341 lines
12 KiB
YAML
341 lines
12 KiB
YAML
# ═══════════════════════════════════════════════
|
|
# 🔺 Sovereign: TCS-0002∞ | Root: SYS-GLW-0001
|
|
# 📜 Copyright: 国作登字-2026-A-00037559
|
|
# ═══════════════════════════════════════════════
|
|
# 🌐 铸渊专线 · 部署与管理
|
|
#
|
|
# 铸渊核心身体 · 锻心器官扩展
|
|
# 管理代理服务的安装、更新、订阅发送
|
|
# ═══════════════════════════════════════════════
|
|
|
|
name: '🌐 铸渊专线 · 部署'
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
action:
|
|
description: '操作类型'
|
|
required: true
|
|
type: choice
|
|
options:
|
|
- install
|
|
- update
|
|
- status
|
|
- restart
|
|
- send-subscription
|
|
- update-dashboard
|
|
- setup-cn-relay
|
|
default: 'status'
|
|
email:
|
|
description: '目标邮箱 (仅send-subscription时需要)'
|
|
required: false
|
|
type: string
|
|
|
|
permissions:
|
|
contents: write
|
|
|
|
jobs:
|
|
# ═══ §1 代理服务部署 ═══
|
|
deploy-proxy:
|
|
name: '🌐 代理服务 · ${{ github.event.inputs.action }}'
|
|
runs-on: ubuntu-latest
|
|
if: >-
|
|
github.event.inputs.action == 'install' ||
|
|
github.event.inputs.action == 'update' ||
|
|
github.event.inputs.action == 'status' ||
|
|
github.event.inputs.action == 'restart'
|
|
|
|
steps:
|
|
- name: '📥 检出代码'
|
|
uses: actions/checkout@v4
|
|
|
|
- name: '🔑 配置SSH密钥'
|
|
env:
|
|
SSH_KEY: ${{ secrets.ZY_SERVER_KEY }}
|
|
run: |
|
|
mkdir -p ~/.ssh
|
|
echo "$SSH_KEY" > ~/.ssh/id_deploy
|
|
chmod 600 ~/.ssh/id_deploy
|
|
|
|
# 验证密钥格式
|
|
if ! head -1 ~/.ssh/id_deploy | grep -q "BEGIN"; then
|
|
echo "❌ SSH密钥格式异常"
|
|
exit 1
|
|
fi
|
|
|
|
ssh-keyscan -H ${{ secrets.ZY_SERVER_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
|
|
|
|
# 连接测试
|
|
ssh -i ~/.ssh/id_deploy \
|
|
-o StrictHostKeyChecking=accept-new \
|
|
-o BatchMode=yes \
|
|
-o ConnectTimeout=15 \
|
|
${{ secrets.ZY_SERVER_USER }}@${{ secrets.ZY_SERVER_HOST }} \
|
|
"echo '✅ SSH连接成功'"
|
|
|
|
- name: '📦 上传代理服务代码'
|
|
if: >-
|
|
github.event.inputs.action == 'install' ||
|
|
github.event.inputs.action == 'update'
|
|
run: |
|
|
rsync -avz --delete \
|
|
-e "ssh -i ~/.ssh/id_deploy -o StrictHostKeyChecking=accept-new" \
|
|
server/proxy/ \
|
|
${{ secrets.ZY_SERVER_USER }}@${{ secrets.ZY_SERVER_HOST }}:/opt/zhuyuan/proxy-deploy/
|
|
|
|
- name: '🚀 执行部署'
|
|
run: |
|
|
ssh -i ~/.ssh/id_deploy \
|
|
-o StrictHostKeyChecking=accept-new \
|
|
${{ secrets.ZY_SERVER_USER }}@${{ secrets.ZY_SERVER_HOST }} \
|
|
"cd /opt/zhuyuan/proxy-deploy && \
|
|
export ZY_SERVER_HOST='${{ secrets.ZY_SERVER_HOST }}' && \
|
|
export ZY_CN_RELAY_HOST='${{ secrets.ZY_CN_SERVER_HOST }}' && \
|
|
bash deploy-proxy.sh ${{ github.event.inputs.action }}"
|
|
|
|
- name: '🧹 清理SSH密钥'
|
|
if: always()
|
|
run: rm -f ~/.ssh/id_deploy
|
|
|
|
# ═══ §2 发送订阅链接 ═══
|
|
send-subscription:
|
|
name: '📧 发送订阅链接'
|
|
runs-on: ubuntu-latest
|
|
if: github.event.inputs.action == 'send-subscription'
|
|
|
|
steps:
|
|
- name: '📥 检出代码'
|
|
uses: actions/checkout@v4
|
|
|
|
- name: '🔑 配置SSH密钥'
|
|
env:
|
|
SSH_KEY: ${{ secrets.ZY_SERVER_KEY }}
|
|
run: |
|
|
mkdir -p ~/.ssh
|
|
echo "$SSH_KEY" > ~/.ssh/id_deploy
|
|
chmod 600 ~/.ssh/id_deploy
|
|
ssh-keyscan -H ${{ secrets.ZY_SERVER_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
|
|
|
|
- name: '📧 发送订阅邮件'
|
|
run: |
|
|
TARGET_EMAIL="${{ github.event.inputs.email }}"
|
|
if [ -z "$TARGET_EMAIL" ]; then
|
|
TARGET_EMAIL="${{ secrets.ZY_SMTP_USER }}"
|
|
fi
|
|
|
|
echo "📧 发送订阅到: $TARGET_EMAIL"
|
|
|
|
ssh -i ~/.ssh/id_deploy \
|
|
-o StrictHostKeyChecking=accept-new \
|
|
${{ secrets.ZY_SERVER_USER }}@${{ secrets.ZY_SERVER_HOST }} \
|
|
"cd /opt/zhuyuan/proxy && \
|
|
ZY_SMTP_USER='${{ secrets.ZY_SMTP_USER }}' \
|
|
ZY_SMTP_PASS='${{ secrets.ZY_SMTP_PASS }}' \
|
|
ZY_SERVER_HOST='${{ secrets.ZY_SERVER_HOST }}' \
|
|
node service/send-subscription.js send '$TARGET_EMAIL'"
|
|
|
|
- name: '🧹 清理SSH密钥'
|
|
if: always()
|
|
run: rm -f ~/.ssh/id_deploy
|
|
|
|
# ═══ §3 更新仪表盘 ═══
|
|
update-dashboard:
|
|
name: '📊 更新仪表盘'
|
|
runs-on: ubuntu-latest
|
|
if: github.event.inputs.action == 'update-dashboard'
|
|
|
|
steps:
|
|
- name: '📥 检出代码'
|
|
uses: actions/checkout@v4
|
|
with:
|
|
token: ${{ secrets.ZY_GITHUB_PAT }}
|
|
|
|
- name: '🔑 配置SSH密钥'
|
|
env:
|
|
SSH_KEY: ${{ secrets.ZY_SERVER_KEY }}
|
|
run: |
|
|
mkdir -p ~/.ssh
|
|
echo "$SSH_KEY" > ~/.ssh/id_deploy
|
|
chmod 600 ~/.ssh/id_deploy
|
|
ssh-keyscan -H ${{ secrets.ZY_SERVER_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
|
|
|
|
- name: '📊 获取流量数据'
|
|
run: |
|
|
# 从服务器获取配额数据
|
|
ssh -i ~/.ssh/id_deploy \
|
|
-o StrictHostKeyChecking=accept-new \
|
|
${{ secrets.ZY_SERVER_USER }}@${{ secrets.ZY_SERVER_HOST }} \
|
|
"cat /opt/zhuyuan/proxy/data/quota-status.json 2>/dev/null || echo '{}'" \
|
|
> /tmp/quota-status.json
|
|
|
|
cat /tmp/quota-status.json
|
|
|
|
- name: '📝 更新README仪表盘'
|
|
run: |
|
|
node server/proxy/dashboard/update-dashboard.js --json /tmp/quota-status.json
|
|
|
|
- name: '📤 提交更新'
|
|
run: |
|
|
git config user.name "铸渊 · ZhuYuan"
|
|
git config user.email "zhuyuan-bot@guanghulab.com"
|
|
|
|
if git diff --quiet README.md; then
|
|
echo "仪表盘无变化"
|
|
else
|
|
git add README.md
|
|
git commit -m "📊 铸渊专线仪表盘更新 · $(date -u +%Y-%m-%d)"
|
|
git push
|
|
echo "✅ 仪表盘已更新并推送"
|
|
fi
|
|
|
|
- name: '🧹 清理'
|
|
if: always()
|
|
run: rm -f ~/.ssh/id_deploy /tmp/quota-status.json
|
|
|
|
# ═══ §4 CN中转配置 ═══
|
|
# 架构: GitHub Actions(美国) → SG(新加坡·跳板) → CN(广州·目标)
|
|
# 原因: GitHub Actions无法直接SSH到中国服务器(网络路由/GFW)
|
|
# 方案: 通过已连通的SG服务器作为SSH ProxyJump跳板
|
|
setup-cn-relay:
|
|
name: '🇨🇳 CN中转配置'
|
|
runs-on: ubuntu-latest
|
|
if: github.event.inputs.action == 'setup-cn-relay'
|
|
|
|
steps:
|
|
- name: '📥 检出代码'
|
|
uses: actions/checkout@v4
|
|
|
|
- name: '🔑 配置SSH跳板 (SG→CN)'
|
|
env:
|
|
SG_SSH_KEY: ${{ secrets.ZY_SERVER_KEY }}
|
|
CN_SSH_KEY: ${{ secrets.ZY_CN_SERVER_KEY }}
|
|
CN_SSH_PORT: ${{ secrets.ZY_CN_SSH_PORT }}
|
|
run: |
|
|
CN_PORT="${CN_SSH_PORT:-22}"
|
|
echo "🔧 SSH跳板架构: GitHub Actions → SG → CN (端口 ${CN_PORT})"
|
|
|
|
mkdir -p ~/.ssh
|
|
|
|
# SG跳板机密钥
|
|
echo "$SG_SSH_KEY" > ~/.ssh/id_sg
|
|
chmod 600 ~/.ssh/id_sg
|
|
|
|
# CN目标机密钥
|
|
echo "$CN_SSH_KEY" > ~/.ssh/id_cn
|
|
chmod 600 ~/.ssh/id_cn
|
|
|
|
# 验证两把密钥格式
|
|
for key_file in id_sg id_cn; do
|
|
if ! head -1 ~/.ssh/${key_file} | grep -q "BEGIN"; then
|
|
echo "❌ SSH密钥格式异常: ${key_file}"
|
|
exit 1
|
|
fi
|
|
done
|
|
echo "✅ SG + CN 密钥格式正确"
|
|
|
|
# 扫描SG跳板机主机密钥
|
|
ssh-keyscan -H ${{ secrets.ZY_SERVER_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
|
|
|
|
# 配置SSH跳板 (ProxyJump: GitHub Actions → SG → CN)
|
|
cat > ~/.ssh/config << EOF
|
|
Host sg-jump
|
|
HostName ${{ secrets.ZY_SERVER_HOST }}
|
|
User ${{ secrets.ZY_SERVER_USER }}
|
|
IdentityFile ~/.ssh/id_sg
|
|
StrictHostKeyChecking accept-new
|
|
BatchMode yes
|
|
|
|
Host cn-target
|
|
HostName ${{ secrets.ZY_CN_SERVER_HOST }}
|
|
User ${{ secrets.ZY_CN_SERVER_USER }}
|
|
Port ${CN_PORT}
|
|
IdentityFile ~/.ssh/id_cn
|
|
ProxyJump sg-jump
|
|
StrictHostKeyChecking accept-new
|
|
BatchMode yes
|
|
ConnectTimeout 30
|
|
EOF
|
|
chmod 600 ~/.ssh/config
|
|
|
|
# 测试跳板连接
|
|
echo "🔗 测试SSH跳板连接: GitHub Actions → SG → CN..."
|
|
ssh cn-target "echo '✅ CN服务器SSH连接成功 (通过SG跳板)'" || {
|
|
echo ""
|
|
echo "❌ SSH跳板连接失败 · 排查清单:"
|
|
echo " 1. 确认SG服务器SSH可达 (ZY_SERVER_KEY / ZY_SERVER_HOST)"
|
|
echo " 2. 确认CN服务器从SG可达 (ZY_CN_SERVER_HOST: ${{ secrets.ZY_CN_SERVER_HOST }})"
|
|
echo " 3. 确认CN服务器SSH密钥正确 (ZY_CN_SERVER_KEY)"
|
|
echo " 4. 确认CN服务器SSH端口 (ZY_CN_SSH_PORT, 当前: ${CN_PORT})"
|
|
echo " 5. 腾讯云防火墙 → 确认端口 ${CN_PORT} 对SG服务器IP开放"
|
|
exit 1
|
|
}
|
|
|
|
- name: '📦 上传CN中转脚本'
|
|
run: |
|
|
scp server/proxy/setup/setup-cn-relay.sh \
|
|
cn-target:/tmp/setup-cn-relay.sh
|
|
|
|
- name: '🇨🇳 执行CN中转配置'
|
|
run: |
|
|
ssh cn-target \
|
|
"chmod +x /tmp/setup-cn-relay.sh && \
|
|
export ZY_SG_SERVER_HOST='${{ secrets.ZY_SERVER_HOST }}' && \
|
|
sudo -E bash /tmp/setup-cn-relay.sh"
|
|
|
|
- name: '💚 CN中转验证'
|
|
run: |
|
|
# 通过SG跳板验证CN中转服务状态
|
|
echo "🔍 通过SG跳板验证CN中转..."
|
|
|
|
VERIFY_RESULT=$(ssh cn-target "
|
|
FAIL=0
|
|
|
|
echo '§1 Nginx状态:'
|
|
if systemctl is-active --quiet nginx; then
|
|
echo ' ✅ Nginx运行中'
|
|
else
|
|
echo ' ❌ Nginx未运行'
|
|
FAIL=1
|
|
fi
|
|
|
|
echo '§2 中转端口 2053:'
|
|
if ss -tlnp | grep -q ':2053'; then
|
|
echo ' ✅ 端口2053监听中'
|
|
else
|
|
echo ' ❌ 端口2053未监听'
|
|
FAIL=1
|
|
fi
|
|
|
|
echo '§3 HTTP健康检查:'
|
|
if curl -sf http://127.0.0.1/health >/dev/null 2>&1; then
|
|
echo ' ✅ HTTP健康检查正常'
|
|
else
|
|
echo ' ⚠️ HTTP健康检查未响应'
|
|
fi
|
|
|
|
exit \$FAIL
|
|
" 2>&1) && CN_OK=true || CN_OK=false
|
|
|
|
echo "$VERIFY_RESULT"
|
|
|
|
# 从外部验证CN HTTP (GitHub Actions可以通过HTTP访问中国服务器)
|
|
CN_HOST="${{ secrets.ZY_CN_SERVER_HOST }}"
|
|
HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" "http://${CN_HOST}/health" 2>/dev/null || echo "000")
|
|
if [ "$HTTP_CODE" = "200" ]; then
|
|
echo "✅ CN HTTP外部健康检查: 正常"
|
|
else
|
|
echo "⚠️ CN HTTP外部检查: 状态码 $HTTP_CODE (可能需要等待或在防火墙开放80端口)"
|
|
fi
|
|
|
|
# 关键服务必须运行
|
|
if [ "$CN_OK" = "false" ]; then
|
|
echo ""
|
|
echo "❌ CN中转关键服务未就绪 (Nginx未运行或端口2053未监听)"
|
|
echo " 请检查CN服务器Nginx状态和腾讯云安全组2053端口"
|
|
exit 1
|
|
fi
|
|
|
|
- name: '🧹 清理SSH密钥'
|
|
if: always()
|
|
run: rm -f ~/.ssh/id_sg ~/.ssh/id_cn ~/.ssh/config
|