feat: add more Agent services & easytier

2026-04-19 12:26:54 +08:00
parent 0e948befac
commit 0b5ba69cb0
30 changed files with 1775 additions and 0 deletions
@@ -0,0 +1,30 @@
+# EasyTier image version
+EASYTIER_VERSION=v2.6.0
+
+# Timezone
+TZ=UTC
+
+# Virtual network name (shared with all peers in the same network)
+EASYTIER_NETWORK_NAME=easytier
+
+# Virtual network secret — REQUIRED, change before deploying
+# Generate a strong secret: openssl rand -hex 16
+EASYTIER_NETWORK_SECRET=
+
+# Virtual IPv4 address of this server node within the EasyTier network
+EASYTIER_IPV4=10.144.144.1
+
+# Host port for peer TCP connections
+EASYTIER_TCP_PORT_OVERRIDE=11010
+
+# Host port for peer UDP connections
+EASYTIER_UDP_PORT_OVERRIDE=11010
+
+# Host port for the management RPC portal (bound to 127.0.0.1 by default)
+EASYTIER_RPC_PORT_OVERRIDE=15888
+
+# Resource limits
+EASYTIER_CPU_LIMIT=0.50
+EASYTIER_MEMORY_LIMIT=128M
+EASYTIER_CPU_RESERVATION=0.10
+EASYTIER_MEMORY_RESERVATION=32M
@@ -0,0 +1,88 @@
+# EasyTier
+
+[English](./README.md) | [中文](./README.zh.md)
+
+[EasyTier](https://github.com/EasyTier/EasyTier) is a mesh VPN networking tool that lets you build a private, encrypted overlay network across hosts that are behind NAT or firewalls. This stack deploys EasyTier as a **public relay server** — a stable entry point that peers can use for discovery and traffic relay when direct connections are not possible.
+
+## Services
+
+- `easytier`: EasyTier core node running in relay-only mode (`--no-tun`), without creating a local TUN interface.
+
+## Ports
+
+| Port       | Protocol | Description                                                        |
+| ---------- | -------- | ------------------------------------------------------------------ |
+| `11010`    | TCP      | Peer connection listener — must be publicly reachable              |
+| `11010`    | UDP      | Peer connection listener — must be publicly reachable              |
+| `15888`    | TCP      | Management RPC portal (bound to `127.0.0.1` by default)           |
+
+## Environment Variables
+
+| Variable                    | Description                                         | Default          |
+| --------------------------- | --------------------------------------------------- | ---------------- |
+| `EASYTIER_VERSION`          | EasyTier image version                              | `v2.6.0`         |
+| `TZ`                        | Timezone                                            | `UTC`            |
+| `EASYTIER_NETWORK_NAME`     | Virtual network name shared by all peers            | `easytier`       |
+| `EASYTIER_NETWORK_SECRET`   | Network secret (password); **required**             | `""`             |
+| `EASYTIER_IPV4`             | Virtual IPv4 of this server node                    | `10.144.144.1`   |
+| `EASYTIER_TCP_PORT_OVERRIDE`| Host port for peer TCP listener                     | `11010`          |
+| `EASYTIER_UDP_PORT_OVERRIDE`| Host port for peer UDP listener                     | `11010`          |
+| `EASYTIER_RPC_PORT_OVERRIDE`| Host port for management RPC (localhost only)       | `15888`          |
+| `EASYTIER_CPU_LIMIT`        | CPU limit                                           | `0.50`           |
+| `EASYTIER_MEMORY_LIMIT`     | Memory limit                                        | `128M`           |
+
+## Quick Start
+
+1. Copy `.env.example` and set a strong network secret:
+
+   ```bash
+   cp .env.example .env
+   ```
+
+   Edit `.env`:
+
+   ```env
+   EASYTIER_NETWORK_NAME=myvpn
+   EASYTIER_NETWORK_SECRET=<your-strong-secret>
+   ```
+
+   Generate a secret with: `openssl rand -hex 16`
+
+2. Start the server:
+
+   ```bash
+   docker compose up -d
+   ```
+
+3. Verify the node is healthy:
+
+   ```bash
+   docker compose exec easytier easytier-cli -p 127.0.0.1:15888 node info
+   ```
+
+4. On each peer machine, connect to this server:
+
+   ```bash
+   easytier-core \
+     --network-name myvpn \
+     --network-secret <your-strong-secret> \
+     --peers tcp://<server-public-ip>:11010 \
+     --ipv4 10.144.144.2
+   ```
+
+## Storage
+
+This stack does not use persistent volumes. Configuration is provided entirely via command-line flags derived from environment variables.
+
+## Security Notes
+
+- **`EASYTIER_NETWORK_SECRET` is required.** An empty secret leaves the network open to any peer that knows the network name. Always set a strong random value before exposing this server to the internet.
+- The management RPC port (`15888`) is bound to `127.0.0.1` by default. Do not expose it publicly unless you have separate authentication in place.
+- Ports `11010/tcp` and `11010/udp` must be open in your firewall / cloud security group for peers to reach this server.
+- This stack runs in `--no-tun` relay mode. No kernel TUN device is created, so no elevated capabilities (`NET_ADMIN`) are required and `cap_drop: ALL` is applied.
+- If you need this server node to also participate as a VPN peer (with a local virtual interface), remove `--no-tun` from `command` and add `cap_add: [NET_ADMIN]` to the service.
+
+## Documentation
+
+- [EasyTier GitHub](https://github.com/EasyTier/EasyTier)
+- [EasyTier Documentation](https://www.easytier.top/guide/introduction.html)
@@ -0,0 +1,88 @@
+# EasyTier
+
+[English](./README.md) | [中文](./README.zh.md)
+
+[EasyTier](https://github.com/EasyTier/EasyTier) 是一款网状 VPN 组网工具，可在 NAT 或防火墙后面的主机之间构建私有加密覆盖网络。本配置将 EasyTier 部署为**公共中继服务器**——作为稳定的入口节点，供各客户端节点在无法直连时进行发现和流量中转。
+
+## 服务
+
+- `easytier`：以中继模式（`--no-tun`）运行的 EasyTier 核心节点，不创建本地 TUN 网络接口。
+
+## 端口
+
+| 端口    | 协议 | 说明                                              |
+| ------- | ---- | ------------------------------------------------- |
+| `11010` | TCP  | 节点连接监听端口——需公网可达                      |
+| `11010` | UDP  | 节点连接监听端口——需公网可达                      |
+| `15888` | TCP  | 管理 RPC 端口（默认仅绑定 `127.0.0.1`）           |
+
+## 环境变量
+
+| 变量名                       | 描述                              | 默认值         |
+| ---------------------------- | --------------------------------- | -------------- |
+| `EASYTIER_VERSION`           | EasyTier 镜像版本                 | `v2.6.0`       |
+| `TZ`                         | 时区                              | `UTC`          |
+| `EASYTIER_NETWORK_NAME`      | 所有节点共享的虚拟网络名称        | `easytier`     |
+| `EASYTIER_NETWORK_SECRET`    | 网络密钥（密码），**必须设置**    | `""`           |
+| `EASYTIER_IPV4`              | 本服务器节点在虚拟网络中的 IPv4  | `10.144.144.1` |
+| `EASYTIER_TCP_PORT_OVERRIDE` | 节点 TCP 监听端口（宿主机映射）   | `11010`        |
+| `EASYTIER_UDP_PORT_OVERRIDE` | 节点 UDP 监听端口（宿主机映射）   | `11010`        |
+| `EASYTIER_RPC_PORT_OVERRIDE` | 管理 RPC 端口（仅本机可访问）     | `15888`        |
+| `EASYTIER_CPU_LIMIT`         | CPU 上限                          | `0.50`         |
+| `EASYTIER_MEMORY_LIMIT`      | 内存上限                          | `128M`         |
+
+## 快速开始
+
+1. 复制 `.env.example` 并设置强网络密钥：
+
+   ```bash
+   cp .env.example .env
+   ```
+
+   编辑 `.env`：
+
+   ```env
+   EASYTIER_NETWORK_NAME=myvpn
+   EASYTIER_NETWORK_SECRET=<你的强密钥>
+   ```
+
+   生成随机密钥：`openssl rand -hex 16`
+
+2. 启动服务：
+
+   ```bash
+   docker compose up -d
+   ```
+
+3. 验证节点状态：
+
+   ```bash
+   docker compose exec easytier easytier-cli -p 127.0.0.1:15888 node info
+   ```
+
+4. 在各客户端机器上连接到此服务器：
+
+   ```bash
+   easytier-core \
+     --network-name myvpn \
+     --network-secret <你的强密钥> \
+     --peers tcp://<服务器公网 IP>:11010 \
+     --ipv4 10.144.144.2
+   ```
+
+## 数据卷
+
+本配置不使用持久化卷，所有配置均通过环境变量转换为命令行参数传入。
+
+## 安全说明
+
+- **`EASYTIER_NETWORK_SECRET` 为必填项。** 若密钥为空，任何知道网络名称的节点均可接入，请务必在公网暴露前设置强密钥。
+- 管理 RPC 端口（`15888`）默认仅绑定 `127.0.0.1`，请勿在无额外认证保护的情况下对外暴露。
+- 防火墙及云安全组需放行 `11010/tcp` 和 `11010/udp`，客户端节点才能连接到本服务器。
+- 本配置以 `--no-tun` 中继模式运行，无需创建 TUN 设备，因此无需提升内核权限（`NET_ADMIN`），已应用 `cap_drop: ALL`。
+- 如需服务器节点同时作为 VPN 网络中的普通成员（拥有本地虚拟网卡），请移除 `command` 中的 `--no-tun` 参数，并在服务中添加 `cap_add: [NET_ADMIN]`。
+
+## 文档
+
+- [EasyTier GitHub](https://github.com/EasyTier/EasyTier)
+- [EasyTier 官方文档](https://www.easytier.top/guide/introduction.html)
@@ -0,0 +1,46 @@
+x-defaults: &defaults
+  restart: unless-stopped
+  logging:
+    driver: json-file
+    options:
+      max-size: 100m
+      max-file: '3'
+
+services:
+  easytier:
+    <<: *defaults
+    image: ${GLOBAL_REGISTRY:-}easytier/easytier:${EASYTIER_VERSION:-v2.6.0}
+    command:
+      - --network-name=${EASYTIER_NETWORK_NAME:-easytier}
+      - --network-secret=${EASYTIER_NETWORK_SECRET:-}
+      - --ipv4=${EASYTIER_IPV4:-10.144.144.1}
+      - --listeners
+      - tcp://0.0.0.0:11010
+      - udp://0.0.0.0:11010
+      - --rpc-portal=0.0.0.0:15888
+      - --no-tun
+    ports:
+      # Peer listener ports — must be reachable from the public internet
+      - '${EASYTIER_TCP_PORT_OVERRIDE:-11010}:11010/tcp'
+      - '${EASYTIER_UDP_PORT_OVERRIDE:-11010}:11010/udp'
+      # Management RPC — bind to localhost only by default for security
+      - '127.0.0.1:${EASYTIER_RPC_PORT_OVERRIDE:-15888}:15888'
+    environment:
+      - TZ=${TZ:-UTC}
+    # No TUN interface in server-relay mode; no special capabilities required
+    cap_drop:
+      - ALL
+    deploy:
+      resources:
+        limits:
+          cpus: ${EASYTIER_CPU_LIMIT:-0.50}
+          memory: ${EASYTIER_MEMORY_LIMIT:-128M}
+        reservations:
+          cpus: ${EASYTIER_CPU_RESERVATION:-0.10}
+          memory: ${EASYTIER_MEMORY_RESERVATION:-32M}
+    healthcheck:
+      test: ['CMD', 'easytier-cli', '-p', '127.0.0.1:15888', 'node', 'info']
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 15s