kraoc/pterodactyl
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

initialisation

Browse Source
This commit is contained in:
Olivier 2025-02-25 15:53:10 +01:00
parent d6fddabb6b
commit bad764beb4
18 changed files with 672 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
.env Normal file
View File

@ -0,0 +1,11 @@
# 2025-02-25
VM_USER: 1000 # default uid
VM_GROUP: 1000 # default gid
VM_IP: 1.2.3.4 # VM ip address
VM_PORT_DOCKER: 1000 # VM docker socket proxy port number
VM_PORT_PANEL: 80 # external port number for panel
VM_PORT_WINGS_HTTP: 8080 # external port number for wings
VM_PORT_WINGS_SFTP: 2022 # external port number for sftp

107
conf/node/config.yml Normal file
View File

@ -0,0 +1,107 @@
debug: false
app_name: [REDACTED]
uuid: [REDACTED]
token_id: cJU1GL3LmCFl9s8S
token: [REDACTED (64 chars length)]
api:
host: 0.0.0.0
port: 8080
ssl:
enabled: false
cert: /etc/letsencrypt/live/[REDACTED (node.domain.com)]/fullchain.pem
key: /etc/letsencrypt/live/[REDACTED (node.domain.com)]/privkey.pem
disable_remote_download: false
upload_limit: 100
trusted_proxies: []
system:
root_directory: /var/lib/pterodactyl
log_directory: /var/log/pterodactyl
data: /var/lib/pterodactyl/volumes
archive_directory: /var/lib/pterodactyl/archives
backup_directory: /var/lib/pterodactyl/backups
tmp_directory: /tmp/pterodactyl
username: container
timezone: UTC
user:
rootless:
enabled: false
container_uid: 0
container_gid: 0
uid: 1000
gid: 1000
disk_check_interval: 150
activity_send_interval: 60
activity_send_count: 100
check_permissions_on_boot: true
enable_log_rotate: true
websocket_log_count: 150
sftp:
bind_address: 0.0.0.0
bind_port: 2022
read_only: false
crash_detection:
enabled: true
detect_clean_exit_as_crash: true
timeout: 60
backups:
write_limit: 0
compression_level: best_speed
transfers:
download_limit: 0
openat_mode: auto
docker:
network:
interface: 172.173.0.1
dns:
- 1.1.1.1
- 8.8.8.8
- 1.0.0.1
- 8.8.4.4
name: wings
ispn: false
driver: bridge
network_mode: wings
is_internal: false
enable_icc: true
network_mtu: 1500
interfaces:
v4:
subnet: 172.173.0.0/16
gateway: 172.173.0.1
v6:
subnet: fdba:17c8:6c94::/64
gateway: fdba:17c8:6c94::1011
domainname: ""
registries: {}
tmpfs_size: 100
container_pid_limit: 512
installer_limits:
memory: 1024
cpu: 100
overhead:
override: false
default_multiplier: 1.05
multipliers: {}
use_performant_inspect: true
userns_mode: ""
log_config:
type: local
config:
compress: "false"
max-file: "1"
max-size: 5m
mode: non-blocking
throttles:
enabled: true
lines: 2000
line_reset_interval: 100
remote: [REDACTED (https://panel.domain.com)]
remote_query:
timeout: 30
boot_servers_per_page: 50
allowed_mounts:
- /opt/docker/pterodactyl/mounts
allowed_origins:
- '*'
allow_cors_private_network: true
ignore_panel_config_updates: false

110
conf/panel/nginx/panel.conf Normal file
View File

@ -0,0 +1,110 @@
# 2025-02-25
server {
listen 80;
server_name _;
root /app/public;
index index.html index.htm index.php;
charset utf-8;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param PHP_VALUE "upload_max_filesize = 100M \n post_max_size=100M";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTP_PROXY "";
fastcgi_intercept_errors off;
fastcgi_buffer_size 128k;
fastcgi_buffers 256 16k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
}
access_log off;
error_log /var/log/nginx/pterodactyl.app-error.log error;
sendfile off;
tcp_nopush on;
tcp_nodelay on;
open_file_cache max=200000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
client_max_body_size 100m;
client_body_timeout 120s;
client_header_timeout 120s;
keepalive_timeout 120s;
send_timeout 120s;
reset_timedout_connection on;
keepalive_requests 100000;
client_body_buffer_size 128k;
client_header_buffer_size 1k;
gzip on;
gzip_min_length 10240;
gzip_comp_level 1;
gzip_vary on;
gzip_disable msie6;
gzip_proxied expired no-cache no-store private auth;
gzip_types
text/css
text/javascript
text/xml
text/plain
text/x-component
application/javascript
application/x-javascript
application/json
application/xml
application/rss+xml
application/atom+xml
font/truetype
font/opentype
application/vnd.ms-fontobject
image/svg+xml;
location = /favicon.ico {
access_log off;
log_not_found off;
}
location = /robots.txt {
access_log off;
log_not_found off;
}
location ~ /\.ht {
access_log off;
log_not_found off;
deny all;
}
location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ {
return 403;
}
location ~* /(system|vendor)/.*\.(txt|xml|md|html|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ {
return 403;
}
location ~* /user/.*\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ {
return 403;
}
location ~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) {
return 403;
}
}

0
datas/common/archives/.keep Normal file
View File

0
datas/common/backups/.keep Normal file
View File

0
datas/common/letsencrypt/renewal-hooks/.keep Normal file
View File

0
datas/common/volumes/.keep Normal file
View File

0
datas/node/logs/install/.keep Normal file
View File

0
datas/node/tmp/.keep Normal file
View File

21
datas/panel/appvar/.env Normal file
View File

@ -0,0 +1,21 @@
APP_KEY=[REDACTED (32 chars length)]
APP_TIMEZONE=UTC
RECAPTCHA_ENABLED=false
APP_CORS_ALLOWED_ORIGINS=*
HASHIDS_SALT=uWWcuQNxWoC7UtinFC4R
APP_SERVICE_AUTHOR="[REDACTED (owner's email)]"
APP_URL="[REDACTED (https://panel.domain.com)]"
CACHE_DRIVER=redis
SESSION_DRIVER=redis
QUEUE_CONNECTION=redis
APP_ENVIRONMENT_ONLY=false
PTERODACTYL_TELEMETRY_ENABLED=false
SESSION_SECURE_COOKIE=true
REDIS_HOST=[REDACTED (redis ip)]
REDIS_PASSWORD=null
REDIS_PORT=[REDACTED (redis port)]
DB_HOST=[REDACTED (database ip)]
DB_PORT=[REDACTED (database port)]
DB_DATABASE=pterodactyl
DB_USERNAME=[REDACTED (database username)]
DB_PASSWORD=[REDACTED (database password)]

0
datas/panel/certs/.keep Normal file
View File

0
datas/panel/logs/.keep Normal file
View File

145
docker-compose.yml Normal file
View File

@ -0,0 +1,145 @@
#
# updated: 2025-02-25
# stack: pterodactyl
#
x-defaults: &defaults
environment:
TZ: "UTC"
PUID: 1000
PGID: 1000
# DOCKER_HOST: "unix:///var/run/docker.sock"
DOCKER_HOST: "tcp://${VM_IP}:${VM_PORT_DOCKER}"
logging:
driver: local
user: ${VM_USER}:${VM_GROUP}
privileged: false
read_only: false
security_opt:
- no-new-privileges=true
ipc: "private"
restart: unless-stopped
stdin_open: false
tty: false
dns:
- 1.1.1.1
- 1.0.0.1
- 8.8.8.8
- 8.8.4.4
healthcheck:
interval: 60s
timeout: 10s
retries: 5
start_period: 60s
labels:
traefik.docker.network: traefik
com.centurylinklabs.watchtower.enable: true
deploy:
resources:
limits:
cpus: "1.0"
memory: 64M
tmpfs:
- /tmp:rw,size=64M
networks:
- dockerproxy
volumes:
- /etc/localtime:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
- /proc/cgroups:/cgroup:rw
# - /var/run/docker.sock:/var/run/docker.sock:ro
networks:
dockerproxy:
external: true
pterodactyl:
name: pterodactyl
driver: bridge
enable_ipv6: false
driver_opts:
com.docker.network.driver.mtu: 1500
default:
ipam:
config:
- subnet: 171.172.0.0/16
node:
name: node
driver: bridge
enable_ipv6: false
ipam:
config:
- subnet: "172.172.0.0/16"
driver_opts:
com.docker.network.bridge.name: node
com.docker.network.driver.mtu: 1500
services:
panel:
<<: *defaults
user: 0:0
container_name: panel
hostname: panel
image: ghcr.io/pterodactyl/panel:latest
restart: always
ports:
- "${VM_PORT_PANEL}:80"
expose:
- "80"
networks:
- pterodactyl
healthcheck:
test: uname -a || exit 1
env_file:
- ./env/pterodactyl.env
- ./env/panel.env
deploy:
resources:
limits:
cpus: "${PROCESSORS}"
memory: 1G
tmpfs:
- /tmp:rw,noexec,nosuid,size=512M
volumes:
- ./conf/panel/nginx/:/etc/nginx/http.d/:rw
- ./datas/common/letsencrypt/:/etc/letsencrypt/:rw
- ./datas/panel/appvar/:/app/var/:rw
- ./datas/panel/logs/:/app/storage/logs:rw
node:
<<: *defaults
user: 0:0
container_name: node
hostname: node
image: ghcr.io/pterodactyl/wings:latest
restart: always
depends_on:
panel:
condition: service_healthy
ports:
- "${VM_PORT_WINGS_HTTP}:8080"
- "${VM_PORT_WINGS_SFTP}:2022"
expose:
- "8080"
- "2022"
networks:
- pterodactyl
- node
healthcheck:
test: ["CMD", "/usr/bin/wings", "version"]
env_file:
- ./env/pterodactyl.env
- ./env/node.env
deploy:
resources:
limits:
cpus: "${PROCESSORS}"
memory: 8G
volumes:
- /etc/ssl/certs:/etc/ssl/certs:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- /var/lib/docker/containers:/var/lib/docker/containers:rw
- ./conf/node:/etc/pterodactyl:rw
- ./datas/common/letsencrypt/:/etc/letsencrypt/:rw
- ./datas/common:/var/lib/pterodactyl:rw
- ./datas/node/logs:/var/log/pterodactyl:rw
- ./datas/node/tmp:/tmp/pterodactyl/:rw

5
env/node.env vendored Normal file
View File

@ -0,0 +1,5 @@
# 2025-02-25
WINGS_UID: 1000
WINGS_GID: 1000
WINGS_USERNAME: container

31
env/panel.env vendored Normal file
View File

@ -0,0 +1,31 @@
# 2025-02-25
PTERODACTYL_TELEMETRY_ENABLED: "false"
APP_ENV: "production"
APP_ENVIRONMENT_ONLY: "false"
APP_SERVICE_AUTHOR: "[REDACTED (responsible's email)]"
APP_URL: "[REDACTED (https://panel.domain.com)]"
TRUSTED_PROXIES: "*"
DB_HOST: "[REDACTED (database ip)]"
DB_PORT: "[REDACTED (database port)]"
DB_DATABASE: "pterodactyl"
DB_USERNAME: "[REDACTED (database username)]"
DB_PASSWORD: "[REDACTED (database password)]"
REDIS_HOST: "[REDACTED (redis ip)]"
REDIS_PORT: "[REDACTED (redis port)]"
MAIL_HOST: "[REDACTED (mailer's ip)]"
MAIL_PORT: "[REDACTED (mailer's smtp port)]"
MAIL_DRIVER: "smtp"
MAIL_ENCRYPTION: "true"
MAIL_FROM: "[REDACTED (owner's email)]"
MAIL_USERNAME: "[REDACTED (owner's email username)]"
MAIL_PASSWORD: "[REDACTED (owner's email password)]"
CACHE_DRIVER: "redis"
SESSION_DRIVER: "redis"
QUEUE_DRIVER: "redis"

3
env/pterodactyl.env vendored Normal file
View File

@ -0,0 +1,3 @@
# 2025-02-25
APP_TIMEZONE: "UTC"

49
scripts/init.sh Normal file
View File

@ -0,0 +1,49 @@
#!/bin/sh
# 2025-02-25
if [ "$(id -u)" != "0" ]; then
echo "This script must be run as root" 1>&2
exit 1
fi
CWD=/opt/docker/pterodactyl/scripts
PTERODACTYL=$(realpath $CWD/../)
#
# Choosen mode is to remove existing folders and symbolic links
# to be able to recreate good ones.
#
#
# Remove existing settings
#
if [ -L /var/lib/pterodactyl/volumes ]; then
rm -f /var/lib/pterodactyl/volumes
fi
if [ -L /var/log/pterodactyl ]; then
rm -f /var/log/pterodactyl
fi
if [ -L /tmp/pterodactyl ]; then
rm -rf /tmp/pterodactyl
fi
if [ -d /var/lib/pterodactyl ]; then
rmdir /var/lib/pterodactyl
fi
# Create required settings
mkdir -p /var/lib/pterodactyl
ln -s $PTERODACTYL/datas/common/volumes /var/lib/pterodactyl/volumes
ln -s $PTERODACTYL/datas/node/tmp /tmp/pterodactyl
ln -s $PTERODACTYL/datas/node/logs /var/log/pterodactyl
# Adjust owner (user:group)
chown -R 1000:1000 /var/lib/pterodactyl
chown -R 1000:1000 /var/log/pterodactyl
chown -R 1000:1000 /tmp/pterodactyl
exit 0

190
traefik/pterodactyl.yml Normal file
View File

@ -0,0 +1,190 @@
# 2025-02-25
http:
routers:
panel:
entryPoints:
- https
rule: Host(`panel.domain.com`)
middlewares:
- corsall@file
- standard@file
tls:
certResolver: letsencrypt
service: panel@file
node:
entryPoints:
- https
rule: Host(`node.domain.com`)
middlewares:
- corsall@file
- standard@file
tls:
certResolver: letsencrypt
service: node@file
services:
panel:
loadBalancer:
servers:
- url: "http://[REDACTED: VM_IP]:[REDACTED: VM_PORT_PANEL]"
node:
loadBalancer:
servers:
- url: "http://[REDACTED: VM_IP]:[REDACTER: VM_PORT_WINGS_HTTP]"
middlewares:
corsall:
headers:
customRequestHeaders:
Access-Control-Allow-Origin: origin-list-or-null
Sec-Fetch-Site: cross-site
X-Forwarded-Proto: https
Access-Control-Allow-Headers: "*, Authorization"
customResponseHeaders:
Access-Control-Allow-Origin: "*"
Sec-Fetch-Site: cross-site
X-Forwarded-Proto: https
Access-Control-Allow-Headers: "*, Authorization"
accessControlAllowMethods:
- OPTIONS
- POST
- GET
- PUT
- DELETE
- PATCH
accessControlAllowHeaders:
- "*, Authorization"
accessControlExposeHeaders:
- "*, Authorization"
accessControlMaxAge: 100
addVaryHeader: true
accessControlAllowCredentials: true
accessControlAllowOriginList:
- "*"
autodetect:
ContentType: {}
compress:
compress:
minResponseBodyBytes: 64
excludedContentTypes:
- text/event-stream
- image/gif
- image/jpeg
- image/pjpeg
- image/png
- image/svg+xml
- image/webp
- image/vnd.microsoft.icon
- image/vnd.djvu
- image/svg+xml
- audio/wave
- audio/wav
- audio/x-wav
- audio/x-pn-wav
- audio/webm
- audio/ogg
- audio/mpeg
- audio/x-ms-wma
- audio/vnd.rn-realaudio
- audio/x-wav
- video/webm
- video/ogg
- video/mpeg
- video/mp4
- video/quicktime
- video/x-ms-wmv
- video/x-msvideo
- video/x-flv
- video/web
- application/ogg
- application/octet-stream
- application/pdf
- application/x-shockwave-flash
- application/zip
- application/json
- media
httpsredirect:
redirectScheme:
scheme: https
ratelimit:
rateLimit:
average: 128
burst: 256
defaults:
headers:
frameDeny: false
customFrameOptionsValue: SAMEORIGIN
browserXssFilter: false
forceSTSHeader: true
stsIncludeSubdomains: true
stsPreload: true
stsSeconds: 15552000
customRequestheaders:
Alt-Svc: "h3=':443'; ma=86400"
customResponseHeaders:
Alt-Svc: "h3=':443'; ma=86400"
csp:
headers:
contentsecuritypolicy: "\
connect-src 'self' 'unsafe-hashes' 'unsafe-inline' 'unsafe-eval' blob: data: wss: ws: *.domain.com https: http:;\
script-src 'unsafe-hashes' 'unsafe-inline' 'unsafe-eval' blob: data: wss: ws: *.domain.com https: http:;\
style-src 'self' 'unsafe-hashes' 'unsafe-inline' 'unsafe-eval' blob: data: wss: ws: *.domain.com https: http:;\
img-src 'self' 'unsafe-hashes' 'unsafe-inline' 'unsafe-eval' blob: data: wss: ws: *.domain.com https: http:;\
font-src 'self' 'unsafe-hashes' 'unsafe-inline' 'unsafe-eval' blob: data: wss: ws: *.domain.com https: http:;\
frame-src 'self' 'unsafe-hashes' 'unsafe-inline' 'unsafe-eval' blob: data: wss: ws: *.domain.com https: http:;\
child-src 'self' 'unsafe-hashes' 'unsafe-inline' 'unsafe-eval' blob: data: wss: ws: *.domain.com https: http:;\
media-src 'self' 'unsafe-hashes' 'unsafe-inline' 'unsafe-eval' blob: data: wss: ws: *.domain.com https: http:;\
object-src 'self' 'unsafe-hashes' 'unsafe-inline' 'unsafe-eval' blob: data: wss: ws: *.domain.com https: http:;\
default-src 'self' 'unsafe-hashes' 'unsafe-inline' 'unsafe-eval' blob: data: wss: ws: *.domain.com https: http:;\
frame-ancestors 'self' blob: data: wss: ws: *.domain.com https: http:;\
"
security:
headers:
customRequestheaders:
X-Content-Type-Options: ""
X-Forwarded-Proto: https
customResponseHeaders:
Permissions-Policy: "fullscreen=(*), display-capture=(self), accelerometer=(), battery=(), camera=(), autoplay=(self), vibrate=(self), geolocation=(self), midi=(self), notifications=(*), push=(*), microphone=(self), magnetometer=(self), gyroscope=(self), payment=(self)"
X-Forwarded-Proto: https
X-Permitted-Cross-Domain-Policies: "none"
X-Content-Type-Options: ""
sslProxyHeaders:
X-Forwarded-Proto: https
referrerPolicy: strict-origin-when-cross-origin
manageheaders:
headers:
customResponseHeaders:
Server: ""
X-Powered-By: ""
Pragma: ""
X-Cacheable: ""
X-Cache: ""
X-Cache-Hits: ""
common:
chain:
middlewares:
- httpsredirect@file
- ratelimit@file
- defaults@file
- csp@file
- security@file
- manageheaders@file
- autodetect@file
standard:
chain:
middlewares:
- compress@file
- common@file