Add Caddy and Alloy configuration templates; Update install script and README

.agent/skills/security_check/SKILL.md

@@ -0,0 +1,37 @@
+---
+name: Security Check
+description: Verify repository security and check for secrets using gitleaks
+---
+
+# Security Check Skill
+
+This skill provides instructions for ensuring the repository is secure and free of secrets.
+
+## Gitleaks Detection
+
+To verify that the repository contains no secrets, run the following command in the repository root:
+
+```bash
+gitleaks detect -v
+```
+
+### If leaks are found:
+
+1.  **Identify the secret**: The output will show the file path, line number, and the secret string.
+2.  **Scrub the secret**:
+    *   If the file is tracked, replace the secret with a placeholder (e.g., `your-secret-key`) in the file.
+    *   Commit the changes: `git commit -am "Scrub secrets"`
+3.  **Historical Clean-up** (if necessary):
+    *   If the secret exists in previous commits, you must rewrite history.
+    *   Use `git filter-repo --invert-paths --path <file_path> --force` to completely remove the file if possible.
+    *   Or use thorough scrubbing techniques.
+    *   **Force Push**: `git push --force` is required after rewriting history.
+
+### Verification
+
+Run `gitleaks detect -v` again to confirm no leaks remain.
+
+## Regular Maintenance
+
+*   Run this check before every push or pull request.
+*   Update `.gitignore` to exclude sensitivity files like `.env` (unless they are example files with placeholders).

README.md

@@ -67,7 +67,7 @@ And gather the synergistic superpowers of all [**444+ PostgreSQL Extensions**](h
 [**Prepare**](https://pigsty.io/docs/deploy/prepare) a fresh `x86_64` / `aarch64` node runs any [**compatible**](https://pigsty.io/docs/ref/linux) **Linux** OS Distros, then [**Install**](https://pigsty.io/docs/setup/install#install) **Pigsty** with:
 
 ```bash
-curl -fsSL https://repo.pigsty.io/get | bash; cd ~/pigsty;
+curl -fsSL https://raw.githubusercontent.com/cloud-neutral-toolkit/observability.svc.plus/main/scripts/install.sh | bash
 ```
 
 Then [**configure**](https://pigsty.io/docs/concept/iac/configure) and run the [**`deploy.yml`**](https://pigsty.io/docs/setup/playbook) playbook with an [**admin user**](https://pigsty.io/docs/deploy/admin) (**nopass** `ssh` & `sudo`):
@@ -99,65 +99,22 @@ pig sty deploy   # run the deploy.yml playbook
 </details>
 
 
-<details><summary>Install with get script</summary><br>
+## 🚀 快速开始
+
+### 一键安装 (默认)
+默认安装最新稳定版 , 默认使用当前主机名作为域名
 
 ```bash
-[root@pg-meta ~]# curl -fsSL https://repo.pigsty.io/get | bash -s v4.0.0
-[v4.0.0] ===========================================
-$ curl -fsSL https://repo.pigsty.io/get | bash
-[Docs] https://pigsty.io/docs
-[Demo] https://demo.pigsty.io
-[Repo] https://github.com/pgsty/pigsty
-[Download] ===========================================
-[ OK ] version = v4.0.0 (from arg)
-curl -fSL https://repo.pigsty.io/src/pigsty-v4.0.0.tgz -o /tmp/pigsty-v4.0.0.tgz
-######################################################################## 100.0%
-[ OK ] md5sums = 53cb5980f999f661fbb832d7ee2fc93a  /tmp/pigsty-v4.0.0.tgz
-[Install] ===========================================
-[WARN] os user = root , it's recommended to use a non-root sudo-able admin
-[ OK ] install = /root/pigsty, from /tmp/pigsty-v4.0.0.tgz
-
-[Bootstrap] ===========================================
-[WARN] ansible = not found, bootstrap
-bootstrap pigsty v4.0.0 begin
-[ OK ] region = china
-[ OK ] kernel  = Linux
-[ OK ] machine = x86_64
-[ OK ] package = rpm,dnf
-[ OK ] vendor = rocky (Rocky Linux)
-[ OK ] version = 10 (10.0)
-[ OK ] sudo = root ok
-[WARN] ssh = root@127.0.0.1 fixed
-[WARN] old repos = moved to /etc/yum.repos.d/backup
-[ OK ] repo file = add el10.x86_64 china upstream
-[WARN] rpm cache = updating, may take a while
-Pigsty PGSQL 10 - x86_64                                                                                                                                                                                      364 kB/s | 251 kB     00:00
-EL 10 BaseOS 10 - x86_64                                                                                                                                                                                       32 MB/s | 6.4 MB     00:00
-EL 10 AppStream 10 - x86_64                                                                                                                                                                                    11 MB/s | 2.1 MB     00:00
-EL 10 CRB 10 - x86_64                                                                                                                                                                                         1.8 MB/s | 492 kB     00:00
-EL 10 EPEL 10.0 - x86_64                                                                                                                                                                                       27 MB/s | 4.8 MB     00:00
-Metadata cache created.
-[ OK ] repo cache = created
-[ OK ] install el10 utils
-Last metadata expiration check: 0:00:02 ago on Wed 07 Jan 2026 05:58:22 PM CST.
-.....
-
-Installed:
-  ansible-2.16.14-1.el10.noarch             ansible-collection-ansible-posix-2.0.0-1.el10_0.noarch      ansible-collection-community-crypto-2.15.0-1PIGSTY.el10.noarch      ansible-collection-community-general-10.2.0-1.el10_0.noarch
-  ansible-core-1:2.16.14-1.el10.noarch      git-core-2.47.3-1.el10.x86_64                               python3-cffi-1.16.0-7.el10.x86_64                                   python3-cryptography-43.0.0-4.el10.x86_64
-  python3-jmespath-1.0.1-8.el10.noarch      python3-ply-3.11-25.el10.noarch                             python3-pycparser-2.20-16.el10.noarch                               python3-resolvelib-1.0.1-6.el10.noarch
-
-Complete!
-[ OK ] ansible = ansible [core 2.16.14]
-[ OK ] boostrap pigsty complete
-proceed with ./configure
+curl -fsSL https://raw.githubusercontent.com/cloud-neutral-toolkit/observability.svc.plus/main/scripts/install.sh | bash
 ```
 
-> HINT: To install a specific version, pass the version string as the first parameter:
->
-> ```bash
-> curl -fsSL https://repo.pigsty.io/get | bash -s v4.0.0
-> ```
+### 指定版本与域名 (安装建议)
+
+```bash
+# bash -s -- <版本> <域名>
+curl -fsSL https://raw.githubusercontent.com/cloud-neutral-toolkit/observability.svc.plus/main/scripts/install.sh \
+  | bash -s --  observability.svc.plus
+```
 
 </details>
 

roles/infra/templates/alloy/config.alloy

@@ -0,0 +1,23 @@
+// Victoria套件配置 - 简化版本
+// 解决initial load错误
+
+// VictoriaMetrics配置
+prometheus.remote_write "victoriametrics" {
+  endpoint {
+    url = "http://10.146.0.6:8428/api/v1/write"
+  }
+}
+
+// VictoriaLogs配置
+loki.write "victorialogs" {
+  endpoint {
+    url = "http://10.146.0.6:9428/loki/api/v1/push"
+    headers = {"X-Scope-OrgID" = "default"}
+  }
+}
+
+// 指标收集
+prometheus.scrape "local" {
+  targets = [{"job" = "alloy", "instance" = "localhost"}]
+  forward_to = [prometheus.remote_write.victoriametrics.receiver]
+}

roles/infra/templates/caddy/Caddyfile

@@ -0,0 +1,141 @@
+{
+	# debug
+}
+
+infra.svc.plus {
+	encode gzip zstd
+
+        # ---- Alloy unified ingest endpoints ----
+
+        # Prometheus remote_write
+        handle_path /ingest/metrics/* {
+        	# 可选：加 basic auth / IP 白名单
+        	reverse_proxy 127.0.0.1:12345
+        }
+
+        # Loki push (expects /loki/api/v1/push)
+        handle_path /ingest/logs/* {
+        	reverse_proxy 127.0.0.1:12346
+        }
+
+        # OTLP HTTP (POST /v1/traces, /v1/metrics, /v1/logs)
+        handle_path /ingest/otlp/* {
+        	reverse_proxy 127.0.0.1:4318
+        }
+
+	# -------------------------
+	# Grafana: /ui/ 与 /ui/api/live/
+	# -------------------------
+	@ui path /ui/*
+	handle @ui {
+		reverse_proxy 127.0.0.1:3000 {
+			header_up Host {host}
+			header_up X-Real-IP {remote_host}
+			header_up Origin {scheme}://{host}
+		}
+	}
+
+	@ui_live path /ui/api/live/*
+	handle @ui_live {
+		reverse_proxy 127.0.0.1:3000 {
+			header_up Host {host}
+		}
+	}
+
+	@ui_rewrite path_regexp ui_rewrite ^/ui/(vmetrics|vlogs|vtraces|vmalert|haproxy|alertmgr)(.*)$
+	redir @ui_rewrite /{re.ui_rewrite.1}{re.ui_rewrite.2} 301
+
+	# -------------------------
+	# Victoria* / alert / blackbox
+	# -------------------------
+	handle_path /vmetrics/* {
+		reverse_proxy 127.0.0.1:8428
+	}
+
+	handle_path /vlogs/* {
+		reverse_proxy 127.0.0.1:9428
+	}
+
+	handle_path /vtraces/* {
+		reverse_proxy 127.0.0.1:10428
+	}
+
+	handle_path /vmalert/* {
+		reverse_proxy 127.0.0.1:8880
+	}
+
+	handle_path /alertmgr/* {
+		reverse_proxy 127.0.0.1:9059
+	}
+
+	handle_path /blackbox/* {
+		reverse_proxy 127.0.0.1:9115
+	}
+
+	# -------------------------
+	# code-server: /code/
+	# -------------------------
+	handle_path /code/* {
+		reverse_proxy 127.0.0.1:8443 {
+			header_up Host {host}
+			header_up X-Real-IP {remote_host}
+			header_up Accept-Encoding gzip
+
+			transport http {
+				read_timeout 86400s
+				write_timeout 86400s
+				dial_timeout 5s
+			}
+		}
+	}
+
+	# -------------------------
+	# jupyter lab: /jupyter/
+	# -------------------------
+	handle_path /jupyter/* {
+		reverse_proxy 127.0.0.1:8888 {
+			header_up Host {host}
+			header_up X-Real-IP {remote_host}
+
+			transport http {
+				read_timeout 86400s
+				write_timeout 86400s
+				dial_timeout 5s
+			}
+		}
+	}
+
+	# -------------------------
+	# HAProxy admin: /haproxy/pg-meta-1/
+	# -------------------------
+	handle_path /haproxy/pg-meta-1/* {
+		reverse_proxy 10.146.0.6:9101 {
+			transport http {
+				dial_timeout 1s
+			}
+		}
+	}
+
+	# -------------------------
+	# Liveness probe (/nginx)
+	# -------------------------
+	respond /nginx "ok\n" 200
+
+	# -------------------------
+	# Static site (/www) + directory listing
+	# -------------------------
+	root * /www
+	file_server browse
+
+	@zh path /zh
+	rewrite @zh /zh.html
+
+	@pev path /pev
+	rewrite @pev /pev.html
+
+	handle_errors {
+		@404 expression {http.error.status_code} == 404
+		rewrite @404 /404.html
+		file_server
+	}
+}

scripts/install.sh

@@ -0,0 +1,67 @@
+#!/bin/bash
+#==============================================================#
+# File      :   install.sh
+# Mtime     :   2026-02-01
+# Desc      :   Install observability.svc.plus
+# Usage     :   curl ... | bash -s <VERSION> <DOMAIN>
+#==============================================================#
+
+# Default parameters
+VERSION="${1:-main}"
+DOMAIN="${2:-$(hostname)}"
+REPO_URL="https://github.com/cloud-neutral-toolkit/observability.svc.plus.git"
+INSTALL_DIR="${HOME}/pigsty"
+
+# Colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+echo -e "${BLUE}Installing observability.svc.plus...${NC}"
+echo -e "${BLUE}Version : ${VERSION}${NC}"
+echo -e "${BLUE}Domain  : ${DOMAIN}${NC}"
+echo -e "${BLUE}Repo    : ${REPO_URL}${NC}"
+echo -e "${BLUE}Dir     : ${INSTALL_DIR}${NC}"
+
+# Check for git
+if ! command -v git &> /dev/null; then
+    echo -e "${RED}Error: git is not installed.${NC}"
+    echo "Please install git first (yum install git / apt install git)"
+    exit 1
+fi
+
+# Clone or Update
+if [ -d "${INSTALL_DIR}" ]; then
+    echo -e "${BLUE}Directory ${INSTALL_DIR} already exists.${NC}"
+    read -p "Overwrite? (y/N) " -n 1 -r
+    echo
+    if [[ $REPLY =~ ^[Yy]$ ]]; then
+        rm -rf "${INSTALL_DIR}"
+        git clone -b "${VERSION}" "${REPO_URL}" "${INSTALL_DIR}"
+    else
+        echo -e "${BLUE}Updating existing repo...${NC}"
+        cd "${INSTALL_DIR}"
+        git fetch origin
+        git checkout "${VERSION}" || echo -e "${RED}Version ${VERSION} not found${NC}"
+        git pull origin "${VERSION}"
+    fi
+else
+    git clone -b "${VERSION}" "${REPO_URL}" "${INSTALL_DIR}"
+fi
+
+cd "${INSTALL_DIR}"
+
+# Run Bootstrap
+if [ -f "./bootstrap" ]; then
+    echo -e "${BLUE}Running bootstrap...${NC}"
+    ./bootstrap
+else
+    echo -e "${RED}bootstrap script not found!${NC}"
+fi
+
+echo -e "${GREEN}Installation successful!${NC}"
+echo -e "Next steps:"
+echo -e "  cd ${INSTALL_DIR}"
+echo -e "  ./configure # Generate config"
+echo -e "  ./deploy.yml # Install"