PyPI - cancan-microstack - Versions diffs - 0.0.1__py3-none-any.whl - Mend

cancan-microstack 0.0.1__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (440) hide show

cancan_microstack/assets/ddl/ops/caddy_certificate_tbl.sql ADDED Viewed

@@ -0,0 +1,59 @@
+BEGIN;
+CREATE TABLE caddy_certificate_tbl
+(
+    id BIGSERIAL PRIMARY KEY,
+    -- 域名信息
+    domain VARCHAR(255) NOT NULL,
+    alt_domains TEXT[],
+    -- 证书信息
+    certificate_pem TEXT,
+    private_key_pem TEXT,
+    issuer VARCHAR(255),
+    -- 证书时间
+    issued_at TIMESTAMP WITH TIME ZONE,
+    expires_at TIMESTAMP WITH TIME ZONE,
+    auto_renew BOOLEAN DEFAULT true,
+    renew_before_days INTEGER DEFAULT 30,
+    -- 证书状态
+    status VARCHAR(50) DEFAULT 'pending',
+    last_renew_attempt TIMESTAMP WITH TIME ZONE,
+    last_renew_success TIMESTAMP WITH TIME ZONE,
+    renew_error TEXT,
+    -- ACME 配置
+    acme_provider VARCHAR(100) DEFAULT 'letsencrypt',
+    acme_email VARCHAR(255),
+    acme_challenge_type VARCHAR(50) DEFAULT 'http-01',
+    -- 元数据
+    certificate_metadata JSONB DEFAULT '{}',
+    -- 标准字段
+    flag SMALLINT DEFAULT 0,
+    created_time TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    update_time TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP
+);
+-- 唯一索引
+CREATE UNIQUE INDEX uk_caddy_certificate_tbl_domain ON caddy_certificate_tbl (domain);
+-- 提升按更新时间查询效率
+CREATE INDEX idx_caddy_certificate_tbl_update_time ON caddy_certificate_tbl (update_time);
+-- 其他业务索引
+CREATE INDEX idx_caddy_certificate_tbl_status ON caddy_certificate_tbl (status);
+CREATE INDEX idx_caddy_certificate_tbl_expires_at ON caddy_certificate_tbl (expires_at);
+-- 自动更新时间戳触发器
+CREATE TRIGGER t_upd_caddy_certificate_tbl
+    BEFORE UPDATE
+    ON caddy_certificate_tbl
+    FOR EACH ROW
+EXECUTE PROCEDURE upd_timestamp();
+COMMIT;

cancan_microstack/assets/ddl/ops/caddy_rate_limit_tbl.sql ADDED Viewed

@@ -0,0 +1,64 @@
+BEGIN;
+CREATE TABLE caddy_rate_limit_tbl
+(
+    id BIGSERIAL PRIMARY KEY,
+    -- 限流规则基本信息
+    rule_name VARCHAR(100) NOT NULL,
+    description TEXT,
+    -- 匹配条件
+    match_type VARCHAR(50) NOT NULL,
+    match_pattern VARCHAR(500),
+    match_domain VARCHAR(255),
+    -- 限流配置
+    limit_type VARCHAR(50) NOT NULL DEFAULT 'request',
+    limit_value INTEGER NOT NULL,
+    limit_window INTEGER NOT NULL DEFAULT 60,
+    limit_key VARCHAR(50) DEFAULT 'ip',
+    -- 突发流量配置
+    burst_size INTEGER DEFAULT 0,
+    -- 响应配置
+    block_status_code INTEGER DEFAULT 429,
+    block_message VARCHAR(500) DEFAULT 'Too Many Requests',
+    -- 白名单/黑名单
+    whitelist_ips TEXT[],
+    blacklist_ips TEXT[],
+    -- 状态和优先级
+    is_enabled BOOLEAN DEFAULT true,
+    priority INTEGER DEFAULT 100,
+    -- 元数据
+    rule_metadata JSONB DEFAULT '{}',
+    -- 标准字段
+    flag SMALLINT DEFAULT 0,
+    created_time TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    update_time TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP
+);
+-- 唯一索引
+CREATE UNIQUE INDEX uk_caddy_rate_limit_tbl_rule_name ON caddy_rate_limit_tbl (rule_name);
+-- 提升按更新时间查询效率
+CREATE INDEX idx_caddy_rate_limit_tbl_update_time ON caddy_rate_limit_tbl (update_time);
+-- 其他业务索引
+CREATE INDEX idx_caddy_rate_limit_tbl_match_type ON caddy_rate_limit_tbl (match_type);
+CREATE INDEX idx_caddy_rate_limit_tbl_enabled ON caddy_rate_limit_tbl (is_enabled);
+CREATE INDEX idx_caddy_rate_limit_tbl_priority ON caddy_rate_limit_tbl (priority);
+-- 自动更新时间戳触发器
+CREATE TRIGGER t_upd_caddy_rate_limit_tbl
+    BEFORE UPDATE
+    ON caddy_rate_limit_tbl
+    FOR EACH ROW
+EXECUTE PROCEDURE upd_timestamp();
+COMMIT;

cancan_microstack/assets/ddl/ops/caddy_route_tbl.sql ADDED Viewed

@@ -0,0 +1,63 @@
+BEGIN;
+CREATE TABLE caddy_route_tbl
+(
+    id BIGSERIAL PRIMARY KEY,
+    -- 路由基本信息
+    route_name VARCHAR(100) NOT NULL,
+    domain VARCHAR(255) NOT NULL,
+    path_pattern VARCHAR(500) NOT NULL,
+    -- 上游服务配置
+    upstream_service VARCHAR(100) NOT NULL,
+    upstream_host VARCHAR(100) NOT NULL,
+    upstream_port INTEGER NOT NULL,
+    -- 路由选项
+    strip_path_prefix VARCHAR(200),
+    add_path_prefix VARCHAR(200),
+    enable_https BOOLEAN DEFAULT true,
+    force_https BOOLEAN DEFAULT true,
+    -- WAF 配置
+    enable_waf BOOLEAN DEFAULT true,
+    waf_rule_set VARCHAR(50) DEFAULT 'default',
+    -- 负载均衡配置
+    load_balance_strategy VARCHAR(50) DEFAULT 'round_robin',
+    health_check_path VARCHAR(200),
+    health_check_interval INTEGER DEFAULT 30,
+    -- 状态和元数据
+    is_enabled BOOLEAN DEFAULT true,
+    priority INTEGER DEFAULT 100,
+    route_metadata JSONB DEFAULT '{}',
+    description TEXT,
+    -- 标准字段
+    flag SMALLINT DEFAULT 0,
+    created_time TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    update_time TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP
+);
+-- 唯一索引
+CREATE UNIQUE INDEX uk_caddy_route_tbl_route_name ON caddy_route_tbl (route_name);
+-- 提升按更新时间查询效率
+CREATE INDEX idx_caddy_route_tbl_update_time ON caddy_route_tbl (update_time);
+-- 其他业务索引
+CREATE INDEX idx_caddy_route_tbl_domain ON caddy_route_tbl (domain);
+CREATE INDEX idx_caddy_route_tbl_upstream ON caddy_route_tbl (upstream_service);
+CREATE INDEX idx_caddy_route_tbl_enabled ON caddy_route_tbl (is_enabled);
+CREATE INDEX idx_caddy_route_tbl_priority ON caddy_route_tbl (priority);
+-- 自动更新时间戳触发器
+CREATE TRIGGER t_upd_caddy_route_tbl
+    BEFORE UPDATE
+    ON caddy_route_tbl
+    FOR EACH ROW
+EXECUTE PROCEDURE upd_timestamp();
+COMMIT;

cancan_microstack/assets/ddl/ops/caddy_stats_tbl.sql ADDED Viewed

@@ -0,0 +1,77 @@
+BEGIN;
+CREATE TABLE caddy_stats_tbl
+(
+    id BIGSERIAL PRIMARY KEY,
+    -- 时间维度
+    stat_time TIMESTAMP WITH TIME ZONE NOT NULL,
+    stat_period VARCHAR(20) NOT NULL,
+    -- 维度信息
+    dimension_type VARCHAR(50) NOT NULL,
+    dimension_value VARCHAR(255),
+    -- 请求统计
+    total_requests BIGINT DEFAULT 0,
+    success_requests BIGINT DEFAULT 0,
+    client_error_requests BIGINT DEFAULT 0,
+    server_error_requests BIGINT DEFAULT 0,
+    -- 流量统计
+    total_bytes_sent BIGINT DEFAULT 0,
+    total_bytes_received BIGINT DEFAULT 0,
+    -- 性能统计
+    avg_response_time INTEGER,
+    min_response_time INTEGER,
+    max_response_time INTEGER,
+    p50_response_time INTEGER,
+    p95_response_time INTEGER,
+    p99_response_time INTEGER,
+    -- WAF 统计
+    waf_blocked_requests BIGINT DEFAULT 0,
+    waf_logged_requests BIGINT DEFAULT 0,
+    -- 限流统计
+    rate_limited_requests BIGINT DEFAULT 0,
+    -- TLS 统计
+    tls_requests BIGINT DEFAULT 0,
+    non_tls_requests BIGINT DEFAULT 0,
+    -- 唯一访客统计
+    unique_ips INTEGER DEFAULT 0,
+    unique_user_agents INTEGER DEFAULT 0,
+    -- 元数据
+    stats_metadata JSONB DEFAULT '{}',
+    -- 标准字段
+    flag SMALLINT DEFAULT 0,
+    created_time TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    update_time TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP
+);
+-- 唯一索引（防止重复统计）
+CREATE UNIQUE INDEX uk_caddy_stats_tbl_unique ON caddy_stats_tbl (
+    stat_time, stat_period, dimension_type, COALESCE(dimension_value, '')
+);
+-- 提升按更新时间查询效率
+CREATE INDEX idx_caddy_stats_tbl_update_time ON caddy_stats_tbl (update_time);
+-- 其他业务索引
+CREATE INDEX idx_caddy_stats_tbl_time ON caddy_stats_tbl (stat_time DESC);
+CREATE INDEX idx_caddy_stats_tbl_period ON caddy_stats_tbl (stat_period);
+CREATE INDEX idx_caddy_stats_tbl_dimension ON caddy_stats_tbl (dimension_type, dimension_value);
+-- 自动更新时间戳触发器
+CREATE TRIGGER t_upd_caddy_stats_tbl
+    BEFORE UPDATE
+    ON caddy_stats_tbl
+    FOR EACH ROW
+EXECUTE PROCEDURE upd_timestamp();
+COMMIT;

cancan_microstack/assets/ddl/trigger.sql ADDED Viewed

@@ -0,0 +1,21 @@
+BEGIN;
+CREATE OR REPLACE FUNCTION upd_timestamp() RETURNS TRIGGER AS
+$$
+BEGIN
+    NEW.update_time = CURRENT_TIMESTAMP;
+    RETURN NEW;
+END
+$$
+    LANGUAGE plpgsql;
+CREATE OR REPLACE FUNCTION update_modified_column() RETURNS TRIGGER AS
+$$
+BEGIN
+    NEW.update_time = CURRENT_TIMESTAMP;
+    RETURN NEW;
+END
+$$
+    LANGUAGE plpgsql;
+COMMIT;

cancan_microstack/assets/docker/docker-compose.infra.yml ADDED Viewed

@@ -0,0 +1,401 @@
+# 通用 Python 服务镜像设置
+x-python-service-image: &python_service_image cancan_python_service:latest
+x-python-service-build: &python_service_build
+  context: ./builds/service
+  dockerfile: Dockerfile
+  args:
+    # Injected automatically by the cancan CLI (os.environ CANCAN_VERSION = package version).
+    CANCAN_VERSION: "${CANCAN_VERSION:?CANCAN_VERSION required — run via the cancan CLI (cancan stack up / cancan compose build)}"
+    CANCAN_PIP_SPEC: "${CANCAN_PIP_SPEC:-}"
+    PIP_INDEX_URL: "${PIP_INDEX_URL:-}"
+# ============================================
+# 基础设施 Docker Compose 配置
+# 包含: Caddy, PostgreSQL, Redis, infrasrv, opsbffsrv
+# 这些服务属于基础框架，一般不需要频繁调整
+# ============================================
+# 自定义网络 - 所有服务使用相同网络
+# 通过 CANCAN_STACK_PREFIX 环境变量隔离不同的 Podman/Docker 栈
+networks:
+  app_network:
+    driver: bridge
+    # 不指定 name，让 compose 使用项目级别的网络名，避免与已有网络冲突。
+    # Do not set a fixed network name; let Compose create a project-scoped network to avoid collisions.
+# 命名数据卷 - 用于持久化存储
+volumes:
+  postgres_data:
+    name: ${CANCAN_STACK_PREFIX:-cancan}_postgres_data
+  redis_data:
+    name: ${CANCAN_STACK_PREFIX:-cancan}_redis_data
+  caddy_data:
+    name: ${CANCAN_STACK_PREFIX:-cancan}_caddy_data
+  caddy_config:
+    name: ${CANCAN_STACK_PREFIX:-cancan}_caddy_config
+  rabbitmq_data:
+    name: ${CANCAN_STACK_PREFIX:-cancan}_rabbitmq_data
+  mongo_data:
+    name: ${CANCAN_STACK_PREFIX:-cancan}_mongo_data
+services:
+  # ==========================================
+  # Caddy - 反向代理和 WAF (带 Coraza WAF)
+  # ==========================================
+  caddy.internal:
+    build:
+      context: ./builds/caddy
+      dockerfile: Dockerfile
+      args:
+        GOPROXY: ${CADDY_GOPROXY:-https://goproxy.cn,https://proxy.golang.org,direct}
+        GOSUMDB: ${CADDY_GOSUMDB:-sum.golang.google.cn}
+    container_name: ${CANCAN_STACK_PREFIX:-cancan}_caddy
+    hostname: caddy.internal
+    ports:
+#      - "80:80"       # HTTP
+#      - "443:443"     # HTTPS
+      - "8080:8080"   # 本地开发访问（生产环境会被防火墙过滤）
+    volumes:
+      - ./builds/caddy/Caddyfile:/etc/caddy/Caddyfile
+      - caddy_data:/data
+      - caddy_config:/config
+      - ./builds/caddy/logs:/var/log/caddy
+      - ./builds/caddy/geoip:/usr/share/GeoIP  # GeoLite2 数据库
+      - ./builds/caddy/waf:/etc/caddy/waf      # Coraza WAF 配置和规则
+      - ./builds/caddy/www:/srv/www:ro         # 静态站点（adminops 等）/ Static sites (adminops, etc.)
+    networks:
+      app_network:
+        aliases:
+          - caddy.internal  # Podman DNS 别名
+    environment:
+      - TZ=Asia/Shanghai
+    # 注意：Podman 5.6.2 健康检查存在兼容性问题，但 Docker 正常
+    # Caddy 服务已验证正常运行，Admin API 可访问 http://localhost:2019/config/
+    healthcheck:
+      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:2019/config/"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 10s
+    restart: unless-stopped
+    # 优雅关闭配置
+    stop_signal: SIGTERM
+    stop_grace_period: 30s
+  # ==========================================
+  # PostgreSQL - 主数据库
+  # ==========================================
+  postgres.internal:
+    image: postgres:18
+    container_name: ${CANCAN_STACK_PREFIX:-cancan}_postgres
+    hostname: postgres.internal
+    environment:
+      POSTGRES_USER: postgres
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-postgres123}
+      POSTGRES_DB: main
+      TZ: Asia/Shanghai
+      # PG 18+ 建议挂载到 /var/lib/postgresql，数据会自动放在子目录
+      PGDATA: /var/lib/postgresql/data
+    # 端口映射：支持宿主机访问（out-pod 模式）
+    ports:
+      - "25432:5432"  # 宿主机可通过 localhost:5432 访问
+    volumes:
+      - postgres_data:/var/lib/postgresql  # 修改挂载点以兼容 PG 18+
+      - ./ddl:/docker-entrypoint-initdb.d
+    networks:
+      app_network:
+        aliases:
+          - postgres.internal  # Podman DNS 别名
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U postgres"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    restart: unless-stopped
+    # 优雅关闭配置
+    stop_signal: SIGTERM
+    stop_grace_period: 60s
+  # ==========================================
+  # Redis - 缓存和消息队列
+  # ==========================================
+  redis.internal:
+    image: redis:8.4-alpine
+    container_name: ${CANCAN_STACK_PREFIX:-cancan}_redis
+    hostname: redis.internal
+    # 端口映射：支持宿主机访问（out-pod 模式）
+    ports:
+      - "26379:6379"  # 宿主机可通过 localhost:6379 访问
+    volumes:
+      - redis_data:/data  # 使用命名卷
+    networks:
+      app_network:
+        aliases:
+          - redis.internal  # Podman DNS 别名
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 10s
+      timeout: 3s
+      retries: 5
+    restart: unless-stopped
+    command: redis-server --appendonly yes
+    # 优雅关闭配置
+    stop_signal: SIGTERM
+    stop_grace_period: 30s
+  # ==========================================
+  # RabbitMQ - 消息队列 + Management Plugin
+  # ==========================================
+  rabbitmq.internal:
+    image: rabbitmq:4-management
+    container_name: ${CANCAN_STACK_PREFIX:-cancan}_rabbitmq
+    hostname: rabbitmq.internal
+    environment:
+      - RABBITMQ_DEFAULT_USER=${RABBITMQ_USERNAME:-admin}
+      - RABBITMQ_DEFAULT_PASS=${RABBITMQ_PASSWORD:-admin123}
+      - TZ=Asia/Shanghai
+    ports:
+      - "35672:5672"
+      - "35673:15672"
+    expose:
+      - "5672"
+      - "15672"
+    volumes:
+      - rabbitmq_data:/var/lib/rabbitmq
+    networks:
+      app_network:
+        aliases:
+          - rabbitmq.internal
+    healthcheck:
+      test: ["CMD-SHELL", "rabbitmq-diagnostics -q status"]
+      interval: 30s
+      timeout: 10s
+      retries: 5
+      start_period: 15s
+    restart: unless-stopped
+    stop_signal: SIGTERM
+    stop_grace_period: 30s
+  # ==========================================
+  # MongoDB - 日志存储
+  # ==========================================
+  mongo.internal:
+    image: mongo:7.0
+    container_name: ${CANCAN_STACK_PREFIX:-cancan}_mongo
+    hostname: mongo.internal
+    environment:
+      - MONGO_INITDB_ROOT_USERNAME=admin
+      - MONGO_INITDB_ROOT_PASSWORD=${MONGO_INITDB_ROOT_PASSWORD:-admin123}
+      - TZ=Asia/Shanghai
+    ports:
+      - "27017:27017"
+    expose:
+      - "27017"
+    volumes:
+      - mongo_data:/data/db
+    networks:
+      app_network:
+        aliases:
+          - mongo.internal
+    healthcheck:
+      test:
+        [
+          "CMD-SHELL",
+          "mongosh --quiet --username admin --password ${MONGO_INITDB_ROOT_PASSWORD:-admin123} --authenticationDatabase admin --eval 'db.runCommand({ ping: 1 })'",
+        ]
+      interval: 30s
+      timeout: 10s
+      retries: 5
+      start_period: 20s
+    restart: unless-stopped
+    stop_signal: SIGTERM
+    stop_grace_period: 30s
+  # ==========================================
+  # mongo-express - MongoDB Web UI
+  # ==========================================
+  mongo-express.internal:
+    image: mongo-express:1.0.2-20-alpine3.19
+    container_name: ${CANCAN_STACK_PREFIX:-cancan}_mongo_express
+    hostname: mongo-express.internal
+    environment:
+      - ME_CONFIG_MONGODB_SERVER=mongo.internal
+      - ME_CONFIG_MONGODB_PORT=27017
+      - ME_CONFIG_MONGODB_ADMINUSERNAME=admin
+      - ME_CONFIG_MONGODB_ADMINPASSWORD=${MONGO_INITDB_ROOT_PASSWORD:-admin123}
+      - ME_CONFIG_BASICAUTH_USERNAME=admin
+      - ME_CONFIG_BASICAUTH_PASSWORD=${MONGO_EXPRESS_PASSWORD:-admin123}
+      - ME_CONFIG_SITE_BASEURL=/v1/opsbffsrv/mongo_express/
+      - TZ=Asia/Shanghai
+    expose:
+      - "8081"
+    networks:
+      app_network:
+        aliases:
+          - mongo-express.internal
+    depends_on:
+      mongo.internal:
+        condition: service_healthy
+    restart: unless-stopped
+    stop_signal: SIGTERM
+    stop_grace_period: 30s
+  # ==========================================
+  # infrasrv - 基础设施服务
+  # ==========================================
+  infrasrv.service:
+    image: *python_service_image
+    build: *python_service_build
+    container_name: ${CANCAN_STACK_PREFIX:-cancan}_infrasrv
+    hostname: infrasrv.service
+    command: ["sh", "-c", "python -m cancan_microstack.cmd.infrasrv.run 2>&1 | tee -a /app/server_log_data/infrasrv.out.log"]
+    environment:
+      - NE_CONFIG=dev_in_pod
+      - PYTHONUNBUFFERED=1
+      # Mac/Docker Desktop: use host.docker.internal to access host services
+      - "CONTROLLERSRV_HOST=${CONTROLLERSRV_HOST:-http://host.containers.internal:22100}"
+      # 凭据从工作区 .env 注入；默认值与开箱即用一致 / Credentials from workspace .env; defaults match out-of-box
+      - "RABBITMQ_USERNAME=${RABBITMQ_USERNAME:-admin}"
+      - "RABBITMQ_PASSWORD=${RABBITMQ_PASSWORD:-admin123}"
+      - "MONGODB_URI=${MONGODB_URI:-mongodb://admin:admin123@mongo.internal:27017/admin?authSource=admin}"
+    # 不直接暴露端口，通过 Caddy 反向代理访问
+    expose:
+      - "8080"
+    networks:
+      app_network:
+        aliases:
+          - infrasrv.service  # Podman DNS 别名
+    depends_on:
+      postgres.internal:
+        condition: service_healthy
+      redis.internal:
+        condition: service_healthy
+      rabbitmq.internal:
+        condition: service_healthy
+      mongo.internal:
+        condition: service_healthy
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8080/internal/health"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 40s
+    restart: unless-stopped
+    volumes:
+      - ./ddl:/app/ddl
+      - ./server_log_data:/app/server_log_data
+    # 优雅关闭配置
+    stop_signal: SIGTERM
+    stop_grace_period: 30s
+  # ==========================================
+  # opsbffsrv - 运营管理服务
+  # ==========================================
+  opsbffsrv.service:
+    image: *python_service_image
+    build: *python_service_build
+    container_name: ${CANCAN_STACK_PREFIX:-cancan}_opsbffsrv
+    hostname: opsbffsrv.service
+    command: ["sh", "-c", "python -m cancan_microstack.cmd.opsbffsrv.run 2>&1 | tee -a /app/server_log_data/opsbffsrv.out.log"]
+    environment:
+      - NE_CONFIG=dev_in_pod
+      - PYTHONUNBUFFERED=1
+      # 凭据/密钥从工作区 .env 注入；默认值与开箱即用一致 / From workspace .env; defaults match out-of-box
+      - "CONTROLLERSRV_HOST=${CONTROLLERSRV_HOST:-http://host.containers.internal:22100}"
+      - "MONGODB_URI=${MONGODB_URI:-mongodb://admin:admin123@mongo.internal:27017/admin?authSource=admin}"
+      - "AUTH_TOTP_FERNET_KEY=${AUTH_TOTP_FERNET_KEY:-}"
+      - "AUTH_COOKIE_SECURE=${AUTH_COOKIE_SECURE:-true}"
+      - "MONGO_EXPRESS_PASSWORD=${MONGO_EXPRESS_PASSWORD:-admin123}"
+      - "RABBITMQ_MGMT_PASSWORD=${RABBITMQ_MGMT_PASSWORD:-admin123}"
+      - "PROXY_CORS_ALLOWED_ORIGINS=${PROXY_CORS_ALLOWED_ORIGINS:-}"
+    # 不直接暴露端口，通过 Caddy 反向代理访问
+    expose:
+      - "8080"
+    networks:
+      app_network:
+        aliases:
+          - opsbffsrv.service  # Podman DNS 别名
+    depends_on:
+      postgres.internal:
+        condition: service_healthy
+      redis.internal:
+        condition: service_healthy
+      infrasrv.service:
+        condition: service_healthy
+      mongo.internal:
+        condition: service_healthy
+      rabbitmq.internal:
+        condition: service_healthy
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8080/internal/health"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 40s
+    restart: unless-stopped
+    volumes:
+      - ./ddl:/app/ddl
+      - ./server_log_data:/app/server_log_data
+      - ./builds/caddy/geoip:/usr/share/GeoIP  # GeoIP 数据库（与 Caddy 共享）
+      - ./builds/caddy/logs:/app/builds/caddy/logs:ro  # Caddy access logs（供统计采集）
+    # 优雅关闭配置
+    stop_signal: SIGTERM
+    stop_grace_period: 30s
+  # ==========================================
+  # pgweb - PostgreSQL Web UI
+  # ==========================================
+  pgweb.internal:
+    image: sosedoff/pgweb:latest
+    container_name: ${CANCAN_STACK_PREFIX:-cancan}_pgweb
+    hostname: pgweb.internal
+    environment:
+      - PGWEB_DATABASE_URL=postgres://postgres:${POSTGRES_PASSWORD:-postgres123}@postgres.internal:5432/main?sslmode=disable
+      - TZ=Asia/Shanghai
+    # 不直接暴露端口，通过 opsbffsrv 转发访问
+    expose:
+      - "8081"
+    networks:
+      app_network:
+        aliases:
+          - pgweb.internal  # Podman DNS 别名
+    depends_on:
+      postgres.internal:
+        condition: service_healthy
+    # 注意：Podman 5.6.2 健康检查存在兼容性问题，但 Docker 正常
+    # pgweb 服务已验证正常运行，可通过 opsbffsrv 访问 http://localhost:8081/
+    healthcheck:
+      test: ["CMD", "nc", "-z", "localhost", "8081"]
+      interval: 30s
+      timeout: 5s
+      retries: 3
+      start_period: 10s
+    restart: unless-stopped
+  # ==========================================
+  # redis-commander - Redis Web UI
+  # ==========================================
+  redis-commander.internal:
+    image: rediscommander/redis-commander:latest
+    container_name: ${CANCAN_STACK_PREFIX:-cancan}_redis_commander
+    hostname: redis-commander.internal
+    environment:
+      - REDIS_HOSTS=local:redis.internal:6379
+      - TZ=Asia/Shanghai
+    # 不直接暴露端口，通过 opsbffsrv 转发访问
+    expose:
+      - "8081"
+    networks:
+      app_network:
+        aliases:
+          - redis-commander.internal
+    depends_on:
+      redis.internal:
+        condition: service_healthy
+    healthcheck:
+      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:8081"]
+      interval: 30s
+      timeout: 5s
+      retries: 3
+      start_period: 10s
+    restart: unless-stopped