waves/setup.sh at prod · DaRealFreedom/waves · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
#!/bin/bash

echo "The setup proccess is about to start, if you have any issues join discord.gg/dJvdkPRheV for support."
echo ""
echo "Type 'ok' to continue or 'cancel' to abort."

while true; do
    read -p "> " user_input
    case "$user_input" in
        ok)
            echo "Starting setup..."
            break
            ;;
        cancel)
            echo "Setup aborted."
            exit 0
            ;;
        *)
            echo "Please type 'ok' or 'cancel'."
            ;;
    esac
done

sudo ip link delete veth0-global 2>/dev/null
sudo modprobe nf_conntrack

sudo apt-get update -y
sudo apt-get install -y unzip libcap2-bin jq dnsutils build-essential pkg-config libssl-dev git debian-keyring debian-archive-keyring apt-transport-https coturn

if ! command -v bun; then
  curl -fsSL https://bun.sh/install | bash
  export PATH="$HOME/.bun/bin:$PATH"
fi

if ! $HOME/.bun/bin/bun pm -g ls | grep -q "pm2@"; then
  $HOME/.bun/bin/bun add -g pm2
else
  $HOME/.bun/bin/bun update -g pm2
fi

if ! command -v cargo; then
  curl https://sh.rustup.rs -sSf | sh -s -- -y
  export PATH="$HOME/.cargo/bin:$PATH"
fi

if ! dpkg-query -l | grep -q caddy; then
  curl -1sLf "https://dl.cloudsmith.io/public/caddy/stable/gpg.key" | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
  curl -1sLf "https://dl.cloudsmith.io/public/caddy/stable/deb.debian.txt" | sudo tee /etc/apt/sources.list.d/caddy-stable.list
  sudo apt-get update -y
  sudo apt-get install -y caddy
fi

if ! command -v node; then
  curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash -
  sudo apt-get install -y nodejs
fi

sudo rm -f /usr/local/bin/wireproxy /etc/wireproxy/wireproxy.conf
rm -f wireproxy.tar.gz
cat <<EOF | sudo tee /etc/sysctl.d/99-waves-optimizations.conf
net.netfilter.nf_conntrack_max = 524288
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 10
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 10
net.netfilter.nf_conntrack_tcp_timeout_established = 7200
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
net.core.somaxconn = 65535
net.core.netdev_max_backlog = 65535
net.ipv4.tcp_max_syn_backlog = 65535
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.ip_local_port_range = 1024 65535
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.udp_rmem_min = 8192
net.ipv4.udp_wmem_min = 8192
fs.file-max = 2097152
fs.nr_open = 2097152
vm.swappiness = 10
vm.vfs_cache_pressure = 50
EOF
sudo sysctl -p /etc/sysctl.d/99-waves-optimizations.conf
if ! grep -q "^\* soft nofile" /etc/security/limits.conf; then
  echo "* soft nofile 1048576" | sudo tee -a /etc/security/limits.conf
fi
if ! grep -q "^\* hard nofile" /etc/security/limits.conf; then
  echo "* hard nofile 1048576" | sudo tee -a /etc/security/limits.conf
fi

if [ ! -d "$HOME/epoxy-tls" ]; then
    git clone https://github.com/MercuryWorkshop/epoxy-tls.git "$HOME/epoxy-tls"
fi
cd "$HOME/epoxy-tls"
git fetch && git checkout . && git pull
if ! grep -q "^\[profile.release\]" Cargo.toml; then
    printf "\n[profile.release]\nlto = \"fat\"\ncodegen-units = 1\npanic = \"abort\"\nstrip = true\nopt-level = 3\n" >> Cargo.toml
fi
RUSTFLAGS="-C target-cpu=native" "$HOME/.cargo/bin/cargo" build --release
sudo cp target/release/epoxy-server /usr/local/bin/epoxy-server
sudo setcap cap_net_bind_service=+ep /usr/local/bin/epoxy-server

PUBLIC_IP=$(curl -s4 ifconfig.me)
[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig +short txt ch whoami.cloudflare @1.0.0.1 | tr -d '"')

sudo tee /etc/turnserver.conf <<EOF
listening-port=3478
fingerprint
lt-cred-mech
user=luy:l4uy
realm=waves.lat
external-ip=$PUBLIC_IP
min-port=49152
max-port=65535
log-file=/var/log/turnserver.log
verbose
EOF
sudo systemctl enable coturn
sudo systemctl restart coturn

cd "$HOME/waves"
export PATH="$HOME/.bun/bin:$PATH"
export IP="$PUBLIC_IP"
bun install
bun run build

sudo mkdir -p /etc/epoxy-server /etc/systemd/system/caddy.service.d

sudo tee /etc/systemd/system/caddy.service.d/override.conf <<EOF
[Service]
Environment="NO_PROXY=127.0.0.1"
EOF
sudo systemctl daemon-reload

sudo tee /etc/caddy/Caddyfile <<EOF
{
    email sefiicc@gmail.com

    servers {
        protocols h1 h2 h3
    }

    on_demand_tls {
        ask http://127.0.0.1:3001/
    }
}

:443 {
    tls {
        on_demand
    }

    @websockets {
        path /w/*
        header Connection *Upgrade*
        header Upgrade websocket
    }

    reverse_proxy @websockets 127.0.0.1:8080 {
        header_up X-Real-IP {remote_host}
        header_up X-Forwarded-For {remote_host}

        transport http {
            keepalive 256s
            keepalive_idle_conns 512
            keepalive_idle_conns_per_host 256
            dial_timeout 5s
        }
    }

    reverse_proxy /!!/* 127.0.0.1:4000 {
        header_up X-Forwarded-For {remote_host}
        header_up X-Real-IP {remote_host}

        flush_interval -1

        transport http {
            keepalive 256s
            keepalive_idle_conns 512
            keepalive_idle_conns_per_host 256
            dial_timeout 5s
            response_header_timeout 60s
        }
    }

    reverse_proxy 127.0.0.1:3000 {
        header_up X-Forwarded-For {remote_host}
        header_up X-Real-IP {remote_host}

        transport http {
            keepalive 256s
            keepalive_idle_conns 512
            keepalive_idle_conns_per_host 256
            dial_timeout 5s
        }
    }

    encode zstd gzip

    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        X-Frame-Options "ALLOWALL"
        X-Content-Type-Options "nosniff"
        X-XSS-Protection "1; mode=block"
        Referrer-Policy "no-referrer"
        Permissions-Policy "interest-cohort=(), payment=(), usb=(), geolocation=()"
    }
}

:80 {
    redir https://{host}{uri} permanent
}
EOF

sudo tee /etc/epoxy-server/config.toml <<EOF
[server]
bind = ["tcp", "0.0.0.0:8080"]
transport = "websocket"
resolve_ipv6 = false
tcp_nodelay = true
file_raw_mode = false
use_real_ip_headers = false
non_ws_response = "Hii! You should join discord.gg/dJvdkPRheV"
max_message_size = 65536
log_level = "OFF"
runtime = "multithread"
[wisp]
allow_wsproxy = true
buffer_size = 524288
prefix = "/w"
wisp_v2 = true
extensions = ["udp", "motd"]
password_extension_required = false
certificate_extension_required = false
[stream]
tcp_nodelay = true
buffer_size = 524288
allow_udp = true
allow_wsproxy_udp = false
dns_servers = ["94.140.14.14", "94.140.15.15", "176.103.130.130", "176.103.130.131"]
allow_direct_ip = true
allow_loopback = true
allow_multicast = true
allow_global = true
allow_non_global = true
allow_tcp_hosts = []
block_tcp_hosts = []
allow_udp_hosts = []
block_udp_hosts = []
allow_hosts = []
block_hosts = []
allow_ports = []
block_ports = []
EOF

"$HOME/.bun/bin/pm2" stop all
"$HOME/.bun/bin/pm2" delete all

tee ecosystem.config.cjs <<EOF
module.exports = {
  apps: [
    {
      name: "ask",
      script: "bun",
      args: "run ask.js",
      exec_mode: "fork",
      instances: 1,
      autorestart: true,
      max_memory_restart: "150M"
    },
    {
      name: "waves-ui",
      script: "./index.mjs",
      exec_mode: "fork",
      instances: 1,
      autorestart: true,
      max_memory_restart: "1G",
      node_args: "--max-old-space-size=512 --turbo-fast-api-calls --no-warnings",
      env: {
        NODE_ENV: "production",
        PORT: "3000"
      }
    },
    {
      name: "waves-bridge",
      script: "./bridge-server.mjs",
      exec_mode: "cluster",
      instances: "max",
      autorestart: true,
      max_memory_restart: "6G",
      exp_backoff_restart_delay: 100,
      node_args: "--max-old-space-size=6144 --turbo-fast-api-calls --no-warnings --max-http-header-size=32768",
      env: {
        NODE_ENV: "production",
        BRIDGE_PORT: "4000",
        UV_THREADPOOL_SIZE: "128"
      }
    },
    {
      name: "epoxy-server",
      script: "/usr/local/bin/epoxy-server",
      args: ["/etc/epoxy-server/config.toml"],
      exec_mode: "fork",
      instances: 1,
      autorestart: true,
      max_memory_restart: "4G",
      env: {
        RUST_LOG: "off"
      }
    }
  ]
};
EOF

sudo caddy fmt --overwrite /etc/caddy/Caddyfile
sudo caddy validate --config /etc/caddy/Caddyfile
sudo systemctl restart caddy

if command -v ufw && ufw status | grep -q "Status: active"; then
    sudo ufw allow 80/tcp
    sudo ufw allow 443/tcp
    sudo ufw allow 443/udp
    sudo ufw allow 3478/tcp
    sudo ufw allow 3478/udp
    sudo ufw allow 49152:65535/udp
fi

"$HOME/.bun/bin/pm2" start ecosystem.config.cjs --update-env
"$HOME/.bun/bin/pm2" save
sudo env PATH=$PATH:$HOME/.bun/bin "$HOME/.bun/bin/pm2" startup systemd -u "$USER" --hp "$HOME"

echo "Done! Your Waves instance is now all setup and ready to be used!!!!"