \ 100 | elasticsearch:${ELASTIC_VERSION} 101 | 102 | 103 | # 等待服务启动正常 104 | sleep 10 105 | while true 106 | do 107 | docker exec elasticsearch1 bash -c "curl -s -o /dev/null http://localhost:9200" 108 | if [ $? == 0 ];then 109 | break 110 | fi 111 | echo "waiting..." 112 | sleep 1 113 | done 114 | 115 | 116 | # 初始化ES密码 117 | ELASTIC_PASSWORD="ywphQxkiLOO0aSPjmvND" 118 | echo "y 119 | ${ELASTIC_PASSWORD} 120 | ${ELASTIC_PASSWORD} 121 | ${ELASTIC_PASSWORD} 122 | ${ELASTIC_PASSWORD} 123 | ${ELASTIC_PASSWORD} 124 | ${ELASTIC_PASSWORD} 125 | ${ELASTIC_PASSWORD} 126 | ${ELASTIC_PASSWORD} 127 | ${ELASTIC_PASSWORD} 128 | ${ELASTIC_PASSWORD} 129 | ${ELASTIC_PASSWORD} 130 | ${ELASTIC_PASSWORD}" | docker exec -i elasticsearch1 /usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive 131 | 132 | 133 | 134 | # 启动kibana 135 | docker run -d --name kibana \ 136 | --net elasticsearch-br0 \ 137 | -p 5601:5601 \ 138 | -v "$(pwd)"/kibana.yml:/usr/share/kibana/config/kibana.yml \ 139 | kibana:${ELASTIC_VERSION} 140 | -------------------------------------------------------------------------------- /elasticsearch/3-nodes-cluster/kibana.yml: -------------------------------------------------------------------------------- 1 | server.name: kibana 2 | server.port: 5601 3 | server.host: "0.0.0.0" 4 | elasticsearch.username: "elastic" 5 | elasticsearch.password: "ywphQxkiLOO0aSPjmvND" 6 | 7 | elasticsearch.hosts: ["http://elasticsearch1:9200", "http://elasticsearch2:9200", "http://elasticsearch3:9200"] 8 | i18n.locale: "zh-CN" -------------------------------------------------------------------------------- /elasticsearch/3-nodes-cluster/readme.md: -------------------------------------------------------------------------------- 1 | ## 证书生成 2 | 3 | ```bash 4 | 
/usr/share/elasticsearch/bin/elasticsearch-certutil ca 5 | /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 6 | ``` 7 | 8 | ## 初始化密码 9 | 10 | ```bash 11 | docker exec elasticsearch1 bash -c "echo y | /usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto" 12 | ``` 13 | 14 | ## 重新设置密码 15 | 16 | ```bash 17 | curl -XPUT -u elastic:belu3EfkGVLiU2vEcRno http://localhost:9200/_xpack/security/user/elastic/_password -H "Content-Type: application/json" -d ' 18 | { 19 | "password": "Ds8meuPwMDEv32f6qLdw" 20 | }' 21 | ``` 22 | 23 | ## 清理集群 24 | 25 | ```bash 26 | docker rm -f kibana elasticsearch1 elasticsearch2 elasticsearch3 27 | docker volume rm es-logs3 es-logs2 es-logs1 es-data3 es-data2 es-data1 28 | ``` -------------------------------------------------------------------------------- /elasticsearch/single-node/.gitignore: -------------------------------------------------------------------------------- 1 | es-data/ 2 | es-logs/ 3 | es-plugins/ 4 | -------------------------------------------------------------------------------- /elasticsearch/single-node/elasticsearch.yml: -------------------------------------------------------------------------------- 1 | cluster.name: "cluster01" 2 | network.host: 0.0.0.0 3 | 4 | xpack.security.enabled: true 5 | 6 | http.cors.enabled: true 7 | http.cors.allow-origin: "*" 8 | -------------------------------------------------------------------------------- /elasticsearch/single-node/es.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | docker network create elasticsearch 4 | docker rm -f elasticsearch kibana 5 | mkdir es-data es-logs 6 | sudo chown -R 1000 es-data es-logs 7 | 8 | 9 | docker run -d --name elasticsearch \ 10 | -e "ES_JAVA_OPTS=-Xms512m -Xmx512m" \ 11 | -e "discovery.type=single-node" \ 12 | -v "$(pwd)"/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro \ 13 | -v 
"$(pwd)"/es-data:/usr/share/elasticsearch/data:rw \ 14 | -v "$(pwd)"/es-logs:/usr/share/elasticsearch/logs:rw \ 15 | --privileged --network elasticsearch \ 16 | -p 9200:9200 -p 9300:9300 \ 17 | elasticsearch:7.17.14 18 | 19 | 20 | # 等待服务启动正常 21 | sleep 10 22 | while true 23 | do 24 | docker exec elasticsearch bash -c "curl -s -o /dev/null http://localhost:9200" 25 | if [ $? == 0 ];then 26 | break 27 | fi 28 | echo "waiting..." 29 | sleep 1 30 | done 31 | 32 | # 初始化ES密码 33 | ELASTIC_PASSWORD="ywphQxkiLOO0aSPjmvND" 34 | echo "y 35 | ${ELASTIC_PASSWORD} 36 | ${ELASTIC_PASSWORD} 37 | ${ELASTIC_PASSWORD} 38 | ${ELASTIC_PASSWORD} 39 | ${ELASTIC_PASSWORD} 40 | ${ELASTIC_PASSWORD} 41 | ${ELASTIC_PASSWORD} 42 | ${ELASTIC_PASSWORD} 43 | ${ELASTIC_PASSWORD} 44 | ${ELASTIC_PASSWORD} 45 | ${ELASTIC_PASSWORD} 46 | ${ELASTIC_PASSWORD}" | docker exec -i elasticsearch /usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive 47 | 48 | 49 | 50 | # 启动kibana 51 | docker run -d --name kibana \ 52 | --net elasticsearch \ 53 | -p 5601:5601 \ 54 | -v "$(pwd)"/kibana.yml:/usr/share/kibana/config/kibana.yml \ 55 | kibana:7.17.14 56 | -------------------------------------------------------------------------------- /elasticsearch/single-node/kibana.yml: -------------------------------------------------------------------------------- 1 | server.name: kibana 2 | server.port: 5601 3 | server.host: "0.0.0.0" 4 | elasticsearch.username: "elastic" 5 | elasticsearch.password: "ywphQxkiLOO0aSPjmvND" 6 | 7 | elasticsearch.hosts: ["http://elasticsearch:9200"] 8 | i18n.locale: "zh-CN" -------------------------------------------------------------------------------- /elasticsearch/single-node/readme.md: -------------------------------------------------------------------------------- 1 | ## 初始化密码 2 | 3 | ```bash 4 | docker exec elasticsearch bash -c "echo y | /usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto" 5 | ``` 6 | 7 | ## 重新设置密码 8 | 9 | ```bash 10 | curl -XPUT -u 
elastic:belu3EfkGVLiU2vEcRno http://localhost:9200/_xpack/security/user/elastic/_password -H "Content-Type: application/json" -d ' 11 | { 12 | "password": "Ds8meuPwMDEv32f6qLdw" 13 | }' 14 | ``` 15 | -------------------------------------------------------------------------------- /gitlab-arm64/.gitignore: -------------------------------------------------------------------------------- 1 | config/ 2 | data/ 3 | logs/ 4 | redis/ 5 | postgres/ 6 | gitlab/ 7 | conf/ 8 | -------------------------------------------------------------------------------- /gitlab-arm64/nginx.conf: -------------------------------------------------------------------------------- 1 | upstream gitlab { 2 | server gitlab-ce:80; 3 | } 4 | 5 | server { 6 | listen 80; 7 | listen [::]:80; 8 | listen 443 ssl; 9 | listen [::]:443 ssl; 10 | server_name gitlab.babudiu.com ; 11 | client_max_body_size 1024m; 12 | 13 | ssl_certificate ssl/gitlab.babudiu.com.crt; 14 | ssl_certificate_key ssl/gitlab.babudiu.com.key; 15 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 16 | ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE; 17 | ssl_prefer_server_ciphers on; 18 | ssl_session_cache shared:SSL:10m; 19 | ssl_session_timeout 10m; 20 | error_page 497 https://$host$request_uri; 21 | 22 | if ( $scheme = http ){ 23 | rewrite ^(/.*)$ https://$host$1 permanent; 24 | } 25 | 26 | location / { 27 | proxy_pass http://gitlab; 28 | proxy_set_header HOST $host; 29 | proxy_set_header X-Forwarded-Proto $scheme; 30 | proxy_set_header X-Real-IP $remote_addr; 31 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 32 | } 33 | 34 | } 35 | -------------------------------------------------------------------------------- /gitlab-arm64/readme.md: -------------------------------------------------------------------------------- 1 | 构建arm64镜像的作者仓库,以及流水线 2 | https://git.yrzr.tk/docker/gitlab-ce-arm64/-/pipelines 3 | 4 | 5 | 初始账号root 6 | 7 | 初始密码 8 | 9 | ```bash 10 | docker exec gitlab-ce bash -c "cat 
/etc/gitlab/initial_root_password" 11 | ``` 12 | 13 | 14 | 修改ssh port 15 | 16 | vim conf/gitlab.rb 17 | 18 | ```bash 19 | gitlab_rails['gitlab_shell_ssh_port'] = 2222 20 | ``` 21 | -------------------------------------------------------------------------------- /gitlab-arm64/run_gitlab.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | cd $(dirname $0) 3 | 4 | docker run \ 5 | --detach \ 6 | --restart always \ 7 | --name gitlab-ce \ 8 | --privileged \ 9 | --memory 8192M \ 10 | --network iuxt \ 11 | --publish 2222:22 \ 12 | --hostname gitlab.babudiu.com \ 13 | --env GITLAB_OMNIBUS_CONFIG=" \ 14 | gitlab_rails['gitlab_shell_ssh_port'] = 2222 15 | external_url 'https://gitlab.babudiu.com' 16 | nginx['listen_port'] = 80 17 | nginx['listen_https'] = false 18 | " \ 19 | --volume "$PWD"/conf:/etc/gitlab:z \ 20 | --volume "$PWD"/logs:/var/log/gitlab:z \ 21 | --volume "$PWD"/data:/var/opt/gitlab:z \ 22 | --restart always \ 23 | yrzr/gitlab-ce-arm64v8:latest 24 | 25 | ../public/add_config_to_nginx.sh -------------------------------------------------------------------------------- /gitlab-arm64/stop_gitlab.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | cd $(dirname $0) 3 | 4 | docker rm -f gitlab-ce 5 | 6 | rm -f ../nginx/conf.d/"$(basename "$(pwd)")".conf 7 | 8 | ../nginx/reload_nginx.sh 9 | -------------------------------------------------------------------------------- /grafana/.gitignore: -------------------------------------------------------------------------------- 1 | data/ 2 | -------------------------------------------------------------------------------- /grafana/nginx.conf: -------------------------------------------------------------------------------- 1 | server { 2 | listen 80; 3 | listen [::]:80; 4 | listen 443 ssl; 5 | listen [::]:443 ssl; 6 | server_name grafana.babudiu.com; 7 | client_max_body_size 1024m; 8 | 9 | ssl_certificate 
ssl/babudiu.com.crt; 10 | ssl_certificate_key ssl/babudiu.com.key; 11 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 12 | ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE; 13 | ssl_prefer_server_ciphers on; 14 | ssl_session_cache shared:SSL:10m; 15 | ssl_session_timeout 10m; 16 | error_page 497 https://$host$request_uri; 17 | 18 | location / { 19 | proxy_pass http://grafana:3000; 20 | proxy_set_header HOST $host; 21 | proxy_set_header X-Forwarded-Proto $scheme; 22 | proxy_set_header X-Real-IP $remote_addr; 23 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 24 | } 25 | 26 | } 27 | 28 | -------------------------------------------------------------------------------- /grafana/start.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | cd "$(dirname $0)" || exit 3 | 4 | docker rm -f grafana 5 | mkdir data 6 | sudo chown -R 472:472 data 7 | docker run -d --name=grafana \ 8 | --restart always \ 9 | --user 472 \ 10 | -p 8000:3000 \ 11 | --volume "./data:/var/lib/grafana" \ 12 | --add-host=host.docker.internal:host-gateway \ 13 | grafana/grafana 14 | 15 | docker logs -f grafana 16 | -------------------------------------------------------------------------------- /grafana/stop.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | cd $(dirname $0) 3 | 4 | docker rm -f grafana 5 | rm -f ../nginx/conf.d/"$(basename "$(pwd)")".conf 6 | 7 | ../nginx/reload_nginx.sh -------------------------------------------------------------------------------- /jenkins/nginx.conf: -------------------------------------------------------------------------------- 1 | upstream jenkins { 2 | server host.docker.internal:8080; 3 | } 4 | 5 | server { 6 | listen 80; 7 | listen [::]:80; 8 | listen 443 ssl; 9 | listen [::]:443 ssl; 10 | server_name jenkins.babudiu.com ; 11 | client_max_body_size 1024m; 12 | 13 | ssl_certificate ssl/jenkins.babudiu.com.crt; 14 | ssl_certificate_key 
ssl/jenkins.babudiu.com.key; 15 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 16 | ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE; 17 | ssl_prefer_server_ciphers on; 18 | ssl_session_cache shared:SSL:10m; 19 | ssl_session_timeout 10m; 20 | error_page 497 https://$host$request_uri; 21 | 22 | if ( $scheme = http ){ 23 | rewrite ^(/.*)$ https://$host$1 permanent; 24 | } 25 | 26 | location / { 27 | proxy_pass http://jenkins; 28 | proxy_set_header HOST $host; 29 | proxy_set_header X-Forwarded-Proto $scheme; 30 | proxy_set_header X-Real-IP $remote_addr; 31 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 32 | } 33 | 34 | } 35 | -------------------------------------------------------------------------------- /jenkins/readme.md: -------------------------------------------------------------------------------- 1 | 官方说明: 2 | 3 | -------------------------------------------------------------------------------- /jenkins/start_jenkins.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | cd $(dirname $0) 3 | 4 | docker run -d \ 5 | -v jenkins_home:/var/jenkins_home \ 6 | -p 8080:8080 -p 50000:50000 \ 7 | --name jenkins \ 8 | --restart=on-failure \ 9 | jenkins/jenkins:lts-jdk11 10 | 11 | ../public/add_config_to_nginx.sh -------------------------------------------------------------------------------- /jenkins/stop.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | cd $(dirname $0) 3 | 4 | docker rm -f jenkins 5 | rm -f ../nginx/conf.d/"$(basename "$(pwd)")".conf 6 | 7 | ../nginx/reload_nginx.sh -------------------------------------------------------------------------------- /kafka/.gitignore: -------------------------------------------------------------------------------- 1 | kafka-data/ -------------------------------------------------------------------------------- /kafka/start.sh: 
-------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | cd $(dirname $0) 3 | 4 | mkdir kafka-data 5 | sudo chown -R 1001:1001 kafka-data 6 | 7 | sudo docker network create ops 8 | 9 | sudo docker run -d --name kafka-server --hostname kafka-server \ 10 | --network ops \ 11 | -e KAFKA_CFG_NODE_ID=0 \ 12 | -e KAFKA_CFG_PROCESS_ROLES=controller,broker \ 13 | -e KAFKA_CFG_LISTENERS=PLAINTEXT://:9092,CONTROLLER://:9093 \ 14 | -e KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP=CONTROLLER:PLAINTEXT,PLAINTEXT:PLAINTEXT \ 15 | -e KAFKA_CFG_CONTROLLER_QUORUM_VOTERS=0@kafka-server:9093 \ 16 | -e KAFKA_CFG_CONTROLLER_LISTENER_NAMES=CONTROLLER \ 17 | -e KAFKA_CFG_AUTO_CREATE_TOPICS_ENABLE=true \ 18 | -v ./kafka-data:/bitnami/kafka \ 19 | -p 9092:9092 \ 20 | -p 9093:9093 \ 21 | bitnami/kafka:3.8.0 22 | -------------------------------------------------------------------------------- /mysql/.env.example: -------------------------------------------------------------------------------- 1 | MYSQL_ROOT_PASSWORD=123456 2 | MYSQL_PORT=127.0.0.1:3306 3 | MYSQLX_PORT=127.0.0.1:33060 4 | MYSQL_DATABASE=default 5 | MYSQL_DATA=$(pwd)/mysql_data 6 | # for arm server use tag 8-oracle 7 | MYSQL_VERSION=8.0 8 | 9 | # 容器重启策略 10 | # Docker 容器的重启策略具体如下: 11 | 12 | # no 默认策略,在容器退出时不重启容器。启动容器时不添加参数 --restart 即可。 13 | # on-failure 在容器非正常退出时(退出状态非0),才会重启容器。 14 | # on-failure:n 在容器非正常退出时重启容器,并且指定重启次数。n 为正整数。如果不指定次数,则会一直重启。 15 | # always 只要容器退出就重启容器。 16 | # unless-stopped 在容器退出时总是重启容器,但是 Docker 守护进程启动之前就已经停止运行的容器不算在内。 17 | 18 | RESTART=no -------------------------------------------------------------------------------- /mysql/.gitignore: -------------------------------------------------------------------------------- 1 | mysql_data/ 2 | mysql-files/ 3 | .env 4 | 5 | -------------------------------------------------------------------------------- /mysql/config/my.cnf: -------------------------------------------------------------------------------- 1 | [mysqld] 2 | 
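lower_case_table_names = 1

--------------------------------------------------------------------------------
/mysql/init_sql/1.sql:
--------------------------------------------------------------------------------
CREATE DATABASE IF NOT EXISTS database1;
--------------------------------------------------------------------------------
/mysql/mysql_client.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Open an interactive mysql shell as root inside the "mysql" container.
# Reads MYSQL_ROOT_PASSWORD from ./.env (copy .env.example and edit it first).
set -euo pipefail
cd "$(dirname "$0")"

# shellcheck source=/dev/null
source ./.env

# Hand the password to the client through the MYSQL_PWD environment variable
# rather than as -p<password>: a command-line password is visible to every
# process inside the container via `ps`, and a password containing quotes or
# spaces would also have broken the old bash -c string. MYSQL_PWD is marked
# deprecated by MySQL 8.0 but still honored; switch to a login path
# (mysql_config_editor) if a later image drops it.
docker exec -it -e MYSQL_PWD="${MYSQL_ROOT_PASSWORD}" mysql mysql -hlocalhost -uroot
--------------------------------------------------------------------------------
/mysql/mysql_dump.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Dump every database to /var/lib/mysql-files/all.sql inside the container,
# which run_mysql_server.sh bind-mounts from ./mysql-files on the host.
# The dump is plain text holding all data: ./mysql-files is git-ignored,
# keep it that way and restrict its permissions on the host.
set -euo pipefail
cd "$(dirname "$0")"

# shellcheck source=/dev/null
source ./.env

# No -t: a TTY is not needed for a non-interactive dump and would make the
# script fail when run from cron. The password goes via MYSQL_PWD for the
# same reason as in mysql_client.sh (not visible in `ps`).
docker exec -e MYSQL_PWD="${MYSQL_ROOT_PASSWORD}" mysql \
    bash -c "mysqldump -hlocalhost -uroot --all-databases > /var/lib/mysql-files/all.sql"
--------------------------------------------------------------------------------
/mysql/run_mysql_server.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Start a single MySQL container on the shared "iuxt" docker network.
# All tunables (root password, ports, data dir, version, restart policy)
# come from ./.env; see .env.example.
set -euo pipefail
cd "$(dirname "$0")"

# shellcheck source=/dev/null
source .env

# Creates the shared docker network used by the other services.
../public/docker-network.sh

# config/ and init_sql/ are only read by the server, so they are mounted
# read-only. MYSQL_PORT / MYSQLX_PORT carry the bind address as well
# (127.0.0.1:3306 in .env.example), which keeps the server off public
# interfaces unless the value is changed deliberately.
docker run --name mysql \
    -e MYSQL_ROOT_PASSWORD="${MYSQL_ROOT_PASSWORD}" \
    -e MYSQL_DATABASE="${MYSQL_DATABASE}" \
    -v "${MYSQL_DATA}":/var/lib/mysql \
    -v ./mysql-files:/var/lib/mysql-files \
    -v ./config:/etc/mysql/conf.d:ro \
    -v ./init_sql:/docker-entrypoint-initdb.d:ro \
    -p "${MYSQL_PORT}":3306 \
    -p "${MYSQLX_PORT}":33060 \
    --network iuxt \
    --restart "${RESTART}" \
    -d mysql:"${MYSQL_VERSION}"
--------------------------------------------------------------------------------
/nginx/.gitignore:
--------------------------------------------------------------------------------
www/
src/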
-------------------------------------------------------------------------------- /nginx/README.md: -------------------------------------------------------------------------------- 1 | 这个是docker版的nginx,作为所有服务的入口 2 | 3 | 启动不了, 请看日志, 一般都是证书找不到或者配置文件错误等问题. -------------------------------------------------------------------------------- /nginx/conf.d/.gitignore: -------------------------------------------------------------------------------- 1 | *.conf 2 | *.conf.bak 3 | -------------------------------------------------------------------------------- /nginx/conf.d/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/iuxt/quickstart/0c200ebfcba226e4087c83e81639220c572fd215/nginx/conf.d/.gitkeep -------------------------------------------------------------------------------- /nginx/conf.d/README.md: -------------------------------------------------------------------------------- 1 | 这里不要手动创建文件,创建在sites-available,然后执行脚本./enable.sh 2 | 3 | -------------------------------------------------------------------------------- /nginx/fail2ban/filter.d/nginx-http-cc.conf: -------------------------------------------------------------------------------- 1 | [Definition] 2 | failregex = ^\{\"log\":\"<HOST> - .*HTTP/1.* (404|444|403|400) .*$ 3 | ignoreregex = -------------------------------------------------------------------------------- /nginx/fail2ban/filter.d/nginx-stream-cc.conf: -------------------------------------------------------------------------------- 1 | [Definition] 2 | failregex = ^\{\"log\":\"<HOST> - .*TCP.* 200 .*$ 3 | ignoreregex = -------------------------------------------------------------------------------- /nginx/fail2ban/jail.d/nginx-http-cc.conf: -------------------------------------------------------------------------------- 1 | [nginx-http-cc] 2 | enabled = true 3 | chain = DOCKER-USER 4 | port = http,https 5 | filter = nginx-http-cc 6 | action = %(action_)s 7 | maxretry = 50 8 | findtime = 10m 9 | 
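bantime = 2h
logpath = /var/lib/docker/containers/1166369af45c7689abf4523eb57df57f44ea389760ce80b56633d85a6c8a826a/1166369af45c7689abf4523eb57df57f44ea389760ce80b56633d85a6c8a826a-json.log

--------------------------------------------------------------------------------
/nginx/fail2ban/jail.d/nginx-stream-cc.conf:
--------------------------------------------------------------------------------
[nginx-stream-cc]
enabled = true
filter = nginx-stream-cc
maxretry = 20
findtime = 5m
bantime = 2h
logpath = /var/lib/docker/containers/1166369af45c7689abf4523eb57df57f44ea389760ce80b56633d85a6c8a826a/1166369af45c7689abf4523eb57df57f44ea389760ce80b56633d85a6c8a826a-json.log
action = iptables-allports[chain="DOCKER-USER"]

--------------------------------------------------------------------------------
/nginx/fail2ban/readme.md:
--------------------------------------------------------------------------------
# fail2ban防止暴力破解配置

## 测试方法

```bash
echo "我的公网IP是:"
curl 4.ipw.cn ; echo

for i in {1..55}; do
    echo $i 次访问
    curl https://baidu.com
done
```
--------------------------------------------------------------------------------
/nginx/fail2ban/set_fail2ban.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Install the two nginx CC (request-flood) jails into the host's fail2ban and
# point them at the JSON log of the running "nginx" container.
# Must run as root: it writes under /etc/fail2ban and talks to systemd.
# run_nginx.sh invokes it as `cd fail2ban && sudo ./set_fail2ban.sh`.
set -euo pipefail
cd "$(dirname "$0")"

if [ "$(id -u)" != "0" ]; then
    echo "Error: 必须使用ROOT用户来运行, 你可以在命令前面加上 sudo "
    exit 1
fi

# Resolve the container's log path once; both jails watch the same file.
# `docker inspect` exits non-zero when the container is missing, which set -e
# turns into an abort. Without this guard an empty id would be written into
# the jail files and both jails would watch a path that does not exist,
# i.e. the protection would silently not apply.
container_id=$(docker inspect --format="{{.Id}}" nginx)
if [ -z "${container_id}" ]; then
    echo "Error: nginx container not found; run ../run_nginx.sh first"
    exit 1
fi
logpath=/var/lib/docker/containers/${container_id}/${container_id}-json.log

# The committed jail.d files carry the logpath of an old container; after
# copying them, rewrite it to the current container's log.
for jail in nginx-http-cc nginx-stream-cc; do
    cp -f "filter.d/${jail}.conf" /etc/fail2ban/filter.d/
    cp -f "jail.d/${jail}.conf" /etc/fail2ban/jail.d/
    sed -i "s#logpath = .*#logpath = ${logpath}#g" "/etc/fail2ban/jail.d/${jail}.conf"
done

systemctl enable fail2ban
systemctl reload fail2ban

fail2ban-client status nginx-http-cc
fail2ban-client status nginx-stream-cc

--------------------------------------------------------------------------------
/nginx/nginx.conf:
--------------------------------------------------------------------------------

user nginx;
worker_processes auto;

error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;


events {
    worker_connections 1024;
}


http {
    server_tokens off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;

    keepalive_timeout 65;

    #gzip on;

    include /etc/nginx/conf.d/*.conf;
}

stream {

    log_format proxy '$remote_addr - [$time_local] '
                     '$protocol $status $bytes_sent $bytes_received '
                     '$session_time "$upstream_addr" '
                     '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';

    include stream.d/*.conf;
    access_log /dev/stdout proxy;
}
--------------------------------------------------------------------------------
/nginx/reload_nginx.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Reload the running nginx container only after its configuration passes
# `nginx -t`, so a broken file in conf.d/ or stream.d/ cannot take the live
# proxy down. Exits non-zero when the test fails so callers can notice.

if docker exec nginx nginx -t; then
    docker exec nginx nginx -s reload
else
    echo "nginx配置文件不正确"
    exit 1
fi

--------------------------------------------------------------------------------
/nginx/run_nginx.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Start the nginx container that fronts every other service in this repo.
# Besides 80/443, every port listed in stream.d/*.conf is published as well.
set -uo pipefail
cd "$(dirname "$0")"

# Creates the shared docker network used by the other services.
../public/docker-network.sh

docker rm -f nginx

# Ports listened on in stream.d/*.conf need to be forwarded into the container.
# The extraction takes the last word of each "listen" line, so a listen line
# with extra parameters after the port would not be picked up correctly.
FORWARD_PORT=$(grep -h "listen" stream.d/*.conf | awk 'NF > 0 {print $NF}' | sed 's/;//')

# Accumulate the docker -p mappings, one per forwarded port.
DOCKER_PORT_MAPPING=""
for i in $FORWARD_PORT; do
    DOCKER_PORT_MAPPING="$DOCKER_PORT_MAPPING -p $i:$i"
done

# Print the resulting mappings.
echo "$DOCKER_PORT_MAPPING"


# nginx only reads its configuration and certificates, so those mounts are
# read-only; the stop_*.sh scripts of the other services manage files in
# ./conf.d from the host side, which a read-only container mount does not
# affect. $DOCKER_PORT_MAPPING is expanded unquoted on purpose so it splits
# into separate -p arguments.
# shellcheck disable=SC2086
docker run --name nginx \
    -v ./www:/usr/share/nginx/html:ro \
    -v ./nginx.conf:/etc/nginx/nginx.conf:ro \
    -v ./conf.d:/etc/nginx/conf.d:ro \
    -v ./stream.d:/etc/nginx/stream.d:ro \
    -v ./ssl:/etc/nginx/ssl:ro \
    -v ./src:/src \
    --mount type=bind,source=/etc/localtime,target=/etc/localtime,readonly \
    -p 80:80 \
    -p 443:443 \
    $DOCKER_PORT_MAPPING \
    --add-host=host.docker.internal:host-gateway \
    --network iuxt \
    --restart always \
    --log-opt max-size=1G \
    -d nginx:1.27.0


# The new container has a new id, so re-point the fail2ban jails at its log.
cd fail2ban && sudo ./set_fail2ban.sh

--------------------------------------------------------------------------------
/nginx/ssl/.gitignore:
--------------------------------------------------------------------------------
*.key
*.crt
--------------------------------------------------------------------------------
/nginx/stop_nginx.sh:
--------------------------------------------------------------------------------
#!/bin/bash

docker rm -f nginx

sudo rm -f /etc/fail2ban/jail.d/nginx-stream-cc.conf
sudo rm -f /etc/fail2ban/jail.d/nginx-http-cc.conf

sudo systemctl enable fail2ban
sudo systemctl reload 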
fail2ban 10 | 11 | sudo fail2ban-client status 12 | 13 | -------------------------------------------------------------------------------- /nginx/stream.d/.gitignore: -------------------------------------------------------------------------------- 1 | *.conf 2 | *.conf.bak 3 | -------------------------------------------------------------------------------- /nginx/stream.d/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/iuxt/quickstart/0c200ebfcba226e4087c83e81639220c572fd215/nginx/stream.d/.gitkeep -------------------------------------------------------------------------------- /public/add_config_to_nginx.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | app=$(basename "$(pwd)") 4 | echo "$app" 5 | 6 | 7 | if [ ! -e ./custom_nginx.conf ];then 8 | /bin/cp nginx.conf custom_nginx.conf 9 | fi 10 | 11 | /bin/cp -f custom_nginx.conf ../nginx/conf.d/"$app".conf 12 | ../nginx/reload_nginx.sh -------------------------------------------------------------------------------- /public/docker-network.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if [ "$(docker network ls | grep -c iuxt)" -eq 0 ]; then 4 | docker network create iuxt 5 | else 6 | echo "docker network iuxt exists skip" 7 | fi 8 | 9 | -------------------------------------------------------------------------------- /redis/redis-cli.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -euo pipefail 3 | cd $(dirname $0) 4 | 5 | source .env 6 | docker run -it --network iuxt --rm redis:${REDIS_VER} redis-cli -h redis 7 | -------------------------------------------------------------------------------- /redis/run_redis_server.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -euo pipefail 3 | cd $(dirname $0) 4 | 5 
| source .env 6 | 7 | ../public/docker-network.sh 8 | 9 | docker run --name redis \ 10 | --network iuxt \ 11 | -p 6379:6379 \ 12 | --restart always \ 13 | -d redis:${REDIS_VER} 14 | -------------------------------------------------------------------------------- /registry/.gitignore: -------------------------------------------------------------------------------- 1 | data/ 2 | 3 | -------------------------------------------------------------------------------- /registry/certs/i.com.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFwzCCA6ugAwIBAgIUMvNiX244jps/CKfQIaL6l6DYGLcwDQYJKoZIhvcNAQEN 3 | BQAwZjELMAkGA1UEBhMCQ04xETAPBgNVBAgMCFNoYW5naGFpMREwDwYDVQQHDAhT 4 | aGFuZ2hhaTENMAsGA1UECgwEaXV4dDENMAsGA1UECwwEaXV4dDETMBEGA1UEAwwK 5 | emhhbmdsaWt1bjAeFw0yNDEyMTIwODA2MTZaFw0zNDEyMTAwODA2MTZaMGExCzAJ 6 | BgNVBAYTAkNOMREwDwYDVQQIDAhTaGFuZ2hhaTERMA8GA1UEBwwIU2hhbmdoYWkx 7 | DTALBgNVBAoMBGl1eHQxDTALBgNVBAsMBGl1eHQxDjAMBgNVBAMMBWkuY29tMIIC 8 | IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvI3s1bLjJsZMZZfiAFHDrJm4 9 | ci5+HpUb8fB244vFRd6Bf/7re3C3U7gXxImHuYYWbMJWT1xyBnYcZs4a+d3fcYGa 10 | Ip6fLuXsG0t6IJZEOjeUzzFLzGod2Lhl+4LarxWgkPV9jmj4OnrH6Z8txE5/yNMy 11 | JS0WcY7CjkbzPZQH90Oov3wIKd/GVooKeXeiNIdxc6pjyu9uSFz5rKubc4E0Eb7t 12 | uRkvdjx9DNxTQwRuI980gaO+eX5HS1gpSRpl+byvAB9NQDkaSkC4eaHYy5Y7mwVr 13 | HeEAizLQx6XB+1GqkmKFq50S8/Ra3M1ajHthYxMjtNYbM6ZjnC28Fj9HLkmeH01P 14 | ZNo2pfygKvdbAF2Gl3+CrzLS/FGOY50jnzGTACs2Enc7qi4t7c4ri7hSfS4g3AWA 15 | PmvwZHGg9su1U5s+EcrXLbS9LeH3abXbXyOsSOMVOll6H3nK68W84Fvc7jAnLOcd 16 | XQ/87AI9rZsI3xW5F/BzbjEwcuo9Wi0dtIB2hdc/wJV8kjvsbyfDYeCQESpnEFUX 17 | p6qVfvjmIF9fUNM+FRR34ocKgk0lLA/gSYKZZRkyoO9rzX6i3Fom98Mi24JZPMvE 18 | DdVZTfO2dIGEsTAAMFdQECfpDne3G2j/tnDcOFFxbql767VOdMH7MtBmsFc1z+Jm 19 | gHRRO+Tbaho0TZc09UsCAwEAAaNuMGwwKgYDVR0RBCMwIYIJbG9jYWxob3N0hwR/ 20 | AAABggVpLmNvbYIHKi5pLmNvbTAdBgNVHQ4EFgQUqE5txj0xNI5ccb7LXHLnscrz 21 | J20wHwYDVR0jBBgwFoAU0T4BbjAiTTbWqtOLkH7VqI/oRU8wDQYJKoZIhvcNAQEN 22 
| BQADggIBAFIUYjUroBSpX+BfVtuk6hxi3HR4mapNeAM357PC5m9lfNx0hnMzPi8Y 23 | tSjNO5p9KO4TVlb6qWnD3jZe369O/31Af7Brp9f2l+qJD9TH62VCobgzGz18f8DH 24 | v8OgJPZsvHeJXYvDS4PEsTsl509VU/PPIDlMVlzvJbFu2w0Fgr3FsW/xKTmjLID5 25 | klNysrCRCSjaNDYaJCx4miLXJR2m5tqcefVS/xTg7/cmLbtOLlB/xW44/jUoqBgv 26 | t9UKMnn1MoasEEPui/FZZBoxnxabrqdJtDuRXi1653k/zVaKMFiRMOeNLCgDgDW7 27 | +9Fut1wNwRXP7ANrSNvOtkgRqfnWqE22fVLV1Gb/iH8Zz1mcuNd+SQT4UNvEYCXj 28 | MU/vUX9mKlNe3AQX40p8cqBJZOMl2rY2dEz+Mh0JDH51tBxCDX4RVit6yDUpd8yA 29 | 13IQtO2ruHHvbmA5IJYWFclpEfE+QHi1fLD8ls/LkZLdHUs6CQGTB4ZthbVe2Wy8 30 | W5xr8GWUe63HTH9kptMgX4DQrZOercv/eJSnLg9Uieu7fEt1APgIidllRPGUF8fh 31 | nOmAmxdKz5f9PsflX81N8eFb2ZbXW5QatVZPmQe3aVXak9bTB6lFkLhDri69kdsZ 32 | X/PzH+9FNLfGZOUf0Tf4VxjVG/P2c2Gq/kwZWwRStLYyVvtb8rvO 33 | -----END CERTIFICATE----- 34 | -------------------------------------------------------------------------------- /registry/certs/i.com.key: -------------------------------------------------------------------------------- 1 | -----BEGIN PRIVATE KEY----- 2 | MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC8jezVsuMmxkxl 3 | l+IAUcOsmbhyLn4elRvx8Hbji8VF3oF//ut7cLdTuBfEiYe5hhZswlZPXHIGdhxm 4 | zhr53d9xgZoinp8u5ewbS3oglkQ6N5TPMUvMah3YuGX7gtqvFaCQ9X2OaPg6esfp 5 | ny3ETn/I0zIlLRZxjsKORvM9lAf3Q6i/fAgp38ZWigp5d6I0h3FzqmPK725IXPms 6 | q5tzgTQRvu25GS92PH0M3FNDBG4j3zSBo755fkdLWClJGmX5vK8AH01AORpKQLh5 7 | odjLljubBWsd4QCLMtDHpcH7UaqSYoWrnRLz9FrczVqMe2FjEyO01hszpmOcLbwW 8 | P0cuSZ4fTU9k2jal/KAq91sAXYaXf4KvMtL8UY5jnSOfMZMAKzYSdzuqLi3tziuL 9 | uFJ9LiDcBYA+a/BkcaD2y7VTmz4RytcttL0t4fdptdtfI6xI4xU6WXofecrrxbzg 10 | W9zuMCcs5x1dD/zsAj2tmwjfFbkX8HNuMTBy6j1aLR20gHaF1z/AlXySO+xvJ8Nh 11 | 4JARKmcQVRenqpV++OYgX19Q0z4VFHfihwqCTSUsD+BJgpllGTKg72vNfqLcWib3 12 | wyLbglk8y8QN1VlN87Z0gYSxMAAwV1AQJ+kOd7cbaP+2cNw4UXFuqXvrtU50wfsy 13 | 0GawVzXP4maAdFE75NtqGjRNlzT1SwIDAQABAoICAA0h42dk3K5ELGj9AZgdGcBJ 14 | Oo/1TgJqRzZ8FYO2peg+XY2hHxyLVrFlhn5BR+szfBdaF7HSUfzCOCsu2rEhc2EP 15 | 8kDMBHE7QU0LXjerz5ewbFRb7hgQIgEIos24KOv92R+PgY2sIPHNwGO0mvbrsrm1 16 | 
f+4X7FK/ayyGo4Vb7IwbscKYbGciN0mqtp0MKId5EX1JVkb5kxhGJXuRvjN2wb4k 17 | qqD0MJqPDvSY2dG2mscz0g/fbDJBCc0lGEcHqCeTLSsYgwRglcSrKk4KaDORxJgA 18 | 8ht0ItoPEXx+Pnr3DqbAZufzejD0iWmMgex74WYJnLiJGv7nbVOg2dNA1//Qz8rm 19 | uEb6gpdFAjZZ7vX04PjThATp3vZxMSCZgFGlhxSrVs7a/WTWIx+jGOtIHQdbatm9 20 | l4H+yvWtg7H5O5eoB37r/khhd22y1FuUufoq+5pElOXHcCntWLmknOXf+hpIHHkY 21 | CV5XI+lQ8EZt4C3mv+kJ5287a8wihoaBp3+3fPH4Obi7ADNnndUzzrL9Lxuw+BMk 22 | zvLO7c8/JuSDE2fxS4ZiiszycKSxkLtcyiGmZsncHDcU1BearU9dQRfS8wPaQGir 23 | 1JjLHs3YKqmArE+u29cr92By89wsL0TRE8j8aqqKVq+hNaNBNjwFkgnBDkCR6hNL 24 | Jx/vQvXnDK6Gkkg6x+qZAoIBAQDcthYX/bckp3uhQOjMHxtv7NONb7crPcXaUBeS 25 | vaGrCfxD9ENah2D8Yrn2r7kGxeXxQ06z4rq1fiKRyzEw0pcuN3d7jTiTYC1+5u3K 26 | 7LYvgrra5/kk9dsiWTqdplrt999b5tG56SoqzoNQ5waQ48zLINnufOTgVZ8C4z4P 27 | uJ9gARXcOQLqNsYzCYVUjUsD5fM8V+PT+C3yqVU7OHvg9U4ssMsUX5cfIUEx9xWw 28 | YDA1rDUliWTUg4F7BWaF8Q/USsysQJ94ebkWkDisk9A2qLkQBPTYTNjBzGYFa1d3 29 | Tu8Ej9dLMeotTpxFrA1/oQy/m1junduZdFzvhLiYmmSH9R/ZAoIBAQDas6DhCYaF 30 | G1pxibxFRdmjr77Et9tWLfeoeI01oh/btEc63Uxv4KqzTJHfrhGqjfYxx+j//CNb 31 | T/plZ6F/W+sI6Zxh3BLnyKav9HoKxma/nwp0SFJF/UAfjyRcp5Ju7SOepgxUzRew 32 | JD44JqAhH+YBxCTFi8mVNhutWtS4U0HKaHsRJyh4MtoUHHE8HL+ViakJCkRyuHOo 33 | tToUQZVVsl/8Uows5JEKGNdZGhyn/rH99wdsC2H5rxIKp81qdtHAC4agt90XJ3wF 34 | FN2soFIdrvTyoV7DRKdy0H0dxqz6TO5i4cLlaTD1pWxrtGOXuB2RV3zM5LWopQBF 35 | tCeilwh93mvDAoIBAQCSragtNX4bK/srhVmxHhM75OYLHu1aHWl51rRz3vasFqzB 36 | 9Hk2lrXLxUjVOp76c1aHajXJsqpmp3cN8T21tp6mJlKPl6C7wLU7mvj5XSsOlBDe 37 | HkAjYgjJ4QblcoMHly2ng9Rpex186VW31HE2pU2ayTBMIFBzDjPo1WCPTiEMymve 38 | uTzIrrI1hORI9sWdx5pIxhgw7MSMeiCchMM/E4dqh+vOlGB4Xb9YF18goiwn31RK 39 | p+6MlQDd4w7pgPUGHte6ug/BHxP0fNBNUMaVLLggf0rA3QFIejBq9ZVhQuHx5C4u 40 | WPPKPG36l4c5BKzWQcVufxZL+1swCsIrGKArAqqxAoIBAQCvjMywlrLSGZjJ1mO3 41 | v0/p4mJhCawYSyGmq829pXupIdajW4vFqjObZPUa9WDc5MMgRnWzNTM0UsiNqVer 42 | IZ9SMiMDMmJCh3+1caqdB5Dmc8UyffL8l0JnksD/VstmGxgieusfDtna29zNucOD 43 | k1VPSaCyqXiQOzSQPH7PzpTa4m8W37XOdhMzXXlPZUwrvqpexU0YQRMl8wLBy7sR 44 | 
ZPNDWQeH6Zi64CHMNfeWqg057JaalbB5eZwjzXpH4USQwS+5xpzDvz//3DXsIWyI 45 | wy1/rSSh3XQD53Lm+dlTuXkJCmslNwDDzZtwAQaIfJPPXMiit1tSGdBUIz5FdrKs 46 | RmN9AoIBAB3hm2Z9dFT8WJI8gYe5JSXHSY2EQq0Lg3tbN372lfnP5HqZ917RYWu8 47 | zKeACjczQ5JFrYoDmqJ3LrKl2z1MQ8DcD+ZZI+o3OnHggBYFaPQkXo2AWdDv317s 48 | wmDUw9E7gIwZ4weLWtRTlkCJcOYD636aMD6KW72UpRYUe9zvjT1E82nuH0/Lld3f 49 | +Yw82dMAZqqtR6Go0/MFmG6QVlynpIemWWWw261Cit3EssO40RCgVRi6K/9Fesfe 50 | tFk1FkXuEEb7SmxX1d2uGnHvYe50Hv0EhbzejaxuD6xM9OxWI2m6xze00RVmNuTW 51 | KUhgq4J75ERNLZWWVxHnTXWbzTcf+mo= 52 | -----END PRIVATE KEY----- 53 | -------------------------------------------------------------------------------- /registry/readme.md: -------------------------------------------------------------------------------- 1 | ## 启动服务 2 | 3 | 4 | 我的证书是自签名的 *.i.com 泛域名,假设我用 hub.i.com 5 | 6 | ## 绑定hosts 7 | 8 | ``` 9 | 192.168.0.11 hub.i.com 10 | ``` 11 | 12 | ## 修改docker配置 13 | 14 | ```bash 15 | mkdir -p /etc/docker/certs.d/hub.i.com/ 16 | cp i.com.crt /etc/docker/certs.d/hub.i.com/ 17 | ``` -------------------------------------------------------------------------------- /registry/start.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | cd $(dirname $0) 3 | 4 | # 使用HTTP协议 5 | # docker run -d \ 6 | # --restart=always \ 7 | # --name registry \ 8 | # -v "$(pwd)"/data:/var/lib/registry \ 9 | # -e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \ 10 | # -p 5000:5000 \ 11 | # registry:2 12 | 13 | 14 | # 下面的是https的配置 15 | docker run -d \ 16 | --restart=always \ 17 | --name registry \ 18 | -v "$(pwd)"/certs:/certs \ 19 | -v "$(pwd)"/data:/var/lib/registry \ 20 | -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \ 21 | -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/i.com.crt \ 22 | -e REGISTRY_HTTP_TLS_KEY=/certs/i.com.key \ 23 | -p 443:443 \ 24 | registry:2 25 | -------------------------------------------------------------------------------- /tools/dingtalk_notify/.gitignore: 
-------------------------------------------------------------------------------- 1 | config.ini 2 | -------------------------------------------------------------------------------- /tools/dingtalk_notify/README.md: -------------------------------------------------------------------------------- 1 | # 钉钉通知脚本 2 | 3 | > 需要先添加钉钉自定义机器人, 安全设置选择「加签」模式 4 | 5 | ## before use 6 | 7 | 1. install python 8 | 2. install requests 9 | 10 | ```bash 11 | pip install requests 12 | ``` 13 | 14 | 3. copy config.ini.example to config.ini 15 | 16 | ```bash 17 | cp config.ini.example config.ini 18 | ``` 19 | 20 | 4. 修改 config.ini, 填入 webhook_url 和 secret 21 | 22 | ## how to use 23 | 24 | ```bash 25 | python3 dingtalk.py "消息内容" 26 | ``` 27 | 28 | ## crontab 29 | 30 | ```bash 31 | 0 */6 * * * cd /data/code/quickstart/dingtalk_notify/ && ./send_ipv6.sh >> /data/logs/dingtalk_notify.log 2>&1 32 | ``` 33 | -------------------------------------------------------------------------------- /tools/dingtalk_notify/config.ini.example: -------------------------------------------------------------------------------- 1 | [dingtalk] 2 | webhook_url=https://oapi.dingtalk.com/robot/send?access_token=xxxxx 3 | secret=xxxxx -------------------------------------------------------------------------------- /tools/dingtalk_notify/dingtalk.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | import time 3 | import hmac 4 | import hashlib 5 | import base64 6 | import urllib.parse 7 | import configparser 8 | import requests 9 | import sys 10 | 11 | now = str(time.strftime("%Y-%m-%d %H:%M:%S", time.localtime())) 12 | 13 | # 读取配置文件 14 | conf = configparser.ConfigParser() 15 | conf.read("config.ini") 16 | secret = conf["dingtalk"]["secret"] 17 | webhook_url = conf["dingtalk"]["webhook_url"] 18 | 19 | # 根据时间戳生成签名 20 | timestamp = str(round(time.time() * 1000)) 21 | secret_enc = secret.encode('utf-8') 22 | string_to_sign = '{}\n{}'.format(timestamp, secret) 23 | string_to_sign_enc = 
string_to_sign.encode('utf-8') 24 | hmac_code = hmac.new(secret_enc, string_to_sign_enc, digestmod=hashlib.sha256).digest() 25 | sign = urllib.parse.quote_plus(base64.b64encode(hmac_code)) 26 | 27 | # 要发送的数据 28 | data = """ 29 | { 30 | "msgtype":"text", 31 | "text": { 32 | "content": "%s %s" 33 | } 34 | } 35 | """ %(now, sys.argv[1]) 36 | 37 | # url参数 38 | params={ 39 | 'timestamp': timestamp, 40 | 'sign': sign 41 | } 42 | 43 | # header 44 | header = {'Content-Type': 'application/json'} 45 | 46 | # post消息出去 47 | r = requests.post(webhook_url, headers=header, params=params, data=data.encode('utf-8')) 48 | print(r.text) 49 | -------------------------------------------------------------------------------- /tools/dingtalk_notify/send_ipv6.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | data=$(ip a | grep "inet6.*global" | awk '{print $2}' | grep -v "^fe80::" ) 4 | 5 | ./dingtalk.py "${data}" 6 | -------------------------------------------------------------------------------- /tools/fail2ban/centos7-fail2ban/jail.d/ssh.conf: -------------------------------------------------------------------------------- 1 | [DEFAULT] 2 | # Ban hosts for one hour: 3 | bantime = 3600 4 | # Override /etc/fail2ban/jail.d/00-firewalld.conf: 5 | banaction = iptables-multiport 6 | 7 | [sshd] 8 | port = 2222 9 | enabled = true 10 | mode = aggressive 11 | -------------------------------------------------------------------------------- /tools/fail2ban/centos7-fail2ban/readme.md: -------------------------------------------------------------------------------- 1 | 2 | ```bash 3 | systemctl disable --now firewalld 4 | sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/sysconfig/selinux && setenforce 0 5 | 6 | yum install -y fail2ban 7 | 8 | rm -f /etc/fail2ban/jail.d/00-firewalld.conf 9 | ``` 10 | 11 | 12 | vim /etc/fail2ban/jail.d/ssh.conf 13 | 14 | ```ini 15 | [DEFAULT] 16 | # Ban hosts for one hour: 17 | bantime = 3600 18 | # 
Override /etc/fail2ban/jail.d/00-firewalld.conf: 19 | banaction = iptables-multiport 20 | 21 | [sshd] 22 | enabled = true 23 | mode = aggressive 24 | ``` 25 | 26 | aggressive 模式会把使用错误 key 登录失败的尝试也一并计入并封禁。 27 | 28 | -------------------------------------------------------------------------------- /tools/fail2ban/fail2ban-status.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | jail_list=$(fail2ban-client status | grep "Jail list" | awk -F ":" '{print $2}' | xargs | sed 's/,//g') 4 | 5 | for i in ${jail_list[*]}; 6 | do 7 | fail2ban-client status "$i" 8 | done 9 | 10 | -------------------------------------------------------------------------------- /tools/fail2ban/ubuntu24-fail2ban/jail.d/ssh.conf: -------------------------------------------------------------------------------- 1 | [sshd] 2 | port = 2222 3 | mode = aggressive 4 | enabled = true 5 | bantime = 1d -------------------------------------------------------------------------------- /tools/fail2ban/ubuntu24-fail2ban/readme.md: -------------------------------------------------------------------------------- 1 | 2 | 删除默认配置 3 | 4 | rm -f /etc/fail2ban/jail.d/defaults-debian.conf 5 | -------------------------------------------------------------------------------- /tools/fail2ban/unban-all.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | fail2ban-client unban --all 3 | -------------------------------------------------------------------------------- /tools/feishu_notify/notify.py: -------------------------------------------------------------------------------- 1 | from dotenv import load_dotenv 2 | import requests 3 | import time 4 | import os 5 | import json 6 | import sys 7 | import hashlib 8 | import base64 9 | import hmac 10 | 11 | 12 | class FeishuNotify(): 13 | 14 | 15 | def __init__(self): 16 | # 加载.env 文件中的环境变量 17 | load_dotenv() 18 | 19 | # 获取环境变量的值 20 | self.url = os.getenv("url") 21 | 
self.sign_key = os.getenv("sign_key") 22 | self.timestamp = str(round(time.time())) 23 | 24 | 25 | 26 | def gen_sign(self): 27 | # 拼接timestamp和secret 28 | string_to_sign = '{}\n{}'.format(self.timestamp, self.sign_key) 29 | hmac_code = hmac.new(string_to_sign.encode("utf-8"), digestmod=hashlib.sha256).digest() 30 | 31 | # 对结果进行base64处理 32 | sign = base64.b64encode(hmac_code).decode('utf-8') 33 | 34 | return sign 35 | 36 | 37 | def send_notify(self, title, content): 38 | self.title = title 39 | self.content = content 40 | 41 | data = { 42 | "timestamp": self.timestamp, 43 | "sign": self.gen_sign(), 44 | "msg_type": "interactive", 45 | "card": { 46 | "elements": [{ 47 | "tag": "div", 48 | "text": { 49 | "content": self.content, 50 | "tag": "lark_md" 51 | } 52 | }, { 53 | "actions": [{ 54 | "tag": "button", 55 | "text": { 56 | "content": "更多景点介绍 :玫瑰:", 57 | "tag": "lark_md" 58 | }, 59 | "url": "https://www.example.com", 60 | "type": "default", 61 | "value": {} 62 | }], 63 | "tag": "action" 64 | }], 65 | "header": { 66 | "title": { 67 | "content": self.title, 68 | "tag": "plain_text" 69 | } 70 | } 71 | } 72 | } 73 | 74 | 75 | header = {'Content-Type': 'application/json'} 76 | 77 | r = requests.post(url=self.url, headers=header, data=json.dumps(data)) 78 | print(r.text) 79 | 80 | 81 | 82 | if __name__ == "__main__": 83 | a = FeishuNotify() 84 | a.send_notify(title=sys.argv[1], content=sys.argv[2]) 85 | 86 | 87 | 88 | ''' 89 | # 可以在Python中调用 90 | import notify 91 | a = notify.FeishuNotify() 92 | a.send_notify(title='通知', content='hello') 93 | 94 | # 也可以在命令行传参 95 | python3 notify.py 通知 哈哈哈 96 | ''' 97 | -------------------------------------------------------------------------------- /tools/feishu_notify/requirements.txt: -------------------------------------------------------------------------------- 1 | certifi==2024.7.4 2 | charset-normalizer==3.3.2 3 | idna==3.7 4 | python-dotenv==1.0.1 5 | requests==2.32.3 6 | urllib3==2.2.2 7 | 
-------------------------------------------------------------------------------- /tools/freeradius-openldap/freeradius/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM centos:7 2 | 3 | # RADIUS Authentication Messages 4 | EXPOSE 1812/udp 5 | 6 | # RADIUS Accounting Messages 7 | EXPOSE 1813/udp 8 | 9 | RUN yum install -y freeradius freeradius-utils freeradius-ldap && \ 10 | yum clean all 11 | 12 | COPY mods-enabled/ldap /etc/raddb/mods-enabled/ldap 13 | COPY clients.conf /etc/raddb/clients.conf 14 | 15 | CMD ["radiusd", "-f"] -------------------------------------------------------------------------------- /tools/freeradius-openldap/freeradius/clients.conf: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | ## 3 | ## clients.conf -- client configuration directives 4 | ## 5 | ## $Id: 76b300d3c55f1c5c052289b76bf28ac3a370bbb2 $ 6 | 7 | ####################################################################### 8 | # 9 | # Define RADIUS clients (usually a NAS, Access Point, etc.). 10 | 11 | # 12 | # Defines a RADIUS client. 13 | # 14 | # '127.0.0.1' is another name for 'localhost'. It is enabled by default, 15 | # to allow testing of the server after an initial installation. If you 16 | # are not going to be permitting RADIUS queries from localhost, we suggest 17 | # that you delete, or comment out, this entry. 18 | # 19 | # 20 | 21 | # 22 | # Each client has a "short name" that is used to distinguish it from 23 | # other clients. 24 | # 25 | # In version 1.x, the string after the word "client" was the IP 26 | # address of the client. In 2.0, the IP address is configured via 27 | # the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x 28 | # format is still accepted. 29 | # 30 | client localhost { 31 | # Only *one* of ipaddr, ipv4addr, ipv6addr may be specified for 32 | # a client. 
33 | # 34 | # ipaddr will accept IPv4 or IPv6 addresses with optional CIDR 35 | # notation '/' to specify ranges. 36 | # 37 | # ipaddr will accept domain names e.g. example.org resolving 38 | # them via DNS. 39 | # 40 | # If both A and AAAA records are found, A records will be 41 | # used in preference to AAAA. 42 | ipaddr = 127.0.0.1 43 | 44 | # Same as ipaddr but allows v4 addresses only. Requires A 45 | # record for domain names. 46 | # ipv4addr = * # any. 127.0.0.1 == localhost 47 | 48 | # Same as ipaddr but allows v6 addresses only. Requires AAAA 49 | # record for domain names. 50 | # ipv6addr = :: # any. ::1 == localhost 51 | 52 | # 53 | # A note on DNS: We STRONGLY recommend using IP addresses 54 | # rather than host names. Using host names means that the 55 | # server will do DNS lookups when it starts, making it 56 | # dependent on DNS. i.e. If anything goes wrong with DNS, 57 | # the server won't start! 58 | # 59 | # The server also looks up the IP address from DNS once, and 60 | # only once, when it starts. If the DNS record is later 61 | # updated, the server WILL NOT see that update. 62 | # 63 | 64 | # 65 | # The transport protocol. 66 | # 67 | # If unspecified, defaults to "udp", which is the traditional 68 | # RADIUS transport. It may also be "tcp", in which case the 69 | # server will accept connections from this client ONLY over TCP. 70 | # 71 | proto = * 72 | 73 | # 74 | # The shared secret use to "encrypt" and "sign" packets between 75 | # the NAS and FreeRADIUS. You MUST change this secret from the 76 | # default, otherwise it's not a secret any more! 77 | # 78 | # The secret can be any string, up to 8k characters in length. 79 | # 80 | # Control codes can be entered vi octal encoding, 81 | # e.g. "\101\102" == "AB" 82 | # Quotation marks can be entered by escaping them, 83 | # e.g. "foo\"bar" 84 | # 85 | # A note on security: The security of the RADIUS protocol 86 | # depends COMPLETELY on this secret! 
We recommend using a 87 | # shared secret that is composed of: 88 | # 89 | # upper case letters 90 | # lower case letters 91 | # numbers 92 | # 93 | # And is at LEAST 8 characters long, preferably 16 characters in 94 | # length. The secret MUST be random, and should not be words, 95 | # phrase, or anything else that is recognisable. 96 | # 97 | # The default secret below is only for testing, and should 98 | # not be used in any real environment. 99 | # 100 | secret = testing123 101 | 102 | # 103 | # Old-style clients do not send a Message-Authenticator 104 | # in an Access-Request. RFC 5080 suggests that all clients 105 | # SHOULD include it in an Access-Request. The configuration 106 | # item below allows the server to require it. If a client 107 | # is required to include a Message-Authenticator and it does 108 | # not, then the packet will be silently discarded. 109 | # 110 | # allowed values: yes, no 111 | require_message_authenticator = no 112 | 113 | # 114 | # The short name is used as an alias for the fully qualified 115 | # domain name, or the IP address. 116 | # 117 | # It is accepted for compatibility with 1.x, but it is no 118 | # longer necessary in >= 2.0 119 | # 120 | # shortname = localhost 121 | 122 | # 123 | # the following three fields are optional, but may be used by 124 | # checkrad.pl for simultaneous use checks 125 | # 126 | 127 | # 128 | # The nas_type tells 'checkrad.pl' which NAS-specific method to 129 | # use to query the NAS for simultaneous use. 130 | # 131 | # Permitted NAS types are: 132 | # 133 | # cisco 134 | # computone 135 | # livingston 136 | # juniper 137 | # max40xx 138 | # multitech 139 | # netserver 140 | # pathras 141 | # patton 142 | # portslave 143 | # tc 144 | # usrhiper 145 | # other # for all other types 146 | 147 | # 148 | nas_type = other # localhost isn't usually a NAS... 149 | 150 | # 151 | # The following two configurations are for future use. 
152 | # The 'naspasswd' file is currently used to store the NAS 153 | # login name and password, which is used by checkrad.pl 154 | # when querying the NAS for simultaneous use. 155 | # 156 | # login = !root 157 | # password = someadminpas 158 | 159 | # 160 | # As of 2.0, clients can also be tied to a virtual server. 161 | # This is done by setting the "virtual_server" configuration 162 | # item, as in the example below. 163 | # 164 | # virtual_server = home1 165 | 166 | # 167 | # A pointer to the "home_server_pool" OR a "home_server" 168 | # section that contains the CoA configuration for this 169 | # client. For an example of a coa home server or pool, 170 | # see raddb/sites-available/originate-coa 171 | # coa_server = coa 172 | 173 | # 174 | # Response window for proxied packets. If non-zero, 175 | # then the lower of (home, client) response_window 176 | # will be used. 177 | # 178 | # i.e. it can be used to lower the response_window 179 | # packets from one client to a home server. It cannot 180 | # be used to raise the response_window. 181 | # 182 | # response_window = 10.0 183 | 184 | # 185 | # Connection limiting for clients using "proto = tcp". 186 | # 187 | # This section is ignored for clients sending UDP traffic 188 | # 189 | limit { 190 | # 191 | # Limit the number of simultaneous TCP connections from a client 192 | # 193 | # The default is 16. 194 | # Setting this to 0 means "no limit" 195 | max_connections = 16 196 | 197 | # The per-socket "max_requests" option does not exist. 198 | 199 | # 200 | # The lifetime, in seconds, of a TCP connection. After 201 | # this lifetime, the connection will be closed. 202 | # 203 | # Setting this to 0 means "forever". 204 | lifetime = 0 205 | 206 | # 207 | # The idle timeout, in seconds, of a TCP connection. 208 | # If no packets have been received over the connection for 209 | # this time, the connection will be closed. 210 | # 211 | # Setting this to 0 means "no timeout". 
212 | # 213 | # We STRONGLY RECOMMEND that you set an idle timeout. 214 | # 215 | idle_timeout = 30 216 | } 217 | } 218 | 219 | # IPv6 Client 220 | client localhost_ipv6 { 221 | ipv6addr = ::1 222 | secret = testing123 223 | } 224 | 225 | # All IPv6 Site-local clients 226 | #client sitelocal_ipv6 { 227 | # ipv6addr = fe80::/16 228 | # secret = testing123 229 | #} 230 | 231 | #client example.org { 232 | # ipaddr = radius.example.org 233 | # secret = testing123 234 | #} 235 | 236 | # 237 | # You can now specify one secret for a network of clients. 238 | # When a client request comes in, the BEST match is chosen. 239 | # i.e. The entry from the smallest possible network. 240 | # 241 | 242 | client private-network-1 { 243 | ipaddr = 192.168.2.0/23 244 | secret = 12345678 245 | } 246 | 247 | #client private-network-2 { 248 | # ipaddr = 198.51.100.0/24 249 | # secret = testing123-2 250 | #} 251 | 252 | ####################################################################### 253 | # 254 | # Per-socket client lists. The configuration entries are exactly 255 | # the same as above, but they are nested inside of a section. 256 | # 257 | # You can have as many per-socket client lists as you have "listen" 258 | # sections, or you can re-use a list among multiple "listen" sections. 259 | # 260 | # Un-comment this section, and edit a "listen" section to add: 261 | # "clients = per_socket_clients". That IP address/port combination 262 | # will then accept ONLY the clients listed in this section. 
263 | # 264 | #clients per_socket_clients { 265 | # client socket_client { 266 | # ipaddr = 192.0.2.4 267 | # secret = testing123 268 | # } 269 | #} -------------------------------------------------------------------------------- /tools/freeradius-openldap/freeradius/mods-enabled/ldap: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: 4b7e4585c029b8617aa7b9169a42bf50a5ec4938 $ 4 | 5 | ldap { 6 | server = '192.168.2.230' 7 | port = 389 8 | identity = 'cn=admin,dc=nutstore,dc=com' 9 | password = com.012 10 | base_dn = 'dc=nutstore,dc=com' 11 | 12 | sasl { 13 | } 14 | 15 | update { 16 | control:Password-With-Header += 'userPassword' 17 | 18 | control: += 'radiusControlAttribute' 19 | request: += 'radiusRequestAttribute' 20 | reply: += 'radiusReplyAttribute' 21 | } 22 | 23 | 24 | user { 25 | base_dn = "${..base_dn}" 26 | 27 | filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" 28 | 29 | sasl { 30 | } 31 | } 32 | 33 | group { 34 | base_dn = "${..base_dn}" 35 | filter = '(objectClass=posixGroup)' 36 | membership_attribute = 'memberOf' 37 | } 38 | 39 | profile { 40 | } 41 | 42 | client { 43 | base_dn = "${..base_dn}" 44 | filter = '(objectClass=radiusClient)' 45 | 46 | template { 47 | } 48 | 49 | attribute { 50 | ipaddr = 'radiusClientIdentifier' 51 | secret = 'radiusClientSecret' 52 | } 53 | } 54 | 55 | accounting { 56 | reference = "%{tolower:type.%{Acct-Status-Type}}" 57 | 58 | type { 59 | start { 60 | update { 61 | description := "Online at %S" 62 | } 63 | } 64 | 65 | interim-update { 66 | update { 67 | description := "Last seen at %S" 68 | } 69 | } 70 | 71 | stop { 72 | update { 73 | description := "Offline at %S" 74 | } 75 | } 76 | } 77 | } 78 | 79 | post-auth { 80 | update { 81 | description := "Authenticated at %S" 82 | } 83 | } 84 | 85 | options { 86 | 87 | chase_referrals = yes 88 | rebind = yes 89 | res_timeout = 10 90 | srv_timelimit = 3 91 | net_timeout = 1 92 | idle = 60 93 | probes = 3 
94 | interval = 3 95 | ldap_debug = 0x0028 96 | } 97 | 98 | tls { 99 | } 100 | 101 | pool { 102 | start = ${thread[pool].start_servers} 103 | min = ${thread[pool].min_spare_servers} 104 | max = ${thread[pool].max_servers} 105 | spare = ${thread[pool].max_spare_servers} 106 | uses = 0 107 | retry_delay = 30 108 | lifetime = 0 109 | idle_timeout = 60 110 | } 111 | } -------------------------------------------------------------------------------- /tools/freeradius-openldap/openldap/README.md: -------------------------------------------------------------------------------- 1 | 2 | 先导入基础目录结构 (basedomain.ldif), 再添加新用户 (add_user.ldif)。-w 会把管理员密码写进命令行和 shell 历史, 交互式环境下可改用 -W 提示输入。 3 | ldapadd -x -D cn=admin,dc=nutstore,dc=com -w com.012 -f basedomain.ldif 4 | ldapadd -x -D cn=admin,dc=nutstore,dc=com -w com.012 -f add_user.ldif -------------------------------------------------------------------------------- /tools/freeradius-openldap/openldap/init/add_user.ldif: -------------------------------------------------------------------------------- 1 | dn: uid=zhanglikun,ou=People,dc=nutstore,dc=com 2 | ou: People 3 | uid: zhanglikun 4 | cn: zhanglikun 5 | sn: zhanglikun 6 | givenName: zhanglikun 7 | displayName: zhanglikun 8 | mail: zhanglikun@nutstore.net 9 | objectClass: person 10 | objectClass: organizationalPerson 11 | objectClass: inetOrgPerson 12 | userpassword: {SSHA}KIJZfwpXRlJwkKAnL/GnVH3IAQ/qzdrF 13 | -------------------------------------------------------------------------------- /tools/freeradius-openldap/openldap/init/basedomain.ldif: -------------------------------------------------------------------------------- 1 | dn: dc=nutstore,dc=com 2 | objectClass: top 3 | objectClass: dcObject 4 | objectclass: organization 5 | o: Server World 6 | dc: nutstore 7 | 8 | dn: cn=Manager,dc=nutstore,dc=com 9 | objectClass: organizationalRole 10 | cn: Manager 11 | description: Directory Manager 12 | 13 | dn: ou=People,dc=nutstore,dc=com 14 | objectClass: organizationalUnit 15 | ou: People 16 | 17 | dn: ou=Group,dc=nutstore,dc=com 18 | objectClass: organizationalUnit 19 
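| ou: Group
--------------------------------------------------------------------------------
/tools/freeradius-openldap/openldap/init/change_password.ldif:
--------------------------------------------------------------------------------
dn: uid=zhanglikun,ou=People,dc=nutstore,dc=com
changetype: modify
replace: userpassword
userpassword: new password

# ldapmodify -x -D cn=Manager,dc=nutstore,dc=com -W -f change_passwd.ldif
--------------------------------------------------------------------------------
/tools/freeradius-openldap/openldap/start_openldap.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Start the bitnami/openldap container used as the FreeRADIUS LDAP backend.
#
# The admin and user passwords are taken from the caller's environment instead
# of being written into this (committed) file:
#
#   LDAP_ADMIN_PASSWORD   password for the cn=admin account
#   LDAP_PASSWORDS        initial password(s) for the account(s) in LDAP_USERS
#
# `--env NAME` without a value makes docker copy the variable from the calling
# environment, so the passwords also stay off the `docker run` command line.
set -eu

# Fail early with a clear message rather than starting a directory whose
# admin password is empty.
: "${LDAP_ADMIN_PASSWORD:?LDAP_ADMIN_PASSWORD must be set}"
: "${LDAP_PASSWORDS:?LDAP_PASSWORDS must be set}"

docker run -d --name openldap \
    --env LDAP_ADMIN_USERNAME=admin \
    --env LDAP_ADMIN_PASSWORD \
    --env LDAP_USERS=zhanglikun \
    --env LDAP_PASSWORDS \
    --env LDAP_ROOT="dc=nutstore,dc=com" \
    -p 389:1389 \
    bitnami/openldap:latest
--------------------------------------------------------------------------------
/tools/freeradius-openldap/readme.md:
--------------------------------------------------------------------------------
这个工具是freeradius连接openldap做认证的, 之前用它来给公司的无线AP做认证, 做到一人一个账号密码,离职删除账号不可访问公司Wi-Fi。暂时不维护了
--------------------------------------------------------------------------------
/tools/upload_cos/.env.example:
--------------------------------------------------------------------------------
backup_dir = "c:\\111"
secret_id = '' # 替换为用户的 SecretId,请登录访问管理控制台进行查看和管理,https://console.cloud.tencent.com/cam/capi
secret_key = '' # 替换为用户的 SecretKey,请登录访问管理控制台进行查看和管理,https://console.cloud.tencent.com/cam/capi
region = 'ap-shanghai' # 替换为用户的 region,已创建桶归属的region可以在控制台查看,https://console.cloud.tencent.com/cos5/bucket
bucket = '' # 存储桶的名字
--------------------------------------------------------------------------------
/tools/upload_cos/.gitignore:
--------------------------------------------------------------------------------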
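.env
venv/

--------------------------------------------------------------------------------
/tools/upload_cos/main.py:
--------------------------------------------------------------------------------
# -*- coding=utf-8
"""Archive a directory with tar and upload the archive to Tencent Cloud COS.

All settings come from the environment, normally via a ``.env`` file next to
this script (see ``.env.example``): ``backup_dir``, ``secret_id``,
``secret_key``, ``region`` and ``bucket``. This script reads the credentials
but never writes them to its own log output.
"""
from json import load

from urllib3 import Retry
from qcloud_cos import CosConfig
from qcloud_cos import CosS3Client
import sys
import logging
import subprocess
import time
import os
from dotenv import load_dotenv

load_dotenv()
# Local-time timestamp; it makes the archive key unique per run.
now = time.strftime("%Y-%m-%d_%H%M%S", time.localtime())
filename = "halo-" + now + ".tar.gz"


def backup(src, dest):
    """Pack directory ``src`` into the gzip tar archive ``dest``.

    ``logs`` and ``.git`` entries are excluded. tar is invoked with an
    argument list (no shell), so a ``backup_dir`` containing spaces or shell
    metacharacters is passed through as a single path instead of being
    re-parsed by a shell.

    Raises:
        ValueError: ``src`` is empty or unset (``backup_dir`` missing from
            the environment).
        subprocess.CalledProcessError: tar exited non-zero; the caller's
            upload is then skipped rather than shipping a broken archive.
    """
    if not src:
        raise ValueError("backup_dir is not set")
    subprocess.run(
        ["tar", "zc", "--exclude=logs", "--exclude=.git", src, "-f", dest],
        check=True,
    )


def upload_cos(bucket, filename):
    """Upload local file ``filename`` to COS bucket ``bucket`` under the same key.

    Credentials (``secret_id``, ``secret_key``, ``region``) are taken from
    the environment populated by ``load_dotenv``. The SDK no longer takes an
    APPID in ``CosConfig``; the bucket name must carry it in the form
    ``BucketName-Appid``.

    Returns:
        The response from ``CosS3Client.upload_file``.

    Raises:
        ValueError: a required setting is empty, so a misconfiguration fails
            before any network call is made.
    """
    # INFO is enough for normal runs; switch to DEBUG to have the SDK trace
    # its exchanges with the server when diagnosing a failure.
    logging.basicConfig(level=logging.INFO, stream=sys.stdout)

    secret_id = os.getenv("secret_id")
    secret_key = os.getenv("secret_key")
    region = os.getenv("region")
    missing = [
        name
        for name, value in (
            ("secret_id", secret_id),
            ("secret_key", secret_key),
            ("region", region),
            ("bucket", bucket),
        )
        if not value
    ]
    if missing:
        # Report names only: the values are credentials and must stay out of logs.
        raise ValueError("missing COS settings: " + ", ".join(missing))

    token = None  # permanent keys; no temporary STS token in use
    scheme = 'https'
    config = CosConfig(Region=region, SecretId=secret_id, SecretKey=secret_key, Token=token, Scheme=scheme)
    client = CosS3Client(config, retry=5)

    # Multipart ("advanced") upload interface; PartSize, MAXThread and
    # EnableMD5 are the values the script has always used (PartSize is in
    # MB per the SDK's convention -- confirm against the installed version).
    response = client.upload_file(
        Bucket=bucket,
        LocalFilePath=filename,
        Key=filename,
        PartSize=1,
        MAXThread=10,
        EnableMD5=False
    )
    logging.info("uploaded %s to bucket %s", filename, bucket)
    return response


def clean_tmp(filename):
    """Delete the local archive ``filename``.

    A file that does not exist is ignored: when ``backup`` fails before tar
    creates the archive, this runs from the ``finally`` block and must not
    replace the original error with a ``FileNotFoundError``.
    """
    try:
        os.remove(filename)
    except FileNotFoundError:
        pass


if __name__ == "__main__":
    try:
        backup(os.getenv("backup_dir"), filename)
        upload_cos(os.getenv("bucket"), filename)
    finally:
        clean_tmp(filename)
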
-------------------------------------------------------------------------------- /tools/upload_cos/readme.md: -------------------------------------------------------------------------------- 1 | 2 | # 腾讯云cos上传脚本 3 | 4 | ## 使用说明 5 | 6 | 1. 生成.env配置文件 7 | 自行修改配置文件 8 | 9 | ```bash 10 | cp .env.example .env 11 | ``` 12 | 13 | 2. 安装依赖包 14 | 15 | ```bash 16 | pip install -r requirements.txt 17 | ``` 18 | 19 | 3. 定时运行 20 | 21 | 用crontab来做 22 | -------------------------------------------------------------------------------- /tools/upload_cos/requirements.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/iuxt/quickstart/0c200ebfcba226e4087c83e81639220c572fd215/tools/upload_cos/requirements.txt --------------------------------------------------------------------------------