feat: 三节点部署脚本（上海/CN中转/美国落地）

antigravity/maintenance/setup-node1-shanghai.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+# =============================================================
+# 节点 1：上海服务器
+# 部署：sub2api + node-tls-proxy + postgres + redis
+# =============================================================
+# 用法：bash setup-node1-shanghai.sh
+# 前置：已安装 Docker，已克隆仓库到当前目录
+
+set -euo pipefail
+GREEN='\033[0;32m' YELLOW='\033[1;33m' NC='\033[0m'
+ok()   { echo -e "${GREEN}✅ $*${NC}"; }
+info() { echo -e "${YELLOW}ℹ  $*${NC}"; }
+
+echo "================================================"
+echo "  节点1：上海服务器 部署"
+echo "================================================"
+
+# ── 1. 检查 Docker ─────────────────────────────────
+if ! command -v docker &>/dev/null; then
+    info "安装 Docker..."
+    curl -fsSL https://get.docker.com | bash
+    systemctl enable docker && systemctl start docker
+fi
+ok "Docker 已就绪"
+
+# ── 2. 进入 deploy 目录 ─────────────────────────────
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+DEPLOY_DIR="$(dirname "$SCRIPT_DIR")/deploy"
+cd "$DEPLOY_DIR"
+ok "工作目录: $DEPLOY_DIR"
+
+# ── 3. 生成 .env（如不存在）──────────────────────────
+if [ ! -f .env ]; then
+    cat > .env << EOF
+# ========== 必填 ==========
+POSTGRES_PASSWORD=$(openssl rand -hex 16)
+ADMIN_EMAIL=admin@sub2api.local
+ADMIN_PASSWORD=$(openssl rand -hex 8)
+JWT_SECRET=$(openssl rand -hex 32)
+TOTP_ENCRYPTION_KEY=$(openssl rand -hex 32)
+
+# ========== 时区（上海）==========
+TZ=Asia/Shanghai
+
+# ========== node-tls-proxy 指向 CN中转机 ==========
+# 上海的 sub2api 通过 GOST 把 TLS 流量送到 CN中转，
+# 中转再转发到美国落地，最终到 Anthropic/Google
+# 这里填 CN中转机 IP + GOST 暴露给上海的端口
+GATEWAY_NODE_TLS_PROXY_ENABLED=true
+GATEWAY_NODE_TLS_PROXY_LISTEN_HOST=<CN中转机IP>
+GATEWAY_NODE_TLS_PROXY_LISTEN_PORT=3456
+
+# ========== Gemini OAuth（如有）==========
+GEMINI_CLI_OAUTH_CLIENT_SECRET=
+ANTIGRAVITY_OAUTH_CLIENT_SECRET=
+EOF
+    ok ".env 已生成，请编辑填入 CN中转机 IP"
+    echo ""
+    echo "  → 编辑: nano $DEPLOY_DIR/.env"
+    echo "  → 修改 GATEWAY_NODE_TLS_PROXY_LISTEN_HOST=<CN中转机IP>"
+    echo ""
+    read -rp "填完后按 Enter 继续..." _
+fi
+
+# ── 4. 启动服务 ─────────────────────────────────────
+info "启动 sub2api + node-tls-proxy..."
+docker compose -f docker-compose.yml \
+               -f docker-compose.tls-proxy.yml \
+               pull
+docker compose -f docker-compose.yml \
+               -f docker-compose.tls-proxy.yml \
+               up -d
+
+ok "服务启动完成"
+
+# ── 5. 验证 ────────────────────────────────────────
+sleep 10
+echo ""
+echo "【验证】"
+docker ps --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}"
+echo ""
+if curl -sf http://127.0.0.1:8080/health >/dev/null 2>&1; then
+    ok "sub2api 健康检查通过（端口 8080）"
+else
+    echo "⏳ sub2api 还在启动，等 30 秒后手动检查..."
+fi
+
+echo ""
+echo "================================================"
+echo "  节点1 部署完成"
+echo "  管理面板: http://$(curl -sf ipinfo.io/ip 2>/dev/null || echo '<服务器IP>'):8080"
+echo "================================================"

antigravity/maintenance/setup-node2-cn-relay.sh

@@ -0,0 +1,96 @@
+#!/bin/bash
+# =============================================================
+# 节点 2：海外 CN 中转机
+# 部署：GOST 双向中转
+#   接收上海: relay+tls :3456  →  转发到美国落地 :8443
+# =============================================================
+# 用法：bash setup-node2-cn-relay.sh
+
+set -euo pipefail
+GREEN='\033[0;32m' YELLOW='\033[1;33m' RED='\033[0;31m' NC='\033[0m'
+ok()   { echo -e "${GREEN}✅ $*${NC}"; }
+info() { echo -e "${YELLOW}ℹ  $*${NC}"; }
+fail() { echo -e "${RED}❌ $*${NC}"; }
+
+# ── 配置（修改这里）──────────────────────────────────
+US_LANDING_IP="${US_LANDING_IP:-}"        # 美国落地机 IP
+GOST_USER="${GOST_USER:-gostuser}"
+GOST_PASS="${GOST_PASS:-$(openssl rand -hex 8)}"
+LISTEN_PORT_FROM_SH="${LISTEN_PORT_FROM_SH:-3456}"   # 接收上海的端口
+LISTEN_PORT_TO_US="${LISTEN_PORT_TO_US:-8443}"        # 美国落地机监听端口
+
+echo "================================================"
+echo "  节点2：海外CN中转机 部署"
+echo "================================================"
+
+# 检查必填
+if [ -z "$US_LANDING_IP" ]; then
+    read -rp "请输入美国落地机 IP: " US_LANDING_IP
+fi
+
+# ── 1. 安装 GOST ────────────────────────────────────
+if ! command -v gost &>/dev/null; then
+    info "安装 GOST..."
+    ARCH=$(uname -m)
+    [ "$ARCH" = "x86_64" ] && GARCH="amd64" || GARCH="arm64"
+    LATEST=$(curl -sf https://api.github.com/repos/go-gost/gost/releases/latest | grep '"tag_name"' | cut -d'"' -f4)
+    wget -qO /tmp/gost.tar.gz \
+        "https://github.com/go-gost/gost/releases/download/${LATEST}/gost_linux_${GARCH}.tar.gz"
+    tar xzf /tmp/gost.tar.gz -C /tmp/
+    mv /tmp/gost /usr/local/bin/gost
+    chmod +x /usr/local/bin/gost
+fi
+ok "GOST $(gost -V 2>/dev/null | head -1 || echo '已安装')"
+
+# ── 2. 创建 Systemd 服务 ────────────────────────────
+# 中转机职责：
+#   - 接收上海 sub2api 发来的 relay+tls 连接（:3456）
+#   - 将流量通过 relay+tls 转发到美国落地机（:8443）
+cat > /etc/systemd/system/gost-relay.service << EOF
+[Unit]
+Description=GOST CN Relay - 接收上海转发到美国落地
+After=network.target
+
+[Service]
+Type=simple
+User=nobody
+ExecStart=/usr/local/bin/gost \\
+    -L "relay+tls://${GOST_USER}:${GOST_PASS}@:${LISTEN_PORT_FROM_SH}" \\
+    -F "relay+tls://${GOST_USER}:${GOST_PASS}@${US_LANDING_IP}:${LISTEN_PORT_TO_US}"
+Restart=always
+RestartSec=5
+LimitNOFILE=65536
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl daemon-reload
+systemctl enable gost-relay
+systemctl restart gost-relay
+sleep 2
+ok "GOST 中转服务已启动"
+
+# ── 3. 防火墙开放端口 ───────────────────────────────
+if command -v ufw &>/dev/null; then
+    ufw allow "${LISTEN_PORT_FROM_SH}/tcp" comment "GOST from Shanghai" 2>/dev/null || true
+    ufw allow ssh 2>/dev/null || true
+    ok "ufw 端口已开放"
+fi
+
+# ── 4. 输出上海配置 ─────────────────────────────────
+MY_IP=$(curl -sf ipinfo.io/ip 2>/dev/null || echo '<本机IP>')
+echo ""
+echo "================================================"
+echo "  节点2 部署完成"
+echo "================================================"
+echo ""
+echo "【上海服务器 .env 填写以下值】"
+echo "  GATEWAY_NODE_TLS_PROXY_LISTEN_HOST=${MY_IP}"
+echo "  GATEWAY_NODE_TLS_PROXY_LISTEN_PORT=${LISTEN_PORT_FROM_SH}"
+echo ""
+echo "【GOST 认证信息（勿泄露）】"
+echo "  用户名: ${GOST_USER}"
+echo "  密码:   ${GOST_PASS}"
+echo ""
+systemctl status gost-relay --no-pager -l | tail -5

antigravity/maintenance/setup-node3-us-landing.sh

@@ -0,0 +1,143 @@
+#!/bin/bash
+# =============================================================
+# 节点 3：美国落地机（Debian 12，洛杉矶）
+# 部署：GOST 出口 + TCP 指纹伪装
+#   接收 CN中转 relay+tls :8443  →  直连 Anthropic/Google
+# =============================================================
+# 用法：sudo bash setup-node3-us-landing.sh
+
+set -euo pipefail
+GREEN='\033[0;32m' YELLOW='\033[1;33m' RED='\033[0;31m' NC='\033[0m'
+ok()   { echo -e "${GREEN}✅ $*${NC}"; }
+info() { echo -e "${YELLOW}ℹ  $*${NC}"; }
+fail() { echo -e "${RED}❌ $*${NC}"; }
+
+GOST_USER="${GOST_USER:-gostuser}"
+GOST_PASS="${GOST_PASS:-}"        # 与 CN中转机相同，启动时填写
+LISTEN_PORT="${LISTEN_PORT:-8443}"
+
+echo "================================================"
+echo "  节点3：美国落地机 部署（Debian 12 / LA）"
+echo "================================================"
+
+[ "$(id -u)" != "0" ] && { fail "请用 sudo 执行"; exit 1; }
+
+# ── 1. 系统更新 ─────────────────────────────────────
+info "更新系统包..."
+apt-get update -qq && apt-get upgrade -y -qq
+ok "系统已更新"
+
+# ── 2. TCP 指纹伪装（macOS 特征）──────────────────────
+info "应用 TCP 指纹伪装..."
+
+# 实时生效
+sysctl -w net.ipv4.ip_default_ttl=64          # TTL=64（macOS 标准）
+sysctl -w net.ipv4.tcp_timestamps=0            # 禁用 TCP 时间戳（防 uptime 推算）
+sysctl -w net.ipv4.tcp_window_scaling=1        # 窗口扩展（macOS 开启）
+sysctl -w net.ipv4.tcp_rmem="4096 65535 6291456"  # 接收窗口65535（macOS默认）
+sysctl -w net.ipv4.tcp_wmem="4096 65535 6291456"  # 发送窗口65535
+sysctl -w net.ipv6.conf.all.disable_ipv6=1
+sysctl -w net.ipv6.conf.default.disable_ipv6=1
+
+# BBR 拥塞控制（降低丢包，提高吞吐）
+sysctl -w net.core.default_qdisc=fq
+sysctl -w net.ipv4.tcp_congestion_control=bbr
+
+# 持久化到 sysctl.conf
+cat >> /etc/sysctl.conf << 'EOF'
+
+# ── Antigravity macOS TCP Fingerprint ──
+net.ipv4.ip_default_ttl=64
+net.ipv4.tcp_timestamps=0
+net.ipv4.tcp_window_scaling=1
+net.ipv4.tcp_rmem=4096 65535 6291456
+net.ipv4.tcp_wmem=4096 65535 6291456
+net.ipv6.conf.all.disable_ipv6=1
+net.ipv6.conf.default.disable_ipv6=1
+net.core.default_qdisc=fq
+net.ipv4.tcp_congestion_control=bbr
+EOF
+sysctl -p > /dev/null 2>&1 || true
+ok "TCP 指纹伪装已应用（TTL=64, Window=65535, 时间戳禁用）"
+
+# ── 3. 时区（洛杉矶，匹配落地 IP 地理位置）─────────────
+timedatectl set-timezone America/Los_Angeles
+ok "时区已设置: $(date)"
+
+# ── 4. 安装 GOST ────────────────────────────────────
+if ! command -v gost &>/dev/null; then
+    info "安装 GOST..."
+    ARCH=$(uname -m)
+    [ "$ARCH" = "x86_64" ] && GARCH="amd64" || GARCH="arm64"
+    LATEST=$(curl -sf https://api.github.com/repos/go-gost/gost/releases/latest \
+              | grep '"tag_name"' | cut -d'"' -f4)
+    wget -qO /tmp/gost.tar.gz \
+        "https://github.com/go-gost/gost/releases/download/${LATEST}/gost_linux_${GARCH}.tar.gz"
+    tar xzf /tmp/gost.tar.gz -C /tmp/
+    mv /tmp/gost /usr/local/bin/gost
+    chmod +x /usr/local/bin/gost
+fi
+ok "GOST $(gost -V 2>/dev/null | head -1 || echo '已安装')"
+
+# ── 5. 填写 GOST 密码 ──────────────────────────────
+if [ -z "$GOST_PASS" ]; then
+    read -rp "请输入 GOST 密码（与 CN中转机相同）: " GOST_PASS
+fi
+
+# ── 6. 创建 GOST 出口服务 ──────────────────────────
+# 落地机职责：监听 CN中转机 relay+tls 连接，直接出口到 Anthropic/Google
+cat > /etc/systemd/system/gost-exit.service << EOF
+[Unit]
+Description=GOST US Landing Exit - 接收中转，直连 Anthropic/Google
+After=network.target
+
+[Service]
+Type=simple
+User=nobody
+# 监听 CN中转机的连接，透传到最终目标（relay 模式自动解析目标地址）
+ExecStart=/usr/local/bin/gost -L "relay+tls://${GOST_USER}:${GOST_PASS}@:${LISTEN_PORT}"
+Restart=always
+RestartSec=5
+LimitNOFILE=65536
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl daemon-reload
+systemctl enable gost-exit
+systemctl restart gost-exit
+sleep 2
+ok "GOST 出口服务已启动"
+
+# ── 7. 防火墙 ──────────────────────────────────────
+if command -v ufw &>/dev/null; then
+    ufw allow ssh
+    ufw allow "${LISTEN_PORT}/tcp" comment "GOST from CN Relay"
+    ufw --force enable
+    ok "防火墙已配置（只开放 SSH + $LISTEN_PORT）"
+fi
+
+# ── 8. 验证 ───────────────────────────────────────
+echo ""
+echo "================================================"
+echo "  节点3 部署完成"
+echo "================================================"
+echo ""
+echo "【验证指纹伪装】"
+echo "  TTL:         $(sysctl -n net.ipv4.ip_default_ttl) （应为 64）"
+echo "  TCP 时间戳:  $(sysctl -n net.ipv4.tcp_timestamps) （应为 0）"
+echo "  时区:        $(timedatectl show -p Timezone --value)"
+echo "  当前时间:    $(date)"
+echo ""
+echo "【GOST 服务状态】"
+systemctl status gost-exit --no-pager -l | tail -5
+echo ""
+echo "【出口 IP 信息】"
+curl -sf ipinfo.io 2>/dev/null | python3 -c "
+import json,sys
+d=json.load(sys.stdin)
+print(f'  IP:   {d.get(\"ip\")}')
+print(f'  ISP:  {d.get(\"org\")}')
+print(f'  城市: {d.get(\"city\")}, {d.get(\"region\")}')
+" || echo "  (获取 IP 信息失败)"