test

.forgejo/workflows/build-docker-images.yaml

@@ -0,0 +1,53 @@
+name: Build and Push Docker Image
+
+on:
+  push:
+    branches: [main]
+    tags: ["v*"]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-24.04
+
+    steps:
+      - name: Checkout repository
+        uses: https://github.com/actions/checkout@v3
+
+      - name: Set up QEMU
+        uses: https://github.com/docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: https://github.com/docker/setup-buildx-action@v2
+
+      - name: Log in to GitHub Container Registry
+        if: github.event_name != 'pull_request'
+        uses: https://github.com/docker/login-action@v2
+        with:
+          registry: git.nokiy.net
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: https://github.com/docker/metadata-action@v4
+        with:
+          images: git.nokiy.net/${{ github.repository }}
+          tags: |
+            type=ref,event=branch
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=sha,format=short
+
+      - name: Build and push Docker image
+        uses: https://github.com/docker/build-push-action@v4
+        with:
+          context: templates/sing-box-reality-server
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

docker-compose.yaml

@@ -1,16 +1,15 @@
 services:
   sing-box:
-    image: ghcr.io/sagernet/sing-box:v1.12.0-alpha.9
+    build:
+      context: templates/sing-box-reality-server
+      dockerfile: Dockerfile
     restart: always
     container_name: sing-box
+    environment:
+      PROJECT_ID: ${PROJECT_ID}
+      INFISICAL_API_URL: https://infisical.nokiy.net/api
+      INFISICAL_SECRET_ENV: ${INFISICAL_SECRET_ENV:-prod}
+      INFISICAL_MACHINE_CLIENT_ID: ${INFISICAL_MACHINE_CLIENT_ID}
+      INFISICAL_MACHINE_CLIENT_SECRET: ${INFISICAL_MACHINE_CLIENT_SECRET}
     ports:
       - 443:443
-      - 127.0.0.1:10800:8080
-    volumes:
-      - ./singbox.json:/etc/sing-box/config.json:ro
-    command: -D /var/lib/sing-box -c /etc/sing-box/config.json run
-
-  warp:
-    image: ghcr.io/aleskxyz/warp-svc:v1.5.0
-    restart: always
-    container_name: warp

templates/sing-box-reality-server/Dockerfile

@@ -0,0 +1,19 @@
+FROM ghcr.io/sagernet/sing-box:v1.12.0-beta.14
+
+RUN apk add --no-cache curl
+
+RUN curl -1sLf \
+    'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash \
+    && apk add infisical
+
+RUN curl -L https://github.com/a8m/envsubst/releases/download/v1.2.0/envsubst-`uname -s`-`uname -m` -o envsubst \
+    && chmod +x envsubst \
+    && mv envsubst /usr/local/bin
+
+COPY ./sing-box-reality-server.json /etc/sing-box/config.template.json
+
+COPY ./start.sh /usr/local/bin/start.sh
+
+ENTRYPOINT ["/usr/bin/env"] 
+
+CMD ["/usr/local/bin/start.sh"]

templates/sing-box-reality-server/sing-box-reality-server.json

@@ -0,0 +1,57 @@
+{
+    "log": {
+        "level": "info",
+        "timestamp": true
+    },
+    "dns": {
+        "servers": [
+            {
+                "tag": "dns:cloudflare",
+                "type": "h3",
+                "server": "1.1.1.1",
+                "server_port": 443
+            }
+        ]
+    },
+    "ntp": {
+        "enabled": true,
+        "server": "pool.ntp.org",
+        "server_port": 123,
+        "interval": "60m"
+    },
+    "inbounds": [
+        {
+            "type": "vless",
+            "tag": "in:vless",
+            "listen": "::",
+            "listen_port": 443,
+            "users": [
+                {
+                    "uuid": "${UUID}",
+                    "flow": "xtls-rprx-vision"
+                }
+            ],
+            "tls": {
+                "enabled": true,
+                "server_name": "${DOMAIN}",
+                "reality": {
+                    "enabled": true,
+                    "handshake": {
+                        "server": "${DOMAIN}",
+                        "server_port": 443
+                    },
+                    "private_key": "${PRIVATE_KEY}",
+                    "short_id": [
+                        "${SHORT_ID}"
+                    ]
+                }
+            }
+        }
+    ],
+    "outbounds": [
+        {
+            "type": "direct",
+            "tag": "out:direct"
+        }
+    ]
+}

templates/sing-box-reality-server/start.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+export INFISICAL_TOKEN=$(infisical login --method=universal-auth --client-id=$INFISICAL_MACHINE_CLIENT_ID --client-secret=$INFISICAL_MACHINE_CLIENT_SECRET --plain --silent)
+exec infisical run --token $INFISICAL_TOKEN --projectId $PROJECT_ID --env $INFISICAL_SECRET_ENV --domain $INFISICAL_API_URL --command "envsubst < /etc/sing-box/config.template.json > /etc/sing-box/config.json && sing-box run -c /etc/sing-box/config.json"