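#!/bin/bash
# Entrypoint for a Hugging Face Space: prepares OpenClaw, starts a ttyd web
# terminal behind oauth2-proxy, then hands the process over to Nginx.
#
# Environment (typically Space secrets):
#   GOOGLE_CLIENT_ID / GOOGLE_CLIENT_SECRET  or
#   GITHUB_CLIENT_ID / GITHUB_CLIENT_SECRET  (or the OAUTH2_PROXY_* equivalents)
#   ALLOWED_USERS               optional, comma-separated emails and/or GitHub logins
#   OAUTH2_PROXY_COOKIE_SECRET  optional, generated per boot when unset
#   OPENCLAW_GATEWAY_TOKEN      optional, generated per boot when unset
#   SPACE_DOMAIN                optional, overrides the OAuth redirect host

# Enable tracing; output lands in the Hugging Face Logs panel. Tracing is
# switched off around the blocks that handle credentials so secret values
# never reach that (shared) log.
set -x

# =========================================================
# 1. Permissions and configuration
# =========================================================
# Force HOME to /tmp to sidestep the permission restrictions on /home/user.
export HOME="/tmp"
export OC_CONF_DIR="/tmp/.openclaw"
# Create the config dir under a 077 umask so it is private from the start.
( umask 077 && mkdir -p "$OC_CONF_DIR" )

# Internal token shared by the CLI and the Gateway (the Gateway binds to
# loopback, and the CLI runs inside the ttyd shell that inherits this env).
# Generated per boot unless the operator supplies one; a fixed value here
# would be a credential committed to source.
set +x
if [ -z "$OPENCLAW_GATEWAY_TOKEN" ]; then
  OPENCLAW_GATEWAY_TOKEN=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32)
fi
# The token is interpolated into JSON below; refuse values that would break
# the document rather than emit a malformed config.
case "$OPENCLAW_GATEWAY_TOKEN" in
  *[\"\\]*)
    printf 'OPENCLAW_GATEWAY_TOKEN must not contain " or \\\n' >&2
    exit 1
    ;;
esac
export OPENCLAW_GATEWAY_TOKEN
set -x

# Write the config in the current OpenClaw format. Newer OpenClaw refuses to
# start unless this file is mode 600, so write it under a restrictive umask
# (no world-readable window) and chmod afterwards (covers a pre-existing file).
(
  umask 077
  cat <<EOF > "$OC_CONF_DIR/openclaw.json"
{
  "gateway": {
    "bind": "loopback",
    "port": 18789,
    "auth": {
      "token": "$OPENCLAW_GATEWAY_TOKEN"
    }
  }
}
EOF
)
chmod 600 "$OC_CONF_DIR/openclaw.json"

# Point OpenClaw at this config explicitly.
export OPENCLAW_CONFIG_PATH="$OC_CONF_DIR/openclaw.json"

# =========================================================
# 2. Authorization inputs for oauth2-proxy
# =========================================================
AUTH_FILE="/tmp/authenticated_emails.txt"
# Always start from an empty allow-list so entries from a previous boot
# cannot linger in the file.
: > "$AUTH_FILE"

# Cookie secret: 32 printable bytes, one of the lengths oauth2-proxy accepts.
# Drawing alphanumerics directly from /dev/urandom guarantees the full 32
# characters (base64 followed by tr -d could come up short). Kept out of the trace.
set +x
if [ -z "$OAUTH2_PROXY_COOKIE_SECRET" ]; then
  OAUTH2_PROXY_COOKIE_SECRET=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32)
fi
export OAUTH2_PROXY_COOKIE_SECRET
set -x

# Split ALLOWED_USERS: entries containing '@' are emails (written to the
# allow-list file); anything else is treated as a GitHub login.
GITHUB_USERS=""
if [ -n "$ALLOWED_USERS" ]; then
  IFS=',' read -ra entries <<< "$ALLOWED_USERS"
  for entry in "${entries[@]}"; do
    # Trim surrounding whitespace with parameter expansion; piping through
    # xargs would also interpret quotes and backslashes in the value.
    entry="${entry#"${entry%%[![:space:]]*}"}"
    entry="${entry%"${entry##*[![:space:]]}"}"
    # Skip empty entries (e.g. a trailing comma) instead of emitting a blank
    # allow-list line or a dangling comma in --github-user.
    [ -n "$entry" ] || continue
    if [[ "$entry" == *"@"* ]]; then
      printf '%s\n' "$entry" >> "$AUTH_FILE"
    else
      GITHUB_USERS="${GITHUB_USERS:+$GITHUB_USERS,}$entry"
    fi
  done
fi

# =========================================================
# 3. Background services
# =========================================================
# Writable web terminal; reached only through oauth2-proxy via Nginx.
# NOTE(review): ttyd listens on all interfaces by default. Restricting it to
# the loopback interface (ttyd's -i option) would leave it reachable from the
# local proxy only — confirm against the installed ttyd before changing.
ttyd -p 7681 -W bash > /tmp/ttyd.log 2>&1 &

# OpenClaw Gateway in `run` mode (the mode suited to containers).
echo "Starting OpenClaw Gateway..."
nohup openclaw gateway run --config "$OPENCLAW_CONFIG_PATH" > /tmp/openclaw-gateway.log 2>&1 &
OPENCLAW_PID=$!

# =========================================================
# 4. Provider detection
# =========================================================
# Client secrets are copied between variables here, so keep the trace off.
set +x
if [ -z "$OAUTH2_PROXY_PROVIDER" ]; then
  if [ -n "$GOOGLE_CLIENT_ID" ]; then
    export OAUTH2_PROXY_PROVIDER="google"
    export OAUTH2_PROXY_CLIENT_ID="$GOOGLE_CLIENT_ID"
    export OAUTH2_PROXY_CLIENT_SECRET="$GOOGLE_CLIENT_SECRET"
  elif [ -n "$GITHUB_CLIENT_ID" ] || [[ "$OAUTH2_PROXY_CLIENT_ID" == Ov2* ]]; then
    # An "Ov2" prefix on the client ID is taken as a GitHub-issued ID.
    export OAUTH2_PROXY_PROVIDER="github"
    [ -n "$GITHUB_CLIENT_ID" ] && export OAUTH2_PROXY_CLIENT_ID="$GITHUB_CLIENT_ID"
    [ -n "$GITHUB_CLIENT_SECRET" ] && export OAUTH2_PROXY_CLIENT_SECRET="$GITHUB_CLIENT_SECRET"
  else
    export OAUTH2_PROXY_PROVIDER="github"
  fi
fi
# oauth2-proxy reads OAUTH2_PROXY_CLIENT_SECRET and OAUTH2_PROXY_COOKIE_SECRET
# from the environment, so the secrets are exported rather than passed as
# flags: flags are visible in `ps` and in the -x trace.
export OAUTH2_PROXY_CLIENT_SECRET
set -x

# Host of this Space; the OAuth app's registered callback must match it.
SPACE_DOMAIN="${SPACE_DOMAIN:-darkfire514-vps-linux.hf.space}"
REDIRECT_URL="https://$SPACE_DOMAIN/oauth2/callback"

# Build the oauth2-proxy command line as an array so every value stays a
# single argument regardless of its content.
oauth2_args=(
  --provider="$OAUTH2_PROXY_PROVIDER"
  --client-id="$OAUTH2_PROXY_CLIENT_ID"
  --redirect-url="$REDIRECT_URL"
  --upstream="http://127.0.0.1:7681"
  --http-address="0.0.0.0:4180"
  --authenticated-emails-file="$AUTH_FILE"
  --reverse-proxy="true"
  --cookie-secure="true"
  --proxy-websockets="true"
  --custom-templates-dir="/var/www/html/theme"
)
# --email-domain="*" makes oauth2-proxy accept every authenticated email, which
# silently overrides the authenticated-emails file. Pass it only when nothing
# else restricts access: no email allow-list, or a GitHub login list (the
# --github-user check is the gate in that case). With an email-only
# ALLOWED_USERS the file is the allow-list. With no ALLOWED_USERS at all,
# access stays open to any account the provider authenticates, as before.
if [ -s "$AUTH_FILE" ] && [ -z "$GITHUB_USERS" ]; then
  : # email allow-list in $AUTH_FILE governs access
else
  oauth2_args+=(--email-domain="*")
fi
if [ -n "$GITHUB_USERS" ]; then
  oauth2_args+=(--github-user="$GITHUB_USERS")
fi

# Start oauth2-proxy.
nohup oauth2-proxy "${oauth2_args[@]}" > /tmp/oauth2-proxy.log 2>&1 &

# =========================================================
# 5. Start Nginx
# =========================================================
echo "正在等待服务就绪..."
sleep 5

echo "Starting Nginx..."
# exec so Nginx becomes PID 1's child and receives the container's signals.
exec nginx -g "daemon off;"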