Merge remote-tracking branch 'origin/master' into codex/wooden-fish-template

scripts/deploy/production-api-deploy.sh

@@ -120,6 +120,115 @@ PY
   fi
 }
 
+read_env_value() {
+  local file_path="$1"
+  local key="$2"
+
+  if [[ ! -f "${file_path}" ]]; then
+    return 0
+  fi
+
+  local python_script='
+import sys
+from pathlib import Path
+
+path = Path(sys.argv[1])
+key = sys.argv[2]
+if not path.exists():
+    raise SystemExit(0)
+for raw_line in path.read_text(encoding="utf-8").splitlines():
+    line = raw_line.strip()
+    if not line or line.startswith("#") or "=" not in line:
+        continue
+    current_key, value = line.split("=", 1)
+    if current_key == key:
+        value = value.strip()
+        if len(value) >= 2 and value[0] == value[-1] and value[0] in ("\"", "'\''"):
+            value = value[1:-1]
+        print(value)
+        raise SystemExit(0)
+'
+
+  if [[ -r "${file_path}" ]]; then
+    python3 -c "${python_script}" "${file_path}" "${key}"
+  else
+    if ! sudo -n true >/dev/null 2>&1; then
+      echo "[production-api-deploy] 当前用户无权读取 ${file_path}，且 sudo -n 不可用；无法检查运行态环境变量。" >&2
+      exit 1
+    fi
+    sudo -n python3 -c "${python_script}" "${file_path}" "${key}"
+  fi
+}
+
+ensure_env_value() {
+  local file_path="$1"
+  local key="$2"
+  local default_value="$3"
+  local current_value
+
+  current_value="$(read_env_value "${file_path}" "${key}")"
+  if [[ -n "${current_value}" ]]; then
+    return
+  fi
+
+  echo "[production-api-deploy] 补齐 api-server 环境变量: ${key} -> ${file_path}"
+  write_env_value "${file_path}" "${key}" "${default_value}"
+}
+
+run_privileged() {
+  if [[ "$(id -u)" -eq 0 ]]; then
+    "$@"
+    return
+  fi
+  if ! sudo -n true >/dev/null 2>&1; then
+    echo "[production-api-deploy] 当前用户不是 root，且 sudo -n 不可用；无法执行: $*" >&2
+    exit 1
+  fi
+  sudo -n "$@"
+}
+
+ensure_runtime_dir() {
+  local path="$1"
+  local mode="$2"
+
+  if [[ -z "${path}" ]]; then
+    return
+  fi
+  if [[ "${path}" != /* ]]; then
+    echo "[production-api-deploy] 运行态目录必须使用绝对路径，避免写入只读发布目录: ${path}" >&2
+    exit 1
+  fi
+
+  echo "[production-api-deploy] 确保运行态目录可写: ${path}"
+  run_privileged install -d -o genarrative -g genarrative -m "${mode}" "${path}"
+}
+
+ensure_runtime_env_and_dirs() {
+  local api_env_file="$1"
+  local tracking_enabled tracking_outbox_dir auth_store_path auth_store_dir
+
+  # 旧生产环境文件会被 server-provision 保留，不一定包含新增的运行态写入路径。
+  # 发布前只补缺省值，不覆盖线上已经定制过的目录或开关。
+  ensure_env_value "${api_env_file}" "GENARRATIVE_TRACKING_OUTBOX_ENABLED" "true"
+  ensure_env_value "${api_env_file}" "GENARRATIVE_TRACKING_OUTBOX_DIR" "/var/lib/genarrative/tracking-outbox"
+  ensure_env_value "${api_env_file}" "GENARRATIVE_TRACKING_OUTBOX_BATCH_SIZE" "500"
+  ensure_env_value "${api_env_file}" "GENARRATIVE_TRACKING_OUTBOX_FLUSH_INTERVAL_MS" "1000"
+  ensure_env_value "${api_env_file}" "GENARRATIVE_TRACKING_OUTBOX_MAX_BYTES" "268435456"
+  ensure_env_value "${api_env_file}" "GENARRATIVE_AUTH_STORE_PATH" "/var/lib/genarrative/auth/auth-store.json"
+
+  tracking_enabled="$(read_env_value "${api_env_file}" "GENARRATIVE_TRACKING_OUTBOX_ENABLED")"
+  tracking_outbox_dir="$(read_env_value "${api_env_file}" "GENARRATIVE_TRACKING_OUTBOX_DIR")"
+  if [[ "$(printf "%s" "${tracking_enabled}" | tr '[:upper:]' '[:lower:]')" != "false" ]]; then
+    ensure_runtime_dir "${tracking_outbox_dir}" "0750"
+  fi
+
+  auth_store_path="$(read_env_value "${api_env_file}" "GENARRATIVE_AUTH_STORE_PATH")"
+  if [[ -n "${auth_store_path}" ]]; then
+    auth_store_dir="$(dirname "${auth_store_path}")"
+    ensure_runtime_dir "${auth_store_dir}" "0750"
+  fi
+}
+
 SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
 SOURCE_DIR=""
 VERSION=""
@@ -243,6 +352,8 @@ if [[ -n "${SPACETIME_SERVER_URL}" ]]; then
   write_env_value "${API_ENV_FILE}" "GENARRATIVE_SPACETIME_SERVER_URL" "${SPACETIME_SERVER_URL}"
 fi
 
+ensure_runtime_env_and_dirs "${API_ENV_FILE}"
+
 mkdir -p "$(dirname "${CURRENT_LINK}")"
 ln -sfn "${RELEASE_DIR}" "${CURRENT_LINK}"
 

scripts/jenkins-server-provision.sh

@@ -292,6 +292,42 @@ write_env_value() {
   chown root:root "${file}"
 }
 
+ensure_env_value() {
+  local file="$1"
+  local key="$2"
+  local default_value="$3"
+  local current_value
+
+  current_value="$(read_env_value "${file}" "${key}")"
+  if [[ -n "${current_value}" ]]; then
+    return
+  fi
+
+  echo "[server-provision] 补齐 api-server 环境变量: ${key} -> ${file}"
+  if [[ "${DRY_RUN}" != "true" ]]; then
+    write_env_value "${file}" "${key}" "${default_value}"
+  fi
+}
+
+ensure_api_runtime_env_defaults() {
+  if [[ "${DRY_RUN}" == "true" ]]; then
+    echo "+ ensure api-server runtime env defaults in ${API_ENV_FILE}"
+    return
+  fi
+  if [[ ! -f "${API_ENV_FILE}" ]]; then
+    echo "[server-provision] 环境文件不存在，无法补齐 api-server 运行态目录变量: ${API_ENV_FILE}" >&2
+    exit 1
+  fi
+
+  # 已存在的生产 env 会被保留，不会整文件覆盖；这里仅补后续版本新增的运行态写入路径。
+  ensure_env_value "${API_ENV_FILE}" "GENARRATIVE_TRACKING_OUTBOX_ENABLED" "true"
+  ensure_env_value "${API_ENV_FILE}" "GENARRATIVE_TRACKING_OUTBOX_DIR" "/var/lib/genarrative/tracking-outbox"
+  ensure_env_value "${API_ENV_FILE}" "GENARRATIVE_TRACKING_OUTBOX_BATCH_SIZE" "500"
+  ensure_env_value "${API_ENV_FILE}" "GENARRATIVE_TRACKING_OUTBOX_FLUSH_INTERVAL_MS" "1000"
+  ensure_env_value "${API_ENV_FILE}" "GENARRATIVE_TRACKING_OUTBOX_MAX_BYTES" "268435456"
+  ensure_env_value "${API_ENV_FILE}" "GENARRATIVE_AUTH_STORE_PATH" "/var/lib/genarrative/auth/auth-store.json"
+}
+
 parse_json_string_field() {
   local json="$1"
   local key="$2"
@@ -437,11 +473,55 @@ validate_nginx_tls() {
   fi
 }
 
+disable_nginx_default_sites_enabled() {
+  local moves_file="$1"
+  local sites_enabled="/etc/nginx/sites-enabled"
+  local sites_disabled="/etc/nginx/sites-disabled"
+  local stamp source target base
+  local candidates=("${sites_enabled}/default" "${sites_enabled}/default."*)
+
+  stamp="$(date +%Y%m%d%H%M%S)"
+  for source in "${candidates[@]}"; do
+    if [[ ! -e "${source}" && ! -L "${source}" ]]; then
+      continue
+    fi
+
+    base="$(basename "${source}")"
+    target="${sites_disabled}/${base}.disabled-${stamp}"
+    echo "[server-provision] 禁用 Debian 默认 Nginx 站点，避免与 Genarrative server_name 冲突: ${source} -> ${target}"
+    mkdir -p "${sites_disabled}"
+    mv "${source}" "${target}"
+    printf "%s\t%s\n" "${target}" "${source}" >>"${moves_file}"
+  done
+}
+
+restore_nginx_default_sites_enabled() {
+  local moves_file="$1"
+  local target source
+
+  if [[ ! -f "${moves_file}" ]]; then
+    return
+  fi
+
+  while IFS=$'\t' read -r target source || [[ -n "${target:-}" ]]; do
+    if [[ -z "${target:-}" || -z "${source:-}" ]]; then
+      continue
+    fi
+    if [[ -e "${target}" || -L "${target}" ]]; then
+      mkdir -p "$(dirname "${source}")"
+      if [[ ! -e "${source}" && ! -L "${source}" ]]; then
+        echo "[server-provision] 恢复 Debian 默认 Nginx 站点: ${target} -> ${source}"
+        mv "${target}" "${source}"
+      fi
+    fi
+  done <"${moves_file}"
+}
+
 install_nginx_config_with_rollback() {
   local config_target="/etc/nginx/conf.d/genarrative.conf"
   local snippet_target="/etc/nginx/snippets/genarrative-maintenance.conf"
   local config_source
-  local rendered_config rendered_snippet config_backup snippet_backup
+  local rendered_config rendered_snippet config_backup snippet_backup disabled_sites
   local had_config="false"
   local had_snippet="false"
 
@@ -459,6 +539,7 @@ install_nginx_config_with_rollback() {
   echo "+ install -m 0644 deploy/nginx/snippets/genarrative-maintenance.conf ${snippet_target}"
 
   if [[ "${DRY_RUN}" == "true" ]]; then
+    echo "+ disable /etc/nginx/sites-enabled/default* if present"
     echo "+ nginx -t"
     echo "+ nginx -s reload"
     return
@@ -468,6 +549,7 @@ install_nginx_config_with_rollback() {
   rendered_snippet="$(mktemp)"
   config_backup="$(mktemp)"
   snippet_backup="$(mktemp)"
+  disabled_sites="$(mktemp)"
   if [[ "${NGINX_CONFIG_MODE}" == "production-https" ]]; then
     validate_nginx_tls
     render_nginx_https_config >"${rendered_config}"
@@ -487,6 +569,7 @@ install_nginx_config_with_rollback() {
 
   install -m 0644 "${rendered_config}" "${config_target}"
   install -m 0644 "${rendered_snippet}" "${snippet_target}"
+  disable_nginx_default_sites_enabled "${disabled_sites}"
 
   if ! nginx -t; then
     echo "[server-provision] nginx -t 失败，恢复写入前的 Nginx 配置。" >&2
@@ -500,13 +583,14 @@ install_nginx_config_with_rollback() {
     else
       rm -f "${snippet_target}"
     fi
-    rm -f "${rendered_config}" "${rendered_snippet}" "${config_backup}" "${snippet_backup}"
+    restore_nginx_default_sites_enabled "${disabled_sites}"
+    rm -f "${rendered_config}" "${rendered_snippet}" "${config_backup}" "${snippet_backup}" "${disabled_sites}"
     exit 1
   fi
   echo "+ nginx -s reload"
   nginx -s reload
 
-  rm -f "${rendered_config}" "${rendered_snippet}" "${config_backup}" "${snippet_backup}"
+  rm -f "${rendered_config}" "${rendered_snippet}" "${config_backup}" "${snippet_backup}" "${disabled_sites}"
 }
 
 cleanup_placeholder_nginx_config() {
@@ -625,6 +709,7 @@ if [[ ! -f "${API_ENV_FILE}" ]]; then
 else
   echo "[server-provision] 已存在环境文件，保留不覆盖: ${API_ENV_FILE}"
 fi
+ensure_api_runtime_env_defaults
 
 if [[ "${ENABLE_OTELCOL:-true}" == "true" ]]; then
   sync_otelcol_install