clouddreamai-cicd-setup 1.5.25 → 1.5.27
package/package.json
CHANGED
|
@@ -24,8 +24,9 @@ FROM node:20-alpine AS production
|
|
|
24
24
|
RUN addgroup -g 1001 -S nodejs && \
|
|
25
25
|
adduser -S nestjs -u 1001
|
|
26
26
|
|
|
27
|
-
#
|
|
27
|
+
# 设置工作目录并确保 nestjs 用户拥有完整权限
|
|
28
28
|
WORKDIR /app
|
|
29
|
+
RUN chown nestjs:nodejs /app
|
|
29
30
|
|
|
30
31
|
# 从构建阶段复制 node_modules 和构建产物
|
|
31
32
|
COPY --from=builder --chown=nestjs:nodejs /app/node_modules ./node_modules
|
|
@@ -82,6 +82,77 @@ EOF
|
|
|
82
82
|
fi
|
|
83
83
|
}
|
|
84
84
|
|
|
85
|
+
# 配置 HTTPS Nginx(使用已有证书)
|
|
86
|
+
configure_ssl_nginx() {
|
|
87
|
+
local DOMAIN=$1
|
|
88
|
+
local PORT=$2
|
|
89
|
+
|
|
90
|
+
cat > /www/server/panel/vhost/nginx/${DOMAIN}.conf << EOF
|
|
91
|
+
# 由 CloudDreamAI CI/CD 自动生成 - $(date) - HTTPS
|
|
92
|
+
server {
|
|
93
|
+
listen 80;
|
|
94
|
+
server_name ${DOMAIN};
|
|
95
|
+
|
|
96
|
+
location /.well-known/acme-challenge/ {
|
|
97
|
+
root /www/wwwroot/acme-challenge;
|
|
98
|
+
}
|
|
99
|
+
|
|
100
|
+
location / {
|
|
101
|
+
return 301 https://\$host\$request_uri;
|
|
102
|
+
}
|
|
103
|
+
}
|
|
104
|
+
|
|
105
|
+
server {
|
|
106
|
+
listen 443 ssl;
|
|
107
|
+
http2 on;
|
|
108
|
+
server_name ${DOMAIN};
|
|
109
|
+
|
|
110
|
+
ssl_certificate /www/server/panel/vhost/cert/${DOMAIN}/fullchain.pem;
|
|
111
|
+
ssl_certificate_key /www/server/panel/vhost/cert/${DOMAIN}/privkey.pem;
|
|
112
|
+
ssl_protocols TLSv1.2 TLSv1.3;
|
|
113
|
+
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
|
|
114
|
+
ssl_prefer_server_ciphers off;
|
|
115
|
+
|
|
116
|
+
access_log /www/wwwlogs/${DOMAIN}.log;
|
|
117
|
+
error_log /www/wwwlogs/${DOMAIN}.error.log;
|
|
118
|
+
|
|
119
|
+
location / {
|
|
120
|
+
proxy_pass http://127.0.0.1:${PORT};
|
|
121
|
+
proxy_set_header Host \$host;
|
|
122
|
+
proxy_set_header X-Real-IP \$remote_addr;
|
|
123
|
+
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
|
|
124
|
+
proxy_set_header X-Forwarded-Proto \$scheme;
|
|
125
|
+
proxy_http_version 1.1;
|
|
126
|
+
proxy_set_header Upgrade \$http_upgrade;
|
|
127
|
+
proxy_set_header Connection "upgrade";
|
|
128
|
+
proxy_connect_timeout 60s;
|
|
129
|
+
proxy_send_timeout 60s;
|
|
130
|
+
proxy_read_timeout 60s;
|
|
131
|
+
}
|
|
132
|
+
}
|
|
133
|
+
EOF
|
|
134
|
+
|
|
135
|
+
nginx -t && nginx -s reload
|
|
136
|
+
echo "✓ HTTPS 配置完成: https://$DOMAIN"
|
|
137
|
+
}
|
|
138
|
+
|
|
139
|
+
# 检查 SSL 证书是否有效(存在且未过期)
|
|
140
|
+
check_ssl_valid() {
|
|
141
|
+
local DOMAIN=$1
|
|
142
|
+
local CERT_FILE="/www/server/panel/vhost/cert/${DOMAIN}/fullchain.pem"
|
|
143
|
+
|
|
144
|
+
if [ ! -f "$CERT_FILE" ]; then
|
|
145
|
+
return 1 # 证书不存在
|
|
146
|
+
fi
|
|
147
|
+
|
|
148
|
+
# 检查证书是否在 7 天内过期
|
|
149
|
+
if openssl x509 -checkend 604800 -noout -in "$CERT_FILE" 2>/dev/null; then
|
|
150
|
+
return 0 # 证书有效
|
|
151
|
+
else
|
|
152
|
+
return 1 # 证书即将过期或已过期
|
|
153
|
+
fi
|
|
154
|
+
}
|
|
155
|
+
|
|
85
156
|
# SSL 证书配置函数(使用 acme.sh + Let's Encrypt)
|
|
86
157
|
configure_ssl() {
|
|
87
158
|
local DOMAIN=$1
|
|
@@ -106,6 +177,14 @@ configure_ssl() {
|
|
|
106
177
|
|
|
107
178
|
echo "配置 SSL 证书: $DOMAIN"
|
|
108
179
|
|
|
180
|
+
# 检查证书是否已存在且有效
|
|
181
|
+
if check_ssl_valid "$DOMAIN"; then
|
|
182
|
+
echo "✓ SSL 证书已存在且有效,跳过申请"
|
|
183
|
+
# 直接配置 HTTPS(使用现有证书)
|
|
184
|
+
configure_ssl_nginx "$DOMAIN" "$PORT"
|
|
185
|
+
return
|
|
186
|
+
fi
|
|
187
|
+
|
|
109
188
|
# 安装 acme.sh(如果没有)
|
|
110
189
|
if [ ! -f ~/.acme.sh/acme.sh ]; then
|
|
111
190
|
echo "安装 acme.sh..."
|
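Review bot: `configure_ssl_nginx` copies `$1` and `$2` unchecked into the unquoted redirect target `/www/server/panel/vhost/nginx/${DOMAIN}.conf` and into the generated server blocks, so a domain containing `/`, whitespace, `;` or braces changes which file is written or which directives nginx loads. Whether callers validate the value is not visible in these hunks, so the function should reject anything that is not a plain hostname and a numeric port before the `cat`. The `✓ HTTPS 配置完成` line is also printed when `nginx -t` fails, and the new early `return` in `configure_ssl` then reports success while the failing file, which has already overwritten the previous vhost config, stays in place. `check_ssl_valid` tests only `fullchain.pem` although the generated config also needs the key, so `[ -f "/www/server/panel/vhost/cert/${DOMAIN}/privkey.pem" ] || return 1` belongs next to the existing file check. The page labels this section `package/package.json`, but the hunks are a Dockerfile and a shell script, so the paths of the real files are not known from here.

```shell
configure_ssl_nginx() {
    local DOMAIN=$1
    local PORT=$2
    local CONF="/www/server/panel/vhost/nginx/${DOMAIN}.conf"

    # Only a plain hostname and a numeric port may reach the file path and the nginx directives.
    case "$DOMAIN" in
        ''|.*|-*|*[!A-Za-z0-9.-]*) echo "invalid domain: $DOMAIN" >&2; return 1 ;;
    esac
    case "$PORT" in
        ''|*[!0-9]*) echo "invalid port: $PORT" >&2; return 1 ;;
    esac

    cat > "$CONF" << EOF
    # … unchanged: heredoc body (both server blocks) through the closing EOF …

    # Report failure to the caller instead of printing the success line.
    if ! nginx -t; then
        echo "nginx -t failed for $CONF" >&2
        return 1
    fi
    nginx -s reload || return 1
    # … unchanged: success message …
```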