feat: ship blog platform admin and deploy stack

2026-03-31 21:48:39 +08:00
parent a9a05aa105
commit 313f174fbc
210 changed files with 25476 additions and 5803 deletions
--- a/deploy/docker/compose.package.yml
+++ b/deploy/docker/compose.package.yml
@@ -0,0 +1,80 @@
+services:
+  backend:
+    image: ${BACKEND_IMAGE:-git.init.cool/cool/termi-astro-backend:latest}
+    pull_policy: always
+    restart: unless-stopped
+    environment:
+      PORT: 5150
+      APP_BASE_URL: ${APP_BASE_URL:-http://localhost:5150}
+      DATABASE_URL: ${DATABASE_URL:?DATABASE_URL is required}
+      REDIS_URL: ${REDIS_URL:?REDIS_URL is required}
+      JWT_SECRET: ${JWT_SECRET:?JWT_SECRET is required}
+      # 当前推荐把 admin 放在受保护的后台域名下（同域转发 /api 到 backend），
+      # 然后让 backend 信任 TinyAuth / Pocket ID 通过 Caddy 注入的认证头。
+      # 如启用代理 SSO，建议同时配置 TERMI_ADMIN_PROXY_SHARED_SECRET，
+      # 并让 Caddy 在转发 /api 到 backend 时附带 X-Termi-Proxy-Secret。
+      TERMI_ADMIN_TRUST_PROXY_AUTH: ${TERMI_ADMIN_TRUST_PROXY_AUTH:-false}
+      TERMI_ADMIN_LOCAL_LOGIN_ENABLED: ${TERMI_ADMIN_LOCAL_LOGIN_ENABLED:-true}
+      TERMI_ADMIN_PROXY_SHARED_SECRET: ${TERMI_ADMIN_PROXY_SHARED_SECRET:-}
+      RUST_LOG: ${RUST_LOG:-info}
+    ports:
+      # 这是“直连端口”示例；如果前面接 tohka 宿主机 Caddy，
+      # 推荐叠加 compose.tohka.override.yml，把 backend 只绑定到 127.0.0.1。
+      - '${BACKEND_PORT:-5150}:5150'
+
+  backend-worker:
+    image: ${BACKEND_IMAGE:-git.init.cool/cool/termi-astro-backend:latest}
+    pull_policy: always
+    restart: unless-stopped
+    depends_on:
+      backend:
+        condition: service_healthy
+    command: ['termi_api-cli', '-e', 'production', 'start', '--worker']
+    environment:
+      PORT: 5150
+      APP_BASE_URL: ${APP_BASE_URL:-http://localhost:5150}
+      DATABASE_URL: ${DATABASE_URL:?DATABASE_URL is required}
+      REDIS_URL: ${REDIS_URL:?REDIS_URL is required}
+      JWT_SECRET: ${JWT_SECRET:?JWT_SECRET is required}
+      TERMI_ADMIN_TRUST_PROXY_AUTH: ${TERMI_ADMIN_TRUST_PROXY_AUTH:-false}
+      TERMI_ADMIN_LOCAL_LOGIN_ENABLED: ${TERMI_ADMIN_LOCAL_LOGIN_ENABLED:-true}
+      TERMI_ADMIN_PROXY_SHARED_SECRET: ${TERMI_ADMIN_PROXY_SHARED_SECRET:-}
+      RUST_LOG: ${RUST_LOG:-info}
+      TERMI_SKIP_MIGRATIONS: 'true'
+
+  frontend:
+    image: ${FRONTEND_IMAGE:-git.init.cool/cool/termi-astro-frontend:latest}
+    pull_policy: always
+    restart: unless-stopped
+    depends_on:
+      backend:
+        condition: service_healthy
+    environment:
+      # frontend 是 Astro SSR(Node)：
+      # - INTERNAL_API_BASE_URL 给服务端渲染访问 backend 用
+      # - PUBLIC_API_BASE_URL 给浏览器里的评论 / AI 问答等请求用
+      # - PUBLIC_IMAGE_ALLOWED_HOSTS 给前台图片优化端点 /_img 放行额外图片域名
+      INTERNAL_API_BASE_URL: ${INTERNAL_API_BASE_URL:-http://backend:5150/api}
+      PUBLIC_API_BASE_URL: ${PUBLIC_API_BASE_URL:-}
+      PUBLIC_IMAGE_ALLOWED_HOSTS: ${PUBLIC_IMAGE_ALLOWED_HOSTS:-}
+    # frontend 是 Astro SSR(Node) 服务，容器内部监听 4321
+    # 生产建议由网关统一反代，仅对外开放 80/443
+    ports:
+      - '${FRONTEND_PORT:-4321}:4321'
+
+  admin:
+    image: ${ADMIN_IMAGE:-git.init.cool/cool/termi-astro-admin:latest}
+    pull_policy: always
+    restart: unless-stopped
+    depends_on:
+      backend:
+        condition: service_healthy
+    environment:
+      ADMIN_API_BASE_URL: ${ADMIN_API_BASE_URL:-}
+      ADMIN_FRONTEND_BASE_URL: ${ADMIN_FRONTEND_BASE_URL:-}
+    # admin 是静态 SPA，由 Nginx 在容器内监听 80
+    # API 与“打开前台 / AI 问答 / 文章预览”这类地址都优先读取运行时环境变量
+    # ADMIN_API_BASE_URL / ADMIN_FRONTEND_BASE_URL；未设置时再回退到构建期值 / 同主机默认端口
+    ports:
+      # 如果 admin 域名由宿主机 Caddy 统一反代，推荐改成 127.0.0.1 绑定。
+      - '${ADMIN_PORT:-4322}:80'