Add Caddy and Alloy configuration templates; Update install script and README

Haitao Pan 2026-02-01 21:08:57 +08:00
parent f79174ff0b
commit 963f14c464
5 changed files with 281 additions and 56 deletions


@ -0,0 +1,37 @@
---
name: Security Check
description: Verify repository security and check for secrets using gitleaks
---
# Security Check Skill
This skill provides instructions for ensuring the repository is secure and free of secrets.
## Gitleaks Detection
To verify that the repository contains no secrets, run the following command in the repository root:
```bash
gitleaks detect -v
```
### If leaks are found:
1. **Identify the secret**: The output will show the file path, line number, and the secret string.
2. **Scrub the secret**:
* If the file is tracked, replace the secret with a placeholder (e.g., `your-secret-key`) in the file.
* Commit the changes: `git commit -am "Scrub secrets"`
3. **Historical Clean-up** (if necessary):
* If the secret exists in previous commits, you must rewrite history.
* Use `git filter-repo --invert-paths --path <file_path> --force` to completely remove the file if possible.
* Or use thorough scrubbing techniques.
* **Force Push**: `git push --force` is required after rewriting history.
### Verification
Run `gitleaks detect -v` again to confirm no leaks remain.
## Regular Maintenance
* Run this check before every push or pull request.
* Update `.gitignore` to exclude sensitivity files like `.env` (unless they are example files with placeholders).
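Review bot: The "If leaks are found" steps never tell the reader to revoke or rotate the leaked credential. Steps 2 and 3 only remove the string from the working tree and from history, and a secret that has already been pushed has to be treated as exposed, so rotation should be the first step. In step 3, `git push --force` overwrites whatever is on the remote; `git push --force-with-lease` is the safer form. The "Or use thorough scrubbing techniques" bullet names no tool: either name one (for example `git filter-repo --replace-text`) or drop it. Typo in the last line: "sensitivity files" should be "sensitive files".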


@ -67,7 +67,7 @@ And gather the synergistic superpowers of all [**444+ PostgreSQL Extensions**](h
[**Prepare**](https://pigsty.io/docs/deploy/prepare) a fresh `x86_64` / `aarch64` node runs any [**compatible**](https://pigsty.io/docs/ref/linux) **Linux** OS Distros, then [**Install**](https://pigsty.io/docs/setup/install#install) **Pigsty** with: [**Prepare**](https://pigsty.io/docs/deploy/prepare) a fresh `x86_64` / `aarch64` node runs any [**compatible**](https://pigsty.io/docs/ref/linux) **Linux** OS Distros, then [**Install**](https://pigsty.io/docs/setup/install#install) **Pigsty** with:
```bash ```bash
curl -fsSL https://repo.pigsty.io/get | bash; cd ~/pigsty; curl -fsSL https://raw.githubusercontent.com/cloud-neutral-toolkit/observability.svc.plus/main/scripts/install.sh | bash
``` ```
Then [**configure**](https://pigsty.io/docs/concept/iac/configure) and run the [**`deploy.yml`**](https://pigsty.io/docs/setup/playbook) playbook with an [**admin user**](https://pigsty.io/docs/deploy/admin) (**nopass** `ssh` & `sudo`): Then [**configure**](https://pigsty.io/docs/concept/iac/configure) and run the [**`deploy.yml`**](https://pigsty.io/docs/setup/playbook) playbook with an [**admin user**](https://pigsty.io/docs/deploy/admin) (**nopass** `ssh` & `sudo`):
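Review bot: The new install one-liner pipes `scripts/install.sh` from the `main` branch straight into `bash`, so what runs changes with every push to that branch and nothing is verified before execution. Point the README at a tag or commit URL instead of `main`, or document a download, inspect, then run sequence.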
@ -99,65 +99,22 @@ pig sty deploy # run the deploy.yml playbook
</details> </details>
<details><summary>Install with get script</summary><br> ## 🚀 快速开始
### 一键安装 (默认)
默认安装最新稳定版 , 默认使用当前主机名作为域名
```bash ```bash
[root@pg-meta ~]# curl -fsSL https://repo.pigsty.io/get | bash -s v4.0.0 curl -fsSL https://raw.githubusercontent.com/cloud-neutral-toolkit/observability.svc.plus/main/scripts/install.sh | bash
[v4.0.0] ===========================================
$ curl -fsSL https://repo.pigsty.io/get | bash
[Docs] https://pigsty.io/docs
[Demo] https://demo.pigsty.io
[Repo] https://github.com/pgsty/pigsty
[Download] ===========================================
[ OK ] version = v4.0.0 (from arg)
curl -fSL https://repo.pigsty.io/src/pigsty-v4.0.0.tgz -o /tmp/pigsty-v4.0.0.tgz
######################################################################## 100.0%
[ OK ] md5sums = 53cb5980f999f661fbb832d7ee2fc93a /tmp/pigsty-v4.0.0.tgz
[Install] ===========================================
[WARN] os user = root , it's recommended to use a non-root sudo-able admin
[ OK ] install = /root/pigsty, from /tmp/pigsty-v4.0.0.tgz
[Bootstrap] ===========================================
[WARN] ansible = not found, bootstrap
bootstrap pigsty v4.0.0 begin
[ OK ] region = china
[ OK ] kernel = Linux
[ OK ] machine = x86_64
[ OK ] package = rpm,dnf
[ OK ] vendor = rocky (Rocky Linux)
[ OK ] version = 10 (10.0)
[ OK ] sudo = root ok
[WARN] ssh = root@127.0.0.1 fixed
[WARN] old repos = moved to /etc/yum.repos.d/backup
[ OK ] repo file = add el10.x86_64 china upstream
[WARN] rpm cache = updating, may take a while
Pigsty PGSQL 10 - x86_64 364 kB/s | 251 kB 00:00
EL 10 BaseOS 10 - x86_64 32 MB/s | 6.4 MB 00:00
EL 10 AppStream 10 - x86_64 11 MB/s | 2.1 MB 00:00
EL 10 CRB 10 - x86_64 1.8 MB/s | 492 kB 00:00
EL 10 EPEL 10.0 - x86_64 27 MB/s | 4.8 MB 00:00
Metadata cache created.
[ OK ] repo cache = created
[ OK ] install el10 utils
Last metadata expiration check: 0:00:02 ago on Wed 07 Jan 2026 05:58:22 PM CST.
.....
Installed:
ansible-2.16.14-1.el10.noarch ansible-collection-ansible-posix-2.0.0-1.el10_0.noarch ansible-collection-community-crypto-2.15.0-1PIGSTY.el10.noarch ansible-collection-community-general-10.2.0-1.el10_0.noarch
ansible-core-1:2.16.14-1.el10.noarch git-core-2.47.3-1.el10.x86_64 python3-cffi-1.16.0-7.el10.x86_64 python3-cryptography-43.0.0-4.el10.x86_64
python3-jmespath-1.0.1-8.el10.noarch python3-ply-3.11-25.el10.noarch python3-pycparser-2.20-16.el10.noarch python3-resolvelib-1.0.1-6.el10.noarch
Complete!
[ OK ] ansible = ansible [core 2.16.14]
[ OK ] boostrap pigsty complete
proceed with ./configure
``` ```
> HINT: To install a specific version, pass the version string as the first parameter: ### 指定版本与域名 (安装建议)
>
> ```bash ```bash
> curl -fsSL https://repo.pigsty.io/get | bash -s v4.0.0 # bash -s -- <版本> <域名>
> ``` curl -fsSL https://raw.githubusercontent.com/cloud-neutral-toolkit/observability.svc.plus/main/scripts/install.sh \
| bash -s -- observability.svc.plus
```
</details> </details>
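Review bot: In the "指定版本与域名" example the comment documents `bash -s -- <版本> <域名>` (version, then domain), but the command passes only `observability.svc.plus`, which lands in the first positional parameter. `scripts/install.sh` in this commit reads `VERSION="${1:-main}"`, so the domain would be used as the branch name for `git clone -b`. Pass both arguments, for example `bash -s -- main observability.svc.plus`. Separately, the opening `<details><summary>Install with get script</summary>` is replaced by a heading while the closing `</details>` stays, which leaves an unmatched tag, and the new section is written in Chinese in an otherwise English README.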


@ -0,0 +1,23 @@
// Victoria套件配置 - 简化版本
// 解决initial load错误
// VictoriaMetrics配置
prometheus.remote_write "victoriametrics" {
endpoint {
url = "http://10.146.0.6:8428/api/v1/write"
}
}
// VictoriaLogs配置
loki.write "victorialogs" {
endpoint {
url = "http://10.146.0.6:9428/loki/api/v1/push"
headers = {"X-Scope-OrgID" = "default"}
}
}
// 指标收集
prometheus.scrape "local" {
targets = [{"job" = "alloy", "instance" = "localhost"}]
forward_to = [prometheus.remote_write.victoriametrics.receiver]
}
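Review bot: The `prometheus.scrape "local"` target is `{"job" = "alloy", "instance" = "localhost"}` with no `__address__` key, so the scraper has no host:port to connect to; add `__address__` with the address that should actually be scraped. Both write endpoints hard-code `10.146.0.6` over plain `http`, which ties a file the commit title calls a template to one host; take the address from a variable or a placeholder. `loki.write "victorialogs"` is defined, but nothing in this file forwards logs to it.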


@ -0,0 +1,141 @@
{
# debug
}
infra.svc.plus {
encode gzip zstd
# ---- Alloy unified ingest endpoints ----
# Prometheus remote_write
handle_path /ingest/metrics/* {
# 可选:加 basic auth / IP 白名单
reverse_proxy 127.0.0.1:12345
}
# Loki push (expects /loki/api/v1/push)
handle_path /ingest/logs/* {
reverse_proxy 127.0.0.1:12346
}
# OTLP HTTP (POST /v1/traces, /v1/metrics, /v1/logs)
handle_path /ingest/otlp/* {
reverse_proxy 127.0.0.1:4318
}
# -------------------------
# Grafana: /ui/ /ui/api/live/
# -------------------------
@ui path /ui/*
handle @ui {
reverse_proxy 127.0.0.1:3000 {
header_up Host {host}
header_up X-Real-IP {remote_host}
header_up Origin {scheme}://{host}
}
}
@ui_live path /ui/api/live/*
handle @ui_live {
reverse_proxy 127.0.0.1:3000 {
header_up Host {host}
}
}
@ui_rewrite path_regexp ui_rewrite ^/ui/(vmetrics|vlogs|vtraces|vmalert|haproxy|alertmgr)(.*)$
redir @ui_rewrite /{re.ui_rewrite.1}{re.ui_rewrite.2} 301
# -------------------------
# Victoria* / alert / blackbox
# -------------------------
handle_path /vmetrics/* {
reverse_proxy 127.0.0.1:8428
}
handle_path /vlogs/* {
reverse_proxy 127.0.0.1:9428
}
handle_path /vtraces/* {
reverse_proxy 127.0.0.1:10428
}
handle_path /vmalert/* {
reverse_proxy 127.0.0.1:8880
}
handle_path /alertmgr/* {
reverse_proxy 127.0.0.1:9059
}
handle_path /blackbox/* {
reverse_proxy 127.0.0.1:9115
}
# -------------------------
# code-server: /code/
# -------------------------
handle_path /code/* {
reverse_proxy 127.0.0.1:8443 {
header_up Host {host}
header_up X-Real-IP {remote_host}
header_up Accept-Encoding gzip
transport http {
read_timeout 86400s
write_timeout 86400s
dial_timeout 5s
}
}
}
# -------------------------
# jupyter lab: /jupyter/
# -------------------------
handle_path /jupyter/* {
reverse_proxy 127.0.0.1:8888 {
header_up Host {host}
header_up X-Real-IP {remote_host}
transport http {
read_timeout 86400s
write_timeout 86400s
dial_timeout 5s
}
}
}
# -------------------------
# HAProxy admin: /haproxy/pg-meta-1/
# -------------------------
handle_path /haproxy/pg-meta-1/* {
reverse_proxy 10.146.0.6:9101 {
transport http {
dial_timeout 1s
}
}
}
# -------------------------
# Liveness probe (/nginx)
# -------------------------
respond /nginx "ok\n" 200
# -------------------------
# Static site (/www) + directory listing
# -------------------------
root * /www
file_server browse
@zh path /zh
rewrite @zh /zh.html
@pev path /pev
rewrite @pev /pev.html
handle_errors {
@404 expression {http.error.status_code} == 404
rewrite @404 /404.html
file_server
}
}
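Review bot: None of the proxied routes under `infra.svc.plus` is access-controlled in this file. The `/ingest/*` endpoints carry only the comment about optional basic auth / IP allowlisting, and `/vmetrics`, `/vlogs`, `/vtraces`, `/vmalert`, `/alertmgr`, `/blackbox`, `/code`, `/jupyter` and `/haproxy/pg-meta-1` are forwarded as-is, with `file_server browse` listing `/www` on top. Add `basic_auth` or a `remote_ip` matcher at least to the ingest, admin, code-server and Jupyter routes, or state which layer is expected to authenticate them. Also check that `@ui_live` is ever reached: `@ui path /ui/*` already matches `/ui/api/live/*` and is declared first.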

scripts/install.sh Normal file

@ -0,0 +1,67 @@
#!/bin/bash
#==============================================================#
# File : install.sh
# Mtime : 2026-02-01
# Desc : Install observability.svc.plus
# Usage : curl ... | bash -s <VERSION> <DOMAIN>
#==============================================================#
# Default parameters
VERSION="${1:-main}"
DOMAIN="${2:-$(hostname)}"
REPO_URL="https://github.com/cloud-neutral-toolkit/observability.svc.plus.git"
INSTALL_DIR="${HOME}/pigsty"
# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
BLUE='\033[0;34m'
NC='\033[0m'
echo -e "${BLUE}Installing observability.svc.plus...${NC}"
echo -e "${BLUE}Version : ${VERSION}${NC}"
echo -e "${BLUE}Domain : ${DOMAIN}${NC}"
echo -e "${BLUE}Repo : ${REPO_URL}${NC}"
echo -e "${BLUE}Dir : ${INSTALL_DIR}${NC}"
# Check for git
if ! command -v git &> /dev/null; then
echo -e "${RED}Error: git is not installed.${NC}"
echo "Please install git first (yum install git / apt install git)"
exit 1
fi
# Clone or Update
if [ -d "${INSTALL_DIR}" ]; then
echo -e "${BLUE}Directory ${INSTALL_DIR} already exists.${NC}"
read -p "Overwrite? (y/N) " -n 1 -r
echo
if [[ $REPLY =~ ^[Yy]$ ]]; then
rm -rf "${INSTALL_DIR}"
git clone -b "${VERSION}" "${REPO_URL}" "${INSTALL_DIR}"
else
echo -e "${BLUE}Updating existing repo...${NC}"
cd "${INSTALL_DIR}"
git fetch origin
git checkout "${VERSION}" || echo -e "${RED}Version ${VERSION} not found${NC}"
git pull origin "${VERSION}"
fi
else
git clone -b "${VERSION}" "${REPO_URL}" "${INSTALL_DIR}"
fi
cd "${INSTALL_DIR}"
# Run Bootstrap
if [ -f "./bootstrap" ]; then
echo -e "${BLUE}Running bootstrap...${NC}"
./bootstrap
else
echo -e "${RED}bootstrap script not found!${NC}"
fi
echo -e "${GREEN}Installation successful!${NC}"
echo -e "Next steps:"
echo -e " cd ${INSTALL_DIR}"
echo -e " ./configure # Generate config"
echo -e " ./deploy.yml # Install"
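Review bot: The overwrite prompt `read -p "Overwrite? (y/N) " -n 1 -r` reads from stdin, but the documented usage is `curl ... | bash`, where stdin is the script itself, so the prompt consumes the next character of the script instead of a keypress. Read from `/dev/tty` or replace the prompt with an explicit flag. There is also no `set -e` and no check on `git clone`, `cd` or `./bootstrap`, so "Installation successful!" is printed even when those fail, including after the "bootstrap script not found!" branch. `DOMAIN` is parsed and echoed but never used afterwards.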