iphealth 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,113 @@
+# iphealth
+
+在新 VPS 上一键按需部署完整套件：**VLESS + Reality + Hysteria2**、**代理订阅服务**、**IP 健康监控**（VictoriaMetrics + blackbox + vmagent + nginx /vm）及系统/网络优化。
+
+## 使用方式
+
+```bash
+sudo -E npx iphealth@latest
+```
+
+进入交互式 CLI，按提示勾选模块并输入必要参数（敏感信息仅通过交互或环境变量注入，不入库、不打印明文）。
+
+## 模块说明
+
+| 模块 ID | 说明 |
+|--------|------|
+| **系统基础与安全** | |
+| `base` | 基础初始化：apt update/upgrade（可选）、curl/jq/unzip/nginx、时区 |
+| `ssh_harden` | SSH 安全加固：禁用密码登录、修改端口（有断连风险，需二次确认） |
+| `firewall` | UFW：放行 22 / 80 / 443，开启前二次确认 |
+| **网络加速与系统调优** | |
+| `bbr` | BBR + TCP 调优，写入 `/etc/sysctl.d/99-iphealth.conf`，可回滚 |
+| `ulimit` | 提高 NOFILE，作用于 xray / vmagent / victoriametrics 等服务 |
+| **代理内核** | |
+| `xray_core` | 安装 Xray 到 `/usr/local/bin/xray`，systemd 单元不自动启动 |
+| `xray_config` | 生成 `/etc/xray/config.json`（VLESS+Reality，端口默认 443），权限 600 |
+| **代理订阅服务** | |
+| `sub_source` | 生成 `/etc/iphealth/subscription/source.json`（节点源数据），权限 600 |
+| `sub_builder` | 订阅构建服务：127.0.0.1:29100，systemd `iphealth-sub.service`，X-Sub-Token / query token |
+| `sub_nginx` | nginx 80 暴露 `/sub/` → 127.0.0.1:29100，不占用 443 |
+| `sub_policy` | 订阅内容策略：最小 Clash/Stash YAML（proxies + PROXY/DIRECT + MATCH,PROXY） |
+| **IPhealth 监控栈** | |
+| `vm` | VictoriaMetrics，127.0.0.1:8428，retention 默认 60d |
+| `blackbox` | blackbox_exporter，127.0.0.1:9115，modules: http/https/icmp/github_head |
+| `vmagent` | 抓取 blackbox → 写入本地 VM，127.0.0.1:8429，探测目标运行时输入 |
+| `nginx_vm` | nginx 80 暴露 `/vm/`，X-VM-Token 鉴权，反代到本机 18080（VM 只读） |
+
+## 订阅 URL 示例（占位）
+
+- Clash：`http://<DOMAIN>/sub/clash?token=<TOKEN>`  
+  或 Header：`X-Sub-Token: <TOKEN>`
+- Stash：`http://<DOMAIN>/sub/stash?token=<TOKEN>`
+
+将 `<DOMAIN>` 替换为服务器域名或 IP，`<TOKEN>` 替换为部署时生成/输入的订阅 Token。
+
+## 监控 /vm URL 示例（占位）
+
+- 只读查询（GET）：`http://<DOMAIN>/vm/api/v1/query?query=...`  
+  请求头：`X-VM-Token: <VM_TOKEN>`
+
+将 `<DOMAIN>` 替换为 nginx 中配置的 `server_name`，`<VM_TOKEN>` 为部署时生成/输入的 X-VM-Token。
+
+## 安全提示
+
+- **不要将任何生成的配置或密钥提交到 Git**。`/etc/xray/config.json`、`/etc/iphealth/subscription/source.json`、`token`、X-VM-Token 等均为敏感信息。
+- 使用**密码管理器**保存 UUID、Reality 私钥/公钥、订阅 Token、VM Token。
+- 本工具不在 NPM 包、Git 仓库或模板中包含域名、IP、UUID、密钥、Token；所有敏感信息仅在**运行时交互输入或环境变量**注入。
+- 落盘敏感文件均为 **权限 600、归属 root**；CLI 日志**不打印敏感明文**，最多显示末尾 4 位用于确认。
+- 涉及系统级变更（sysctl / 防火墙 / SSH）时，会**先展示变更摘要并二次确认**后再执行。
+
+## 回滚建议
+
+- **sysctl**：删除 `/etc/sysctl.d/99-iphealth.conf` 后执行 `sysctl -p` 或重启。
+- **systemd 服务**：`sudo systemctl stop <service>; sudo systemctl disable <service>`（如 xray、iphealth-sub、victoriametrics、blackbox_exporter、vmagent）。
+- **nginx**：删除 `/etc/nginx/conf.d/iphealth-*.conf` 后 `nginx -t && systemctl reload nginx`。
+
+## NPM 发布说明
+
+```bash
+npm login
+npm publish --access public
+```
+
+发布后用户可通过 `npx iphealth@latest` 使用。
+
+## 本地开发 / 试运行
+
+```bash
+cd iphealth-cli
+node bin/cli.js
+# 或仅生成计划不执行
+node bin/cli.js --dry-run
+```
+
+## 示例运行输出（无敏感信息）
+
+```
+iphealth — 一键按需部署：VLESS+Reality / Hysteria2 / 订阅 / IP 健康监控
+
+可选模块（按组）：
+[系统基础与安全]
+  base: 基础初始化 (apt/nginx/时区)
+  ...
+输入要启用的模块 ID，逗号分隔： base,xray_core,xray_config,sub_source,sub_builder,sub_nginx
+已选（含依赖）： base, xray_core, xray_config, sub_source, sub_builder, sub_nginx
+  UUID: ...xyz1
+  Reality privateKey: ...abcd
+  X-Sub-Token: ...ef12
+--- 执行计划 (plan.json) ---
+  { "version": "1.0", "modules": [...], "options": {...}, "secretRefs": { "xray_uuid": "/tmp/iphealth-secrets.xxx/xray_uuid", ... } }
+Ports: 22 (SSH), 80, 443; 443 (Xray); 29100 (subscription, 127.0.0.1); 80 /sub/
+是否执行 apply？（将运行 sudo bash apply.sh） (y/N): 
+```
+
+## 依赖
+
+- Node.js >= 18
+- 执行 apply 的机器需具备：`jq`（解析 plan.json）、`sudo`、root 权限以写入 /etc 与敏感文件。
+- **二进制**：apply 脚本仅部署配置与 systemd 单元，不自动下载 Xray / blackbox_exporter / VictoriaMetrics / vmagent。部署前请自行将对应二进制安装到 `/usr/local/bin/`（如从 GitHub releases 下载），或先选 `base` 安装 curl/jq 后手动执行下载脚本。
+
+## License
+
+MIT

package/bin/cli.js

@@ -0,0 +1,171 @@
+#!/usr/bin/env node
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+const { getPackageRoot, mask, backupSuffix } = require('../lib/utils');
+const { ask, askConfirm, close, validatePort, validateUuid, randomHex, generateUuid, logMasked } = require('../lib/prompts');
+const { getModules, resolveSelection, printModuleList } = require('../lib/menu');
+const { buildPlan } = require('../lib/plan');
+const { emit } = require('../lib/emit');
+const { runApply } = require('../lib/runner');
+
+const DRY_RUN = process.argv.includes('--dry-run');
+
+function isRoot() {
+  return process.getuid && process.getuid() === 0;
+}
+
+async function main() {
+  console.log('iphealth — 一键按需部署：VLESS+Reality / Hysteria2 / 订阅 / IP 健康监控\n');
+
+  if (!DRY_RUN && process.platform === 'linux' && !isRoot()) {
+    console.log('提示：建议使用 sudo -E npx iphealth@latest 以正确写入敏感文件权限。\n');
+  }
+
+  printModuleList();
+  const sel = await ask('输入要启用的模块 ID，逗号分隔（如 base,xray_core,xray_config,sub_source,sub_builder,sub_nginx）');
+  const selectedIds = sel ? sel.split(',').map((s) => s.trim()).filter(Boolean) : [];
+  if (selectedIds.length === 0) {
+    console.log('未选择任何模块，退出。');
+    close();
+    process.exit(0);
+  }
+
+  const resolved = resolveSelection(selectedIds);
+  console.log('\n已选（含依赖）：', resolved.join(', '));
+
+  const options = {};
+  const secretRefs = {};
+  const secretsDir = path.join(os.tmpdir(), `iphealth-secrets.${Date.now()}`);
+  fs.mkdirSync(secretsDir, { recursive: true });
+  if (process.getuid && process.getuid() === 0) {
+    try { fs.chmodSync(secretsDir, 0o700); } catch (_) {}
+  }
+
+  for (const id of resolved) {
+    if (id === 'base') {
+      options.apt_upgrade = await askConfirm('执行 apt update && upgrade？', false);
+      options.timezone = await ask('时区 (留空跳过)', { default: '' });
+    }
+    if (id === 'ssh_harden') {
+      console.log('SSH 加固可能导致断连，请确保已用 key 登录。');
+      options.ssh_disable_password = await askConfirm('禁用密码登录？', false);
+      options.ssh_port = await ask('SSH 端口 (留空保持 22)', { default: '22' });
+    }
+    if (id === 'firewall') {
+      console.log('将放行：22 (SSH), 80, 443。请二次确认。');
+      const ok = await askConfirm('确认启用 UFW 并应用上述规则？', false);
+      if (!ok) { resolved.splice(resolved.indexOf(id), 1); continue; }
+    }
+    if (id === 'bbr') {
+      const ok = await askConfirm('将写入 /etc/sysctl.d/99-iphealth.conf 并应用 BBR，确认？', true);
+      if (!ok) { resolved.splice(resolved.indexOf(id), 1); continue; }
+    }
+    if (id === 'xray_core') {
+      options.xray_version = await ask('Xray 版本 (如 1.8.4，留空用 latest)', { default: '1.8.4' });
+    }
+    if (id === 'xray_config') {
+      options.xray_port = parseInt(await ask('Xray 监听端口', { default: '443' }), 10) || 443;
+      const uuidInput = await ask('UUID (留空自动生成)');
+      const uuid = uuidInput && validateUuid(uuidInput) ? uuidInput : generateUuid();
+      const uuidPath = path.join(secretsDir, 'xray_uuid');
+      fs.writeFileSync(uuidPath, uuid, 'utf8');
+      if (process.getuid === 0) fs.chmodSync(uuidPath, 0o600);
+      secretRefs.xray_uuid = uuidPath;
+      logMasked('UUID', uuid);
+
+      const genReality = await askConfirm('自动生成 Reality 私钥？（公钥需用 xray x25519 从私钥导出）', true);
+      let privKey, pubKey;
+      if (genReality) {
+        privKey = require('crypto').randomBytes(32).toString('base64').replace(/=/g, '');
+        console.log('  → 请在本机或 VPS 上运行: xray x25519  (将生成的 private key 替换当前私钥，或直接输入下方公钥)');
+        pubKey = await ask('Reality publicKey (base64，由 xray x25519 输出)');
+      } else {
+        privKey = await ask('Reality privateKey (base64)');
+        pubKey = await ask('Reality publicKey (base64)');
+      }
+      if (privKey) {
+        fs.writeFileSync(path.join(secretsDir, 'xray_private_key'), privKey, 'utf8');
+        if (process.getuid === 0) fs.chmodSync(path.join(secretsDir, 'xray_private_key'), 0o600);
+        secretRefs.xray_private_key = path.join(secretsDir, 'xray_private_key');
+      }
+      if (pubKey) {
+        fs.writeFileSync(path.join(secretsDir, 'reality_public_key'), pubKey, 'utf8');
+        if (process.getuid === 0) fs.chmodSync(path.join(secretsDir, 'reality_public_key'), 0o600);
+        secretRefs.reality_public_key = path.join(secretsDir, 'reality_public_key');
+      }
+      logMasked('Reality privateKey', privKey);
+      options.reality_short_ids = [(await ask('shortId (留空自动生成)', { default: randomHex(4) })) || randomHex(4)];
+      options.reality_server_names = [(await ask('serverName / SNI (如 www.cloudflare.com)', { default: 'www.cloudflare.com' }))];
+      options.reality_dest = await ask('Reality dest (如 www.cloudflare.com:443)', { default: 'www.cloudflare.com:443' });
+      options.xray_flow = await ask('flow', { default: 'xtls-rprx-vision' });
+      options.sub_node_name = await ask('订阅节点名称', { default: 'node1' });
+      options.sub_address = await ask('订阅显示的地址 (域名)', { default: options.reality_dest?.split(':')[0] || 'example.com' });
+    }
+    if (id === 'sub_builder') {
+      const tok = await ask('订阅 Token (留空自动生成)');
+      const subToken = tok || randomHex(24);
+      fs.writeFileSync(path.join(secretsDir, 'sub_token'), subToken, 'utf8');
+      if (process.getuid === 0) fs.chmodSync(path.join(secretsDir, 'sub_token'), 0o600);
+      secretRefs.sub_token = path.join(secretsDir, 'sub_token');
+      logMasked('X-Sub-Token', subToken);
+    }
+    if (id === 'sub_nginx') {
+      options.sub_domain = await ask('订阅域名 (留空则用 server_name _)', { default: '' });
+    }
+    if (id === 'vm') {
+      options.vm_retention = await ask('VictoriaMetrics 保留期', { default: '60d' });
+      options.vm_data_path = await ask('数据目录', { default: '/var/lib/victoriametrics' });
+    }
+    if (id === 'vmagent') {
+      options.probe_target = await ask('探测目标 URL (如 https://example.com)', { default: 'https://example.com' });
+      options.probe_target_host = await ask('探测目标主机 (icmp)', { default: 'example.com' });
+    }
+    if (id === 'nginx_vm') {
+      options.vm_nginx_server_name = await ask('监控 /vm 的 server_name (域名)', { default: 'monitor.example.com' });
+      const vt = await ask('X-VM-Token (留空自动生成)');
+      const vmToken = vt || randomHex(24);
+      fs.writeFileSync(path.join(secretsDir, 'vm_token'), vmToken, 'utf8');
+      if (process.getuid === 0) fs.chmodSync(path.join(secretsDir, 'vm_token'), 0o600);
+      secretRefs.vm_token = path.join(secretsDir, 'vm_token');
+      logMasked('X-VM-Token', vmToken);
+    }
+  }
+
+  const plan = buildPlan(resolved, options, secretRefs);
+  const outDir = path.join(os.tmpdir(), `iphealth-apply.${Date.now()}`);
+  emit(plan, outDir, secretsDir);
+
+  const planPath = path.join(outDir, 'plan.json');
+  const applyPath = path.join(outDir, 'apply.sh');
+  console.log('\n--- 执行计划 (plan.json) ---');
+  console.log(JSON.stringify(plan, null, 2).replace(/\n/g, '\n  '));
+  console.log('\n--- 敏感信息仅存于文件，未写入 plan ---');
+  console.log('Ports:', plan.summary?.ports?.join('; ') || '');
+  console.log('Files:', plan.summary?.files?.join(', ') || '');
+  console.log('Services:', plan.summary?.services?.join(', ') || '');
+
+  const proceed = await askConfirm('\n是否执行 apply？（将运行 sudo bash apply.sh）', false);
+  close();
+
+  if (!proceed) {
+    console.log('已取消。计划与脚本位于：', outDir);
+    console.log('可稍后手动执行: sudo bash', applyPath);
+    process.exit(0);
+  }
+
+  try {
+    await runApply(applyPath);
+    console.log('\n部署完成。请查看上方 summary。');
+  } catch (e) {
+    console.error(e.message);
+    process.exit(1);
+  }
+}
+
+main().catch((err) => {
+  console.error(err);
+  process.exit(1);
+});

package/lib/emit.js

@@ -0,0 +1,152 @@
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+const { resolveInPackage, render } = require('./utils');
+
+const TEMPLATES_DIR = 'templates';
+const SCRIPTS_DIR = 'scripts';
+
+function loadTemplate(name) {
+  const p = resolveInPackage(TEMPLATES_DIR, name);
+  if (!fs.existsSync(p)) throw new Error(`Template not found: ${name}`);
+  return fs.readFileSync(p, 'utf8');
+}
+
+function loadScript(name) {
+  const p = resolveInPackage(SCRIPTS_DIR, name);
+  if (!fs.existsSync(p)) throw new Error(`Script not found: ${name}`);
+  return fs.readFileSync(p, 'utf8');
+}
+
+/**
+ * Emit all artifacts to outDir.
+ * - Rendered config files (with placeholders like __SECRET_FILE:xray_private_key__ that apply.sh will replace)
+ * - plan.json
+ * - apply.sh (from apply.sh.tpl, with plan path and secrets dir)
+ * Secrets are NOT in artifacts; they're in secretsDir. Plan references secretsDir paths.
+ */
+function emit(plan, outDir, secretsDir) {
+  const planPath = path.join(outDir, 'plan.json');
+  const applyPath = path.join(outDir, 'apply.sh');
+  const stagedDir = path.join(outDir, 'staged');
+
+  if (!fs.existsSync(outDir)) fs.mkdirSync(outDir, { recursive: true });
+  if (!fs.existsSync(stagedDir)) fs.mkdirSync(stagedDir, { recursive: true });
+
+  fs.writeFileSync(planPath, JSON.stringify(plan, null, 2), 'utf8');
+
+  const applyTpl = loadScript('apply.sh.tpl');
+  const applyContent = render(applyTpl, {
+    PLAN_PATH: planPath,
+    SECRETS_DIR: secretsDir,
+    STAGED_DIR: stagedDir,
+  });
+  fs.writeFileSync(applyPath, applyContent, 'utf8');
+  fs.chmodSync(applyPath, 0o755);
+
+  const modules = plan.modules || [];
+  const opts = plan.options || {};
+  const refs = plan.secretRefs || {};
+
+  if (modules.includes('bbr')) {
+    const tpl = loadTemplate('sysctl_iphealth.conf.tpl');
+    fs.writeFileSync(path.join(stagedDir, '99-iphealth.conf'), render(tpl, {}), 'utf8');
+  }
+
+  if (modules.includes('xray_config')) {
+    const tpl = loadTemplate('xray_config.json.tpl');
+    const content = render(tpl, {
+      XRAY_PORT: opts.xray_port ?? 443,
+      REALITY_SERVER_NAMES: JSON.stringify(opts.reality_server_names || ['example.com']),
+      REALITY_SHORT_IDS: JSON.stringify(opts.reality_short_ids || ['']),
+      REALITY_DEST: (opts.reality_dest || 'example.com:443'),
+      FLOW: opts.xray_flow || 'xtls-rprx-vision',
+    });
+    fs.writeFileSync(path.join(stagedDir, 'xray_config.json'), content, 'utf8');
+    // Private key and UUID will be injected by apply.sh from secret files
+  }
+
+  if (modules.includes('sub_source')) {
+    const tpl = loadTemplate('source.json.tpl');
+    const content = render(tpl, {
+      NODE_NAME: opts.sub_node_name || 'node1',
+      ADDRESS: opts.sub_address || 'example.com',
+      PORT: opts.xray_port ?? 443,
+      FLOW: opts.xray_flow || 'xtls-rprx-vision',
+      SERVER_NAME: opts.reality_server_names?.[0] || opts.reality_dest?.split(':')[0] || 'example.com',
+      SHORT_ID: opts.reality_short_ids?.[0] || '',
+    });
+    fs.writeFileSync(path.join(stagedDir, 'source.json'), content, 'utf8');
+  }
+
+  if (modules.includes('sub_builder')) {
+    const tpl = loadTemplate('subscription_service.tpl');
+    fs.writeFileSync(path.join(stagedDir, 'iphealth-sub.service'), render(tpl, {
+      LISTEN_PORT: '29100',
+    }), 'utf8');
+    const subServer = fs.readFileSync(resolveInPackage(TEMPLATES_DIR, 'sub_server.js'), 'utf8');
+    fs.writeFileSync(path.join(stagedDir, 'sub_server.js'), subServer, 'utf8');
+  }
+
+  if (modules.includes('sub_nginx')) {
+    const tpl = loadTemplate('nginx_sub.conf.tpl');
+    fs.writeFileSync(path.join(stagedDir, 'iphealth-sub.conf'), render(tpl, {
+      SUB_UPSTREAM_PORT: '29100',
+    }), 'utf8');
+  }
+
+  if (modules.includes('vm')) {
+    const tpl = loadTemplate('victoriametrics.service.tpl');
+    fs.writeFileSync(path.join(stagedDir, 'victoriametrics.service'), render(tpl, {
+      RETENTION: opts.vm_retention || '60d',
+      DATA_PATH: opts.vm_data_path || '/var/lib/victoriametrics',
+      LISTEN_ADDR: '127.0.0.1:8428',
+    }), 'utf8');
+  }
+
+  if (modules.includes('blackbox')) {
+    const tpl = loadTemplate('blackbox.yml.tpl');
+    fs.writeFileSync(path.join(stagedDir, 'blackbox.yml'), tpl, 'utf8');
+    const svc = loadTemplate('blackbox.service.tpl');
+    fs.writeFileSync(path.join(stagedDir, 'blackbox_exporter.service'), svc, 'utf8');
+  }
+
+  if (modules.includes('vmagent')) {
+    const tpl = loadTemplate('vmagent_scrape.yml.tpl');
+    const probeTarget = opts.probe_target || 'https://example.com';
+    const probeHost = opts.probe_target_host || 'example.com';
+    fs.writeFileSync(path.join(stagedDir, 'vmagent.yml'), render(tpl, {
+      PROBE_TARGET_HTTP: probeTarget,
+      PROBE_TARGET_HTTPS: probeTarget,
+      PROBE_TARGET_ICMP: probeHost,
+      EXTERNAL_LABELS: JSON.stringify({ env: 'iphealth' }),
+    }), 'utf8');
+    const svc = loadTemplate('vmagent.service.tpl');
+    fs.writeFileSync(path.join(stagedDir, 'vmagent.service'), render(svc, {
+      CONFIG_PATH: '/etc/vmagent/vmagent.yml',
+    }), 'utf8');
+  }
+
+  if (modules.includes('nginx_vm')) {
+    const tplReadonly = loadTemplate('nginx_vm_readonly.conf.tpl');
+    fs.writeFileSync(path.join(stagedDir, 'iphealth-vm-readonly.conf'), render(tplReadonly, {
+      VM_BACKEND: '127.0.0.1:8428',
+      LISTEN_VM: '18080',
+    }), 'utf8');
+    const tpl80 = loadTemplate('nginx_vm_80.conf.tpl');
+    fs.writeFileSync(path.join(stagedDir, 'iphealth-vm-80.conf'), render(tpl80, {
+      SERVER_NAME: opts.vm_nginx_server_name || 'monitor.example.com',
+      VM_UPSTREAM: '127.0.0.1:18080',
+    }), 'utf8');
+  }
+
+  if (modules.includes('xray_core') || modules.includes('xray_config')) {
+    const tpl = loadTemplate('xray.service.tpl');
+    fs.writeFileSync(path.join(stagedDir, 'xray.service'), render(tpl, {}), 'utf8');
+  }
+
+  return { planPath, applyPath, stagedDir };
+}
+
+module.exports = { loadTemplate, loadScript, emit };

package/lib/menu.js

@@ -0,0 +1,81 @@
+'use strict';
+
+const MODULES = [
+  { id: 'base', label: '基础初始化 (apt/nginx/时区)', group: '系统基础与安全' },
+  { id: 'ssh_harden', label: 'SSH 安全加固 (禁用密码/改端口)', group: '系统基础与安全' },
+  { id: 'firewall', label: '防火墙 UFW (放行 SSH/80/443)', group: '系统基础与安全' },
+  { id: 'bbr', label: 'BBR / TCP 调优 (sysctl)', group: '网络加速与系统调优' },
+  { id: 'ulimit', label: '资源限制 ulimit (NOFILE)', group: '网络加速与系统调优' },
+  { id: 'xray_core', label: '安装 Xray 核心', group: '代理内核' },
+  { id: 'xray_config', label: '生成 Xray 配置 (VLESS+Reality)', group: '代理内核', deps: ['xray_core'] },
+  { id: 'sub_source', label: '订阅源数据 source.json', group: '代理订阅服务', deps: ['xray_config'] },
+  { id: 'sub_builder', label: '订阅构建服务 (29100)', group: '代理订阅服务', deps: ['sub_source'] },
+  { id: 'sub_nginx', label: '订阅公网出口 nginx /sub/', group: '代理订阅服务', deps: ['sub_builder'] },
+  { id: 'sub_policy', label: '订阅内容策略 (Clash/Stash)', group: '代理订阅服务', deps: ['sub_builder'] },
+  { id: 'vm', label: '安装 VictoriaMetrics', group: 'IPhealth 监控栈' },
+  { id: 'blackbox', label: '安装 blackbox_exporter', group: 'IPhealth 监控栈' },
+  { id: 'vmagent', label: '安装 vmagent', group: 'IPhealth 监控栈', deps: ['vm', 'blackbox'] },
+  { id: 'nginx_vm', label: 'nginx 暴露 /vm (X-VM-Token)', group: 'IPhealth 监控栈', deps: ['vm'] },
+];
+
+const GROUPS = [...new Set(MODULES.map((m) => m.group))];
+
+function getModules() {
+  return MODULES;
+}
+
+function getModuleById(id) {
+  return MODULES.find((m) => m.id === id);
+}
+
+/** Resolve selection: add required deps (by id), return ordered list */
+function resolveSelection(selectedIds) {
+  const set = new Set(selectedIds);
+  let changed = true;
+  while (changed) {
+    changed = false;
+    for (const m of MODULES) {
+      if (!set.has(m.id)) continue;
+      const deps = m.deps || [];
+      for (const d of deps) {
+        if (!set.has(d)) {
+          set.add(d);
+          changed = true;
+        }
+      }
+    }
+  }
+  const order = [];
+  const added = new Set();
+  function add(id) {
+    if (added.has(id)) return;
+    const m = getModuleById(id);
+    (m.deps || []).forEach(add);
+    order.push(id);
+    added.add(id);
+  }
+  [...set].forEach(add);
+  return order;
+}
+
+/** Print module list by group for checkbox-style selection */
+function printModuleList() {
+  console.log('\n可选模块（按组）：\n');
+  for (const g of GROUPS) {
+    console.log(`[${g}]`);
+    MODULES.filter((m) => m.group === g).forEach((m, i) => {
+      const dep = m.deps && m.deps.length ? ` (依赖: ${m.deps.join(', ')})` : '';
+      console.log(`  ${m.id}: ${m.label}${dep}`);
+    });
+    console.log('');
+  }
+}
+
+module.exports = {
+  getModules,
+  getModuleById,
+  resolveSelection,
+  printModuleList,
+  MODULES,
+  GROUPS,
+};

package/lib/plan.js

@@ -0,0 +1,81 @@
+'use strict';
+
+/**
+ * Build plan.json (human-readable, no plaintext secrets).
+ * Secrets are written to files under secretsDir; plan only stores paths in secretRefs.
+ */
+function buildPlan(selectedModules, options, secretRefs) {
+  const plan = {
+    version: '1.0',
+    generatedAt: new Date().toISOString(),
+    modules: selectedModules,
+    options: { ...options },
+    secretRefs: { ...secretRefs },
+    summary: {
+      ports: [],
+      files: [],
+      services: [],
+    },
+  };
+
+  if (selectedModules.includes('firewall')) {
+    plan.summary.ports.push('22 (SSH), 80, 443');
+  }
+  if (selectedModules.includes('xray_config')) {
+    plan.summary.ports.push(`${options.xray_port || 443} (Xray)`);
+  }
+  if (selectedModules.includes('sub_builder')) {
+    plan.summary.ports.push('29100 (subscription, 127.0.0.1)');
+  }
+  if (selectedModules.includes('sub_nginx')) {
+    plan.summary.ports.push('80 /sub/');
+  }
+  if (selectedModules.includes('vm')) {
+    plan.summary.ports.push('8428 (VictoriaMetrics, 127.0.0.1)');
+  }
+  if (selectedModules.includes('nginx_vm')) {
+    plan.summary.ports.push('80 /vm (X-VM-Token)');
+  }
+  if (selectedModules.includes('blackbox')) {
+    plan.summary.ports.push('9115 (blackbox, 127.0.0.1)');
+  }
+  if (selectedModules.includes('vmagent')) {
+    plan.summary.ports.push('8429 (vmagent, 127.0.0.1)');
+  }
+
+  const files = [];
+  if (selectedModules.includes('bbr')) files.push('/etc/sysctl.d/99-iphealth.conf');
+  if (selectedModules.includes('xray_config')) files.push('/etc/xray/config.json');
+  if (selectedModules.includes('sub_source')) files.push('/etc/iphealth/subscription/source.json');
+  if (selectedModules.includes('sub_builder')) {
+    files.push('/etc/iphealth/subscription/token');
+    files.push('/etc/systemd/system/iphealth-sub.service');
+  }
+  if (selectedModules.includes('sub_nginx')) files.push('/etc/nginx/conf.d/iphealth-sub.conf');
+  if (selectedModules.includes('vm')) files.push('/etc/systemd/system/victoriametrics.service');
+  if (selectedModules.includes('blackbox')) {
+    files.push('/etc/blackbox_exporter/blackbox.yml');
+    files.push('/etc/systemd/system/blackbox_exporter.service');
+  }
+  if (selectedModules.includes('vmagent')) {
+    files.push('/etc/vmagent/vmagent.yml');
+    files.push('/etc/systemd/system/vmagent.service');
+  }
+  if (selectedModules.includes('nginx_vm')) {
+    files.push('/etc/nginx/conf.d/iphealth-vm-readonly.conf');
+    files.push('/etc/nginx/conf.d/iphealth-vm-80.conf');
+  }
+  plan.summary.files = [...new Set(files)];
+
+  const services = [];
+  if (selectedModules.includes('xray_core') || selectedModules.includes('xray_config')) services.push('xray');
+  if (selectedModules.includes('sub_builder')) services.push('iphealth-sub');
+  if (selectedModules.includes('vm')) services.push('victoriametrics');
+  if (selectedModules.includes('blackbox')) services.push('blackbox_exporter');
+  if (selectedModules.includes('vmagent')) services.push('vmagent');
+  plan.summary.services = services;
+
+  return plan;
+}
+
+module.exports = { buildPlan };