Add cloud deployment configuration (Phase 0.6 dev + Phase 0.7 stage as two separate setups):

dev environment (docker-compose.dev.yml):
- 5 services all-in-one (postgres + member-center + visionA-backend + frontend + Caddy)
- Caddy automatic HTTPS for localhost
- .env.dev.example template (the user copies it to .env.dev, then docker compose up -d)
- Makefile dev-with-mc with 9 targets

stage environment (docker-compose.stage.yml + docker/Dockerfile.stage):
- multi-stage build (node22 frontend + go1.26 backend × 2 + nginx-alpine runtime); final image 319 MB, containing nginx + nodejs + tini + bash
- entrypoint.stage.sh: 4 processes share one fate (nginx + api-server + remote-proxy + next.js standalone) via wait -n + SIGTERM trap
- nginx.stage.conf: server_name whitelist stage-9527.innovedus.com + 444 default_server + /healthz exception (127.0.0.0/8 only) + forced no-store on /api/ and /storage/ + /tunnel/connect WS upgrade + 100M body / 3600s timeout
- external mapping 0.0.0.0:9527:80 (the company host nginx handles HTTPS termination in the outer layer; Let's Encrypt stage-9527.innovedus.com auto-renewal)
- named volume visiona-data (no bind mount, because the stage docker daemon has no mkdir permission at host root)

Deploy script (scripts/deploy-stage.sh):
- modelled on the early save/load mode of edge-ai-platform/scripts/deploy-docker.sh
- why not the internal registry: the company's 192.168.0.130:5000 has auth enabled and we have no credentials
- flow: buildx --load → docker save | gzip → DOCKER_HOST docker load → compose up
- includes --rollback <tag> / --skip-build / --no-push / --skip-deploy options
- timestamp + git SHA tags leave room for rollback

Docs (docs/):
- DEV-SETUP.md: one-shot startup steps for the dev environment
- SMOKE-TEST.md: manual smoke test checklist (OIDC flow / pairing / tunnel)
- STAGE-DEPLOY.md: complete stage handbook (architecture diagram / environment prerequisites / deploy steps / rollback / 7 troubleshooting cases / emergency POC recovery)

.env.stage.example aligned with the backend A1 rework:
- VISIONA_OIDC_CLIENT_SECRET left empty (PKCE-only public client)
- VISIONA_OIDC_SERVICE_CLIENT_ID/_SECRET left empty (hook reserved for Phase 1)
- all secrets use placeholders (CHANGE_ME_OPENSSL_RAND_HEX_32)

.dockerignore: keep node_modules / .next / .git etc. out of the build context

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
79 lines
3.2 KiB
Plaintext
# visionA dev environment variable template
#
# Usage:
# cp .env.dev.example .env.dev
# # edit .env.dev and fill in the OAuth client_id / client_secret (generated after the manual seed)
# docker compose -f docker-compose.dev.yml --env-file .env.dev up -d
#
# Detailed steps: see docs/DEV-SETUP.md
#
# ⚠️ Do not commit .env.dev (already excluded in .gitignore)

# ============================================================
# Member Center
# ============================================================
# Built from the ../member_center path by default. If your member_center lives elsewhere, change this.
# Example: MEMBER_CENTER_PATH=/Users/me/code/member_center
MEMBER_CENTER_PATH=../member_center

# Member Center admin account (created by installer init)
# Afterwards, use these credentials to log in to the MC admin UI / obtain an admin API token
MC_ADMIN_EMAIL=admin@visiona.local
MC_ADMIN_PASSWORD=Admin12345!


# ============================================================
# visionA OIDC client (must be registered in MC first, see docs/DEV-SETUP.md)
# ============================================================
# On first start these two values do not exist yet → run with static auth first (VISIONA_AUTH_TYPE=static)
# After the OAuth client is registered, fill in these two values + set VISIONA_AUTH_TYPE=oidc → restart with docker compose up -d
VISIONA_OIDC_CLIENT_ID=CHANGE_ME
VISIONA_OIDC_CLIENT_SECRET=CHANGE_ME

# auth mode switch: static (prototype default) / oidc (connects to MC)
VISIONA_AUTH_TYPE=static

# OIDC issuer / redirect: the defaults already match MC's dev port
# ⚠️ The trailing slash is mandatory (the issuer returned by MC discovery carries a slash; otherwise client init rejects it)
VISIONA_OIDC_ISSUER_URL=http://localhost:5050/
VISIONA_OIDC_REDIRECT_URL=http://localhost:3721/api/auth/callback


# ============================================================
# Cookie / session
# ============================================================
# Random string of at least 32 bytes (recommended: openssl rand -hex 32)
VISIONA_SESSION_SECRET=please-change-me-32-bytes-random-dev-secret

# Frontend URL (redirect target after the OIDC callback completes)
VISIONA_FRONTEND_URL=http://localhost:3000


# ============================================================
# Existing visionA-backend environment variables (same as visionA-backend/.env.example)
# ============================================================
VISIONA_LOG_LEVEL=info
VISIONA_API_PORT=3721
VISIONA_TUNNEL_PORT=3800
# Since the Phase 0.7 security audit (2026-05-01), only used by the dev seed (VISIONA_SEED_DEMO_DATA=true) and unit test fixtures;
# removed from api.Deps (see .autoflow/05-implementation/review/phase-0.7-security-audit.md C1);
# stage / prod do not need to set it.
VISIONA_STATIC_USER_ID=demo-user

VISIONA_CORS_ALLOWED_ORIGINS=http://localhost:3000
VISIONA_SEED_DEMO_DATA=true

VISIONA_STORAGE_BASE_URL=http://localhost:3721/storage
# ⚠️ Must be changed for production: openssl rand -hex 32
VISIONA_STORAGE_SIGNING_SECRET=dev-signing-secret-change-me-32-bytes

# Pairing token (the prototype still uses static; leave empty for dynamic allocation)
VISIONA_PAIRING_TOKEN=


# ============================================================
# Advanced: change these on port conflicts
# ============================================================
# POSTGRES_PORT=5432
# MEMBER_CENTER_PORT=5050
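Review bot: VISIONA_OIDC_CLIENT_SECRET=CHANGE_ME, together with the usage comment that tells the user to fill in a client_secret, contradicts the commit message, which says .env.stage.example leaves VISIONA_OIDC_CLIENT_SECRET empty because visionA is a PKCE-only public client. Either leave it empty here too, or add a comment saying why the dev registration is a confidential client; as written, dev and stage exercise two different OIDC client types, so the SMOKE-TEST.md OIDC flow run against the dev stack does not validate the stage configuration. Secondly, MC_ADMIN_PASSWORD=Admin12345! is a working default in a committed template, and the comment says installer init creates the admin account with it; consider the same CHANGE_ME_OPENSSL_RAND_HEX_32 placeholder convention the stage template uses so a copy-and-run dev stack does not come up with a guessable admin login, and apply the same to VISIONA_SESSION_SECRET and VISIONA_STORAGE_SIGNING_SECRET, which the comments already flag as must-change.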