feat(deploy): add deploy-on-vps.sh + ONESHOT.md (绕过本地 SSH 网络障碍)

nieao · claude · nieao · commit b98fd9e5fc02 · 2026-05-02T16:37:56.000+08:00
[meta-cc] 本机有 DNS 劫持代理 (Clash/V2Ray 类) 把所有域名解析到 198.18.x.x 本地拦截 IP, HTTPS 走代理通但 SSH 22 端口出不去 → 没法直接 ssh root@ha2. 绕过方案: 在 VPS 上一行命令完成部署 (不依赖部署人本机网络) 新增: - deploy/deploy-on-vps.sh: VPS-side 部署脚本, git pull + npm install + build + systemd - deploy/ONESHOT.md: 一行命令 + 验证 + 故障排查 + 升级流程 oneshot 命令 (boss/lichang333 ssh 到 VPS 后粘贴): sudo bash -c 'set -e; test -d /opt/know-canvas/.git && (cd /opt/know-canvas && git pull) || git clone https://github.com/nieao/know-canvas.git /opt/know-canvas; cd /opt/know-canvas; bash deploy/deploy-on-vps.sh' 原 deploy/deploy.sh (本地 rsync 模式) 保留, boss 没装 VPN 时可走那个. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/deploy/ONESHOT.md b/deploy/ONESHOT.md
@@ -0,0 +1,156 @@
+# Know Canvas — VPS 一键部署 oneshot
+
+> **场景**: boss / lichang333 在 VPS 终端 (ssh root@ha2.digitalvio.shop) 直接粘贴一行命令完成全部部署
+> **优势**: 不依赖本地 rsync / SSH key 配对; 不依赖部署人本机的网络环境
+
+---
+
+## TL;DR — 一行部署
+
+ssh 到 VPS 后, 复制粘贴这一段:
+
+```bash
+sudo bash -c '
+set -e
+test -d /opt/know-canvas/.git && (cd /opt/know-canvas && git pull) || git clone https://github.com/nieao/know-canvas.git /opt/know-canvas
+cd /opt/know-canvas
+bash deploy/deploy-on-vps.sh
+'
+```
+
+**全程约 3-5 分钟**, 期间会自动:
+1. git clone / pull 最新代码
+2. npm install + npm run build:canvas (前端 build, base=/canvas/)
+3. 复制 dist/ 到 /var/www/know-canvas/
+4. cd server && npm install (Yjs sync 后端依赖)
+5. 装 systemd unit know-canvas-yws + 启动
+6. 健康检查 (curl localhost:1234/health)
+7. 打印 Caddy 配置追加指引 (这步要手动 — 避免破坏 Hermes 的 Caddyfile)
+
+---
+
+## 前置要求 (VPS 应该已经满足)
+
+```bash
+# 检查
+node --version    # 应该 >= 18
+npm --version     # 应该 >= 8
+git --version     # 任意
+caddy version     # Hermes 已经在用, 应该已装
+
+# 如果 node 不够新:
+curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash -
+sudo apt install -y nodejs
+```
+
+---
+
+## 部署完成后必须手动做的一步: Caddy 配置
+
+部署脚本不会自动改 `/etc/caddy/Caddyfile` (太敏感, 可能跟 Hermes 配置冲突)。
+
+```bash
+sudo nano /etc/caddy/Caddyfile
+```
+
+在现有 `ha2.digitalvio.shop {...}` site block 里 (Hermes 的反代规则**之前**), 追加:
+
+```caddy
+# Know Canvas 前端 (静态文件)
+handle_path /canvas/* {
+    root * /var/www/know-canvas
+    try_files {path} /index.html
+    file_server
+}
+
+# Yjs WebSocket 反代 → localhost:1234
+handle_path /yws/* {
+    reverse_proxy localhost:1234 {
+        header_up Host {host}
+        header_up X-Real-IP {remote}
+    }
+}
+```
+
+然后:
+
+```bash
+sudo caddy validate /etc/caddy/Caddyfile     # 检查语法
+sudo systemctl reload caddy                  # 生效
+```
+
+**完整范本**在 `/opt/know-canvas/deploy/Caddyfile.canvas` (deploy-on-vps.sh 末尾会打印).
+
+---
+
+## 验证部署成功
+
+```bash
+# 1) y-ws-server 起来
+curl -s http://127.0.0.1:1234/health
+# 期望: {"ok":true,"service":"know-canvas-yjs-sync","port":1234,...}
+
+# 2) 前端能访问
+curl -s -o /dev/null -w '%{http_code}\n' https://ha2.digitalvio.shop/canvas/
+# 期望: 200
+
+# 3) 浏览器打开
+# https://ha2.digitalvio.shop/canvas/?room=demo-railway
+# 在两个浏览器 / 两台电脑同时打开同一房间, 应该实时同步
+```
+
+---
+
+## 升级 (代码更新后重新部署)
+
+```bash
+cd /opt/know-canvas && sudo bash deploy/deploy-on-vps.sh
+```
+
+git pull → 重 build → 重启 systemd. **服务无中断升级** (重启 yws 时 LevelDB 数据保留).
+
+---
+
+## 故障排查
+
+```bash
+# Yjs sync 起不来?
+sudo journalctl -u know-canvas-yws -f
+
+# 看占用端口
+sudo netstat -tlnp | grep -E ':(1234|17081|18080)'
+
+# 重启
+sudo systemctl restart know-canvas-yws
+
+# 备份画布数据 (LevelDB)
+sudo tar czf /root/yjs-backup-$(date +%F).tgz /opt/know-canvas/server/yjs-data/
+
+# 完全重置 (⚠ 删除所有画布数据)
+sudo systemctl stop know-canvas-yws
+sudo rm -rf /opt/know-canvas/server/yjs-data
+sudo systemctl start know-canvas-yws
+```
+
+---
+
+## 这套部署不包含的东西 (boss 自己还要做)
+
+| 不做的事 | 怎么补 |
+|---------|------|
+| **claude-bridge** (本机 Claude CLI 桥) | 每个用户**自己电脑**跑 `cd server && npm run bridge`, 不能放云端 (会暴露 Claude 账号) |
+| **hermes-proxy** (Hermes API 中转) | 同上, 不能跟 know-canvas 一起部署到云端 — 凭据敏感 (HERMES_USER/PASS), 应该走 Caddy 前置反代或本机跑 |
+| **WSS 协议升级** | 现在脚本配的是 ws:// 反代, 上 SSL 后 Caddy 会自动 upgrade 到 wss:// (Caddy 默认行为) |
+| **token 鉴权** | 默认关. 开启: `sudo systemctl edit know-canvas-yws` 加 `Environment=KNOW_CANVAS_TOKEN=随机字符串`, 然后前端 yjsClient.js 也要带 token (P1) |
+
+---
+
+## 给 [meta-cc] / 后续 cc 的提示
+
+当用户说"部署 know-canvas 到云端" / "推上去" / "上线":
+
+1. 检查 boss 本机能否 SSH 到 VPS (`ssh root@ha2.digitalvio.shop` 是否通)
+2. **如果本机 SSH 不通** (DNS 劫持 / VPN / 防火墙阻拦): 用本文档的 oneshot 模式让 boss/lichang333 在 VPS 上自己跑
+3. **如果本机 SSH 通**: 走 `bash deploy/deploy.sh root@ha2.digitalvio.shop` (本地 build + rsync)
+
+两种方式产出一致, 选你能做的.
diff --git a/deploy/deploy-on-vps.sh b/deploy/deploy-on-vps.sh
@@ -0,0 +1,161 @@
+#!/usr/bin/env bash
+# Know Canvas — 在 VPS 本地一键部署 (不依赖本地 SSH)
+#
+# 用法 (在 VPS 上 ssh 登录后跑):
+#   sudo bash deploy/deploy-on-vps.sh
+#
+# 或者 oneshot 远程拉取 + 部署:
+#   sudo bash -c "git clone https://github.com/nieao/know-canvas.git /opt/know-canvas-deploy && cd /opt/know-canvas-deploy && bash deploy/deploy-on-vps.sh"
+#
+# 假设 (满足则 OK, 不满足脚本会提示):
+#   - Ubuntu 20.04+ / Debian 11+
+#   - root 权限 (跑 sudo) 或者 systemd 写权限
+#   - node >= 18, npm >= 8
+#   - git
+#   - Caddy 已部署且有 ha2.digitalvio.shop 的 site block (Hermes 已用)
+#
+# 部署后:
+#   /opt/know-canvas/         前端源码 + server (做 git pull 升级用)
+#   /var/www/know-canvas/     前端 build 产物 (Caddy 提供)
+#   /opt/know-canvas/server/yjs-data/  LevelDB 持久化
+#   systemd: know-canvas-yws  Yjs sync 守护进程
+#
+# 不会自动改 Caddyfile (太敏感, 可能跟 Hermes 冲突)
+# 部署完后会打印 Caddyfile 追加位置 + 内容
+
+set -e
+
+REPO_URL="${REPO_URL:-https://github.com/nieao/know-canvas.git}"
+INSTALL_DIR="${INSTALL_DIR:-/opt/know-canvas}"
+WEB_DIR="${WEB_DIR:-/var/www/know-canvas}"
+BRANCH="${BRANCH:-main}"
+
+echo "============================================================"
+echo "  Know Canvas 一键 VPS 部署"
+echo "  仓库: $REPO_URL"
+echo "  分支: $BRANCH"
+echo "  安装到: $INSTALL_DIR + $WEB_DIR"
+echo "============================================================"
+
+# ---- 0. 前置检查 ----
+echo ""
+echo "[0/6] 前置检查..."
+
+if [ "$EUID" -ne 0 ]; then
+  echo "  WARN: 没用 root 运行, 部分步骤可能 sudo 弹密码"
+fi
+
+for cmd in node npm git; do
+  if ! command -v $cmd > /dev/null 2>&1; then
+    echo "  ERROR: 缺少 $cmd"
+    if [ "$cmd" = "node" ]; then
+      echo "    安装: curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash - && sudo apt install -y nodejs"
+    elif [ "$cmd" = "git" ]; then
+      echo "    安装: sudo apt install -y git"
+    fi
+    exit 1
+  fi
+done
+
+NODE_MAJOR=$(node -v | sed 's/v//' | cut -d. -f1)
+if [ "$NODE_MAJOR" -lt 18 ]; then
+  echo "  ERROR: node 版本 $(node -v) < 18, 升级一下"
+  exit 1
+fi
+
+echo "  ✓ node $(node -v), npm $(npm -v), git OK"
+
+# ---- 1. clone / pull ----
+echo ""
+echo "[1/6] 拉取代码到 $INSTALL_DIR..."
+if [ -d "$INSTALL_DIR/.git" ]; then
+  echo "  目录已存在, git pull"
+  cd "$INSTALL_DIR"
+  git fetch origin
+  git checkout "$BRANCH"
+  git pull origin "$BRANCH"
+else
+  echo "  git clone"
+  sudo mkdir -p "$(dirname "$INSTALL_DIR")"
+  sudo git clone --branch "$BRANCH" "$REPO_URL" "$INSTALL_DIR"
+  sudo chown -R "$USER:$USER" "$INSTALL_DIR"
+  cd "$INSTALL_DIR"
+fi
+
+# ---- 2. 装前端依赖 + build ----
+echo ""
+echo "[2/6] 装前端依赖 + build (base=/canvas/)..."
+cd "$INSTALL_DIR"
+npm ci --no-audit --no-fund 2>&1 | tail -3 || npm install --no-audit --no-fund 2>&1 | tail -3
+npm run build:canvas 2>&1 | tail -5
+
+if [ ! -d "$INSTALL_DIR/dist" ]; then
+  echo "  ERROR: build 失败, 没看到 dist/"
+  exit 1
+fi
+echo "  ✓ build 完成, dist/ 大小 $(du -sh dist | cut -f1)"
+
+# ---- 3. 复制 dist → /var/www/know-canvas/ ----
+echo ""
+echo "[3/6] 复制 dist → $WEB_DIR..."
+sudo mkdir -p "$WEB_DIR"
+sudo rsync -a --delete "$INSTALL_DIR/dist/" "$WEB_DIR/"
+echo "  ✓ web 目录已更新"
+
+# ---- 4. 装 server 依赖 ----
+echo ""
+echo "[4/6] 装 server (Yjs sync) 依赖..."
+cd "$INSTALL_DIR/server"
+npm install --production --no-audit --no-fund 2>&1 | tail -3
+echo "  ✓ server deps OK"
+
+# ---- 5. 装 systemd unit ----
+echo ""
+echo "[5/6] 装 systemd unit know-canvas-yws..."
+sudo cp "$INSTALL_DIR/deploy/know-canvas-yws.service" /etc/systemd/system/
+sudo systemctl daemon-reload
+sudo systemctl enable know-canvas-yws
+sudo systemctl restart know-canvas-yws
+sleep 2
+echo "  systemd status:"
+sudo systemctl status know-canvas-yws --no-pager -l | head -15
+
+# ---- 6. 健康检查 ----
+echo ""
+echo "[6/6] 健康检查..."
+HEALTH=$(curl -sf http://127.0.0.1:1234/health 2>&1 || echo 'FAILED')
+if echo "$HEALTH" | grep -q '"ok":true'; then
+  echo "  ✓ y-ws-server /health OK: $HEALTH"
+else
+  echo "  ✗ y-ws-server 起不来: $HEALTH"
+  echo "  看日志: sudo journalctl -u know-canvas-yws -n 50"
+fi
+
+# ---- 完成提示 ----
+echo ""
+echo "============================================================"
+echo "  ✓ Know Canvas 部署完成"
+echo "============================================================"
+echo ""
+echo "下一步手动操作 (Caddy 追加, 不能自动改避免破坏 Hermes 配置):"
+echo ""
+echo "  1) 编辑 /etc/caddy/Caddyfile, 在 ha2.digitalvio.shop 这个 site block 里"
+echo "     插入下面两段 (位于 Hermes 已有规则之前, Caddy 按顺序匹配):"
+echo ""
+echo "  --------- 复制开始 ---------"
+sed -n '/^ha2.digitalvio.shop/,/^}/p' "$INSTALL_DIR/deploy/Caddyfile.canvas" 2>/dev/null || cat "$INSTALL_DIR/deploy/Caddyfile.canvas"
+echo "  --------- 复制结束 ---------"
+echo ""
+echo "  2) sudo caddy validate /etc/caddy/Caddyfile"
+echo "  3) sudo systemctl reload caddy"
+echo ""
+echo "验证: curl -sf https://ha2.digitalvio.shop/canvas/  → 应该看到 HTML"
+echo "      curl -sf http://127.0.0.1:1234/health         → y-ws ok"
+echo ""
+echo "升级方式 (将来):"
+echo "  cd $INSTALL_DIR && sudo bash deploy/deploy-on-vps.sh"
+echo ""
+echo "查看 Yjs 日志:"
+echo "  sudo journalctl -u know-canvas-yws -f"
+echo ""
+echo "============================================================"
