From 220203b1332a19610323f408d4635f9d68ce5292 Mon Sep 17 00:00:00 2001
From: Haitao Pan
Date: Sun, 12 Apr 2026 18:14:14 +0800
Subject: [PATCH] deploy: align console ingress and dns contract
---
 deploy_console_svc_plus.yml | 1 +
 roles/cloudflare_svc_plus_dns/tasks/main.yml | 4 +++
 roles/vhosts/caddy/templates/Caddyfile.j2 | 2 ++
 .../vhosts/console_service/defaults/main.yml | 26 +++++++++----------
 .../console_service/templates/Caddyfile.j2 | 2 +-
 .../console_service/templates/env.runtime.j2 | 4 +--
 vars/cloudflare_svc_plus_dns.yml | 7 +++++
 7 files changed, 30 insertions(+), 16 deletions(-)
diff --git a/deploy_console_svc_plus.yml b/deploy_console_svc_plus.yml
index b8383ce..292e3fe 100644
--- a/deploy_console_svc_plus.yml
+++ b/deploy_console_svc_plus.yml
@@ -4,6 +4,7 @@
 become: true
 roles:
 - roles/vhosts/docker
+ - roles/vhosts/caddy
 - roles/vhosts/console_service
 - name: Sync console DNS records when requested
diff --git a/roles/cloudflare_svc_plus_dns/tasks/main.yml b/roles/cloudflare_svc_plus_dns/tasks/main.yml
index f423e14..f1df307 100644
--- a/roles/cloudflare_svc_plus_dns/tasks/main.yml
+++ b/roles/cloudflare_svc_plus_dns/tasks/main.yml
@@ -8,6 +8,7 @@
 cloudflare_dns_records: >-
 {%- set records = [] -%}
 {%- set source_specs = cloudflare_dns_source_hosts | default(cloudflare_dns_default_source_hosts, true) -%}
+ {%- set static_records = cloudflare_dns_static_records | default([], true) -%}
 {%- set expanded_hosts = [] -%}
 {%- for spec in source_specs -%}
 {%- for host in query('inventory_hostnames', spec) -%}
@@ -29,6 +30,9 @@
 }) -%}
 {%- endfor -%}
 {%- endfor -%}
+ {%- for static_record in static_records -%}
+ {%- set _ = records.append(static_record) -%}
+ {%- endfor -%}
 {{ records | to_json | from_yaml }}
 - name: Reconcile svc.plus DNS via shared Cloudflare role
diff --git a/roles/vhosts/caddy/templates/Caddyfile.j2 b/roles/vhosts/caddy/templates/Caddyfile.j2
index 4057986..4d89af3 100644
--- a/roles/vhosts/caddy/templates/Caddyfile.j2
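Review bot: The new `{%- for static_record in static_records -%}` loop in the second hunk of roles/cloudflare_svc_plus_dns/tasks/main.yml appends each static entry to `records` as-is, so a static record whose `name` matches one generated from the inventory hosts produces two records for the same name, and nothing checks that a static entry carries `type`, `name` and `content` at all. Whether the shared Cloudflare role tolerates duplicate names is not visible in this diff; if it does not, a guard such as `{%- if static_record.name not in records | map(attribute='name') -%}` around the append (assuming the generated entries carry a `name` key like the static ones) or a comment stating that static records win would make the precedence explicit. The `cloudflare_dns_records` block scalar starts before the first hunk and its generated-record shape is only partly visible here.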
+++ b/roles/vhosts/caddy/templates/Caddyfile.j2
@@ -2,6 +2,8 @@
 # debug
 }
+import /etc/caddy/conf.d/*.caddy
+
 ############################
 # portal.onwalk.net
 # Next.js yarn dev
diff --git a/roles/vhosts/console_service/defaults/main.yml b/roles/vhosts/console_service/defaults/main.yml
index 95c4e14..97fbe7c 100644
--- a/roles/vhosts/console_service/defaults/main.yml
+++ b/roles/vhosts/console_service/defaults/main.yml
@@ -6,8 +6,10 @@ console_service_project_name: "{{ lookup('ansible.builtin.env', 'CONSOLE_PROJECT
 console_service_server_name: console
 console_service_release_id: "{{ lookup('env', 'RELEASE_ID') | default(lookup('pipe', 'git -C ' ~ playbook_dir ~ ' rev-parse --short HEAD'), true) }}"
 console_service_hostname: "{{ inventory_hostname | default(ansible_facts['hostname']) | default('unknown-host', true) }}"
-console_service_domain: "{{ lookup('ansible.builtin.env', 'CONSOLE_DOMAIN') | default('console.svc.plus', true) }}"
-console_service_domain_slug: "{{ console_service_domain | replace('.', '-') }}"
+console_service_canonical_domain: "{{ lookup('ansible.builtin.vars', 'CANONICAL_DOMAIN', default=lookup('ansible.builtin.env', 'CANONICAL_DOMAIN') | default('console.svc.plus', true)) }}"
+console_service_served_domains: "{{ lookup('ansible.builtin.vars', 'SERVED_DOMAINS', default=lookup('ansible.builtin.env', 'SERVED_DOMAINS') | default(console_service_canonical_domain, true)) }}"
+console_service_domain: "{{ console_service_canonical_domain }}"
+console_service_domain_slug: "{{ console_service_canonical_domain | replace('.', '-') }}"
 console_service_caddy_conf_dir: /etc/caddy/conf.d
 console_service_caddy_fragment_name: "{{ console_service_server_name }}-{{ console_service_release_id }}-{{ console_service_hostname }}-{{ console_service_domain_slug }}.caddy"
 console_service_caddy_fragment_path: "{{ console_service_caddy_conf_dir }}/{{ console_service_caddy_fragment_name }}"
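Review bot: `import /etc/caddy/conf.d/*.caddy` loads every fragment in the directory into the edge config, and the console fragment name from the defaults hunk embeds `console_service_release_id`, so a second deploy with a new release id leaves the previous fragment next to the new one and both declare a site block for the same address, which Caddy rejects as an ambiguous site definition at reload. Nothing in this diff prunes stale fragments; if the console_service role does not do so elsewhere, either drop the release id from the fragment name or add a cleanup of older `console-*` fragments before the reload. The directory is also now the effective control point for the proxy, so a comment on the import line is warranted, e.g. `# every *.caddy here is loaded on reload; keep this directory writable by root only`.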
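Review bot: `console_service_served_domains` falls back to the canonical domain alone, while the vars/cloudflare_svc_plus_dns.yml hunk adds a `www.svc.plus` CNAME pointing at `console.svc.plus`; with these defaults nothing serves `www.svc.plus` and Caddy will not request a certificate for it, so the DNS contract advertises a host the ingress contract does not answer. Whichever file is meant to own that list should say so, and the separator SERVED_DOMAINS expects is stated nowhere although the console Caddyfile hunk expands it verbatim as a site address; a comment above the variable such as `# SERVED_DOMAINS: space-separated hostnames Caddy answers for; must match the DNS records in vars/cloudflare_svc_plus_dns.yml` would pin both. The `lookup('ansible.builtin.vars', ..., default=...)` form is fine, but note it reads an Ansible variable named `CANONICAL_DOMAIN`/`SERVED_DOMAINS`, not the process environment, which only the inner `lookup('ansible.builtin.env', ...)` does.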
@@ -24,23 +26,21 @@ console_service_registry: "{{ lookup('ansible.builtin.env', 'CONSOLE_REGISTRY')
 console_service_registry_username: "{{ lookup('ansible.builtin.env', 'GHCR_USERNAME') | default('', true) }}"
 console_service_registry_password: "{{ lookup('ansible.builtin.env', 'GHCR_PASSWORD') | default('', true) }}"
-console_service_primary_domain: "{{ lookup('ansible.builtin.env', 'PRIMARY_DOMAIN') | default('cn-console.svc.plus', true) }}"
-console_service_secondary_domain: "{{ lookup('ansible.builtin.env', 'SECONDARY_DOMAIN') | default('cn-console.onwalk.net', true) }}"
-
 console_service_port: "{{ lookup('ansible.builtin.env', 'PORT') | default('3000', true) }}"
 console_service_node_env: production
 console_service_runtime_env: "{{ lookup('ansible.builtin.env', 'RUNTIME_ENV') | default('prod', true) }}"
 console_service_region: "{{ lookup('ansible.builtin.env', 'REGION') | default('cn', true) }}"
-console_service_app_base_url: "{{ lookup('ansible.builtin.env', 'APP_BASE_URL') | default('https://' ~ console_service_primary_domain, true) }}"
-console_service_next_public_app_base_url: "{{ lookup('ansible.builtin.env', 'NEXT_PUBLIC_APP_BASE_URL') | default(console_service_app_base_url, true) }}"
-console_service_next_public_site_url: "{{ lookup('ansible.builtin.env', 'NEXT_PUBLIC_SITE_URL') | default(console_service_app_base_url, true) }}"
-console_service_next_public_login_url: "{{ lookup('ansible.builtin.env', 'NEXT_PUBLIC_LOGIN_URL') | default(console_service_app_base_url ~ '/login', true) }}"
-console_service_next_public_docs_base_url: "{{ lookup('ansible.builtin.env', 'NEXT_PUBLIC_DOCS_BASE_URL') | default(console_service_app_base_url ~ '/docs', true) }}"
+console_service_public_base_url: "{{ lookup('ansible.builtin.env', 'APP_BASE_URL') | default('https://' ~ console_service_canonical_domain, true) }}"
+console_service_app_base_url: "{{ console_service_public_base_url }}"
+console_service_next_public_app_base_url: "{{ lookup('ansible.builtin.env', 'NEXT_PUBLIC_APP_BASE_URL') | default(console_service_public_base_url, true) }}"
+console_service_next_public_site_url: "{{ lookup('ansible.builtin.env', 'NEXT_PUBLIC_SITE_URL') | default(console_service_public_base_url, true) }}"
+console_service_next_public_login_url: "{{ lookup('ansible.builtin.env', 'NEXT_PUBLIC_LOGIN_URL') | default(console_service_public_base_url ~ '/login', true) }}"
+console_service_next_public_docs_base_url: "{{ lookup('ansible.builtin.env', 'NEXT_PUBLIC_DOCS_BASE_URL') | default(console_service_public_base_url ~ '/docs', true) }}"
 console_service_session_cookie_secure: "{{ lookup('ansible.builtin.env', 'SESSION_COOKIE_SECURE') | default('true', true) }}"
 console_service_next_public_session_cookie_secure: "{{ lookup('ansible.builtin.env', 'NEXT_PUBLIC_SESSION_COOKIE_SECURE') | default('true', true) }}"
-console_service_runtime_hostname: "{{ lookup('ansible.builtin.env', 'RUNTIME_HOSTNAME') | default(console_service_primary_domain, true) }}"
-console_service_next_runtime_hostname: "{{ lookup('ansible.builtin.env', 'NEXT_RUNTIME_HOSTNAME') | default(console_service_primary_domain, true) }}"
-console_service_deployment_hostname: "{{ lookup('ansible.builtin.env', 'DEPLOYMENT_HOSTNAME') | default(console_service_primary_domain, true) }}"
+console_service_runtime_hostname: "{{ lookup('ansible.builtin.env', 'RUNTIME_HOSTNAME') | default(console_service_canonical_domain, true) }}"
+console_service_next_runtime_hostname: "{{ lookup('ansible.builtin.env', 'NEXT_RUNTIME_HOSTNAME') | default(console_service_canonical_domain, true) }}"
+console_service_deployment_hostname: "{{ lookup('ansible.builtin.env', 'DEPLOYMENT_HOSTNAME') | default(console_service_hostname, true) }}"
 console_service_next_public_runtime_environment: "{{ lookup('ansible.builtin.env', 'NEXT_PUBLIC_RUNTIME_ENVIRONMENT') | default('prod', true) }}"
 console_service_next_public_runtime_region: "{{ lookup('ansible.builtin.env', 'NEXT_PUBLIC_RUNTIME_REGION') | default('cn', true) }}"
 console_service_account_service_url: "{{ lookup('ansible.builtin.env', 'ACCOUNT_SERVICE_URL') | default('https://accounts.svc.plus', true) }}"
diff --git a/roles/vhosts/console_service/templates/Caddyfile.j2 b/roles/vhosts/console_service/templates/Caddyfile.j2
index e4bcfee..eb974a4 100644
--- a/roles/vhosts/console_service/templates/Caddyfile.j2
+++ b/roles/vhosts/console_service/templates/Caddyfile.j2
@@ -1,4 +1,4 @@
-{{ console_service_domain }} {
+{{ '{$SERVED_DOMAINS}' }} {
 encode zstd gzip
 reverse_proxy 127.0.0.1:{{ console_service_port }} {
diff --git a/roles/vhosts/console_service/templates/env.runtime.j2 b/roles/vhosts/console_service/templates/env.runtime.j2
index c49dbb7..1c943d2 100644
--- a/roles/vhosts/console_service/templates/env.runtime.j2
+++ b/roles/vhosts/console_service/templates/env.runtime.j2
@@ -1,6 +1,6 @@
 FRONTEND_IMAGE={{ console_service_frontend_image }}
-PRIMARY_DOMAIN={{ console_service_domain }}
-SECONDARY_DOMAIN={{ console_service_domain }}
+CANONICAL_DOMAIN={{ console_service_canonical_domain }}
+SERVED_DOMAINS={{ console_service_served_domains }}
 NODE_ENV={{ console_service_node_env }}
 PORT={{ console_service_port }}
 RUNTIME_ENV={{ console_service_runtime_env }}
diff --git a/vars/cloudflare_svc_plus_dns.yml b/vars/cloudflare_svc_plus_dns.yml
index 4976f22..911b5bf 100644
--- a/vars/cloudflare_svc_plus_dns.yml
+++ b/vars/cloudflare_svc_plus_dns.yml
@@ -3,3 +3,10 @@ cloudflare_dns_default_source_hosts:
 - cn_front_host
 - jp_xhttp_contabo_host
 - tky_proxy_host
+
+cloudflare_dns_static_records:
+ - type: CNAME
+ name: www.svc.plus
+ content: console.svc.plus
+ ttl: 1
+ proxied: false
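Review bot: `console_service_deployment_hostname` now falls back to `console_service_hostname` (the inventory hostname, or the machine's `ansible_facts['hostname']`) instead of a public domain, a semantic change the commit message does not mention and the other two hostname variables in the same hunk do not share. If DEPLOYMENT_HOSTNAME is consumed anywhere as a URL host or cookie domain this will break, and it also writes an internal host label into the runtime environment; where it is consumed is not visible in this diff. A comment on the line stating the intent, e.g. `# deployment identity for logs/metrics, deliberately not a routable name`, would make the change read as deliberate rather than accidental.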
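Review bot: The site address in roles/vhosts/console_service/templates/Caddyfile.j2 is now the Caddy runtime placeholder `{$SERVED_DOMAINS}`, resolved from the Caddy process environment at load time, but nothing in this commit exports SERVED_DOMAINS to that process; env.runtime.j2 writes it for the container side as far as the hunks show. If the variable is unset the placeholder expands to an empty address and the fragment is invalid, and since the served address set drives automatic HTTPS, whoever controls Caddy's environment decides which certificates are requested rather than the deploy. Ansible already holds the value, so templating it directly, `{{ console_service_served_domains }} {`, fixes the served set at deploy time and leaves it readable in the rendered fragment. The site block continues past the hunk.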
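Review bot: The static `www.svc.plus` CNAME in vars/cloudflare_svc_plus_dns.yml is created with `proxied: false`, while the proxied state of the generated `console.svc.plus` record it points at is decided in the tasks file and is not visible here; if that record is proxied, the two names for the same origin get different Cloudflare treatment and whichever protections apply at the proxied name do not apply at www. A comment on the entry recording why it is DNS-only, e.g. `# DNS-only on purpose: www is terminated by the console Caddy vhost, keep in step with the console.svc.plus record`, would make the choice reviewable and catch a later change to the generated record.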