Add cloud deployment configuration (Phase 0.6 dev + Phase 0.7 stage, two separate setups):

dev environment (docker-compose.dev.yml):
- 5-service all-in-one (postgres + member-center + visionA-backend + frontend + Caddy)
- Caddy automatic HTTPS for localhost
- .env.dev.example template (user copies it to .env.dev, then docker compose up -d)
- Makefile dev-with-mc with 9 targets

stage environment (docker-compose.stage.yml + docker/Dockerfile.stage):
- multi-stage build (node22 frontend + go1.26 backend × 2 + nginx-alpine runtime); final image 319 MB, containing nginx + nodejs + tini + bash
- entrypoint.stage.sh: 4 processes share fate (nginx + api-server + remote-proxy + next.js standalone) via wait -n + SIGTERM trap
- nginx.stage.conf: whitelisted server_name stage-9527.innovedus.com + 444 default_server + /healthz exception (127.0.0.0/8 only) + /api/ and /storage/ forced no-store + /tunnel/connect WS upgrade + 100M body / 3600s timeout
- external mapping 0.0.0.0:9527:80 (the company host nginx handles HTTPS termination in the outer layer; Let's Encrypt for stage-9527.innovedus.com renews automatically)
- named volume visiona-data (no bind mount, because the stage docker daemon has no mkdir permission under host root)

deploy script (scripts/deploy-stage.sh):
- modelled on the early save/load mode of edge-ai-platform/scripts/deploy-docker.sh
- why not the internal registry: the company's 192.168.0.130:5000 has auth enabled and we have no credentials
- flow: buildx --load → docker save | gzip → DOCKER_HOST docker load → compose up
- includes --rollback <tag> / --skip-build / --no-push / --skip-deploy options
- timestamp + git SHA tag leaves room for rollback

docs (docs/):
- DEV-SETUP.md: one-shot dev environment startup steps
- SMOKE-TEST.md: manual smoke test checklist (OIDC flow / pairing / tunnel)
- STAGE-DEPLOY.md: full stage manual (architecture diagram / environment prerequisites / deploy steps / rollback / 7 troubleshooting cases / emergency POC recovery)

.env.stage.example aligned with the backend A1 refactor:
- VISIONA_OIDC_CLIENT_SECRET left empty (PKCE-only public client)
- VISIONA_OIDC_SERVICE_CLIENT_ID/_SECRET left empty (hook reserved for Phase 1)
- all secrets use a placeholder (CHANGE_ME_OPENSSL_RAND_HEX_32)

.dockerignore: keeps node_modules / .next / .git etc. out of the build context

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
116 lines
5.1 KiB
Plaintext
# visionA — stage environment variable template
#
# Usage:
# 1. On the stage host:
#      cp .env.stage.example .env.stage
#      nano .env.stage   # fill in the secrets (see notes below)
# 2. .env.stage lives in the same directory as docker-compose.stage.yml
# 3. ⚠️ Never committed to git (.gitignore already excludes it)
#
# How to generate secrets:
#   openssl rand -hex 32
#
# Aligned with:
# - visionA-backend/internal/config/config.go (after A1, ClientSecret became optional and ServiceClient* is reserved)
# - .autoflow/04-architecture/oidc-tdd.md §13.1
# - .autoflow/progress.md Phase 0.7 → S6 (OIDC public PKCE-only client)

# ============================================================
# OIDC — Member Center @ stage
# ============================================================
# Issuer URL — the trailing slash is **required** (the issuer returned by MC discovery carries the slash; otherwise client init rejects it)
VISIONA_OIDC_ISSUER_URL=https://stage-9527.innovedus.com:7850/

# Login client (public PKCE-only — no secret)
VISIONA_OIDC_CLIENT_ID=b8093fea1a504a5d8f0e04bee9f78f2e
# Leave empty → backend runs in PKCE-only mode (supported since A1; see ADR-013)
VISIONA_OIDC_CLIENT_SECRET=

# Service-to-service client (client_credentials grant)
# Reserved in Phase 0.7, not enabled; even if filled in, main.go does not wire it (see the ServiceClientID comment in config.go)
# ⚠️ Neither value may be hard-coded into a git-tracked file; fill in real values only in .env.stage on the stage host
VISIONA_OIDC_SERVICE_CLIENT_ID=
VISIONA_OIDC_SERVICE_CLIENT_SECRET=

# Callback URL — must exactly match the redirect_uri configured for the client on the MC side
VISIONA_OIDC_REDIRECT_URL=https://stage-9527.innovedus.com:9527/api/auth/callback

# Frontend URL — the 302 target after the OIDC callback completes (same host, same port)
VISIONA_FRONTEND_URL=https://stage-9527.innovedus.com:9527

# ============================================================
# Cookie session (the browser-side session cookie after OIDC login)
# ============================================================
# Cookie HMAC signing key — **must be replaced**
# Generate: openssl rand -hex 32
VISIONA_SESSION_SECRET=CHANGE_ME_OPENSSL_RAND_HEX_32

# CookieDomain: empty = host-only cookie (recommended; stage has a single host)
# Only set to something like .innovedus.com if sessions must later be shared across subdomains
VISIONA_SESSION_COOKIE_DOMAIN=

# CookieSecure: stage is served over HTTPS → must be true
VISIONA_SESSION_COOKIE_SECURE=true

# Session TTL (defaults; to change, uncomment and fill in)
# VISIONA_SESSION_ABSOLUTE_TTL=168h
# VISIONA_SESSION_IDLE_TTL=24h

# ============================================================
# Server — ports all match nginx.stage.conf
# ============================================================
VISIONA_HOST=0.0.0.0
VISIONA_API_PORT=3721
VISIONA_TUNNEL_PORT=3800
VISIONA_PROXY_INTERNAL_PORT=3801
VISIONA_PROXY_INTERNAL_URL=http://127.0.0.1:3801

# SessionStore backend on the api-server side: proxy-client = query remote-proxy over internal HTTP
# SessionStore backend on the remote-proxy side: inmemory = holds the yamux sessions itself
# Both binaries read this .env, but each only looks at the fields it needs
VISIONA_SESSION_BACKEND=proxy-client

# Public URL the agent uses to connect to the tunnel (returned to the agent by /api/pairing/exchange)
# Note ws→wss; host:port must match the public HTTPS endpoint
VISIONA_RELAY_PUBLIC_URL=wss://stage-9527.innovedus.com:9527

# ============================================================
# CORS — stage is same-host same-origin (frontend and backend are both served from :9527); nothing needs allowing
# ============================================================
VISIONA_CORS_ALLOWED_ORIGINS=

# ============================================================
# Storage — prototype LocalFS (host /opt/visiona/data/ mounted into the container)
# ============================================================
VISIONA_STORAGE_BACKEND=localfs
VISIONA_STORAGE_LOCALFS_ROOT=/data/storage
# Externally reachable base for presigned URLs; matches the company host nginx's public endpoint
VISIONA_STORAGE_LOCALFS_BASE_URL=https://stage-9527.innovedus.com:9527/storage
# presigned URL HMAC secret — **must be replaced**
# Generate: openssl rand -hex 32
VISIONA_STORAGE_SIGNING_SECRET=CHANGE_ME_OPENSSL_RAND_HEX_32

# ============================================================
# Model upload
# ============================================================
# Model upload size limit (MB) — must match client_max_body_size in nginx.stage.conf
# nginx is currently set to 100M, so 100 here too; to raise it, change both places together
VISIONA_MODEL_MAX_SIZE_MB=100

# ============================================================
# Pairing token (prototype: empty = issued dynamically; a value = hard-coded)
# Aligned with .autoflow/02-prd/feature-pairing-token.md
# ============================================================
VISIONA_PAIRING_TOKEN=

# ============================================================
# Misc
# ============================================================
VISIONA_LOG_LEVEL=info
# Do not seed demo data on stage (avoids polluting storage with fake data)
VISIONA_SEED_DEMO_DATA=false

# After the Phase 0.7 security audit (2026-05-01), stage/prod no longer read this value;
# it has been removed from api.Deps (see .autoflow/05-implementation/review/phase-0.7-security-audit.md C1).
# Comment kept as an audit trail; stage deployment does not need to set VISIONA_STATIC_USER_ID.