添加docker 部署agent

codes/agent/game-docker/init-ssl.sh

@@ -41,10 +41,14 @@ if [ -z "$SSL_EMAIL" ]; then
     exit 1
 fi
 
-if [ -z "$API_DOMAIN" ] || [ -z "$DLWEB_DOMAIN" ] || [ -z "$WX_DOMAIN" ]; then
-    log_error "请在 .env 中设置 API_DOMAIN, DLWEB_DOMAIN, WX_DOMAIN"
+# 从 ROOT_DOMAIN 自动推导子域名（如 .env 中未单独配置）
+if [ -z "$ROOT_DOMAIN" ]; then
+    log_error "请在 .env 中设置 ROOT_DOMAIN（父域名，如 example.com）"
     exit 1
 fi
+: ${API_DOMAIN:="api.${ROOT_DOMAIN}"}
+: ${DLWEB_DOMAIN:="dlapi.${ROOT_DOMAIN}"}
+: ${WX_DOMAIN:="wxapi.${ROOT_DOMAIN}"}
 
 DOMAINS=("$API_DOMAIN" "$DLWEB_DOMAIN" "$WX_DOMAIN")
 
@@ -54,6 +58,12 @@ if ! docker compose version &> /dev/null 2>&1; then
     COMPOSE_CMD="docker-compose"
 fi
 
+# 获取 Docker Compose 项目名（用于 volume 前缀）
+PROJECT_NAME="$($COMPOSE_CMD ps --format '{{.Project}}' 2>/dev/null | head -1)"
+if [ -z "$PROJECT_NAME" ]; then
+    PROJECT_NAME="$(basename "$SCRIPT_DIR")"
+fi
+
 # 解析参数
 STAGING_ARG=""
 DRY_RUN=""
@@ -89,25 +99,31 @@ for domain in "${DOMAINS[@]}"; do
 done
 
 # ============================================
-# Step 2: 将临时证书复制到 certbot volume
+# Step 2: 将临时证书写入 certbot-certs volume
 # ============================================
 log_info "Step 2: 初始化证书 volume..."
 
-# 确保容器和 volume 存在
-$COMPOSE_CMD up -d nginx 2>/dev/null || true
+# 先构建镜像并创建 volume（不启动 nginx，因为证书还没写入）
+$COMPOSE_CMD build nginx 2>/dev/null || true
+$COMPOSE_CMD up --no-start nginx 2>/dev/null || true
 
-# 将临时证书复制到 certbot-certs volume
+# 用临时 alpine 容器直接挂载 certbot-certs volume（读写）写入证书
+# nginx 挂载该卷为 :ro，不能通过 docker cp 写入，需绕过
+DUMMY_CERTS_ABS="$(cd "$(dirname "$0")" && pwd)/docker/nginx/dummy-certs"
 for domain in "${DOMAINS[@]}"; do
-    CERT_DIR="./docker/nginx/dummy-certs/$domain"
     LIVE_DIR="/etc/letsencrypt/live/$domain"
-
-    # 通过 nginx 容器操作 volume
-    docker exec youle-nginx sh -c "mkdir -p $LIVE_DIR" 2>/dev/null || true
-    docker cp "$CERT_DIR/fullchain.pem" "youle-nginx:$LIVE_DIR/fullchain.pem"
-    docker cp "$CERT_DIR/privkey.pem" "youle-nginx:$LIVE_DIR/privkey.pem"
+    log_info "  写入临时证书: $domain"
+    docker run --rm \
+        -v "${PROJECT_NAME}_certbot-certs:/etc/letsencrypt" \
+        -v "$DUMMY_CERTS_ABS/$domain:/src:ro" \
+        alpine sh -c "mkdir -p '$LIVE_DIR' && cp /src/fullchain.pem '$LIVE_DIR/' && cp /src/privkey.pem '$LIVE_DIR/'"
 done
 
-# 重新加载 Nginx 以使用临时证书
+# 启动 nginx（证书已就绪）
+$COMPOSE_CMD up -d nginx 2>/dev/null || true
+sleep 2
+
+# 重新加载 Nginx 以确认证书加载
 docker exec youle-nginx nginx -s reload 2>/dev/null || true
 log_info "  Nginx 已使用临时证书启动"
 
@@ -116,10 +132,25 @@ log_info "  Nginx 已使用临时证书启动"
 # ============================================
 log_info "Step 3: 申请 Let's Encrypt 证书..."
 
+# 清除 volume 中的 dummy 证书目录，避免 certbot 报 "live directory exists"
+log_info "  清理 volume 中的临时证书目录..."
+CLEAN_CMD="rm -rf"
+for domain in "${DOMAINS[@]}"; do
+    CLEAN_CMD="$CLEAN_CMD /etc/letsencrypt/live/$domain /etc/letsencrypt/live/${domain}-* /etc/letsencrypt/archive/$domain /etc/letsencrypt/renewal/$domain.conf"
+done
+docker run --rm \
+    -v "${PROJECT_NAME}_certbot-certs:/etc/letsencrypt" \
+    alpine sh -c "$CLEAN_CMD" 2>/dev/null || true
+
 for domain in "${DOMAINS[@]}"; do
     log_info "  正在为 $domain 申请证书..."
 
-    $COMPOSE_CMD run --rm certbot certonly \
+    docker run --rm \
+        -v "${PROJECT_NAME}_certbot-webroot:/var/www/certbot" \
+        -v "${PROJECT_NAME}_certbot-certs:/etc/letsencrypt" \
+        --entrypoint certbot \
+        certbot/certbot:latest \
+        certonly \
         --webroot \
         -w /var/www/certbot \
         --email "$SSL_EMAIL" \