初始化：Astro 站点 + Sveltia CMS 后台 + 部署配置

2026-06-11 17:18:51 +08:00
commit 53092b52db
37 changed files with 7586 additions and 0 deletions
--- a/deploy/deploy.sh
+++ b/deploy/deploy.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+# 本地构建并上传到服务器。用法： ./deploy/deploy.sh
+set -euo pipefail
+
+REMOTE_USER="${REMOTE_USER:-root}"
+REMOTE_HOST="${REMOTE_HOST:-shizhui.xyz}"
+REMOTE_DIR="${REMOTE_DIR:-/var/www/shizhui}"
+
+echo "==> 构建站点"
+npm run build
+
+echo "==> 上传到 ${REMOTE_USER}@${REMOTE_HOST}:${REMOTE_DIR}"
+rsync -avz --delete dist/ "${REMOTE_USER}@${REMOTE_HOST}:${REMOTE_DIR}/"
+
+echo "==> 完成"
--- a/deploy/gitea-app.ini
+++ b/deploy/gitea-app.ini
@@ -0,0 +1,60 @@
+; Gitea 配置 —— 自托管于 git.shizhui.xyz
+; 数据库使用 SQLite（轻量，适合单人/小团队，2G 内存服务器友好）
+
+APP_NAME = ShiZhui Git
+RUN_USER = git
+RUN_MODE = prod
+WORK_PATH = /var/lib/gitea
+
+[server]
+PROTOCOL = http
+HTTP_ADDR = 127.0.0.1
+HTTP_PORT = 3000
+; 对外通过 Nginx 反代到 https://git.shizhui.xyz
+DOMAIN = git.shizhui.xyz
+ROOT_URL = https://git.shizhui.xyz/
+SSH_DOMAIN = git.shizhui.xyz
+; SSH 暂用 22 端口的系统 sshd 之外，Gitea 内置 SSH 关闭，走 HTTPS 即可
+DISABLE_SSH = false
+SSH_PORT = 22
+START_SSH_SERVER = false
+LFS_START_SERVER = true
+OFFLINE_MODE = true
+
+[database]
+DB_TYPE = sqlite3
+PATH = /var/lib/gitea/data/gitea.db
+LOG_SQL = false
+
+[repository]
+ROOT = /var/lib/gitea/data/gitea-repositories
+DEFAULT_BRANCH = main
+
+[security]
+INSTALL_LOCK = true
+; SECRET_KEY / INTERNAL_TOKEN 将在安装脚本中生成注入
+
+[service]
+; 关闭开放注册：仅管理员可创建用户（展示站点，维护人员受控）
+DISABLE_REGISTRATION = true
+REQUIRE_SIGNIN_VIEW = false
+DEFAULT_KEEP_EMAIL_PRIVATE = true
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+ENABLE_NOTIFY_MAIL = false
+
+[openid]
+ENABLE_OPENID_SIGNIN = false
+ENABLE_OPENID_SIGNUP = false
+
+[session]
+PROVIDER = file
+COOKIE_SECURE = true
+
+[log]
+MODE = console
+LEVEL = info
+ROOT_PATH = /var/lib/gitea/log
+
+[actions]
+; 启用 Gitea Actions（用于自动构建部署）
+ENABLED = true
--- a/deploy/gitea.service
+++ b/deploy/gitea.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=Gitea (Git with a cup of tea)
+After=syslog.target
+After=network.target
+
+[Service]
+RestartSec=2s
+Type=simple
+User=git
+Group=git
+WorkingDirectory=/var/lib/gitea/
+ExecStart=/usr/local/bin/gitea web --config /etc/gitea/app.ini
+Restart=always
+Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea
+# 资源限制（2G 内存服务器，适度约束）
+LimitNOFILE=524288
+
+[Install]
+WantedBy=multi-user.target
--- a/deploy/nginx-gitea.conf
+++ b/deploy/nginx-gitea.conf
@@ -0,0 +1,40 @@
+# Nginx 反向代理 —— Gitea @ git.shizhui.xyz
+# 证书由 certbot (DNS-01) 签发，已包含 git.shizhui.xyz
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name git.shizhui.xyz;
+
+    location ^~ /.well-known/acme-challenge/ {
+        root /var/www/letsencrypt;
+        default_type "text/plain";
+        try_files $uri =404;
+    }
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
+    server_name git.shizhui.xyz;
+
+    ssl_certificate /etc/letsencrypt/live/shizhui.xyz/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/shizhui.xyz/privkey.pem;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_session_cache shared:SSL:10m;
+
+    # 允许上传较大的仓库/附件
+    client_max_body_size 512M;
+
+    location / {
+        proxy_pass http://127.0.0.1:3000;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
--- a/deploy/nginx-shizhui.conf
+++ b/deploy/nginx-shizhui.conf
@@ -0,0 +1,63 @@
+# Nginx 配置 —— shizhui.xyz 静态站点
+# 放到服务器 /etc/nginx/sites-available/shizhui 并软链到 sites-enabled
+# 证书由 certbot (DNS-01) 签发：/etc/letsencrypt/live/shizhui.xyz/
+
+# HTTP：保留 ACME 验证路径，其余跳转 HTTPS
+server {
+    listen 80;
+    listen [::]:80;
+    server_name shizhui.xyz www.shizhui.xyz;
+
+    # Let's Encrypt ACME 验证（webroot，备用）
+    location ^~ /.well-known/acme-challenge/ {
+        root /var/www/letsencrypt;
+        default_type "text/plain";
+        try_files $uri =404;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+# HTTPS 主站
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
+    server_name shizhui.xyz www.shizhui.xyz;
+
+    ssl_certificate /etc/letsencrypt/live/shizhui.xyz/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/shizhui.xyz/privkey.pem;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers off;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 1d;
+
+    root /var/www/shizhui;
+    index index.html;
+
+    # 安全响应头
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Strict-Transport-Security "max-age=31536000" always;
+
+    # gzip 压缩
+    gzip on;
+    gzip_types text/css application/javascript application/json image/svg+xml application/xml;
+    gzip_min_length 1024;
+
+    # 静态资源缓存（带 hash 的构建产物可长缓存）
+    location /_astro/ {
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+    }
+
+    # Astro 构建生成的是目录式路由（/blog/ -> /blog/index.html）
+    location / {
+        try_files $uri $uri/ $uri.html =404;
+    }
+
+    error_page 404 /404.html;
+}