Create a Tailscale derper #219

Open · Bpazy opened this issue Mar 17, 2022 · 2 comments
Labels: Wireguard 组网咯 (WireGuard networking)

Comments

Bpazy (Owner) commented Mar 17, 2022

```yaml
version: '3'
services:
  derper:
    image: fredliang/derper:latest
    restart: unless-stopped
    ports:
      - 3478:3478/udp   # STUN, published 1:1 on the host
      - 3476:80         # plain HTTP
      - 3477:443        # DERP over TLS; the derpMap below uses DERPPort: 3477
    volumes:
      - /etc/nginx/ssl:/app/certs   # reuse the certificate nginx already has
    environment:
      - DERP_CERT_MODE=manual
      - DERP_DOMAIN=example.com
```

```shell
$ ls /etc/nginx/ssl
example.com.crt  example.com.key
```

Why reuse the SSL certificate under nginx directly? Because I was too lazy to request another certificate for a subdomain with acme.sh.

Also, the certificate filename that DERP reads by default is a fixed format: domain.cert

Start derper: `sudo docker-compose up -d`

Configure Tailscale Access Controls, something like:

```jsonc
// Example/default ACLs for unrestricted connections.
{
  // Declare static groups of users beyond those in the identity service.
  "groups": {
    "group:example": [ "user1@example.com", "user2@example.com" ],
  },
  // Declare convenient hostname aliases to use in place of IP addresses.
  "hosts": {
    "example-host-1": "100.100.100.100",
  },
  // Access control lists.
  "acls": [
    // Match absolutely everything. Comment out this section if you want
    // to define specific ACL restrictions.
    { "action": "accept", "users": ["*"], "ports": ["*:*"] },
  ],
  "derpMap": {
    "OmitDefaultRegions": true,
    "Regions": { "900": {
      "RegionID": 900,
      "RegionCode": "myderp",
      "Nodes": [{
          "Name": "1",
          "RegionID": 900,
          "HostName": "example.com",
          "DERPPort": 3477
      }]
    }}
  }
}
```
Bpazy added the Wireguard 组网咯 label Mar 17, 2022

Bpazy (Owner, Author) commented Apr 6, 2022

Automatically restart derper after the SSL certificate is renewed

I use acme.sh for certificate issuance and automatic renewal. It provides a hook that runs when the certificate is updated, called reloadcmd, so all that is needed is to add the command that restarts derper to reloadcmd.

For example, my original reloadcmd was:

```shell
--reloadcmd "systemctl restart nginx"
```

Now it is changed to:

```shell
--reloadcmd "systemctl restart nginx && docker-compose -f /home/ubuntu/derper-docker/docker-compose.yaml up -d --force-recreate"
```

  1. As for how to modify reloadcmd after the certificate has already been generated, it is best to do it with the acme.sh --installcert command; see: "After the certificate has been generated, how can the reloadcmd command still be changed?" acmesh-official/acme.sh#2029
  2. For my detailed acme.sh configuration, see: "acme.sh usage notes" #138

After switching the container management tool from docker compose to portainer, the derper container could no longer be recreated with that command, so for now I restart the container with a docker command that names the container:

```shell
--reloadcmd "systemctl restart nginx && docker restart derper-derper-1"
```

The container name is taken from the Portainer UI.

Bpazy (Owner, Author) commented Apr 6, 2024

Migrating from docker to k8s

```yaml
# Local PV exposing the host's nginx certificate directory to the derper pod;
# pinned to the node that actually holds /etc/nginx/ssl.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: derper-ssl-local-pv
spec:
  capacity:
    storage: 1Gi
  volumeMode: Filesystem
  accessModes:
  - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: derper-ssl-local-storage
  local:
    path: /etc/nginx/ssl
  nodeAffinity:
    required:
      nodeSelectorTerms:
      - matchExpressions:
        - key: kubernetes.io/hostname
          operator: In
          values:
          - shan-tencent

---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: derper-ssl-local-storage
provisioner: kubernetes.io/no-provisioner
volumeBindingMode: WaitForFirstConsumer

---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: derper-ssl-pvc-local
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 100Mi
  storageClassName: derper-ssl-local-storage

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: derper
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      name: derper
  template:
    metadata:
      labels:
        name: derper
    spec:
      containers:
      - name: derper
        image: fredliang/derper:latest
        ports:
        - containerPort: 3478   # STUN
          protocol: UDP
        - containerPort: 80
        - containerPort: 443    # DERP over TLS
        volumeMounts:
        - name: ssl
          mountPath: /app/certs
        env:
        - name: DERP_CERT_MODE
          value: "manual"
        - name: DERP_DOMAIN
          value: "example.com"
      volumes:
      - name: ssl
        persistentVolumeClaim:
          claimName: derper-ssl-pvc-local

---
# NodePort Service: the container ports are now reachable on 3100x, not 347x.
apiVersion: v1
kind: Service
metadata:
  name: derper
spec:
  type: NodePort
  selector:
    name: derper
  ports:
  - name: p1
    port: 31002
    targetPort: 3478
    nodePort: 31002
    protocol: UDP
  - name: p2
    port: 31000
    targetPort: 80
    nodePort: 31000
  - name: p3
    port: 31001
    targetPort: 443
    nodePort: 31001
```

Note that the command used to restart the container also has to change:

```shell
acme.sh --installcert -d example.com \
  --key-file /etc/nginx/ssl/example.com.key \
  --fullchain-file /etc/nginx/ssl/fullchain.cer \
  --reloadcmd "kubectl scale deployment derper --replicas=0 && kubectl scale deployment derper --replicas=1"
```
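The derpMap in the first comment hard-codes `DERPPort: 3477` to match the compose mapping `3477:443`, and relies on STUN being published 1:1 on udp/3478 so that the default `STUNPort` works. After the move to the NodePort Service, the same container ports are reachable on 31001 (443) and 31002 (3478/udp), so an unchanged derpMap would send every client to the wrong ports and the relay would silently stop being used. The following is an added example, not code from the issue, from Tailscale or from the fredliang/derper image: it parses the ACL's HuJSON, derives the published ports from either a compose `ports:` list or a NodePort Service, and cross-checks them against each DERP node. The inputs are constructed copies of what the issue shows. Assumptions, taken from the `tailcfg.DERPNode` field documentation: `DERPPort` 0 means 443, `STUNPort` 0 means 3478 and -1 disables STUN; the HuJSON stripping is deliberately naive (a `//` inside a string literal would be removed too).

```python
import json
import re

# Constructed inputs mirroring the issue: compose ports from the first comment,
# the NodePort Service from the k8s migration, and the ACL's derpMap fragment.
COMPOSE_PORTS = ["3478:3478/udp", "3476:80", "3477:443"]
K8S_SERVICE_PORTS = [
    {"nodePort": 31002, "targetPort": 3478, "protocol": "UDP"},
    {"nodePort": 31000, "targetPort": 80},
    {"nodePort": 31001, "targetPort": 443},
]
DERP_DOMAIN = "example.com"
ACL_HUJSON = """
{
  // Only derpMap matters for this check; acls are omitted.
  "derpMap": {
    "OmitDefaultRegions": true,
    "Regions": { "900": {
      "RegionID": 900,
      "RegionCode": "myderp",
      "Nodes": [{ "Name": "1", "RegionID": 900,
                  "HostName": "example.com", "DERPPort": 3477 }],
    }},
  }
}
"""


def load_hujson(text):
    """Parse Tailscale HuJSON by stripping // comments and trailing commas.
    Naive on purpose: a '//' inside a string literal would be removed too."""
    text = re.sub(r"//[^\n]*", "", text)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text)


def published_from_compose(port_specs):
    """(container_port, proto) -> host port, from 'host:container[/proto]'."""
    out = {}
    for spec in port_specs:
        addr, _, proto = spec.partition("/")
        host, container = addr.split(":")
        out[(int(container), proto.lower() or "tcp")] = int(host)
    return out


def published_from_service(ports):
    """(targetPort, proto) -> nodePort, from a NodePort Service's ports list."""
    return {(p["targetPort"], p.get("protocol", "TCP").lower()): p["nodePort"]
            for p in ports}


def check_derpmap(derp_map, published, domain):
    """Return findings; an empty list means clients can reach the relay."""
    findings = []
    regions = derp_map.get("Regions", {})
    if derp_map.get("OmitDefaultRegions") and not regions:
        findings.append("OmitDefaultRegions is true but Regions is empty")
    for key, region in regions.items():
        rid = region.get("RegionID")
        if str(rid) != key:
            findings.append(f"region key {key!r} != RegionID {rid}")
        for node in region.get("Nodes", []):
            name = node.get("Name", "?")
            if node.get("RegionID") != rid:
                findings.append(f"node {name}: RegionID != region {rid}")
            if node.get("HostName") != domain:   # TLS cert is issued for DERP_DOMAIN
                findings.append(f"node {name}: HostName != {domain!r}")
            if node.get("InsecureForTests"):
                findings.append(f"node {name}: InsecureForTests disables TLS checks")
            # Assumed per tailcfg.DERPNode docs: DERPPort 0 -> 443; STUNPort 0 -> 3478, -1 off.
            derp_port = node.get("DERPPort") or 443
            if published.get((443, "tcp")) != derp_port:
                findings.append(f"node {name}: DERPPort {derp_port} but container "
                                f"443/tcp is published on {published.get((443, 'tcp'))}")
            stun_port = node.get("STUNPort", 0)
            if stun_port != -1 and published.get((3478, "udp")) != (stun_port or 3478):
                findings.append(f"node {name}: STUN expected on udp/{stun_port or 3478} "
                                f"but 3478/udp is published on {published.get((3478, 'udp'))}")
    return findings


def rewrite_ports(derp_map, published):
    """Copy of derp_map with each node pointed at where 443/tcp and 3478/udp
    are actually published; STUN is disabled (-1) if udp is not published."""
    fixed = json.loads(json.dumps(derp_map))
    for region in fixed.get("Regions", {}).values():
        for node in region.get("Nodes", []):
            node["DERPPort"] = published[(443, "tcp")]
            node["STUNPort"] = published.get((3478, "udp"), -1)
    return fixed


if __name__ == "__main__":
    derp_map = load_hujson(ACL_HUJSON)["derpMap"]
    k8s = published_from_service(K8S_SERVICE_PORTS)
    print("compose:", check_derpmap(derp_map, published_from_compose(COMPOSE_PORTS), DERP_DOMAIN))
    print("k8s:    ", check_derpmap(derp_map, k8s, DERP_DOMAIN))
    print("k8s fixed:", check_derpmap(rewrite_ports(derp_map, k8s), DERP_DOMAIN and k8s, DERP_DOMAIN))
```

Run it against the issue's two deployments: the compose mapping passes cleanly, the NodePort Service produces two findings (DERPPort 3477 vs 31001, STUN 3478 vs 31002), and `rewrite_ports` shows the derpMap that should accompany the k8s manifests (`DERPPort: 31001`, `STUNPort: 31002`). Reapplying the ACL is still a manual step in the admin console; this only tells you what to change.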
