[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-75060":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":16,"stars7d":15,"stars30d":17,"stars90d":16,"forks30d":16,"starsTrendScore":16,"compositeScore":18,"rankGlobal":10,"rankLanguage":10,"license":19,"archived":20,"fork":20,"defaultBranch":21,"hasWiki":20,"hasPages":20,"topics":22,"createdAt":10,"pushedAt":10,"updatedAt":28,"readmeContent":29,"aiSummary":30,"trendingCount":16,"starSnapshotCount":16,"syncStatus":31,"lastSyncTime":32,"discoverSource":33},75060,"telemt-docker","An0nX\u002Ftelemt-docker","An0nX","Secure multi-arch (amd64\u002Farm64) Docker image for Telemt — a fast Rust-based MTProxy (MTProto) server, shipped as a static binary in a distroless non-root container.","",null,"Dockerfile",1272,56,16,1,0,12,54.97,"GNU General Public License v3.0",false,"master",[23,24,25,26,27],"docker","mtproto-proxy","mtproxy","rust","telegram","2026-06-12 04:01:17","# 🐳 telemt-docker\n\n> **📢 Image builds have moved to GitLab**\n>\n> Because of a permanent GitHub Actions block, images are now built in\n> **[GitLab CI](https:\u002F\u002Fgitlab.com\u002FAn0nX\u002Ftelemt-docker)**. 
The GitHub repository\n> continues to exist as a mirror of GitLab.\n>\n> Details: [An0nX\u002Ftelemt-docker#14](https:\u002F\u002Fgithub.com\u002FAn0nX\u002Ftelemt-docker\u002Fissues\u002F14)\n\n---\n\n[![Docker Image Size](https:\u002F\u002Fimg.shields.io\u002Fdocker\u002Fimage-size\u002Fwhn0thacked\u002Ftelemt-docker\u002Flatest?style=flat-square&logo=docker&color=blue)](https:\u002F\u002Fhub.docker.com\u002Fr\u002Fwhn0thacked\u002Ftelemt-docker)\n[![Docker Pulls](https:\u002F\u002Fimg.shields.io\u002Fdocker\u002Fpulls\u002Fwhn0thacked\u002Ftelemt-docker?style=flat-square&logo=docker)](https:\u002F\u002Fhub.docker.com\u002Fr\u002Fwhn0thacked\u002Ftelemt-docker)\n[![Architecture](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Farch-amd64%20%7C%20arm64-important?style=flat-square)](#)\n[![Security: non-root](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Fsecurity-non--root-success?style=flat-square)](#)\n[![Base Image](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Fbase-distroless%2Fstatic%3Anonroot-blue?style=flat-square)](https:\u002F\u002Fgithub.com\u002FGoogleContainerTools\u002Fdistroless)\n[![Upstream](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Fupstream-telemt-orange?style=flat-square)](https:\u002F\u002Fgithub.com\u002Ftelemt\u002Ftelemt)\n\nA minimal, secure, and production-oriented Docker image for **Telemt** — a fast MTProto proxy server (MTProxy) written in **Rust + Tokio**.\n\nBuilt as a **fully static** binary and shipped in a **distroless** runtime image, running as **non-root** by default.\n\n---\n\n## ✨ Features\n\n- **🔐 Secure by default:** Distroless runtime + non-root user.\n- **🏗 Multi-arch:** Supports `amd64` and `arm64`.\n- **📦 Fully static binary:** Designed for `gcr.io\u002Fdistroless\u002Fstatic:nonroot`.\n- **🧾 Config-driven:** You mount a single configuration file directory and go.\n- **📈 Metrics-ready:** Supports Telemt metrics port (`9090`) via config.\n- **🧰 Build-time pinning:** Upstream repo\u002Fref are configurable 
via build args.\n\n---\n\n## ⚠️ Important Notice\n\nTelemt is a Telegram proxy (MTProto). Operating proxies may be restricted or monitored depending on your country\u002FISP and may carry legal\u002Foperational risks.\n\nYou are responsible for compliance with local laws and for safe deployment (firewalling, access control, logs, monitoring).\n\n---\n\n## 🚀 Quick Start (Docker Compose)\n\n### 1. Generate a Secret\nTelemt users require a **32-hex-char secret** (16 bytes):\n\n```bash\nopenssl rand -hex 16\n```\n\n### 2. Create Configuration Directory\n\nRefer to the upstream repository for the configuration format and examples:\n\n👉 **https:\u002F\u002Fgithub.com\u002Ftelemt\u002Ftelemt**\n\nTo allow the Telemt API to write configuration changes dynamically (e.g. creating users), you **must mount a directory**, not just the file. The API performs atomic saves by creating a temporary `.tmp` file in the same directory and renaming it. \n\nCreate the directory, place your config inside, and ensure it is writable by the container:\n\n```bash\nmkdir .\u002Ftelemt-config\n# Create and edit your config inside\ntouch .\u002Ftelemt-config\u002Ftelemt.toml\n# Grant write permissions so the container's non-root user can modify the config\nchmod 777 .\u002Ftelemt-config\nchmod 666 .\u002Ftelemt-config\u002Ftelemt.toml\n```\n\n### 3. Create `docker-compose.yml`\n\n> **⚠️ Network mode note:**\n> This configuration uses `network_mode: host`, which means the container shares\n> the host's network stack directly. **Published ports (`ports:` section) are\n> discarded when using host network mode** — port exposure is controlled entirely\n> by your `telemt.toml` configuration (i.e. whichever port Telemt listens on will\n> be available on the host automatically).\n>\n> If you need Docker-managed port mapping (e.g. 
remapping ports, or binding only\n> to `127.0.0.1`), remove `network_mode: host` to use the default **bridge** mode\n> and uncomment the `ports` section below.\n\n> **⚠️ Privileged Ports (443) Binding Note:**\n> The base image uses a non-root user by default to minimize the attack vector. If your configuration binds Telemt to port `443` (or any port \u003C 1024), you will encounter a `Permission denied (os error 13)` error. To fix this, you need to run the container as `root` by uncommenting `user: \"root\"` and commenting out the `security_opt: no-new-privileges:true` block in the example below.\n\n```yaml\nservices:\n  telemt:\n    image: whn0thacked\u002Ftelemt-docker:latest\n    container_name: telemt\n    restart: unless-stopped\n\n    # ---------------------------------------------------------------\n    # Root user requirement for binding privileged ports (\u003C1024)\n    # The default image runs as 'nonroot' to minimize attack vectors.\n    # Uncomment the line below to run as root ONLY if you need to bind\n    # to port 443 and encounter 'os error 13'.\n    # ---------------------------------------------------------------\n    # user: \"root\"\n\n    # Telemt uses RUST_LOG for verbosity (optional)\n    environment:\n      RUST_LOG: \"info\"\n\n    # ---------------------------------------------------------------\n    # API Configuration writes (Atomic Config Save)\n    # The API performs atomic writes (creates a .tmp file and renames it).\n    # To allow the API to save changes to the config, we MUST mount the \n    # ENTIRE directory (not just the file) and ensure it is writable.\n    # We override the default command to point to the mounted file.\n    # ---------------------------------------------------------------\n    command: [\"\u002Fetc\u002Ftelemt\u002Ftelemt.toml\"]\n    volumes:\n      - .\u002Ftelemt-config:\u002Fetc\u002Ftelemt\n\n    # ---------------------------------------------------------------\n    # Host network mode: the container 
uses the host's network stack\n    # directly. The \"ports\" section is IGNORED in this mode — Telemt\n    # binds to host ports as specified in telemt.toml.\n    #\n    # To use Docker-managed port mapping instead, comment out\n    # \"network_mode: host\" and uncomment the \"ports\" section below.\n    # ---------------------------------------------------------------\n    network_mode: host\n\n    # ports:\n    #   - \"443:443\u002Ftcp\"\n    #   # If you enable metrics_port=9090 in config:\n    #   # - \"127.0.0.1:9090:9090\u002Ftcp\"\n\n    # Hardening\n    # ---------------------------------------------------------------\n    # ⚠️ If you uncommented `user: \"root\"` above to bind to port 443,\n    # you MUST comment out the two lines below, as they prevent\n    # gaining the necessary privileges for binding restricted ports.\n    # ---------------------------------------------------------------\n    security_opt:\n      - no-new-privileges:true\n    cap_drop:\n      - ALL\n    cap_add:\n      - NET_BIND_SERVICE\n    read_only: true\n    tmpfs:\n      - \u002Ftmp:rw,nosuid,nodev,noexec,size=16m\n\n    # Resource limits (optional)\n    deploy:\n      resources:\n        limits:\n          cpus: \"0.50\"\n          memory: 256M\n        reservations:\n          cpus: \"0.25\"\n          memory: 128M\n\n    # File descriptor limits (critical for a high-load server!)\n    ulimits:\n      nofile:\n        soft: 65536\n        hard: 65536\n\n    logging:\n      driver: json-file\n      options:\n        max-size: \"10m\"\n        max-file: \"3\"\n```\n\n### 4. Start\n\n```bash\ndocker compose up -d\n```\n\nLogs:\n\n```bash\ndocker compose logs -f\n```\n\n---\n\n## ⚙️ Configuration\n\n### Environment Variables\n\n| Variable | Mandatory | Default | Description |\n|---|:---:|---|---|\n| `RUST_LOG` | No | — | Telemt log level (e.g. `info`, `debug`, `trace`). 
|\n\n### Volumes\n\n| Container Path | Purpose |\n|---|---|\n| **`\u002Fetc\u002Ftelemt`** | Directory containing the `telemt.toml` config file. Mounted as a directory (without `:ro`) to allow the API to securely perform atomic writes. |\n\n### Ports\n\n| Port | Purpose |\n|---:|---|\n| `443\u002Ftcp` | Main MTProxy listener (commonly used for TLS-like traffic). |\n| `9090\u002Ftcp` | Metrics port (only if enabled in `telemt.toml`). |\n| `9091\u002Ftcp` | API port (only if enabled in `telemt.toml`). |\n\n> **Note:** When using `network_mode: host`, Docker does not manage port mapping.\n> Telemt binds directly to host interfaces\u002Fports as configured in `telemt.toml`.\n> The table above lists the default ports for reference only.\n\n---\n\n## 🧠 Container Behavior\n\n- **ENTRYPOINT:** `telemt`\n- **CMD:** Extracted from the `docker-compose.yml` (`[\"\u002Fetc\u002Ftelemt\u002Ftelemt.toml\"]`)\n\nSo the container effectively runs:\n\n```text\ntelemt \u002Fetc\u002Ftelemt\u002Ftelemt.toml\n```\n\nTo run a raw docker command without Compose:\n\n```bash\ndocker build -t telemt:local .\ndocker run --name telemt --restart unless-stopped \\\n  -p 443:443 \\\n  -e RUST_LOG=info \\\n  -v \"$PWD\u002Ftelemt-config:\u002Fetc\u002Ftelemt\" \\\n  --read-only \\\n  --cap-drop ALL --cap-add NET_BIND_SERVICE \\\n  --ulimit nofile=65536:65536 \\\n  telemt:local \u002Fetc\u002Ftelemt\u002Ftelemt.toml\n```\n\n---\n\n## 🛠 Build\n\nThis Dockerfile supports pinning upstream Telemt source:\n\n- `TELEMT_REPO` (default: `https:\u002F\u002Fgithub.com\u002Ftelemt\u002Ftelemt.git`)\n- `TELEMT_REF` (default: `main`)\n\n### Multi-arch build (amd64 + arm64)\n\n```bash\ndocker buildx build \\\n  --platform linux\u002Famd64,linux\u002Farm64 \\\n  -t whn0thacked\u002Ftelemt-docker:latest \\\n  --push .\n```\n\n### Build a specific upstream tag\u002Fbranch\u002Fcommit\n\n```bash\ndocker buildx build \\\n  --build-arg TELEMT_REF=v1.1.0.0 \\\n  -t whn0thacked\u002Ftelemt-docker:v1.1.0.0 \\\n  --push 
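.\n```\n\n---\n\n## 🔗 Useful Links\n\n- **Telemt upstream:** https:\u002F\u002Fgithub.com\u002Ftelemt\u002Ftelemt\n- **MTProxy ad tag bot:** https:\u002F\u002Ft.me\u002Fmtproxybot\n- **Distroless images:** https:\u002F\u002Fgithub.com\u002FGoogleContainerTools\u002Fdistroless\n","telemt-docker is a secure multi-arch Docker image for Telemt, a fast MTProto proxy server written in Rust. The project's core features include support for the amd64 and arm64 architectures, a fully statically compiled binary, and a distroless container environment that runs as a non-root user, ensuring security and efficiency. It suits scenarios that need to deploy a Telegram proxy service and value security, such as development and testing, or production environments where data in transit needs to be encrypted. When using it, take care to comply with local laws and regulations and put appropriate security measures in place.",2,"2026-06-11 03:52:07","high_star"]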