chore: adapt cloud run + stunnel client config

.gitignore

@@ -1,3 +1,5 @@
+.env
+
 models/
 pg_jieba/
 hf_cache/

Makefile

@@ -19,6 +19,13 @@ REPLICATION_MODE ?= pgsync
 DB_ADMIN_USER ?= $(DB_USER)
 DB_ADMIN_PASS ?= $(DB_PASS)
 
+GCP_PROJECT ?=
+GCP_REGION ?= asia-northeast1
+CLOUD_RUN_SERVICE ?= accounts-svc-plus
+CLOUD_RUN_SERVICE_YAML ?= deploy/gcp/cloud-run/service.yaml
+CLOUD_RUN_STUNNEL_CONF ?= deploy/gcp/cloud-run/stunnel.conf
+CLOUD_RUN_IMAGE ?= $(GCP_REGION)-docker.pkg.dev/$(GCP_PROJECT)/cloud-run-source-deploy/accounts.svc.plus/accounts-svc-plus:latest
+
 SCHEMA_FILE := ./sql/schema.sql
 PGLOGICAL_INIT_FILE := ./sql/schema_pglogical_init.sql
 PGLOGICAL_PATCH_FILE := ./sql/schema_pglogical_patch.sql
@@ -40,7 +47,8 @@ export PATH := /usr/local/go/bin:$(PATH)
 
 .PHONY: all init build clean start stop restart dev test help \
 	init-db-core init-db-replication init-db-pglogical \
-	reinit-pglogical account-sync-push account-sync-pull account-sync-mirror create-db-user db-reset
+	reinit-pglogical account-sync-push account-sync-pull account-sync-mirror create-db-user db-reset \
+	cloudrun-build cloudrun-deploy cloudrun-stunnel
 
 all: build
 
@@ -59,6 +67,9 @@ help:
 	@echo "make reinit-pglogical   重新初始化 pglogical schema"
 	@echo "make dev                热重载开发模式"
 	@echo "make clean              清理构建产物"
+	@echo "make cloudrun-build     构建并推送 Cloud Run 镜像"
+	@echo "make cloudrun-deploy    部署 Cloud Run Service"
+	@echo "make cloudrun-stunnel   更新 Cloud Run stunnel 配置 secret"
 
 # =========================================
 # 🧰 初始化
@@ -292,3 +303,32 @@ test:
 
 clean:
 	rm -f $(APP_NAME) *.pid *.log
+
+# =========================================
+# ☁️ GCP Cloud Run
+# =========================================
+
+cloudrun-build:
+	@if [ -z "$(GCP_PROJECT)" ]; then \
+		echo "❌ GCP_PROJECT 不能为空"; \
+		exit 1; \
+	fi
+	@gcloud builds submit --tag "$(CLOUD_RUN_IMAGE)" .
+
+cloudrun-deploy:
+	@if [ -z "$(GCP_PROJECT)" ]; then \
+		echo "❌ GCP_PROJECT 不能为空"; \
+		exit 1; \
+	fi
+	@gcloud run services replace "$(CLOUD_RUN_SERVICE_YAML)" --region "$(GCP_REGION)" --project "$(GCP_PROJECT)"
+
+cloudrun-stunnel:
+	@if [ -z "$(GCP_PROJECT)" ]; then \
+		echo "❌ GCP_PROJECT 不能为空"; \
+		exit 1; \
+	fi
+	@if [ ! -f "$(CLOUD_RUN_STUNNEL_CONF)" ]; then \
+		echo "❌ 未找到 stunnel 配置: $(CLOUD_RUN_STUNNEL_CONF)"; \
+		exit 1; \
+	fi
+	@gcloud secrets versions add stunnel-config --data-file "$(CLOUD_RUN_STUNNEL_CONF)" --project "$(GCP_PROJECT)"

config/account.cloudrun.yaml

@@ -0,0 +1,85 @@
+mode: "server-agent"
+
+log:
+  level: info
+
+server:
+  addr: ":8080"
+  readTimeout: 15s
+  writeTimeout: 15s
+  publicUrl: "https://accounts.svc.plus"
+  allowedOrigins:
+    - "https://dev.svc.plus"
+    - "https://dev-homepage.svc.plus"
+    - "https://www.svc.plus"
+    - "https://global-homepage.svc.plus"
+    - "https://accounts.svc.plus"
+    - "https://localhost:8443"
+    - "http://localhost:8080"
+    - "http://127.0.0.1:8080"
+    - "http://localhost:3001"
+    - "http://127.0.0.1:3001"
+    - "http://localhost:3000"
+    - "http://127.0.0.1:3000"
+  tls:
+    enabled: false
+    certFile: ""
+    keyFile: ""
+    caFile: ""
+    clientCAFile: ""
+    redirectHttp: false
+
+store:
+  driver: "postgres"
+  dsn: "postgres://${DB_USER}:${DB_PASSWORD}@${DB_HOST}:${DB_PORT}/${DB_NAME}?sslmode=disable"
+  maxOpenConns: 30
+  maxIdleConns: 10
+
+session:
+  ttl: 24h
+  cache: "redis"
+  redis:
+    addr: "127.0.0.1:6379"
+    password: ""
+
+smtp:
+  host: "smtp.example.com"
+  port: 587
+  username: "apikey"
+  p: "s"
+  from: "XControl Account <no-reply@example.com>"
+  replyTo: ""
+  timeout: 10s
+  tls:
+    mode: "auto"
+    insecureSkipVerify: false
+
+xray:
+  sync:
+    enabled: false
+    interval: 5m
+    outputPath: "/usr/local/etc/xray/config.json"
+    templatePath: "account/config/xray.config.template.json"
+    validateCommand: []
+    restartCommand:
+      - "systemctl"
+      - "restart"
+      - "xray.service"
+
+agent:
+  id: "account-primary"
+  controllerUrl: "http://127.0.0.1:8080"
+  apiToken: "replace-with-agent-token"
+  httpTimeout: 15s
+  statusInterval: 1m
+  syncInterval: 5m
+  tls:
+    insecureSkipVerify: false
+
+agents:
+  credentials:
+    - id: "account-primary"
+      name: "Account Server (local agent)"
+      token: "replace-with-agent-token"
+      groups:
+        - "default"

deploy/gcp/cloud-run/service.yaml

@@ -25,6 +25,8 @@ spec:
         - name: http1
           containerPort: 8080
         env:
+        - name: CONFIG_TEMPLATE
+          value: "/app/config/account.cloudrun.yaml"
         - name: PGADMIN_PASSWORD
           value: admin_password
         - name: DB_PASSWORD
@@ -35,7 +37,7 @@ spec:
         - name: DB_HOST
           value: "127.0.0.1"
         - name: DB_PORT
-          value: "5432"
+          value: "15432"
         - name: DB_USER
           value: postgres
         - name: DB_NAME

deploy/gcp/cloud-run/stunnel.conf

@@ -0,0 +1,12 @@
+; Stunnel configuration for Cloud Run (client mode)
+pid = /var/run/stunnel/stunnel-account-db-client.pid
+output = /var/run/stunnel/stunnel-account-db-client.log
+foreground = yes
+
+[postgres-client]
+client = yes
+accept = 127.0.0.1:15432
+connect = postgresql.onwalk.net:443
+verify = 2
+CAfile = /etc/ssl/certs/ca-certificates.crt
+checkHost = postgresql.onwalk.net

entrypoint.sh

@@ -2,11 +2,16 @@
 set -euo pipefail
 
 CONFIG_FILE="${CONFIG_PATH:-/etc/xcontrol/account.yaml}"
-DEFAULT_CONFIG="/etc/xcontrol/account.yaml"
+CONFIG_TEMPLATE="${CONFIG_TEMPLATE:-/app/config/account.yaml}"
 mkdir -p "$(dirname "${CONFIG_FILE}")"
 
 if [ ! -f "${CONFIG_FILE}" ]; then
-  cp "${DEFAULT_CONFIG}" "${CONFIG_FILE}"
+  if [ -f "${CONFIG_TEMPLATE}" ]; then
+    envsubst < "${CONFIG_TEMPLATE}" > "${CONFIG_FILE}"
+  else
+    echo "missing config template: ${CONFIG_TEMPLATE}" >&2
+    exit 1
+  fi
 fi
 
 if [ -n "${PORT:-}" ]; then
@@ -26,4 +31,4 @@ if [ -n "${PORT:-}" ]; then
   CONFIG_FILE="${tmp_cfg}"
 fi
 
-exec /usr/local/bin/accountsvc --config "${CONFIG_FILE}" "$@"
+exec /usr/local/bin/account --config "${CONFIG_FILE}" "$@"