From d9233cc34e389665dba7c1c79aeab1b58677ae1d Mon Sep 17 00:00:00 2001
From: DaTekShaman
Date: Sun, 15 Feb 2026 12:30:29 +0300
Subject: [PATCH] Refactor iptables setup scripts: remove legacy script and add new warpgate configuration script
---
 scripts/config-warpgate.sh | 208 +++++++++++++++++++
 scripts/iptables-mihomo-setup.sh | 3 +-
 scripts/{ => legacy}/iptables-clash-setup.sh | 2 +-
 3 files changed, 211 insertions(+), 2 deletions(-)
 create mode 100644 scripts/config-warpgate.sh
 rename scripts/{ => legacy}/iptables-clash-setup.sh (95%)
diff --git a/scripts/config-warpgate.sh b/scripts/config-warpgate.sh
new file mode 100644
index 0000000..67ae398
--- /dev/null
+++ b/scripts/config-warpgate.sh
@@ -0,0 +1,208 @@
+#!/bin/bash
+set -euo pipefail
+
+# ==========================================
+# 0. USER INTERACTION
+# ==========================================
+# Запрашиваем пароль сразу, чтобы скрипт мог работать без присмотра дальше
+echo "-----------------------------------------------------"
+echo "🔐 USER SETUP"
+echo "-----------------------------------------------------"
+read -sp "Enter password for new user 'supervisor': " SUPERVISOR_PASS
+echo
+if [ -z "$SUPERVISOR_PASS" ]; then
+ echo "❌ Password cannot be empty."
+ exit 1
+fi
+
+# ==========================================
+# 1. CONFIGURATION
+# ==========================================
+
+# Netbird Setup Key (Get from Dashboard)
+NETBIRD_SETUP_KEY="YOUR_NETBIRD_SETUP_KEY_HERE"
+
+# Mihomo Version (Direct Link)
+# Используем Alpha версию как в твоем мануале. Для Stable ищи release tag.
+MIHOMO_URL="https://github.com/vernesong/mihomo/releases/download/Prerelease-Alpha/mihomo-linux-amd64-v3-alpha-smart-06249f8.gz"
+
+# Remote Resources (URLs)
+# Укажи здесь ссылки на raw-файлы из твоего Gitea/GitHub
+REPO_BASE="https://gitea.shamanlanding.org/DaTekShaman/clash-rules/raw/branch/main"
+
+URL_CONFIG_MIHOMO="${REPO_BASE}/config-clash/cadian/cadian.current.yaml"
+URL_UNIT_MIHOMO="${REPO_BASE}/systemd-units/mihomo.service"
+URL_UNIT_IPTABLES="${REPO_BASE}/systemd-units/mihomo-iptables.service"
+URL_SCRIPT_IPTABLES="${REPO_BASE}/scripts/iptables-mihomo-setup.sh"
+
+# Paths
+BIN_DIR="/usr/local/bin"
+CONF_DIR="/etc/mihomo"
+SYSTEMD_DIR="/etc/systemd/system"
+
+# ==========================================
+# 2. SYSTEM PREP & DEPENDENCIES
+# ==========================================
+echo ">>> [1/8] Updating system and installing dependencies..."
+apt-get update
+apt-get install -y curl wget ca-certificates gnupg tar iptables iproute2 gzip jq
+
+echo ">>> [2/8] Configuring Sysctl (Forwarding & TProxy requirements)..."
+# Критично для TProxy и маршрутизации
+cat < /etc/sysctl.d/99-warpgate.conf
+net.ipv4.ip_forward=1
+net.ipv6.conf.all.forwarding=1
+net.ipv4.conf.all.rp_filter=0
+net.ipv4.conf.default.rp_filter=0
+net.ipv4.conf.wt0.rp_filter=0
+EOF
+sysctl --system
+
+# ==========================================
+# 3. NETBIRD INSTALLATION
+# ==========================================
+echo ">>> [3/8] Installing Netbird..."
+if ! command -v netbird &> /dev/null; then
+ curl -fsSL https://pkgs.netbird.io/install.sh | sh
+fi
+
+echo ">>> Connecting Netbird..."
+if ! netbird status | grep -q "Connected"; then
+ if [ "$NETBIRD_SETUP_KEY" != "YOUR_NETBIRD_SETUP_KEY_HERE" ]; then
+ netbird up --setup-key "$NETBIRD_SETUP_KEY" --allow-server-ssh --enable-ssh-root
+ else
+ echo "WARNING: Netbird Setup Key not set. Run 'netbird up --setup-key KEY --allow-server-ssh --enable-ssh-root' manually later."
+ fi
+else
+ echo "Netbird is already connected."
+fi
+
+# ==========================================
+# 4. ADGUARD VPN CLI
+# ==========================================
+echo ">>> [4/8] Installing AdGuard VPN CLI..."
+if ! command -v adguardvpn-cli &> /dev/null; then
+ curl -fsSL https://raw.githubusercontent.com/AdguardTeam/AdGuardVPNCLI/master/scripts/release/install.sh | sh -s -- -v
+fi
+
+# Преднастройка (применится после логина)
+adguardvpn-cli config set-mode socks
+adguardvpn-cli config set-socks-host 0.0.0.0
+adguardvpn-cli config set-tun-routing-mode none
+
+# ==========================================
+# 5. MIHOMO INSTALLATION
+# ==========================================
+echo ">>> [5/8] Installing Mihomo..."
+
+# User
+if ! id "mihomo" &>/dev/null; then
+ useradd --system --no-create-home --shell /usr/sbin/nologin mihomo
+fi
+
+# Binary
+mkdir -p /opt/mihomo_tmp
+cd /opt/mihomo_tmp
+
+if [ ! -f "${BIN_DIR}/mihomo" ]; then
+ echo "Downloading Mihomo binary..."
+ wget -qO mihomo.gz "$MIHOMO_URL"
+ gzip -d mihomo.gz
+ mv mihomo "${BIN_DIR}/mihomo"
+ chmod +x "${BIN_DIR}/mihomo"
+else
+ echo "Mihomo binary already exists."
+fi
+
+# Directories
+mkdir -p "$CONF_DIR"
+mkdir -p /var/log/mihomo
+chown -R mihomo:mihomo "$CONF_DIR" /var/log/mihomo
+
+# ==========================================
+# 6. CONFIGURATION & UNITS DOWNLOAD
+# ==========================================
+echo ">>> [6/8] Downloading Configs and Units..."
+
+# 6.1 Mihomo Config
+if [ ! -f "${CONF_DIR}/config.yaml" ]; then
+ echo "Fetching Config: $URL_CONFIG_MIHOMO"
+ wget -qO "${CONF_DIR}/config.yaml" "$URL_CONFIG_MIHOMO"
+ chown mihomo:mihomo "${CONF_DIR}/config.yaml"
+else
+ echo "Config exists, skipping download to preserve settings."
+fi
+
+# 6.2 Iptables Setup Script
+echo "Fetching Script: $URL_SCRIPT_IPTABLES"
+wget -qO "${BIN_DIR}/iptables-mihomo-setup.sh" "$URL_SCRIPT_IPTABLES"
+chmod +x "${BIN_DIR}/iptables-mihomo-setup.sh"
+
+# 6.3 Systemd Units
+echo "Fetching Unit: $URL_UNIT_MIHOMO"
+wget -qO "${SYSTEMD_DIR}/mihomo.service" "$URL_UNIT_MIHOMO"
+
+echo "Fetching Unit: $URL_UNIT_IPTABLES"
+wget -qO "${SYSTEMD_DIR}/mihomo-iptables.service" "$URL_UNIT_IPTABLES"
+
+# 6.4 CONFIG VALIDATION
+echo "Validating Mihomo Configuration..."
+
+# -t = test config, -d = config directory
+if ! "${BIN_DIR}/mihomo" -t -d "$CONF_DIR"; then
+ echo "❌ ERROR: Mihomo configuration test failed!"
+ echo "Please inspect: ${CONF_DIR}/config.yaml"
+ # Прерываем скрипт, чтобы не ломать DNS и не запускать сломанный сервис
+ exit 1
+else
+ echo "✅ Configuration test passed."
+fi
+
+# Reload daemon to see new units
+systemctl daemon-reload
+
+# ==========================================
+# 7. USER & SSH SETUP (NEW)
+# ==========================================
+echo ">>> [7/8] Configuring User and SSH..."
+
+# 7.1 Create Supervisor
+if ! id "supervisor" &>/dev/null; then
+ # -m создает домашнюю папку, -G sudo дает права администратора
+ useradd -m -s /bin/bash -G sudo supervisor
+ echo "supervisor:${SUPERVISOR_PASS}" | chpasswd
+ echo "✅ User 'supervisor' created."
+else
+ echo "User 'supervisor' already exists."
+fi
+
+# 7.2 Configure SSHD
+# Включаем вход по паролю и отключаем вход рутом (хорошая практика)
+sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication yes/' /etc/ssh/sshd_config
+sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
+# На всякий случай включаем сервис
+systemctl enable ssh
+systemctl restart ssh
+echo "✅ SSH configured (Password Auth: YES)."
+
+# ==========================================
+# 7. DNS & FINALIZATION
+# ==========================================
+echo ">>> [8/8] Locking DNS..."
+
+systemctl stop systemd-resolved
+systemctl disable systemd-resolved
+rm -f /etc/resolv.conf
+echo "nameserver 127.0.0.1" > /etc/resolv.conf
+
+echo ">>> Enabling Services..."
+systemctl enable mihomo-iptables
+systemctl enable mihomo
+
+echo "-----------------------------------------------------"
+echo "INSTALLATION COMPLETE"
+echo "-----------------------------------------------------"
+echo "Next Steps:"
+echo "1. Login to AdGuard: 'adguardvpn-cli login'"
+echo "2. Start services: 'systemctl start mihomo-iptables mihomo'"
+echo "3. Check logs: 'journalctl -u mihomo -f'"
\ No newline at end of file
diff --git a/scripts/iptables-mihomo-setup.sh b/scripts/iptables-mihomo-setup.sh
index 666f501..a4f1a16 100644
--- a/scripts/iptables-mihomo-setup.sh
+++ b/scripts/iptables-mihomo-setup.sh
@@ -10,7 +10,8 @@ TPROXY_PORT="7893" # UDP/TCP TProxy
 FW_MARK="0x1"
 ROUTE_TABLE="100"
-EXCLUDE_IFACES=("tun0" "wg0")
+#EXCLUDE_IFACES=("tun0" "wg0" "wt0")
+EXCLUDE_IFACES=("tun0")
 # ----------------------------
 # Helpers
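Review bot: Everything this script installs for root — the Netbird and AdGuard installers piped from `curl` straight into `sh`, the mihomo binary from a pre-release URL, and the iptables script plus both systemd units pulled from REPO_BASE on `branch/main` — is fetched with no integrity check, and because `wget -qO target` truncates the target before the transfer, a failed fetch (which `set -e` turns into an abort) leaves an empty `${CONF_DIR}/config.yaml` that the `[ ! -f … ]` guard in 6.1 treats as a preserved config on the next run, so the rerun skips the download and dies at `mihomo -t` until someone deletes the file by hand. Fetch into a `mktemp` file, verify a pinned digest (a `MIHOMO_SHA256` set beside `MIHOMO_URL`, and the same for the REPO_BASE artifacts or a pinned commit instead of `branch/main`), and only then `install` it into place, as in the helper below. Two ordering problems also stand out: step [8/8] points /etc/resolv.conf at 127.0.0.1 while mihomo is only enabled and never started, so name resolution is down from that moment, including for the `adguardvpn-cli login` the "Next Steps" banner asks for; and step 7.2 restarts sshd immediately after two unverified `sed -i` edits without an `sshd -t` check, and edits only /etc/ssh/sshd_config although distributions that ship `Include /etc/ssh/sshd_config.d/*.conf` can override `PasswordAuthentication` from a drop-in. `adguardvpn-cli config set-socks-host 0.0.0.0` binds the SOCKS listener on every interface, public ones included, and nothing in this hunk (the iptables script it fetches is not visible here) is shown restricting it, so bind it to the loopback or Netbird address mihomo actually connects through. Finally, section 2 reads `cat < /etc/sysctl.d/99-warpgate.conf` in this rendering, which would read the file rather than write it; if the `<<EOF >` heredoc is really missing rather than lost to HTML extraction, the sysctl file is never created and `sysctl --system` applies nothing.
```shell
# Fetch URL into a temp file, check it against a pinned SHA-256, then install it with MODE.
# Usage: fetch_verified URL DEST MODE EXPECTED_SHA256
fetch_verified() {
  local url=$1 dest=$2 mode=$3 sum=$4 tmp
  tmp=$(mktemp) || exit 1
  wget -qO "$tmp" "$url"
  printf '%s  %s\n' "$sum" "$tmp" | sha256sum -c --quiet - || { rm -f -- "$tmp"; exit 1; }
  install -m "$mode" -- "$tmp" "$dest"
  rm -f -- "$tmp"
}

# … unchanged: sections 0–4 …
MIHOMO_SHA256="<sha256 of the pinned release — placeholder, set next to MIHOMO_URL>"
# … unchanged: user creation and directories in section 5 …
if [ ! -f "${BIN_DIR}/mihomo" ]; then
  echo "Downloading Mihomo binary..."
  fetch_verified "$MIHOMO_URL" /opt/mihomo_tmp/mihomo.gz 0644 "$MIHOMO_SHA256"
  gzip -d /opt/mihomo_tmp/mihomo.gz
  install -m 0755 -- /opt/mihomo_tmp/mihomo "${BIN_DIR}/mihomo"
# … unchanged: else branch, sections 6–8 (apply fetch_verified to the config, script and units too) …
```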
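Review bot: The commented-out `#EXCLUDE_IFACES=("tun0" "wg0" "wt0")` left above the live `EXCLUDE_IFACES=("tun0")` is dead configuration that records an alternative but not the reason, so a later reader cannot tell whether traffic arriving on the wg0 / wt0 (Netbird) interfaces is now meant to be TPROXY-intercepted or whether `wg0` fell out of the exclusion list by accident. Replace it with a why-comment, something like `# wg0/wt0 are deliberately not excluded: Netbird traffic must be intercepted by mihomo (config-warpgate.sh also clears rp_filter on wt0 for this)`, adjusted to whatever the actual intent is. The code that consumes EXCLUDE_IFACES lies outside this hunk, so I cannot confirm that no other rule still exempts those interfaces.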
diff --git a/scripts/iptables-clash-setup.sh b/scripts/legacy/iptables-clash-setup.sh
similarity index 95%
rename from scripts/iptables-clash-setup.sh
rename to scripts/legacy/iptables-clash-setup.sh
index 8eae58b..928faf6 100644
--- a/scripts/iptables-clash-setup.sh
+++ b/scripts/legacy/iptables-clash-setup.sh
@@ -26,7 +26,7 @@ iptables -t nat -I OUTPUT -m owner --uid-owner mihomo -j RETURN
 iptables -t nat -C OUTPUT -p tcp -j MIHOMO_REDIR 2>/dev/null || \
 iptables -t nat -A OUTPUT -p tcp -j MIHOMO_REDIR
-# Редирект вайргарда от Netbird неа порт 7982
+# Редирект вайргарда от Netbird на порт 7982
 # Перенаправляем трафик от интерфейса netbird в MIHOMO
 iptables -t nat -C PREROUTING -i wt0 -p tcp -j REDIRECT --to-port 7892 2>/dev/null || \
 iptables -t nat -A PREROUTING -i wt0 -p tcp -j REDIRECT --to-port 7892