Konstantin GARSHENIN
посмотри и проверь.
#!/usr/bin/env bash
set -euo pipefail
echo "=== SRV1 bootstrap (HAProxy + Let's Encrypt) ==="
# --- Ввод параметров ---
read -rp "Domain (example.com): " DOMAIN
read -rp "Email (for Let's Encrypt): " EMAIL
read -rp "SRV2 IP: " SRV2_IP
read -rp "SRV2 SNI: " SRV2_SNI
# --- Проверка ---
if [[ -z "$DOMAIN" -z "$EMAIL" -z "$SRV2_IP" || -z "$SRV2_SNI" ]]; then
echo "❌ Все поля обязательны"
exit 1
fi
# --- Установка зависимостей ---
echo "=== Installing packages ==="
apt update
apt install -y docker.io docker-compose-plugin certbot gettext-base
systemctl enable docker
systemctl start docker
# --- Создание структуры ---
echo "=== Creating project structure ==="
mkdir -p srv1/{certs,letsencrypt}
cd srv1
# --- .env ---
cat > .env <<EOF
DOMAIN=$DOMAIN
EMAIL=$EMAIL
SRV2_IP=$SRV2_IP
SRV2_SNI=$SRV2_SNI
EOF
# --- docker-compose.yml ---
cat > docker-compose.yml <<'EOF'
services:
haproxy:
image: haproxy:2.9-alpine
container_name: srv1-haproxy
restart: unless-stopped
ports:
- "443:443"
volumes:
- ./haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
- ./certs:/usr/local/etc/haproxy/certs:ro
EOF
# --- haproxy.cfg.tpl ---
cat > haproxy.cfg.tpl <<'EOF'
global
log stdout format raw local0
defaults
log global
mode tcp
option tcplog
timeout connect 5s
timeout client 60s
timeout server 60s
frontend fe_443
bind :443 ssl crt /usr/local/etc/haproxy/certs/${DOMAIN}.pem
mode tcp
acl sni_ok req.ssl_sni -i ${DOMAIN}
use_backend bk_srv2 if sni_ok
tcp-request content reject if !sni_ok
backend bk_srv2
mode tcp
server srv2 ${SRV2_IP}:443 ssl verify none sni str(${SRV2_SNI})
EOF
# --- Получение сертификата ---
echo "=== Getting Let's Encrypt certificate ==="
docker run --rm --network host \
-v "$PWD/letsencrypt:/etc/letsencrypt" \
certbot/certbot certonly --standalone \
-d "$DOMAIN" -m "$EMAIL" --agree-tos --non-interactive
# --- Сборка PEM ---
echo "=== Building PEM ==="
cat "letsencrypt/live/$DOMAIN/fullchain.pem" \
"letsencrypt/live/$DOMAIN/privkey.pem" > "certs/$DOMAIN.pem"
# --- Генерация конфига ---
echo "=== Generating HAProxy config ==="
set -a
source .env
set +a
envsubst < haproxy.cfg.tpl > haproxy.cfg
# --- Проверка конфига ---
echo "=== Validating HAProxy config ==="
docker run --rm \
-v "$PWD/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro" \
haproxy:2.9-alpine \
haproxy -c -f /usr/local/etc/haproxy/haproxy.cfg
# --- Запуск ---
echo "=== Starting HAProxy ==="
docker compose up -d
echo "✅ DONE"
echo "Domain: https://$DOMAIN"
🐶 Проверил, есть 4 места, которые надо поправить:
1. `if` сломан, надо `||` между проверками.
2. `docker-compose.yml` сейчас невалидный, отступы нужны.
3. В `haproxy -c` надо примонтировать `certs`, иначе проверка упадёт.
4. Для `bind :443 ssl` лучше `ssl_fc_sni`, а не `req.ssl_sni`.
Вот поправленный вариант:
```bash
#!/usr/bin/env bash
set -euo pipefail
echo "=== SRV1 bootstrap (HAProxy + Let's Encrypt) ==="
read -rp "Domain (example.com): " DOMAIN
read -rp "Email (for Let's Encrypt): " EMAIL
read -rp "SRV2 IP: " SRV2_IP
read -rp "SRV2 SNI: " SRV2_SNI
if [[ -z "$DOMAIN" || -z "$EMAIL" || -z "$SRV2_IP" || -z "$SRV2_SNI" ]]; then
echo "❌ Все поля обязательны"
exit 1
fi
apt update
apt install -y docker.io docker-compose-plugin certbot gettext-base
systemctl enable --now docker
mkdir -p srv1/{certs,letsencrypt}
cd srv1
cat > .env <<EOF
DOMAIN=$DOMAIN
EMAIL=$EMAIL
SRV2_IP=$SRV2_IP
SRV2_SNI=$SRV2_SNI
EOF
cat > docker-compose.yml <<'EOF'
services:
haproxy:
image: haproxy:2.9-alpine
container_name: srv1-haproxy
restart: unless-stopped
ports:
- "443:443"
volumes:
- ./haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
- ./certs:/usr/local/etc/haproxy/certs:ro
EOF
cat > haproxy.cfg.tpl <<'EOF'
global
log stdout format raw local0
defaults
log global
mode tcp
option tcplog
timeout connect 5s
timeout client 60s
timeout server 60s
frontend fe_443
bind :443 ssl crt /usr/local/etc/haproxy/certs/${DOMAIN}.pem
mode tcp
acl sni_ok ssl_fc_sni -i ${DOMAIN}
use_backend bk_srv2 if sni_ok
tcp-request content reject if !sni_ok
backend bk_srv2
mode tcp
server srv2 ${SRV2_IP}:443 ssl verify none sni str(${SRV2_SNI})
EOF
docker run --rm --network host \
-v "$PWD/letsencrypt:/etc/letsencrypt" \
certbot/certbot certonly --standalone \
-d "$DOMAIN" -m "$EMAIL" --agree-tos --non-interactive
cat "letsencrypt/live/$DOMAIN/fullchain.pem" \
"letsencrypt/live/$DOMAIN/privkey.pem" > "certs/$DOMAIN.pem"
set -a
source .env
set +a
envsubst < haproxy.cfg.tpl > haproxy.cfg
docker run --rm \
-v "$PWD/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro" \
-v "$PWD/certs:/usr/local/etc/haproxy/certs:ro" \
haproxy:2.9-alpine haproxy -c -f /usr/local/etc/haproxy/haproxy.cfg
docker compose up -d
echo "✅ https://$DOMAIN"
```
Если хочешь, следующим сообщением дам ещё `renew.sh` и `cron` под автообновление сертификата.