feat: add public_access control to xworkspace-console

2026-06-12 15:31:24 +08:00 · 2026-06-12 15:31:24 +08:00 · f424327cfb
commit f424327cfb
parent affd6827b0
2 changed files with 43 additions and 1 deletions
--- a/docs/setup-ai-workspace-all-in-one.md
+++ b/docs/setup-ai-workspace-all-in-one.md
@ -62,7 +62,12 @@ ansible-playbook -i inventory.ini setup-ai-workspace-all-in-one.yml \

 ### 细粒度服务暴露开关 (支持针对性覆盖)

-1. **XWorkmate Bridge 公网访问控制**
+1. **XWorkspace Console (底层主工作区门户) 公网访问控制**
+   - **默认值：** `true` (standard 下) / `false` (strict 下)
+   - **参数：** `-e "xworkspace_console_public_access=false"`
+   - **作用：** 设为 true 时，会自动将本地 17000 端口通过 Caddy 反向代理到绑定的 `workspace.svc.plus` 域名提供公网访问。设为 false 时则销毁对应代理文件，只能进服务器内网/XRDP访问。
+
+2. **XWorkmate Bridge 公网访问控制**
   - **默认值：** `true` (standard 下) / `false` (strict 下)
   - **参数：** `-e "xworkmate_bridge_public_access=false"`
   - **作用：** 设为 false 时，会彻底删除该服务在 Caddy `/etc/caddy/conf.d` 中的 `.caddy` 文件，使其失去从外界 HTTPS 进入内部 8787 端口的路径。
--- a/setup-xworkspace-console.yaml
+++ b/setup-xworkspace-console.yaml
@ -5,6 +5,8 @@
  gather_facts: true
  vars:
    xworkspace_console_user: ubuntu
+    xworkspace_console_public_access: "{{ true if ai_workspace_security_level | default('standard') != 'strict' else false }}"
+    xworkspace_console_domain: workspace.svc.plus
    xworkspace_console_home: /home/ubuntu
    xworkspace_console_root: /home/ubuntu/xworkspace
    xworkspace_console_portal_dir: /home/ubuntu/xworkspace/portal
@ -943,3 +945,38 @@
              "external": true
            }
          ]
+
+    - name: Ensure Caddy fragment directory exists
+      ansible.builtin.file:
+        path: /etc/caddy/conf.d
+        state: directory
+        owner: root
+        group: root
+        mode: "0755"
+
+    - name: Deploy xworkspace-console public Caddy site
+      ansible.builtin.copy:
+        dest: "/etc/caddy/conf.d/{{ xworkspace_console_domain }}.caddy"
+        owner: root
+        group: root
+        mode: "0644"
+        content: |
+          {{ xworkspace_console_domain }} {
+              reverse_proxy 127.0.0.1:{{ xworkspace_console_portal_port }}
+          }
+      when: xworkspace_console_public_access | bool
+      register: xworkspace_caddy_deploy
+
+    - name: Remove xworkspace-console public Caddy site when disabled
+      ansible.builtin.file:
+        path: "/etc/caddy/conf.d/{{ xworkspace_console_domain }}.caddy"
+        state: absent
+      when: not (xworkspace_console_public_access | bool)
+      register: xworkspace_caddy_remove
+
+    - name: Reload Caddy if xworkspace-console proxy changed
+      ansible.builtin.service:
+        name: caddy
+        state: reloaded
+      when: (xworkspace_caddy_deploy.changed or xworkspace_caddy_remove.changed) and not ansible_check_mode
+      failed_when: false