devops: 割接后 server 部署轨道切为仅 Ali 主轨(移除 EC2 轨)

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01JJ1g8XV1YhhmHRzhwWEW7o
This commit is contained in:
wangjia
2026-07-02 22:27:13 +08:00
parent 9099c4af99
commit 493e9b45b3
3 changed files with 56 additions and 48 deletions
+3 -16
View File
@@ -36,22 +36,9 @@ jobs:
GITEA_REPOSITORY: ${{ gitea.repository }}
run: sh scripts/ci/release-server.sh "${{ gitea.ref_name }}"
- name: Deploy → EC2
env:
FORGEJO_TOKEN: ${{ secrets.FORGEJO_TOKEN }}
FORGEJO_URL: ${{ secrets.FORGEJO_URL }}
GITEA_REPOSITORY: ${{ gitea.repository }}
DEPLOY_TARGET: ec2
EC2_SSH_KEY: ${{ secrets.EC2_SSH_KEY }}
EC2_HOST: ${{ secrets.EC2_HOST }}
EC2_USER: ${{ secrets.EC2_USER }}
run: sh scripts/ci/deploy-server.sh "${{ gitea.ref_name }}"
# 迁移期影子目标:部署到阿里机(只换二进制 + reload 独立 nginxjiu 保持 stopped)。
# if: always() → EC2 失败也照样尝试;continue-on-error → 阿里失败不让流水线变红。
- name: Deploy → Ali (migration shadow)
if: always()
continue-on-error: true
# 2026-07-02 割接后阿里机即线上主轨(EC2 jiu 已停用,Deploy→EC2 轨已移除,
# 绝不能再部署 EC2——那会把停用的后端对着过时旧库重新拉起)。
- name: Deploy → Ali
env:
FORGEJO_TOKEN: ${{ secrets.FORGEJO_TOKEN }}
FORGEJO_URL: ${{ secrets.FORGEJO_URL }}
+29 -19
View File
@@ -1,18 +1,27 @@
# 阿里云独立 nginx 版(宿主机直接终结 TLS,不经 pangolin)。
# 与 nginx-jiu.confEC2 pangolin 容器版,listen 127.0.0.1:8445)等价
# 仅入口监听改为对公网 443 直连。CI deploy-server.sh 的 ali 分支落到
# /etc/nginx/conf.d/jiu.conf。
# 与 nginx-jiu.confEC2 pangolin 容器版,listen 127.0.0.1:8445)等价
# CI deploy-server.sh 的 ali 分支落到 /etc/nginx/conf.d/jiu.conf。
#
# 过渡期入口 = 8443 明文 HTTP,裸 IP 直连 http://182.92.213.171:8443
#(备案未通过前 80/443/8080 被阿里云拦截,走非标端口;不建过渡子域,
# 证书签给域名对不上 IP,故过渡期不做 TLS——登录口令/JWT 明文传输,仅限过渡;
# 备案通过后改回 listen 443 ssl + 域名 + 80→443 跳转块)。
# 后端上游 = 127.0.0.1:8081(非 8080ali 上 8080 已被 pay 项目 payd 占用;
# 对应 /opt/jiu/config/production.env 的 SERVER_PORT=8081)。
limit_req_zone $binary_remote_addr zone=jiu_pub:10m rate=10r/s;
limit_req_status 429;
server {
listen 443 ssl http2;
server_name jiu.51yanmei.com;
listen 8443 default_server;
server_name _;
ssl_certificate /etc/letsencrypt/live/jiu.51yanmei.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/jiu.51yanmei.com/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
# 备案通过切回 443 时恢复(证书路径仍有效,jiu.51yanmei.com2026-09-21 到期):
# listen 443 ssl http2;
# server_name jiu.51yanmei.com;
# ssl_certificate /etc/letsencrypt/live/jiu.51yanmei.com/fullchain.pem;
# ssl_certificate_key /etc/letsencrypt/live/jiu.51yanmei.com/privkey.pem;
# ssl_protocols TLSv1.2 TLSv1.3;
# ssl_ciphers HIGH:!aNULL:!MD5;
client_max_body_size 20m;
@@ -25,7 +34,7 @@ server {
# 文件导入接口(超时更长)
location ~ ^/api/v1/import/ {
proxy_pass http://127.0.0.1:8080;
proxy_pass http://127.0.0.1:8081;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_read_timeout 300s;
@@ -34,7 +43,7 @@ server {
# 未鉴权公开/登录接口:加最外层 per-IP 限流
location ~ ^/api/v1/(public|auth)/ {
limit_req zone=jiu_pub burst=20 nodelay;
proxy_pass http://127.0.0.1:8080;
proxy_pass http://127.0.0.1:8081;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_read_timeout 30s;
@@ -42,7 +51,7 @@ server {
# API 反向代理
location ~ ^/(api|health|version) {
proxy_pass http://127.0.0.1:8080;
proxy_pass http://127.0.0.1:8081;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_read_timeout 30s;
@@ -65,7 +74,7 @@ server {
# 公开商品详情页(扫码跳转)→ 后端注入 OG 标签
location ~ ^/product/ {
limit_req zone=jiu_pub burst=20 nodelay;
proxy_pass http://127.0.0.1:8080;
proxy_pass http://127.0.0.1:8081;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_read_timeout 30s;
@@ -75,7 +84,7 @@ server {
location ~ ^/app/product/ {
limit_req zone=jiu_pub burst=20 nodelay;
rewrite ^/app(/product/.+)$ $1 break;
proxy_pass http://127.0.0.1:8080;
proxy_pass http://127.0.0.1:8081;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_read_timeout 30s;
@@ -96,8 +105,9 @@ server {
}
}
server {
listen 80;
server_name jiu.51yanmei.com;
return 301 https://$host$request_uri;
}
# 备案通过、入口切回 443 后再恢复此跳转块(80 未备案期间被拦截,挂了也无意义):
# server {
# listen 80;
# server_name jiu.51yanmei.com;
# return 301 https://$host$request_uri;
# }
+24 -13
View File
@@ -4,13 +4,14 @@
# assets by tag (manual rollback). Does NOT touch the web app, marketing site,
# or version.yaml.
#
# Target is EC2 by default. During the EC2→Ali migration, set DEPLOY_TARGET=ali
# plus DEPLOY_HOST/DEPLOY_USER/DEPLOY_SSH_KEY to deploy to the Alibaba Cloud box.
# - ec2 (default): stop jiu → swap binary → start jiu → health check →
# reload nginx inside the pangolin-edge container.
# - ali: swap binary only (jiu.service stays stopped — the Ali DB is a
# read-only replica until cutover; backend is started at cutover) →
# reload the host nginx with the standalone (listen 443) config.
# Targets (post-cutover 2026-07-02: Ali is the live primary; the EC2 jiu stack
# is decommissioned — deploying there would resurrect a backend against a stale
# database, so the workflow no longer calls the ec2 branch):
# - ali: stop jiu → swap binary → start jiu → health check (:8081) →
# reload the host nginx (transition listen-8443 config).
# - ec2 (legacy default, kept for manual rollback of pre-cutover tags only):
# stop jiu → swap binary → start jiu → health check → reload nginx
# inside the pangolin-edge container.
set -euo pipefail
# shellcheck source=scripts/ci/lib-forgejo.sh
@@ -53,14 +54,13 @@ if [ -f dist/jiu-gencode ]; then
fi
if [ "$DEPLOY_TARGET" = "ali" ]; then
# --- Alibaba Cloud (shadow target, pre-cutover) ---
# Swap the binary but DO NOT start jiu: the Ali DB is a read-only replica, so
# the backend's startup AutoMigrate/backfill would fail. jiu.service is started
# only at cutover (after the replica is promoted to primary). Reload the host
# nginx with the standalone listen-443 config.
# --- Alibaba Cloud (live primary since the 2026-07-02 cutover) ---
# Full swap-and-restart: jiu.service runs against the promoted local primary
# DB on :8081; nginx serves the transition listen-8443 config.
${SSH} "${TARGET_USER}@${TARGET_HOST}" << 'ENDSSH'
set -e
systemctl stop jiu
cp /tmp/jiu-server /opt/jiu/backend/jiu-server
chmod +x /opt/jiu/backend/jiu-server
@@ -73,10 +73,21 @@ if [ -f /tmp/jiu-gencode ]; then
fi
fi
systemctl start jiu
echo "Waiting for health check..."
for i in $(seq 1 30); do
if curl -f http://localhost:8081/health > /dev/null 2>&1; then
echo "Health check passed"
break
fi
sleep 2
done
curl -f http://localhost:8081/health > /dev/null || { echo "Health check failed!"; exit 1; }
cp /tmp/nginx-jiu.conf /etc/nginx/conf.d/jiu.conf
nginx -t && systemctl reload nginx
echo "Ali server staged (binary swapped, jiu.service left stopped, nginx reloaded)"
echo "Ali server deploy complete!"
ENDSSH
else
# --- EC2 (live primary) ---