diff --git a/.env b/.env new file mode 100644 index 0000000..6528776 --- /dev/null +++ b/.env @@ -0,0 +1,11 @@ +# 2025-02-25 + +VM_USER: 1000 # default uid +VM_GROUP: 1000 # default gid + +VM_IP: 1.2.3.4 # VM ip address +VM_PORT_DOCKER: 1000 # VM docker socket proxy port number + +VM_PORT_PANEL: 80 # external port number for panel +VM_PORT_WINGS_HTTP: 8080 # external port number for wings +VM_PORT_WINGS_SFTP: 2022 # external port number for sftp diff --git a/conf/node/config.yml b/conf/node/config.yml new file mode 100644 index 0000000..c74c140 --- /dev/null +++ b/conf/node/config.yml @@ -0,0 +1,107 @@ +debug: false +app_name: [REDACTED] +uuid: [REDACTED] +token_id: cJU1GL3LmCFl9s8S +token: [REDACTED (64 chars length)] +api: + host: 0.0.0.0 + port: 8080 + ssl: + enabled: false + cert: /etc/letsencrypt/live/[REDACTED (node.domain.com)]/fullchain.pem + key: /etc/letsencrypt/live/[REDACTED (node.domain.com)]/privkey.pem + disable_remote_download: false + upload_limit: 100 + trusted_proxies: [] +system: + root_directory: /var/lib/pterodactyl + log_directory: /var/log/pterodactyl + data: /var/lib/pterodactyl/volumes + archive_directory: /var/lib/pterodactyl/archives + backup_directory: /var/lib/pterodactyl/backups + tmp_directory: /tmp/pterodactyl + username: container + timezone: UTC + user: + rootless: + enabled: false + container_uid: 0 + container_gid: 0 + uid: 1000 + gid: 1000 + disk_check_interval: 150 + activity_send_interval: 60 + activity_send_count: 100 + check_permissions_on_boot: true + enable_log_rotate: true + websocket_log_count: 150 + sftp: + bind_address: 0.0.0.0 + bind_port: 2022 + read_only: false + crash_detection: + enabled: true + detect_clean_exit_as_crash: true + timeout: 60 + backups: + write_limit: 0 + compression_level: best_speed + transfers: + download_limit: 0 + openat_mode: auto +docker: + network: + interface: 172.173.0.1 + dns: + - 1.1.1.1 + - 8.8.8.8 + - 1.0.0.1 + - 8.8.4.4 + name: wings + ispn: false + driver: bridge + network_mode: wings + is_internal: false + enable_icc: true + network_mtu: 1500 + interfaces: + v4: + subnet: 172.173.0.0/16 + gateway: 172.173.0.1 + v6: + subnet: fdba:17c8:6c94::/64 + gateway: fdba:17c8:6c94::1011 + domainname: "" + registries: {} + tmpfs_size: 100 + container_pid_limit: 512 + installer_limits: + memory: 1024 + cpu: 100 + overhead: + override: false + default_multiplier: 1.05 + multipliers: {} + use_performant_inspect: true + userns_mode: "" + log_config: + type: local + config: + compress: "false" + max-file: "1" + max-size: 5m + mode: non-blocking +throttles: + enabled: true + lines: 2000 + line_reset_interval: 100 +remote: [REDACTED (https://panel.domain.com)] +remote_query: + timeout: 30 + boot_servers_per_page: 50 +allowed_mounts: +- /opt/docker/pterodactyl/mounts +allowed_origins: +- '*' +allow_cors_private_network: true +ignore_panel_config_updates: false diff --git a/conf/panel/nginx/panel.conf b/conf/panel/nginx/panel.conf new file mode 100644 index 0000000..b61b93e --- /dev/null +++ b/conf/panel/nginx/panel.conf @@ -0,0 +1,110 @@ +# 2025-02-25 + +server { + listen 80; + server_name _; + + root /app/public; + index index.html index.htm index.php; + charset utf-8; + + location / { + try_files $uri $uri/ /index.php?$query_string; + } + + location ~ \.php$ { + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + include fastcgi_params; + fastcgi_param PHP_VALUE "upload_max_filesize = 100M \n post_max_size=100M"; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param HTTP_PROXY ""; + fastcgi_intercept_errors off; + fastcgi_buffer_size 128k; + fastcgi_buffers 256 16k; + fastcgi_busy_buffers_size 256k; + fastcgi_temp_file_write_size 256k; + fastcgi_connect_timeout 300; + fastcgi_send_timeout 300; + fastcgi_read_timeout 300; + } + + access_log off; + error_log /var/log/nginx/pterodactyl.app-error.log error; + + sendfile off; + tcp_nopush on; + tcp_nodelay on; + + open_file_cache max=200000 inactive=20s; + open_file_cache_valid 30s; + open_file_cache_min_uses 2; + open_file_cache_errors on; + + client_max_body_size 100m; + client_body_timeout 120s; + client_header_timeout 120s; + keepalive_timeout 120s; + send_timeout 120s; + reset_timedout_connection on; + keepalive_requests 100000; + + client_body_buffer_size 128k; + client_header_buffer_size 1k; + + gzip on; + gzip_min_length 10240; + gzip_comp_level 1; + gzip_vary on; + gzip_disable msie6; + gzip_proxied expired no-cache no-store private auth; + gzip_types + text/css + text/javascript + text/xml + text/plain + text/x-component + application/javascript + application/x-javascript + application/json + application/xml + application/rss+xml + application/atom+xml + font/truetype + font/opentype + application/vnd.ms-fontobject + image/svg+xml; + + location = /favicon.ico { + access_log off; + log_not_found off; + } + + location = /robots.txt { + access_log off; + log_not_found off; + } + + location ~ /\.ht { + access_log off; + log_not_found off; + deny all; + } + + location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ { + return 403; + } + + location ~* /(system|vendor)/.*\.(txt|xml|md|html|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { + return 403; + } + + location ~* /user/.*\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { + return 403; + } + + location ~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { + return 403; + } +} diff --git a/datas/common/archives/.keep b/datas/common/archives/.keep new file mode 100644 index 0000000..e69de29 diff --git a/datas/common/backups/.keep b/datas/common/backups/.keep new file mode 100644 index 0000000..e69de29 diff --git a/datas/common/letsencrypt/renewal-hooks/.keep b/datas/common/letsencrypt/renewal-hooks/.keep new file mode 100644 index 0000000..e69de29 diff --git a/datas/common/volumes/.keep b/datas/common/volumes/.keep new file mode 100644 index 0000000..e69de29 diff --git a/datas/node/logs/install/.keep b/datas/node/logs/install/.keep new file mode 100644 index 0000000..e69de29 diff --git a/datas/node/tmp/.keep b/datas/node/tmp/.keep new file mode 100644 index 0000000..e69de29 diff --git a/datas/panel/appvar/.env b/datas/panel/appvar/.env new file mode 100644 index 0000000..622006d --- /dev/null +++ b/datas/panel/appvar/.env @@ -0,0 +1,21 @@ +APP_KEY=[REDACTED (32 chars length)] +APP_TIMEZONE=UTC +RECAPTCHA_ENABLED=false +APP_CORS_ALLOWED_ORIGINS=* +HASHIDS_SALT=uWWcuQNxWoC7UtinFC4R +APP_SERVICE_AUTHOR="[REDACTED (owner's email)]" +APP_URL="[REDACTED (https://panel.domain.com)]" +CACHE_DRIVER=redis +SESSION_DRIVER=redis +QUEUE_CONNECTION=redis +APP_ENVIRONMENT_ONLY=false +PTERODACTYL_TELEMETRY_ENABLED=false +SESSION_SECURE_COOKIE=true +REDIS_HOST=[REDACTED (redis ip)] +REDIS_PASSWORD=null +REDIS_PORT=[REDACTED (redis port)] +DB_HOST=[REDACTED (database ip)] +DB_PORT=[REDACTED (database port)] +DB_DATABASE=pterodactyl +DB_USERNAME=[REDACTED (database username)] +DB_PASSWORD=[REDACTED (database password)] diff --git a/datas/panel/certs/.keep b/datas/panel/certs/.keep new file mode 100644 index 0000000..e69de29 diff --git a/datas/panel/logs/.keep b/datas/panel/logs/.keep new file mode 100644 index 0000000..e69de29 diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000..febcf88 --- /dev/null +++ b/docker-compose.yml @@ -0,0 +1,145 @@ +# +# updated: 2025-02-25 +# stack: pterodactyl +# + +x-defaults: &defaults + environment: + TZ: "UTC" + PUID: 1000 + PGID: 1000 + # DOCKER_HOST: "unix:///var/run/docker.sock" + DOCKER_HOST: "tcp://${VM_IP}:${VM_PORT_DOCKER}" + logging: + driver: local + user: ${VM_USER}:${VM_GROUP} + privileged: false + read_only: false + security_opt: + - no-new-privileges=true + ipc: "private" + restart: unless-stopped + stdin_open: false + tty: false + dns: + - 1.1.1.1 + - 1.0.0.1 + - 8.8.8.8 + - 8.8.4.4 + healthcheck: + interval: 60s + timeout: 10s + retries: 5 + start_period: 60s + labels: + traefik.docker.network: traefik + com.centurylinklabs.watchtower.enable: true + deploy: + resources: + limits: + cpus: "1.0" + memory: 64M + tmpfs: + - /tmp:rw,size=64M + networks: + - dockerproxy + volumes: + - /etc/localtime:/etc/timezone:ro + - /etc/localtime:/etc/localtime:ro + - /proc/cgroups:/cgroup:rw + # - /var/run/docker.sock:/var/run/docker.sock:ro + +networks: + dockerproxy: + external: true + pterodactyl: + name: pterodactyl + driver: bridge + enable_ipv6: false + driver_opts: + com.docker.network.driver.mtu: 1500 + default: + ipam: + config: + - subnet: 171.172.0.0/16 + node: + name: node + driver: bridge + enable_ipv6: false + ipam: + config: + - subnet: "172.172.0.0/16" + driver_opts: + com.docker.network.bridge.name: node + com.docker.network.driver.mtu: 1500 + +services: + panel: + <<: *defaults + user: 0:0 + container_name: panel + hostname: panel + image: ghcr.io/pterodactyl/panel:latest + restart: always + ports: + - "${VM_PORT_PANEL}:80" + expose: + - "80" + networks: + - pterodactyl + healthcheck: + test: uname -a || exit 1 + env_file: + - ./env/pterodactyl.env + - ./env/panel.env + deploy: + resources: + limits: + cpus: "${PROCESSORS}" + memory: 1G + tmpfs: + - /tmp:rw,noexec,nosuid,size=512M + volumes: + - ./conf/panel/nginx/:/etc/nginx/http.d/:rw + - ./datas/common/letsencrypt/:/etc/letsencrypt/:rw + - ./datas/panel/appvar/:/app/var/:rw + - ./datas/panel/logs/:/app/storage/logs:rw + + node: + <<: *defaults + user: 0:0 + container_name: node + hostname: node + image: ghcr.io/pterodactyl/wings:latest + restart: always + depends_on: + panel: + condition: service_healthy + ports: + - "${VM_PORT_WINGS_HTTP}:8080" + - "${VM_PORT_WINGS_SFTP}:2022" + expose: + - "8080" + - "2022" + networks: + - pterodactyl + - node + healthcheck: + test: ["CMD", "/usr/bin/wings", "version"] + env_file: + - ./env/pterodactyl.env + - ./env/node.env + deploy: + resources: + limits: + cpus: "${PROCESSORS}" + memory: 8G + volumes: + - /etc/ssl/certs:/etc/ssl/certs:ro + - /var/run/docker.sock:/var/run/docker.sock:ro + - /var/lib/docker/containers:/var/lib/docker/containers:rw + - ./conf/node:/etc/pterodactyl:rw + - ./datas/common/letsencrypt/:/etc/letsencrypt/:rw + - ./datas/common:/var/lib/pterodactyl:rw + - ./datas/node/logs:/var/log/pterodactyl:rw + - ./datas/node/tmp:/tmp/pterodactyl/:rw diff --git a/env/node.env b/env/node.env new file mode 100644 index 0000000..9904018 --- /dev/null +++ b/env/node.env @@ -0,0 +1,5 @@ +# 2025-02-25 + +WINGS_UID: 1000 +WINGS_GID: 1000 +WINGS_USERNAME: container diff --git a/env/panel.env b/env/panel.env new file mode 100644 index 0000000..963f8ed --- /dev/null +++ b/env/panel.env @@ -0,0 +1,31 @@ +# 2025-02-25 + +PTERODACTYL_TELEMETRY_ENABLED: "false" + +APP_ENV: "production" +APP_ENVIRONMENT_ONLY: "false" +APP_SERVICE_AUTHOR: "[REDACTED (responsible's email)]" + +APP_URL: "[REDACTED (https://panel.domain.com)]" +TRUSTED_PROXIES: "*" + +DB_HOST: "[REDACTED (database ip)]" +DB_PORT: "[REDACTED (database port)]" +DB_DATABASE: "pterodactyl" +DB_USERNAME: "[REDACTED (database username)]" +DB_PASSWORD: "[REDACTED (database password)]" + +REDIS_HOST: "[REDACTED (redis ip)]" +REDIS_PORT: "[REDACTED (redis port)]" + +MAIL_HOST: "[REDACTED (mailer's ip)]" +MAIL_PORT: "[REDACTED (mailer's smtp port)]" +MAIL_DRIVER: "smtp" +MAIL_ENCRYPTION: "true" +MAIL_FROM: "[REDACTED (owner's email)]" +MAIL_USERNAME: "[REDACTED (owner's email username)]" +MAIL_PASSWORD: "[REDACTED (owner's email password)]" + +CACHE_DRIVER: "redis" +SESSION_DRIVER: "redis" +QUEUE_DRIVER: "redis" diff --git a/env/pterodactyl.env b/env/pterodactyl.env new file mode 100644 index 0000000..ebaff39 --- /dev/null +++ b/env/pterodactyl.env @@ -0,0 +1,3 @@ +# 2025-02-25 + +APP_TIMEZONE: "UTC" diff --git a/scripts/init.sh b/scripts/init.sh new file mode 100644 index 0000000..b0b99b6 --- /dev/null +++ b/scripts/init.sh @@ -0,0 +1,49 @@ +#!/bin/sh +# 2025-02-25 + +if [ "$(id -u)" != "0" ]; then + echo "This script must be run as root" 1>&2 + exit 1 +fi + +CWD=/opt/docker/pterodactyl/scripts +PTERODACTYL=$(realpath $CWD/../) + +# +# Choosen mode is to remove existing folders and symbolic links +# to be able to recreate good ones. +# + +# +# Remove existing settings +# + +if [ -L /var/lib/pterodactyl/volumes ]; then + rm -f /var/lib/pterodactyl/volumes +fi + +if [ -L /var/log/pterodactyl ]; then + rm -f /var/log/pterodactyl +fi + +if [ -L /tmp/pterodactyl ]; then + rm -rf /tmp/pterodactyl +fi + +if [ -d /var/lib/pterodactyl ]; then + rmdir /var/lib/pterodactyl +fi + + +# Create required settings +mkdir -p /var/lib/pterodactyl +ln -s $PTERODACTYL/datas/common/volumes /var/lib/pterodactyl/volumes +ln -s $PTERODACTYL/datas/node/tmp /tmp/pterodactyl +ln -s $PTERODACTYL/datas/node/logs /var/log/pterodactyl + +# Adjust owner (user:group) +chown -R 1000:1000 /var/lib/pterodactyl +chown -R 1000:1000 /var/log/pterodactyl +chown -R 1000:1000 /tmp/pterodactyl + +exit 0 \ No newline at end of file diff --git a/traefik/pterodactyl.yml b/traefik/pterodactyl.yml new file mode 100644 index 0000000..876b998 --- /dev/null +++ b/traefik/pterodactyl.yml @@ -0,0 +1,190 @@ +# 2025-02-25 + +http: + routers: + panel: + entryPoints: + - https + rule: Host(`panel.domain.com`) + middlewares: + - corsall@file + - standard@file + tls: + certResolver: letsencrypt + service: panel@file + + node: + entryPoints: + - https + rule: Host(`node.domain.com`) + middlewares: + - corsall@file + - standard@file + tls: + certResolver: letsencrypt + service: node@file + + services: + panel: + loadBalancer: + servers: + - url: "http://[REDACTED: VM_IP]:[REDACTED: VM_PORT_PANEL]" + node: + loadBalancer: + servers: + - url: "http://[REDACTED: VM_IP]:[REDACTER: VM_PORT_WINGS_HTTP]" + + middlewares: + + corsall: + headers: + customRequestHeaders: + Access-Control-Allow-Origin: origin-list-or-null + Sec-Fetch-Site: cross-site + X-Forwarded-Proto: https + Access-Control-Allow-Headers: "*, Authorization" + customResponseHeaders: + Access-Control-Allow-Origin: "*" + Sec-Fetch-Site: cross-site + X-Forwarded-Proto: https + Access-Control-Allow-Headers: "*, Authorization" + accessControlAllowMethods: + - OPTIONS + - POST + - GET + - PUT + - DELETE + - PATCH + accessControlAllowHeaders: + - "*, Authorization" + accessControlExposeHeaders: + - "*, Authorization" + accessControlMaxAge: 100 + addVaryHeader: true + accessControlAllowCredentials: true + accessControlAllowOriginList: + - "*" + + autodetect: + ContentType: {} + + compress: + compress: + minResponseBodyBytes: 64 + excludedContentTypes: + - text/event-stream + - image/gif + - image/jpeg + - image/pjpeg + - image/png + - image/svg+xml + - image/webp + - image/vnd.microsoft.icon + - image/vnd.djvu + - image/svg+xml + - audio/wave + - audio/wav + - audio/x-wav + - audio/x-pn-wav + - audio/webm + - audio/ogg + - audio/mpeg + - audio/x-ms-wma + - audio/vnd.rn-realaudio + - audio/x-wav + - video/webm + - video/ogg + - video/mpeg + - video/mp4 + - video/quicktime + - video/x-ms-wmv + - video/x-msvideo + - video/x-flv + - video/web + - application/ogg + - application/octet-stream + - application/pdf + - application/x-shockwave-flash + - application/zip + - application/json + - media + + httpsredirect: + redirectScheme: + scheme: https + + ratelimit: + rateLimit: + average: 128 + burst: 256 + + defaults: + headers: + frameDeny: false + customFrameOptionsValue: SAMEORIGIN + browserXssFilter: false + forceSTSHeader: true + stsIncludeSubdomains: true + stsPreload: true + stsSeconds: 15552000 + customRequestheaders: + Alt-Svc: "h3=':443'; ma=86400" + customResponseHeaders: + Alt-Svc: "h3=':443'; ma=86400" + + csp: + headers: + contentsecuritypolicy: "\ + connect-src 'self' 'unsafe-hashes' 'unsafe-inline' 'unsafe-eval' blob: data: wss: ws: *.domain.com https: http:;\ + script-src 'unsafe-hashes' 'unsafe-inline' 'unsafe-eval' blob: data: wss: ws: *.domain.com https: http:;\ + style-src 'self' 'unsafe-hashes' 'unsafe-inline' 'unsafe-eval' blob: data: wss: ws: *.domain.com https: http:;\ + img-src 'self' 'unsafe-hashes' 'unsafe-inline' 'unsafe-eval' blob: data: wss: ws: *.domain.com https: http:;\ + font-src 'self' 'unsafe-hashes' 'unsafe-inline' 'unsafe-eval' blob: data: wss: ws: *.domain.com https: http:;\ + frame-src 'self' 'unsafe-hashes' 'unsafe-inline' 'unsafe-eval' blob: data: wss: ws: *.domain.com https: http:;\ + child-src 'self' 'unsafe-hashes' 'unsafe-inline' 'unsafe-eval' blob: data: wss: ws: *.domain.com https: http:;\ + media-src 'self' 'unsafe-hashes' 'unsafe-inline' 'unsafe-eval' blob: data: wss: ws: *.domain.com https: http:;\ + object-src 'self' 'unsafe-hashes' 'unsafe-inline' 'unsafe-eval' blob: data: wss: ws: *.domain.com https: http:;\ + default-src 'self' 'unsafe-hashes' 'unsafe-inline' 'unsafe-eval' blob: data: wss: ws: *.domain.com https: http:;\ + frame-ancestors 'self' blob: data: wss: ws: *.domain.com https: http:;\ + " + + security: + headers: + customRequestheaders: + X-Content-Type-Options: "" + X-Forwarded-Proto: https + customResponseHeaders: + Permissions-Policy: "fullscreen=(*), display-capture=(self), accelerometer=(), battery=(), camera=(), autoplay=(self), vibrate=(self), geolocation=(self), midi=(self), notifications=(*), push=(*), microphone=(self), magnetometer=(self), gyroscope=(self), payment=(self)" + X-Forwarded-Proto: https + X-Permitted-Cross-Domain-Policies: "none" + X-Content-Type-Options: "" + sslProxyHeaders: + X-Forwarded-Proto: https + referrerPolicy: strict-origin-when-cross-origin + + manageheaders: + headers: + customResponseHeaders: + Server: "" + X-Powered-By: "" + Pragma: "" + X-Cacheable: "" + X-Cache: "" + X-Cache-Hits: "" + + common: + chain: + middlewares: + - httpsredirect@file + - ratelimit@file + - defaults@file + - csp@file + - security@file + - manageheaders@file + - autodetect@file + + standard: + chain: + middlewares: + - compress@file + - common@file