This is the deployment for my personal server with xray on board, for me and my friends to bypass internet censorship.
There are three types of components: GH Pages, metrics and proxy. GH Actions must be configured for this repository. Metrics is deployed as a single instance (sharding is not supported). Proxies can be deployed as many instances as needed; each instance must have a dedicated IP address and, if one exists, a DNS record. All hosts must be Debian hosts with public IPs.
GH Pages: serves static content:
- static HTML pages with installation instructions, developed in a separate repository: xray-server-frontend. Each user gets a private instruction link with a personal ShadowSocks configuration, which the user uses once to install it
- personal dynamic ShadowSocks configuration JSON files (SIP008) for each client, which the ShadowSocks client fetches each time before connecting to a ShadowSocks server
- personal vless subscription files for each client, which Hiddify uses to refresh its list of available servers
GitHub Pages serves these files without any authentication, so the privacy of a user's instruction link, SIP008 file and subscription rests entirely on their paths being unguessable: treat each link as a bearer secret and never post it publicly.
Playbook: users-configs.yml. It only renders the files locally; they are uploaded to GitHub Pages by GitHub Actions.
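To make the two per-client file formats concrete, here is an added example of rendering them for one client: a SIP008 online-config document and a base64 subscription of `vless://` share links. This is illustration written for this README, not the project's users-configs.yml templates; the inventory, the client record, the `chacha20-ietf-poly1305` method, the `security=tls` link parameters and the uuid5-derived SIP008 server ids are all assumptions.

```python
"""Render one client's SIP008 JSON and vless subscription.

Added example for this README (not the project's playbook output). All
hosts, ports, ids and passwords below are constructed for illustration.
"""
import base64
import json
import uuid
from urllib.parse import quote, urlencode

# Constructed inventory: one entry per proxy host, each with its own IP/DNS name.
SERVERS = [
    {"name": "proxy-1", "host": "proxy-1.example.net", "ss_port": 8388,
     "vless_port": 443, "sni": "proxy-1.example.net"},
    {"name": "proxy-2", "host": "203.0.113.10", "ss_port": 8388,
     "vless_port": 443, "sni": "proxy-2.example.net"},
]

# Constructed client record: the uuid is the vless id, the ss password is a
# separate per-client secret. Both are bearer credentials.
CLIENT = {
    "email": "alice",
    "uuid": "2b6f5b0e-3f4d-4c2b-9a57-1b0a0f2a5d11",
    "ss_password": "example-ss-password",
}
SS_METHOD = "chacha20-ietf-poly1305"  # assumed cipher, an AEAD one


def build_sip008(client, servers):
    """SIP008 online-config document: {"version": 1, "servers": [...]}.

    The client re-fetches it before every connection, so adding or removing
    a proxy host only requires republishing this file.
    """
    return {
        "version": 1,
        "servers": [
            {
                # SIP008 wants a stable UUID per server entry; derive it
                # deterministically so re-rendering does not churn ids.
                "id": str(uuid.uuid5(uuid.UUID(client["uuid"]), s["name"])),
                "remarks": s["name"],
                "server": s["host"],
                "server_port": s["ss_port"],
                "password": client["ss_password"],
                "method": SS_METHOD,
                "plugin": "",
                "plugin_opts": "",
            }
            for s in servers
        ],
    }


def render_sip008(client, servers):
    """JSON text as it would be published on GH Pages."""
    return json.dumps(build_sip008(client, servers), indent=2)


def vless_link(client, server):
    """vless://<uuid>@<host>:<port>?<params>#<remark>, the share-link form
    that Hiddify and other clients import."""
    params = urlencode({
        "encryption": "none",       # vless has no built-in encryption layer
        "security": "tls",          # assumed transport security
        "sni": server["sni"],
        "type": "tcp",
    })
    return (f"vless://{client['uuid']}@{server['host']}:{server['vless_port']}"
            f"?{params}#{quote(server['name'])}")


def render_subscription(client, servers):
    """Subscription body: base64 of newline-separated share links."""
    links = "\n".join(vless_link(client, s) for s in servers) + "\n"
    return base64.b64encode(links.encode()).decode()


def parse_subscription(body):
    """Inverse of render_subscription, so CI can check what it is about to publish."""
    return base64.b64decode(body).decode().splitlines()


if __name__ == "__main__":
    print(render_sip008(CLIENT, SERVERS))
    print(render_subscription(CLIENT, SERVERS))
```

Both outputs embed the client's credentials in clear, which is why the files are per-client and live under private paths; `parse_subscription` is the kind of round-trip check worth running in the Actions job before the files are pushed to Pages.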
Metrics: a single Linux host with Prometheus installed. Users do not access this host. The host may have no domain name.
- prometheus (role: prometheus): monitoring to detect traffic abuse
Playbook: metrics.yml
Proxies: as many proxy hosts as needed can be deployed, but each one must have its own IP address and/or DNS record. Each proxy is a Linux host with the following installed:
- xray-core (role: xray), which proxies traffic:
  - if it is a valid vless connection, to the destination
  - otherwise, to server.fallback_proxy_target
- node-exporter (role: node-exporter): Prometheus exporter for hardware and OS metrics. Exports metrics on a TCP port reachable from localhost only
- xray-exporter (role: node-exporter): custom script that exports xray metrics. Exports metrics on a TCP port reachable from localhost only
- nginx (role: metrics-exporter), which proxies HTTPS requests arriving on the TCP port config_servers[uuid].prometheus_metrics.port to node-exporter and xray-exporter. This nginx port is the only metrics endpoint reachable from outside the host; the exporters themselves stay on localhost
Playbook: proxies.yml
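The xray-exporter above is the piece that turns xray's per-user traffic counters into something Prometheus can alert on. The following is an added example of that job, written for this README and not the project's own script: it assumes the input is the JSON printed by `xray api statsquery` (`{"stat": [{"name": ..., "value": ...}]}`, with xray's `user>>>email>>>traffic>>>uplink` counter names), invents the metric family names `xray_user_traffic_bytes_total` and friends, picks port 9101, and serves a constructed sample instead of calling xray so it runs offline.

```python
"""Export xray traffic counters in Prometheus text exposition format.

Added illustration for this README, not the project's xray-exporter.
Assumptions (mine, not the project's): input in the JSON shape printed by
`xray api statsquery`, and the metric family names defined in FAMILIES.
"""
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample in the shape of `xray api statsquery` output. xray names
# counters <scope>>>><id>>>>traffic>>><direction>; the values are cumulative
# since start (unless queried with reset), so they map onto Prometheus counters.
SAMPLE_STATS = json.dumps({"stat": [
    {"name": "user>>>alice>>>traffic>>>uplink", "value": "1234567"},
    {"name": "user>>>alice>>>traffic>>>downlink", "value": "98765432"},
    {"name": "user>>>bob>>>traffic>>>uplink", "value": "42"},
    {"name": "inbound>>>vless-in>>>traffic>>>downlink", "value": "98765474"},
    {"name": "inbound>>>api>>>traffic>>>uplink", "value": "0"},
]})

NAME_RE = re.compile(r"^(user|inbound|outbound)>>>(.+?)>>>traffic>>>(uplink|downlink)$")

# scope -> (metric family, label name); the family names are assumptions
FAMILIES = {
    "user": ("xray_user_traffic_bytes_total", "user"),
    "inbound": ("xray_inbound_traffic_bytes_total", "tag"),
    "outbound": ("xray_outbound_traffic_bytes_total", "tag"),
}


def parse_stats(text):
    """Yield (scope, id, direction, bytes) for each recognised counter."""
    for entry in json.loads(text).get("stat", []):
        m = NAME_RE.match(entry.get("name", ""))
        if not m:
            continue  # unknown counter shape: skip it rather than export garbage
        yield m.group(1), m.group(2), m.group(3), int(entry["value"])


def escape_label(value):
    """Prometheus label values must escape backslash, double quote and newline;
    user emails are attacker-influenced strings, so do not skip this."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")


def render_exposition(text):
    """Text exposition format, grouped per metric family."""
    samples = {}
    for scope, ident, direction, value in parse_stats(text):
        family, label = FAMILIES[scope]
        samples.setdefault((family, label), []).append((ident, direction, value))
    lines = []
    for (family, label), rows in samples.items():
        lines.append(f"# TYPE {family} counter")
        for ident, direction, value in rows:
            lines.append(f'{family}{{{label}="{escape_label(ident)}",'
                         f'direction="{direction}"}} {value}')
    return "\n".join(lines) + "\n"


def bytes_per_user(text):
    """Total bytes per user in both directions: the figure an abuse alert
    thresholds on."""
    totals = {}
    for scope, ident, _, value in parse_stats(text):
        if scope == "user":
            totals[ident] = totals.get(ident, 0) + value
    return totals


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        # A real exporter would run `xray api statsquery` here; the constructed
        # sample is served instead so the script runs without xray.
        body = render_exposition(SAMPLE_STATS).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; version=0.0.4; charset=utf-8")
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Loopback only, as the README requires; nginx is what exposes it.
    HTTPServer(("127.0.0.1", 9101), Handler).serve_forever()
```

Per-user counters only appear if xray's stats API and the `statsUserUplink`/`statsUserDownlink` policy flags are enabled in its config. With the counters exported as above, the abuse check the metrics host is there for is a plain PromQL rule such as `increase(xray_user_traffic_bytes_total[24h]) > <limit>`, summed over `direction`.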
This part requires Ansible knowledge. The deployment is tested on and implemented for Debian only.
- Initialize the pre-commit hook to prevent secrets from being leaked: install pre-commit, then run `pre-commit install` in the root of the repository.
- If the servers are not configured yet, skip this step and go to the "New server setup" section. Otherwise, if the servers are already configured, put the SSH private key in the id_rsa file in the root of the local repository and make sure that only you can read or write it: `chmod 600 id_rsa`
New server setup:
- Go to config and set up the config files or GitHub Secrets.
- Add your public key (the pair of the one you created in the root of the local repo) to the root user of every server.
- Run Deploy.
Updating the configuration:
- Update the config in config or update GitHub Secrets.
- Run Deploy.
Adding a new server:
- Update the config in config or update GitHub Secrets.
- Add your public key (the pair of the one you created in the root of the local repo) to the new server's root user.
- Run Deploy.
Read code and find out
- If you changed the deploy code: just push to the master branch. GitHub Actions will automatically apply the updates to the servers.
- If you changed the list of users: manually trigger the "CD | Production" workflow.
The following GitHub secrets are required for CD:
- KNOWN_HOSTS: list of known hosts in the format of .ssh/known_hosts. This pins the servers' host keys, so the workflow refuses to connect to a host presenting a different key.
- SSH_PRIVATE_KEY: SSH private key used to access the servers.
- the secrets described in config.
Make targets:
```sh
make deploy_proxies deploy_metrics
make -e DOMAIN=<domain where GH pages are deployed> render_users_csv
make generate_uuid
```