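# Command tracing is opt-in. An unconditional `set -x` copies every expanded
# value into the Hugging Face Logs panel, including the gateway token, the
# cookie secret and the OAuth client secret. Set STARTUP_TRACE=1 only while
# debugging, and treat the resulting logs as sensitive.
if [ "${STARTUP_TRACE:-0}" = "1" ]; then
  set -x
fi

# =========================================================
# 1. Home directory, permissions and OpenClaw configuration
# =========================================================
# Point HOME at /tmp to get around the permission limits on /home/user.
export HOME="/tmp"
export OC_CONF_DIR="/tmp/.openclaw"

# Create the directory and the config file under a restrictive umask so the
# token is never readable by others, not even between creation and chmod.
previous_umask=$(umask)
umask 077
mkdir -p "$OC_CONF_DIR"
chmod 700 "$OC_CONF_DIR"

# Token shared by the CLI and the Gateway. A value supplied through the
# environment (for example a Space secret) is used as-is; otherwise a random
# one is generated on every start instead of shipping a fixed, published value.
if [ -z "${OPENCLAW_GATEWAY_TOKEN:-}" ]; then
  OPENCLAW_GATEWAY_TOKEN=$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')
fi
# The token is interpolated into JSON below, so refuse characters that could
# break out of the string literal.
case "$OPENCLAW_GATEWAY_TOKEN" in
  "" | *[!A-Za-z0-9._~-]*)
    echo "OPENCLAW_GATEWAY_TOKEN must be non-empty and contain only A-Z a-z 0-9 . _ ~ -" >&2
    exit 1
    ;;
esac
export OPENCLAW_GATEWAY_TOKEN

# Core fix: write a config file in the current format with correct permissions.
cat <<EOF > "$OC_CONF_DIR/openclaw.json"
{
  "gateway": {
    "bind": "loopback",
    "port": 18789,
    "auth": {
      "token": "$OPENCLAW_GATEWAY_TOKEN"
    }
  }
}
EOF
# Mode 600 is required; per the original author, newer OpenClaw versions
# report a security error and refuse to start otherwise. The chmod also
# tightens a file left over from an earlier run.
chmod 600 "$OC_CONF_DIR/openclaw.json"
umask "$previous_umask"

# Tell OpenClaw explicitly which config file to use.
export OPENCLAW_CONFIG_PATH="$OC_CONF_DIR/openclaw.json"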
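# =========================================================
# 2. Authentication inputs (oauth2-proxy)
# =========================================================
# File of allowed e-mail addresses, one per line, handed to oauth2-proxy.
AUTH_FILE="/tmp/authenticated_emails.txt"
touch "$AUTH_FILE"

# Generate a cookie secret when none is supplied. A generated secret changes
# on every restart, which invalidates existing login cookies.
if [ -z "$OAUTH2_PROXY_COOKIE_SECRET" ]; then
  OAUTH2_PROXY_COOKIE_SECRET=$(head -c 32 /dev/urandom | base64 | tr -d '+/' | head -c 32)
  export OAUTH2_PROXY_COOKIE_SECRET
fi

# Parse ALLOWED_USERS: a comma-separated list in which entries containing "@"
# are e-mail addresses and all other entries are GitHub usernames.
GITHUB_USERS=""
if [ -n "$ALLOWED_USERS" ]; then
  : > "$AUTH_FILE"
  IFS=',' read -ra ADDR <<< "$ALLOWED_USERS"
  for user in "${ADDR[@]}"; do
    # Trim surrounding whitespace with parameter expansion. Piping through
    # xargs would also interpret quotes and backslashes, so an address such
    # as o'brien@example.com would be mangled or dropped.
    user="${user#"${user%%[![:space:]]*}"}"
    user="${user%"${user##*[![:space:]]}"}"
    # Skip empty entries (trailing or doubled commas) so they do not end up
    # as blank usernames in the GitHub list.
    [ -n "$user" ] || continue
    if [[ "$user" == *"@"* ]]; then
      printf '%s\n' "$user" >> "$AUTH_FILE"
    else
      GITHUB_USERS="${GITHUB_USERS:+$GITHUB_USERS,}$user"
    fi
  done
fi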
# =========================================================
# 3. Start background services
# =========================================================
ttyd_log="/tmp/ttyd.log"
gateway_log="/tmp/openclaw-gateway.log"

# Web terminal: ttyd serves a writable (-W) bash session on port 7681.
# NOTE(review): no bind interface is given, so whether 7681 can be reached
# without passing through oauth2-proxy depends on the container's networking
# and the nginx config, neither of which is visible here. Confirm, or bind
# ttyd to loopback.
ttyd -p 7681 -W bash >"$ttyd_log" 2>&1 &

# OpenClaw Gateway, started in `run` mode to suit the container.
printf '%s\n' "Starting OpenClaw Gateway..."
nohup openclaw gateway run --config "$OPENCLAW_CONFIG_PATH" >"$gateway_log" 2>&1 &
# PID of the gateway process just sent to the background.
OPENCLAW_PID=$!
# =========================================================
# 4. Provider auto-detection
# =========================================================
# An explicitly configured OAUTH2_PROXY_PROVIDER always wins. Otherwise the
# provider is inferred from whichever client credentials are present, and
# falls back to GitHub when nothing matches.
if [[ -n "$OAUTH2_PROXY_PROVIDER" ]]; then
  : # provider supplied by the environment; leave every setting untouched
elif [[ -n "$GOOGLE_CLIENT_ID" ]]; then
  OAUTH2_PROXY_PROVIDER="google"
  OAUTH2_PROXY_CLIENT_ID="$GOOGLE_CLIENT_ID"
  OAUTH2_PROXY_CLIENT_SECRET="$GOOGLE_CLIENT_SECRET"
  export OAUTH2_PROXY_PROVIDER OAUTH2_PROXY_CLIENT_ID OAUTH2_PROXY_CLIENT_SECRET
elif [[ -n "$GITHUB_CLIENT_ID" || "$OAUTH2_PROXY_CLIENT_ID" == Ov2* ]]; then
  # Either GitHub credentials were given, or the client id already set for
  # oauth2-proxy carries the "Ov2" prefix this script treats as GitHub.
  export OAUTH2_PROXY_PROVIDER="github"
  if [[ -n "$GITHUB_CLIENT_ID" ]]; then
    export OAUTH2_PROXY_CLIENT_ID="$GITHUB_CLIENT_ID"
  fi
  if [[ -n "$GITHUB_CLIENT_SECRET" ]]; then
    export OAUTH2_PROXY_CLIENT_SECRET="$GITHUB_CLIENT_SECRET"
  fi
else
  # Nothing to go on: default to GitHub without touching the credentials.
  export OAUTH2_PROXY_PROVIDER="github"
fi
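SPACE_DOMAIN="darkfire514-vps-linux.hf.space"
REDIRECT_URL="https://$SPACE_DOMAIN/oauth2/callback"

# Start oauth2-proxy in front of the web terminal (upstream 127.0.0.1:7681).
# The arguments are collected in an array so that optional flags are passed as
# single words and never subject to word splitting or globbing.
# NOTE(review): the client secret and cookie secret are passed on the command
# line, so they are visible in the process list inside the container.
PROXY_ARGS=(
  --provider="$OAUTH2_PROXY_PROVIDER"
  --client-id="$OAUTH2_PROXY_CLIENT_ID"
  --client-secret="$OAUTH2_PROXY_CLIENT_SECRET"
  --cookie-secret="$OAUTH2_PROXY_COOKIE_SECRET"
  --redirect-url="$REDIRECT_URL"
  --upstream="http://127.0.0.1:7681"
  --http-address="0.0.0.0:4180"
  --authenticated-emails-file="$AUTH_FILE"
  --reverse-proxy="true"
  --cookie-secure="true"
  --proxy-websockets="true"
  --custom-templates-dir="/var/www/html/theme"
)

# oauth2-proxy accepts any e-mail address when --email-domain is "*", which
# makes the --authenticated-emails-file allowlist ineffective. Pass the
# wildcard only when the e-mail file is not the access control in use.
if [ -n "$GITHUB_USERS" ]; then
  # Access is limited by GitHub username; the wildcard lets those accounts
  # pass the e-mail check whatever address they use.
  # NOTE(review): this restriction relies on the GitHub provider; confirm the
  # behaviour if another provider is combined with GitHub usernames.
  PROXY_ARGS+=(--email-domain="*" --github-user="$GITHUB_USERS")
elif [ -s "$AUTH_FILE" ]; then
  : # e-mail allowlist only: no wildcard, so the file decides who may log in
else
  echo "WARNING: ALLOWED_USERS is empty; any account the OAuth provider authenticates gets access to the web terminal" >&2
  PROXY_ARGS+=(--email-domain="*")
fi

nohup oauth2-proxy "${PROXY_ARGS[@]}" > /tmp/oauth2-proxy.log 2>&1 &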
# =========================================================
# 5. Start Nginx
# =========================================================
# Give the background services a fixed five seconds to come up.
printf '%s\n' "正在等待服务就绪..."
sleep 5

printf '%s\n' "Starting Nginx..."
# exec replaces this shell with nginx; "daemon off;" keeps nginx in the
# foreground so it stays the container's main process.
exec nginx -g "daemon off;"