guanghulab/scripts/deploy-sandbox-server.sh
Guanghu Domestic Migration d1e47f4565
Some checks are pending
自动更新代码和重启 / update-and-restart (push) Waiting to run
CI检查 + 自动部署 / check (push) Waiting to run
CI检查 + 自动部署 / deploy (push) Blocked by required conditions
重启聊天服务 / restart (push) Waiting to run
chore: import sanitized domestic snapshot for REPO-002
Source snapshot: ca48d3ddf926d79aa138306164169baf764bb829
2026-07-17 15:54:41 +08:00

144 lines
5.4 KiB
Bash
Executable File
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#!/bin/bash
# ═══════════════════════════════════════════════════════════════
# deploy-sandbox-server.sh — 子域名沙箱服务器部署
# 指令ZY-AGEOS-TOWER-2026-0326-001-S1 · Phase S2
# 版权:国作登字-2026-A-00037559
# 执行AG-ZY-01 铸渊
#
# 🛡️ 核心原则:绝对不能破坏主站 guanghulab.com
# 所有操作内置安全回滚机制。
#
# 用法: bash scripts/deploy-sandbox-server.sh
# 必须在服务器上以 root 权限运行
# ═══════════════════════════════════════════════════════════════
set -euo pipefail
echo "═══════════════════════════════════════════"
echo " 铸渊 · 子域名沙箱部署 · Phase S2"
echo " 指令: ZY-AGEOS-TOWER-2026-0326-001-S1"
echo "═══════════════════════════════════════════"
echo ""
# ─── S2-1 · 前置验证(全部通过才能继续) ───
echo "===== S2-1 · 前置验证 ====="
# DNS 检查 — 铸渊主权服务器 ZY-SVR-002
DNS=$(dig +short dev-004.guanghulab.com A 2>/dev/null || echo "")
if [ "$DNS" = "43.134.16.246" ]; then
echo "✅ DNS OK ($DNS) — 铸渊主权服务器"
elif [ "$DNS" = "8.155.62.235" ]; then
echo "⚠️ DNS 仍指向旧服务器 ($DNS),请更新 DNS 到 43.134.16.246"
exit 1
else
echo "❌ DNS 失败: dev-004.guanghulab.com → '$DNS' (期望 43.134.16.246)"
exit 1
fi
# SSL 证书检查
if [ -f /etc/letsencrypt/live/guanghulab.com/fullchain.pem ]; then
echo "✅ SSL OK"
else
echo "❌ SSL 证书不存在: /etc/letsencrypt/live/guanghulab.com/fullchain.pem"
exit 1
fi
# 主站安全检查
MAIN=$(curl -so/dev/null -w"%{http_code}" --max-time 10 https://guanghulab.com/ 2>/dev/null || echo "000")
if [ "$MAIN" = "200" ]; then
echo "✅ 主站 OK (HTTP $MAIN)"
else
echo "❌ 主站异常 HTTP $MAIN"
exit 1
fi
echo "===== ✅ 前置全部通过 ====="
echo ""
# ─── S2-2 · 创建沙箱目录 ───
echo "===== S2-2 · 创建沙箱目录 ====="
mkdir -p /var/www/sandbox
for ID in dev-002 dev-004 dev-005 dev-009 dev-010 dev-011 dev-012 dev-013 dev-014; do
mkdir -p /var/www/sandbox/$ID
cat > /var/www/sandbox/$ID/index.html << 'EOF'
<!DOCTYPE html>
<html lang="zh"><head><meta charset="UTF-8"><title>开发者沙箱</title>
<style>body{font-family:system-ui;display:flex;justify-content:center;align-items:center;min-height:100vh;margin:0;background:#1a1a2e;color:#e0e0e0}.c{text-align:center;padding:3rem;border-radius:16px;background:rgba(255,255,255,.05)}</style>
</head><body><div class="c"><h1>🏗️ 开发者沙箱</h1><p>子域名已激活 · 等待项目部署</p><p style="color:#7fba42">✅ DNS + SSL + Nginx 就绪</p></div></body></html>
EOF
echo "✅ /var/www/sandbox/$ID 已创建"
done
chown -R root:root /var/www/sandbox && chmod -R 755 /var/www/sandbox
echo "===== ✅ 沙箱目录创建完成 ====="
echo ""
# ─── S2-3 · 部署 Nginx 子域名配置 ───
echo "===== S2-3 · 部署 Nginx 配置 ====="
# Step 1: 备份
BK="/etc/nginx/conf.d/backup-$(date +%Y%m%d%H%M%S)"
mkdir -p "$BK" && cp -a /etc/nginx/conf.d/*.conf "$BK/" 2>/dev/null
echo "✅ 已备份到 $BK"
# Step 2: 写入 dev-sandbox.conf
cat > /etc/nginx/conf.d/dev-sandbox.conf << 'CONF'
# 开发者子域名沙箱 · ZY-AGEOS-TOWER-2026-0326-001-S1
# 铸渊统一管理 · 人类不得手动修改
server {
listen 80;
server_name ~^(?<devid>dev-\d{3})\.guanghulab\.com$;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name ~^(?<devid>dev-\d{3})\.guanghulab\.com$;
ssl_certificate /etc/letsencrypt/live/guanghulab.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/guanghulab.com/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
root /var/www/sandbox/$devid;
index index.html;
location / { try_files $uri $uri/ /index.html; }
add_header X-Sandbox-DevId $devid;
access_log /var/log/nginx/sandbox-$devid-access.log;
error_log /var/log/nginx/sandbox-error.log;
}
CONF
echo "✅ dev-sandbox.conf 已写入"
# Step 3: 语法检测(安全门)
echo "--- nginx -t ---"
if ! nginx -t 2>&1; then
echo "❌ nginx -t 失败!回滚!"
rm -f /etc/nginx/conf.d/dev-sandbox.conf
cp -a "$BK/"*.conf /etc/nginx/conf.d/ 2>/dev/null
echo "🔙 已回滚到备份: $BK"
exit 1
fi
echo "✅ nginx -t 通过"
# Step 4: 优雅重载
nginx -s reload && echo "✅ nginx reload 成功"
# Step 5: 立即验证主站
MAIN=$(curl -so/dev/null -w"%{http_code}" --max-time 10 https://guanghulab.com/ 2>/dev/null || echo "000")
if [ "$MAIN" != "200" ]; then
echo "🚨 主站异常 HTTP $MAIN!紧急回滚!"
rm -f /etc/nginx/conf.d/dev-sandbox.conf
cp -a "$BK/"*.conf /etc/nginx/conf.d/ 2>/dev/null
nginx -t && nginx -s reload
echo "🔙 紧急回滚完成"
exit 1
fi
echo "✅ 主站安全 HTTP $MAIN"
echo ""
echo "═══════════════════════════════════════════"
echo " ✅ Phase S2 完成"
echo " 沙箱目录已创建 · Nginx 已重载 · 主站安全"
echo "═══════════════════════════════════════════"