novalon/novalon-website
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: 修复Woodpecker CI配置文件中的linter错误
ci/woodpecker/manual/woodpecker Pipeline was successful
Details

Browse Source 
- 移除未使用的YAML锚点定义
- 替换commands字段中的锚点引用为实际值
- 移除有问题的通知步骤
- 修复测试文件中的问题
- 添加新的测试用例和配置文件
This commit is contained in:
张翔
2026-03-28 09:42:45 +08:00
parent a5ee6489a1
commit ebaa7f3c50
53 changed files with 4564 additions and 818 deletions
Download Patch File Download Diff File Expand all files Collapse all files
scripts/deploy-subdomain-ssl.sh
+137
View File
@@ -0,0 +1,137 @@
#!/bin/bash
set -e
echo "========================================="
echo "二级域名SSL证书配置部署脚本"
echo "========================================="
echo ""
echo "请选择SSL证书申请方案:"
echo ""
echo "方案A: 通配符证书 (DNS验证)"
echo " - 一个证书覆盖所有 *.f.novalon.cn"
echo " - 需要腾讯云API密钥"
echo " - 适合: 有API密钥且希望简化证书管理"
echo ""
echo "方案B: 单独证书 (HTTP验证)"
echo " - 为每个域名单独申请证书"
echo " - 无需API密钥"
echo " - 适合: 没有API密钥或希望独立管理每个域名"
echo ""
read -p "请选择方案 [A/B]: " choice
case $choice in
[Aa])
echo ""
echo "选择方案A: 通配符证书"
if [ -f "scripts/ssl-wildcard-dns.sh" ]; then
echo ""
echo "上传SSL证书申请脚本..."
scp scripts/ssl-wildcard-dns.sh root@139.155.109.62:/home/novalon/docker-app/
ssh root@139.155.109.62 "chmod +x /home/novalon/docker-app/ssl-wildcard-dns.sh"
echo "✓ SSL证书申请脚本已上传"
else
echo "✗ 找不到ssl-wildcard-dns.sh文件"
exit 1
fi
echo ""
echo "上传Nginx配置..."
if [ -f "nginx-wildcard.conf" ]; then
scp nginx-wildcard.conf root@139.155.109.62:/home/novalon/docker-app/novalon-nginx/nginx.conf
echo "✓ Nginx配置已上传"
else
echo "✗ 找不到nginx-wildcard.conf文件"
exit 1
fi
echo ""
echo "========================================="
echo "请在服务器上执行以下命令:"
echo "========================================="
echo ""
echo "ssh root@139.155.109.62"
echo ""
echo "export TENCENTCLOUD_SECRET_ID=your-secret-id"
echo "export TENCENTCLOUD_SECRET_KEY=your-secret-key"
echo ""
echo "cd /home/novalon/docker-app"
echo "./ssl-wildcard-dns.sh"
echo ""
echo "docker restart novalon-nginx"
echo ""
echo "========================================="
;;
[Bb])
echo ""
echo "选择方案B: 单独证书"
if [ -f "scripts/ssl-individual-http.sh" ]; then
echo ""
echo "上传SSL证书申请脚本..."
scp scripts/ssl-individual-http.sh root@139.155.109.62:/home/novalon/docker-app/
ssh root@139.155.109.62 "chmod +x /home/novalon/docker-app/ssl-individual-http.sh"
echo "✓ SSL证书申请脚本已上传"
else
echo "✗ 找不到ssl-individual-http.sh文件"
exit 1
fi
echo ""
echo "上传Nginx配置..."
if [ -f "nginx-individual.conf" ]; then
scp nginx-individual.conf root@139.155.109.62:/home/novalon/docker-app/novalon-nginx/nginx.conf
echo "✓ Nginx配置已上传"
else
echo "✗ 找不到nginx-individual.conf文件"
exit 1
fi
echo ""
read -p "是否现在申请证书? [y/N]: " confirm
if [ "$confirm" = "y" ] || [ "$confirm" = "Y" ]; then
echo ""
echo "申请SSL证书..."
ssh root@139.155.109.62 "cd /home/novalon/docker-app && ./ssl-individual-http.sh"
echo ""
echo "重启Nginx容器..."
ssh root@139.155.109.62 "docker restart novalon-nginx"
else
echo ""
echo "========================================="
echo "请在服务器上执行以下命令:"
echo "========================================="
echo ""
echo "ssh root@139.155.109.62"
echo ""
echo "cd /home/novalon/docker-app"
echo "./ssl-individual-http.sh"
echo ""
echo "docker restart novalon-nginx"
echo ""
echo "========================================="
fi
;;
*)
echo "无效选择"
exit 1
;;
esac
echo ""
echo "========================================="
echo "部署完成!"
echo "========================================="
echo ""
echo "测试访问:"
echo " - https://git.f.novalon.cn"
echo " - https://ci.f.novalon.cn"
echo " - https://registry.f.novalon.cn"
echo ""
echo "检查SSL证书:"
echo " openssl s_client -connect git.f.novalon.cn:443 -servername git.f.novalon.cn | openssl x509 -noout -text | grep -A 1 'Subject Alternative Name'"
echo "========================================="
scripts/deploy-wildcard-domain.sh
Executable
+73
View File
@@ -0,0 +1,73 @@
#!/bin/bash
set -e
echo "========================================="
echo "二级域名配置部署脚本"
echo "========================================="
echo ""
echo "步骤1: 验证DNS解析..."
echo "检查 *.f.novalon.cn 解析..."
if nslookup git.f.novalon.cn | grep -q "139.155.109.62"; then
echo "✓ DNS解析正常"
else
echo "✗ DNS解析未生效,请等待DNS传播"
exit 1
fi
echo ""
echo "步骤2: 上传Nginx配置..."
if [ -f "nginx-wildcard.conf" ]; then
scp nginx-wildcard.conf root@139.155.109.62:/home/novalon/docker-app/nginx.conf
echo "✓ Nginx配置已上传"
else
echo "✗ 找不到nginx-wildcard.conf文件"
exit 1
fi
echo ""
echo "步骤3: 上传SSL证书申请脚本..."
if [ -f "scripts/setup-wildcard-ssl.sh" ]; then
scp scripts/setup-wildcard-ssl.sh root@139.155.109.62:/home/novalon/docker-app/
ssh root@139.155.109.62 "chmod +x /home/novalon/docker-app/setup-wildcard-ssl.sh"
echo "✓ SSL证书申请脚本已上传"
else
echo "✗ 找不到setup-wildcard-ssl.sh文件"
exit 1
fi
echo ""
echo "步骤4: 申请通配符SSL证书..."
echo "注意: 需要腾讯云API密钥"
echo ""
echo "请在服务器上执行以下命令:"
echo "ssh root@139.155.109.62"
echo "export TENCENTCLOUD_SECRET_ID=your-secret-id"
echo "export TENCENTCLOUD_SECRET_KEY=your-secret-key"
echo "cd /home/novalon/docker-app && ./setup-wildcard-ssl.sh"
echo ""
echo "或者直接运行 (需要提供密钥):"
read -p "是否现在申请证书? (需要腾讯云API密钥) [y/N]: " confirm
if [ "$confirm" = "y" ] || [ "$confirm" = "Y" ]; then
read -p "请输入腾讯云Secret ID: " secret_id
read -p "请输入腾讯云Secret Key: " secret_key
ssh root@139.155.109.62 "export TENCENTCLOUD_SECRET_ID='$secret_id' && export TENCENTCLOUD_SECRET_KEY='$secret_key' && cd /home/novalon/docker-app && ./setup-wildcard-ssl.sh"
fi
echo ""
echo "========================================="
echo "部署完成!"
echo "========================================="
echo ""
echo "后续步骤:"
echo "1. 如果未自动申请证书,请手动执行SSL证书申请脚本"
echo "2. 重启Nginx容器: docker restart novalon-nginx"
echo "3. 测试访问:"
echo " - https://git.f.novalon.cn"
echo " - https://ci.f.novalon.cn"
echo " - https://registry.f.novalon.cn"
echo "========================================="
scripts/setup-gitea-oauth2-auto.sh
+83
View File
@@ -0,0 +1,83 @@
#!/bin/bash
echo "========================================="
echo "Gitea OAuth2应用自动配置"
echo "========================================="
echo ""
echo "步骤1: 生成管理员Access Token..."
# 使用正确的scope (all包含所有权限)
OUTPUT=$(docker exec -u git forgejo gitea admin user generate-access-token \
--username novalon-admin \
--token-name oauth2-setup-$(date +%s) \
--scopes all 2>&1)
echo "$OUTPUT"
# 从输出中提取token
TOKEN=$(echo "$OUTPUT" | grep -oP 'Access token: \K.*' || echo "")
echo ""
echo "步骤2: 使用Token创建OAuth2应用..."
if [ -n "$TOKEN" ]; then
echo "Token已生成: ${TOKEN:0:20}..."
# 使用API创建OAuth2应用
RESPONSE=$(docker exec forgejo curl -s -X POST "http://localhost:3000/api/v1/applications/oauth2" \
-H "Authorization: token $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "Woodpecker CI",
"redirect_uri": "https://ci.f.novalon.cn/authorize",
"confidential_client": true
}')
echo "API响应: $RESPONSE"
# 提取Client ID和Secret
CLIENT_ID=$(echo "$RESPONSE" | grep -oP '"client_id":"\K[^"]+' || echo "")
CLIENT_SECRET=$(echo "$RESPONSE" | grep -oP '"client_secret":"\K[^"]+' || echo "")
if [ -n "$CLIENT_ID" ] && [ -n "$CLIENT_SECRET" ]; then
echo ""
echo "========================================="
echo "✅ OAuth2应用创建成功!"
echo "========================================="
echo ""
echo "Client ID: $CLIENT_ID"
echo "Client Secret: $CLIENT_SECRET"
echo ""
echo "请将以下内容添加到.env文件:"
echo "WOODPECKER_FORGEJO_CLIENT=$CLIENT_ID"
echo "WOODPECKER_FORGEJO_SECRET=$CLIENT_SECRET"
echo ""
echo "然后重启Woodpecker服务:"
echo "cd /home/novalon/docker-app/novalon-cicd"
echo "docker-compose restart woodpecker-server"
echo "========================================="
exit 0
else
echo "警告: 无法从API响应中提取凭证"
fi
else
echo "警告: 无法生成Token"
fi
echo ""
echo "========================================="
echo "⚠️ 自动配置失败,请手动完成"
echo "========================================="
echo ""
echo "1. 访问 https://git.f.novalon.cn"
echo "2. 登录凭证:"
echo " 用户名: novalon-admin"
echo " 密码: Novalon@Admin2026"
echo ""
echo "3. 创建OAuth2应用:"
echo " 头像 -> 设置 -> 应用 -> OAuth2应用 -> 创建应用"
echo " 名称: Woodpecker CI"
echo " 重定向URI: https://ci.f.novalon.cn/authorize"
echo ""
echo "4. 记录Client ID和Secret并更新.env文件"
echo "========================================="
scripts/setup-gitea-oauth2.sh
+51
View File
@@ -0,0 +1,51 @@
#!/bin/bash
echo "========================================="
echo "Gitea OAuth2应用配置"
echo "========================================="
echo ""
echo "步骤1: 生成管理员Access Token..."
# 生成access token
docker exec -u git forgejo gitea admin user generate-access-token \
--username novalon-admin \
--token-name oauth2-setup \
--scopes write:application,read:application,write:user,read:user
echo ""
echo "步骤2: 从数据库获取Token..."
# 从数据库获取token (Gitea存储的是hash,我们需要原始token)
# 查看access_token表
docker exec postgresql psql -U forgejo -d forgejo -c \
"SELECT id, uid, name, created_unix FROM access_token WHERE name='oauth2-setup' ORDER BY created_unix DESC LIMIT 1;"
echo ""
echo "步骤3: 尝试使用API创建OAuth2应用..."
# 由于我们无法直接获取原始token,让我们使用Web UI方式
echo ""
echo "========================================="
echo "请手动完成以下步骤:"
echo "========================================="
echo ""
echo "1. 访问 https://git.f.novalon.cn"
echo "2. 使用以下凭证登录:"
echo " 用户名: novalon-admin"
echo " 密码: Novalon@Admin2026"
echo ""
echo "3. 点击右上角头像 -> 设置 -> 应用 -> OAuth2应用"
echo "4. 点击'创建新的OAuth2应用'"
echo "5. 填写以下信息:"
echo " 应用名称: Woodpecker CI"
echo " 重定向URI: https://ci.f.novalon.cn/authorize"
echo "6. 点击'创建应用'"
echo "7. 记录生成的Client ID和Client Secret"
echo ""
echo "8. 将凭证更新到.env文件:"
echo " WOODPECKER_FORGEJO_CLIENT=<Client ID>"
echo " WOODPECKER_FORGEJO_SECRET=<Client Secret>"
echo ""
echo "9. 重启Woodpecker服务:"
echo " cd /home/novalon/docker-app/novalon-cicd"
echo " docker-compose restart woodpecker-server"
echo ""
echo "========================================="
scripts/setup-gitea-sso.sh
+60
View File
@@ -0,0 +1,60 @@
#!/bin/bash
echo "========================================="
echo "Gitea SSO集成配置脚本"
echo "========================================="
echo ""
echo "步骤1: 创建Gitea管理员账户..."
# 创建管理员账户(使用novalon-admin而不是admin
docker exec -u git forgejo gitea admin user create \
--username novalon-admin \
--password Novalon@Admin2026 \
--email admin@novalon.cn \
--admin \
--must-change-password=false
echo ""
echo "步骤2: 创建Woodpecker CI OAuth2应用..."
# 使用Gitea API创建OAuth2应用
# 首先获取管理员token
TOKEN=$(docker exec -u git forgejo gitea admin user generate-access-token \
--username novalon-admin \
--token-name woodpecker-setup \
--scopes write:application,read:application 2>&1 | grep -oP 'Access token: \K.*')
echo "管理员Token: $TOKEN"
# 使用API创建OAuth2应用
RESPONSE=$(curl -s -X POST "http://localhost:3001/api/v1/applications/oauth2" \
-H "Authorization: token $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "Woodpecker CI",
"redirect_uri": "https://ci.f.novalon.cn/authorize"
}')
echo "OAuth2应用创建响应: $RESPONSE"
# 提取Client ID和Secret
CLIENT_ID=$(echo "$RESPONSE" | grep -oP '"client_id":"\K[^"]+')
CLIENT_SECRET=$(echo "$RESPONSE" | grep -oP '"client_secret":"\K[^"]+')
echo ""
echo "========================================="
echo "配置完成!"
echo "========================================="
echo ""
echo "管理员账户:"
echo " 用户名: novalon-admin"
echo " 密码: Novalon@Admin2026"
echo " 邮箱: admin@novalon.cn"
echo ""
echo "OAuth2凭证:"
echo " Client ID: $CLIENT_ID"
echo " Client Secret: $CLIENT_SECRET"
echo ""
echo "请将以下内容添加到.env文件:"
echo " WOODPECKER_FORGEJO_CLIENT=$CLIENT_ID"
echo " WOODPECKER_FORGEJO_SECRET=$CLIENT_SECRET"
echo "========================================="
scripts/setup-registry-auth.sh
+31
View File
@@ -0,0 +1,31 @@
#!/bin/bash
echo "========================================="
echo "Docker Registry认证配置"
echo "========================================="
echo ""
echo "方案1: 使用htpasswd基础认证(推荐用于快速部署)"
echo "----------------------------------------"
# 创建htpasswd文件
echo "创建Registry用户..."
docker run --rm -v /home/novalon/docker-app/novalon-cicd/registry_auth:/auth httpd:alpine htpasswd -Bbn novalon-admin Novalon@Registry2026 > /home/novalon/docker-app/novalon-cicd/registry_auth/htpasswd
echo "✅ htpasswd文件已创建"
echo ""
echo "方案2: 使用Gitea Token认证(高级方案)"
echo "----------------------------------------"
echo "Docker Registry支持Token认证,可以与Gitea OAuth2集成。"
echo "但这需要额外的Token服务(如docker_auth)。"
echo ""
echo "当前配置:"
echo " Registry OAuth2 Client ID: 58c26bfc-f3f7-46f4-9096-3b532d6ab154"
echo " Registry OAuth2 Secret: gto_cc5cntwcds5lna66yjnlzlt5y5vkm2i272p2bqt6zxwwxi57cmfa"
echo ""
echo "建议:"
echo "1. 当前使用htpasswd认证(用户名/密码)"
echo "2. 后续可部署docker_auth实现OAuth2集成"
echo ""
echo "========================================="
scripts/setup-wildcard-ssl.sh
+78
View File
@@ -0,0 +1,78 @@
#!/bin/bash
set -e
DOMAIN="f.novalon.cn"
EMAIL="ops@novalon.cn"
DNS_PROVIDER="dns-tencentcloud"
echo "========================================="
echo "申请通配符SSL证书"
echo "========================================="
echo "域名: *.${DOMAIN}"
echo "邮箱: ${EMAIL}"
echo "========================================="
if [ -z "$TENCENTCLOUD_SECRET_ID" ] || [ -z "$TENCENTCLOUD_SECRET_KEY" ]; then
echo "错误: 请设置腾讯云API密钥环境变量"
echo "export TENCENTCLOUD_SECRET_ID=your-secret-id"
echo "export TENCENTCLOUD_SECRET_KEY=your-secret-key"
exit 1
fi
echo ""
echo "步骤1: 安装certbot-dns-tencentcloud插件..."
if ! command -v pip3 &> /dev/null; then
yum install -y python3-pip
fi
pip3 install certbot-dns-tencentcloud
echo ""
echo "步骤2: 创建腾讯云DNS配置文件..."
mkdir -p /root/.secrets
cat > /root/.secrets/tencentcloud.ini <<EOF
dns_tencentcloud_secret_id = ${TENCENTCLOUD_SECRET_ID}
dns_tencentcloud_secret_key = ${TENCENTCLOUD_SECRET_KEY}
EOF
chmod 600 /root/.secrets/tencentcloud.ini
echo ""
echo "步骤3: 申请通配符证书..."
certbot certonly \
--authenticator dns-tencentcloud \
--dns-tencentcloud-credentials /root/.secrets/tencentcloud.ini \
--dns-tencentcloud-cleanup-interval 120 \
--server https://acme-v02.api.letsencrypt.org/directory \
--email ${EMAIL} \
--agree-tos \
--no-eff-email \
-d "*.${DOMAIN}" \
-d "${DOMAIN}"
echo ""
echo "步骤4: 复制证书到nginx目录..."
mkdir -p /home/novalon/docker-app/ssl/wildcard
cp /etc/letsencrypt/live/${DOMAIN}/fullchain.pem /home/novalon/docker-app/ssl/wildcard/
cp /etc/letsencrypt/live/${DOMAIN}/privkey.pem /home/novalon/docker-app/ssl/wildcard/
chmod 644 /home/novalon/docker-app/ssl/wildcard/fullchain.pem
chmod 600 /home/novalon/docker-app/ssl/wildcard/privkey.pem
echo ""
echo "步骤5: 设置自动续期..."
(crontab -l 2>/dev/null | grep -v "certbot.*${DOMAIN}"; echo "0 3 * * * certbot renew --quiet --cert-name ${DOMAIN} --post-hook 'docker restart novalon-nginx' >> /var/log/certbot-renew-${DOMAIN}.log 2>&1") | crontab -
echo ""
echo "========================================="
echo "证书申请成功!"
echo "========================================="
echo "证书路径:"
echo " - /home/novalon/docker-app/ssl/wildcard/fullchain.pem"
echo " - /home/novalon/docker-app/ssl/wildcard/privkey.pem"
echo ""
echo "证书有效期: 90天"
echo "自动续期: 每天凌晨3点检查并续期"
echo "========================================="
scripts/setup-woodpecker-secrets.sh
+125
View File
@@ -0,0 +1,125 @@
#!/bin/bash
echo "========================================="
echo "Woodpecker CI密钥配置脚本"
echo "========================================="
echo ""
echo "此脚本将帮助您配置Woodpecker CI所需的密钥"
echo ""
# 检查是否在服务器上
if [ "$HOSTNAME" != "novalon-server" ]; then
echo "⚠️ 请在服务器上运行此脚本"
echo " ssh root@139.155.109.62"
echo " 然后运行: bash /home/novalon/scripts/setup-woodpecker-secrets.sh"
exit 1
fi
# Woodpecker CI CLI命令
WOODPECKER_CLI="woodpecker-cli"
# 检查woodpecker-cli是否安装
if ! command -v $WOODPECKER_CLI &> /dev/null; then
echo "❌ woodpecker-cli未安装"
echo " 请先安装: https://woodpecker-ci.org/docs/cli"
exit 1
fi
echo "步骤1: 配置SSH私钥"
echo "----------------------------------------"
echo "请确保您已经生成了SSH密钥对"
echo "公钥已添加到服务器的authorized_keys中"
echo ""
# 读取SSH私钥
if [ -f ~/.ssh/id_rsa ]; then
echo "✅ 找到SSH私钥: ~/.ssh/id_rsa"
SSH_KEY=$(cat ~/.ssh/id_rsa)
else
echo "❌ 未找到SSH私钥"
echo " 请先生成SSH密钥对: ssh-keygen -t rsa -b 4096"
exit 1
fi
echo ""
echo "步骤2: 配置企业微信通知"
echo "----------------------------------------"
echo "已配置企业微信Webhook URL:"
echo "https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=bb7efcdc-c32f-47b7-a437-d76cab9fba74"
echo ""
WEBHOOK_URL="https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=bb7efcdc-c32f-47b7-a437-d76cab9fba74"
echo "✅ 企业微信通知已配置"
echo ""
echo "步骤3: 配置Docker Registry密码"
echo "----------------------------------------"
echo "请输入Docker Registry密码:"
echo "用于推送到 registry.f.novalon.cn"
read -s -p "密码: " REGISTRY_PASSWORD
echo ""
echo ""
echo "步骤4: 设置Woodpecker CI密钥"
echo "----------------------------------------"
# 设置SSH私钥
echo "设置SSH_PRIVATE_KEY..."
echo "$SSH_KEY" | $WOODPECKER_CLI secret add \
--repository novalon/novalon-website \
--name ssh_private_key \
--value @-
if [ $? -eq 0 ]; then
echo "✅ SSH_PRIVATE_KEY设置成功"
else
echo "❌ SSH_PRIVATE_KEY设置失败"
exit 1
fi
# 设置Registry密码
echo "设置REGISTRY_PASSWORD..."
echo "$REGISTRY_PASSWORD" | $WOODPECKER_CLI secret add \
--repository novalon/novalon-website \
--name registry_password \
--value @-
if [ $? -eq 0 ]; then
echo "✅ REGISTRY_PASSWORD设置成功"
else
echo "❌ REGISTRY_PASSWORD设置失败"
exit 1
fi
# 设置Webhook URL
if [ -n "$WEBHOOK_URL" ]; then
echo "设置WEBHOOK_URL..."
echo "$WEBHOOK_URL" | $WOODPECKER_CLI secret add \
--repository novalon/novalon-website \
--name webhook_url \
--value @-
if [ $? -eq 0 ]; then
echo "✅ WEBHOOK_URL设置成功"
else
echo "❌ WEBHOOK_URL设置失败"
exit 1
fi
fi
echo ""
echo "========================================="
echo "✅ 密钥配置完成!"
echo "========================================="
echo ""
echo "已配置的密钥:"
echo " - SSH_PRIVATE_KEY ✅"
echo " - REGISTRY_PASSWORD ✅"
if [ -n "$WEBHOOK_URL" ]; then
echo " - WEBHOOK_URL ✅"
fi
echo ""
echo "下一步:"
echo " 1. 提交.woodpecker.yml到代码仓库"
echo " 2. 在Woodpecker CI中激活仓库"
echo " 3. 推送代码触发CI/CD流水线"
echo ""
echo "========================================="
scripts/ssl-individual-http-v2.sh
+97
View File
@@ -0,0 +1,97 @@
#!/bin/bash
set -e
echo "========================================="
echo "方案B: 单独域名SSL证书申请 (HTTP验证)"
echo "========================================="
echo "说明: 使用Let's Encrypt HTTP验证方式"
echo "优点: 无需API密钥,配置简单"
echo "缺点: 需要为每个域名单独申请证书"
echo ""
NGINX_CONTAINER="novalon-nginx"
EMAIL="ops@novalon.cn"
SSL_BASE_DIR="/home/novalon/docker-app/novalon-nginx/ssl"
DOMAINS=(
"git.f.novalon.cn"
"ci.f.novalon.cn"
"registry.f.novalon.cn"
)
echo "前置条件检查:"
echo "1. 确保Nginx容器正在运行"
if ! docker ps | grep -q ${NGINX_CONTAINER}; then
echo "错误: Nginx容器未运行"
exit 1
fi
echo "2. 确保DNS解析已配置"
for domain in "${DOMAINS[@]}"; do
echo "检查 ${domain}..."
if ! nslookup ${domain} | grep -q "139.155.109.62"; then
echo "警告: ${domain} DNS解析未生效"
fi
done
echo ""
echo "步骤1: 创建certbot验证目录..."
mkdir -p /home/novalon/docker-app/certbot
docker exec ${NGINX_CONTAINER} mkdir -p /var/www/certbot
echo ""
echo "步骤2: 为每个域名申请证书..."
for domain in "${DOMAINS[@]}"; do
echo ""
echo "申请证书: ${domain}"
certbot certonly \
--webroot \
--webroot-path /home/novalon/docker-app/certbot \
--email ${EMAIL} \
--agree-tos \
--no-eff-email \
-d ${domain} || {
echo "警告: ${domain} 证书申请失败,跳过"
continue
}
echo "复制证书到nginx SSL目录..."
mkdir -p ${SSL_BASE_DIR}/${domain}
cp /etc/letsencrypt/live/${domain}/fullchain.pem ${SSL_BASE_DIR}/${domain}/
cp /etc/letsencrypt/live/${domain}/privkey.pem ${SSL_BASE_DIR}/${domain}/
chmod 644 ${SSL_BASE_DIR}/${domain}/fullchain.pem
chmod 600 ${SSL_BASE_DIR}/${domain}/privkey.pem
echo "${domain} 证书申请成功"
done
echo ""
echo "步骤3: 设置自动续期..."
(crontab -l 2>/dev/null | grep -v "certbot renew"; echo "0 3 * * * certbot renew --quiet --post-hook 'docker restart novalon-nginx' >> /var/log/certbot-renew.log 2>&1") | crontab -
echo ""
echo "========================================="
echo "证书申请完成!"
echo "========================================="
echo ""
echo "证书路径:"
for domain in "${DOMAINS[@]}"; do
if [ -f "${SSL_BASE_DIR}/${domain}/fullchain.pem" ]; then
echo " ${domain}:"
echo " - ${SSL_BASE_DIR}/${domain}/fullchain.pem"
echo " - ${SSL_BASE_DIR}/${domain}/privkey.pem"
fi
done
echo ""
echo "容器内路径: /etc/nginx/ssl/{domain}/"
echo "有效期: 90天"
echo "自动续期: 每天凌晨3点检查"
echo ""
echo "下一步: 更新Nginx配置并重启容器"
echo "========================================="
scripts/ssl-individual-http.sh
Executable
+96
View File
@@ -0,0 +1,96 @@
#!/bin/bash
set -e
echo "========================================="
echo "方案B: 单独域名SSL证书申请 (HTTP验证)"
echo "========================================="
echo "说明: 使用Let's Encrypt HTTP验证方式"
echo "优点: 无需API密钥,配置简单"
echo "缺点: 需要为每个域名单独申请证书"
echo ""
NGINX_CONTAINER="novalon-nginx"
EMAIL="ops@novalon.cn"
SSL_BASE_DIR="/home/novalon/docker-app/novalon-nginx/ssl"
DOMAINS=(
"git.f.novalon.cn"
"ci.f.novalon.cn"
"registry.f.novalon.cn"
)
echo "前置条件检查:"
echo "1. 确保Nginx容器正在运行"
if ! docker ps | grep -q ${NGINX_CONTAINER}; then
echo "错误: Nginx容器未运行"
exit 1
fi
echo "2. 确保DNS解析已配置"
for domain in "${DOMAINS[@]}"; do
echo "检查 ${domain}..."
if ! nslookup ${domain} | grep -q "139.155.109.62"; then
echo "警告: ${domain} DNS解析未生效"
fi
done
echo ""
echo "步骤1: 创建certbot验证目录..."
mkdir -p /var/www/certbot
docker exec ${NGINX_CONTAINER} mkdir -p /var/www/certbot
echo ""
echo "步骤2: 确保Nginx配置包含ACME验证路径..."
echo "检查Nginx配置..."
echo ""
echo "步骤3: 为每个域名申请证书..."
for domain in "${DOMAINS[@]}"; do
echo ""
echo "申请证书: ${domain}"
certbot certonly \
--webroot \
--webroot-path /var/www/certbot \
--email ${EMAIL} \
--agree-tos \
--no-eff-email \
-d ${domain}
echo "复制证书到nginx SSL目录..."
mkdir -p ${SSL_BASE_DIR}/${domain}
cp /etc/letsencrypt/live/${domain}/fullchain.pem ${SSL_BASE_DIR}/${domain}/
cp /etc/letsencrypt/live/${domain}/privkey.pem ${SSL_BASE_DIR}/${domain}/
chmod 644 ${SSL_BASE_DIR}/${domain}/fullchain.pem
chmod 600 ${SSL_BASE_DIR}/${domain}/privkey.pem
echo "${domain} 证书申请成功"
done
echo ""
echo "步骤4: 设置自动续期..."
(crontab -l 2>/dev/null | grep -v "certbot renew"; echo "0 3 * * * certbot renew --quiet --post-hook 'docker restart novalon-nginx' >> /var/log/certbot-renew.log 2>&1") | crontab -
echo ""
echo "========================================="
echo "证书申请完成!"
echo "========================================="
echo ""
echo "证书路径:"
for domain in "${DOMAINS[@]}"; do
echo " ${domain}:"
echo " - ${SSL_BASE_DIR}/${domain}/fullchain.pem"
echo " - ${SSL_BASE_DIR}/${domain}/privkey.pem"
done
echo ""
echo "容器内路径: /etc/nginx/ssl/{domain}/"
echo "有效期: 90天"
echo "自动续期: 每天凌晨3点检查"
echo ""
echo "下一步: 更新Nginx配置并重启容器"
echo "========================================="
scripts/ssl-wildcard-dns.sh
+92
View File
@@ -0,0 +1,92 @@
#!/bin/bash
set -e
echo "========================================="
echo "方案A: 通配符SSL证书申请 (DNS验证)"
echo "========================================="
echo "说明: 使用Let's Encrypt申请通配符证书"
echo "优点: 一个证书覆盖所有二级域名"
echo "缺点: 需要腾讯云API密钥和DNS插件"
echo ""
DOMAIN="f.novalon.cn"
EMAIL="ops@novalon.cn"
SSL_BASE_DIR="/home/novalon/docker-app/novalon-nginx/ssl"
if [ -z "$TENCENTCLOUD_SECRET_ID" ] || [ -z "$TENCENTCLOUD_SECRET_KEY" ]; then
echo "错误: 需要腾讯云API密钥"
echo ""
echo "请设置环境变量:"
echo "export TENCENTCLOUD_SECRET_ID=your-secret-id"
echo "export TENCENTCLOUD_SECRET_KEY=your-secret-key"
echo ""
echo "获取密钥:"
echo "1. 登录腾讯云控制台: https://console.cloud.tencent.com"
echo "2. 访问管理 > API密钥管理"
echo "3. 创建或查看密钥"
exit 1
fi
echo "步骤1: 安装certbot和腾讯云DNS插件..."
if ! command -v certbot &> /dev/null; then
yum install -y certbot
fi
if ! python3 -c "import certbot_dns_tencentcloud" 2>/dev/null; then
pip3 install certbot-dns-tencentcloud
fi
echo ""
echo "步骤2: 创建腾讯云DNS配置文件..."
mkdir -p /root/.secrets
cat > /root/.secrets/tencentcloud.ini <<EOF
dns_tencentcloud_secret_id = ${TENCENTCLOUD_SECRET_ID}
dns_tencentcloud_secret_key = ${TENCENTCLOUD_SECRET_KEY}
EOF
chmod 600 /root/.secrets/tencentcloud.ini
echo ""
echo "步骤3: 申请通配符证书..."
certbot certonly \
--authenticator dns-tencentcloud \
--dns-tencentcloud-credentials /root/.secrets/tencentcloud.ini \
--dns-tencentcloud-cleanup-interval 120 \
--server https://acme-v02.api.letsencrypt.org/directory \
--email ${EMAIL} \
--agree-tos \
--no-eff-email \
-d "*.${DOMAIN}" \
-d "${DOMAIN}"
echo ""
echo "步骤4: 复制证书到nginx SSL目录..."
mkdir -p ${SSL_BASE_DIR}/wildcard
cp /etc/letsencrypt/live/${DOMAIN}/fullchain.pem ${SSL_BASE_DIR}/wildcard/
cp /etc/letsencrypt/live/${DOMAIN}/privkey.pem ${SSL_BASE_DIR}/wildcard/
chmod 644 ${SSL_BASE_DIR}/wildcard/fullchain.pem
chmod 600 ${SSL_BASE_DIR}/wildcard/privkey.pem
echo ""
echo "步骤5: 设置自动续期..."
(crontab -l 2>/dev/null | grep -v "certbot.*${DOMAIN}"; echo "0 3 * * * certbot renew --quiet --cert-name ${DOMAIN} --post-hook 'docker restart novalon-nginx' >> /var/log/certbot-renew-wildcard.log 2>&1") | crontab -
echo ""
echo "========================================="
echo "通配符证书申请成功!"
echo "========================================="
echo "证书路径:"
echo " - ${SSL_BASE_DIR}/wildcard/fullchain.pem"
echo " - ${SSL_BASE_DIR}/wildcard/privkey.pem"
echo ""
echo "容器内路径: /etc/nginx/ssl/wildcard/"
echo ""
echo "覆盖域名:"
echo " - *.f.novalon.cn"
echo " - f.novalon.cn"
echo ""
echo "有效期: 90天"
echo "自动续期: 每天凌晨3点检查"
echo "========================================="