first commit

deploy/.env.example

@@ -0,0 +1,218 @@
+# =============================================================================
+# Sub2API Docker Environment Configuration
+# =============================================================================
+# Copy this file to .env and modify as needed:
+#   cp .env.example .env
+#   nano .env
+#
+# Then start with: docker-compose up -d
+# =============================================================================
+
+# -----------------------------------------------------------------------------
+# Server Configuration
+# -----------------------------------------------------------------------------
+# Bind address for host port mapping
+BIND_HOST=0.0.0.0
+
+# Server port (exposed on host)
+SERVER_PORT=8080
+
+# Server mode: release or debug
+SERVER_MODE=release
+
+# 运行模式: standard (默认) 或 simple (内部自用)
+# standard: 完整 SaaS 功能，包含计费/余额校验；simple: 隐藏 SaaS 功能并跳过计费/余额校验
+RUN_MODE=standard
+
+# Timezone
+TZ=Asia/Shanghai
+
+# -----------------------------------------------------------------------------
+# PostgreSQL Configuration (REQUIRED)
+# -----------------------------------------------------------------------------
+POSTGRES_USER=sub2api
+POSTGRES_PASSWORD=change_this_secure_password
+POSTGRES_DB=sub2api
+
+# -----------------------------------------------------------------------------
+# Redis Configuration
+# -----------------------------------------------------------------------------
+# Leave empty for no password (default for local development)
+REDIS_PASSWORD=
+REDIS_DB=0
+
+# -----------------------------------------------------------------------------
+# Admin Account
+# -----------------------------------------------------------------------------
+# Email for the admin account
+ADMIN_EMAIL=admin@sub2api.local
+
+# Password for admin account
+# Leave empty to auto-generate (will be shown in logs on first run)
+ADMIN_PASSWORD=
+
+# -----------------------------------------------------------------------------
+# JWT Configuration
+# -----------------------------------------------------------------------------
+# IMPORTANT: Set a fixed JWT_SECRET to prevent login sessions from being
+# invalidated after container restarts. If left empty, a random secret will
+# be generated on each startup, causing all users to be logged out.
+# Generate a secure secret: openssl rand -hex 32
+JWT_SECRET=
+JWT_EXPIRE_HOUR=24
+
+# -----------------------------------------------------------------------------
+# Configuration File (Optional)
+# -----------------------------------------------------------------------------
+# Path to custom config file (relative to docker-compose.yml directory)
+# Copy config.example.yaml to config.yaml and modify as needed
+# Leave unset to use default ./config.yaml
+#CONFIG_FILE=./config.yaml
+
+# -----------------------------------------------------------------------------
+# Rate Limiting (Optional)
+# 速率限制（可选）
+# -----------------------------------------------------------------------------
+# Cooldown time (in minutes) when upstream returns 529 (overloaded)
+# 上游返回 529（过载）时的冷却时间（分钟）
+RATE_LIMIT_OVERLOAD_COOLDOWN_MINUTES=10
+
+# -----------------------------------------------------------------------------
+# Gateway Scheduling (Optional)
+# 调度缓存与受控回源配置（缓存就绪且命中时不读 DB）
+# -----------------------------------------------------------------------------
+# 粘性会话最大排队长度
+GATEWAY_SCHEDULING_STICKY_SESSION_MAX_WAITING=3
+# 粘性会话等待超时（时间段，例如 45s）
+GATEWAY_SCHEDULING_STICKY_SESSION_WAIT_TIMEOUT=120s
+# 兜底排队等待超时（时间段，例如 30s）
+GATEWAY_SCHEDULING_FALLBACK_WAIT_TIMEOUT=30s
+# 兜底最大排队长度
+GATEWAY_SCHEDULING_FALLBACK_MAX_WAITING=100
+# 启用调度批量负载计算
+GATEWAY_SCHEDULING_LOAD_BATCH_ENABLED=true
+# 并发槽位清理周期（时间段，例如 30s）
+GATEWAY_SCHEDULING_SLOT_CLEANUP_INTERVAL=30s
+# 是否允许受控回源到 DB（默认 true，保持现有行为）
+GATEWAY_SCHEDULING_DB_FALLBACK_ENABLED=true
+# 受控回源超时（秒），0 表示不额外收紧超时
+GATEWAY_SCHEDULING_DB_FALLBACK_TIMEOUT_SECONDS=0
+# 受控回源限流（实例级 QPS），0 表示不限制
+GATEWAY_SCHEDULING_DB_FALLBACK_MAX_QPS=0
+# outbox 轮询周期（秒）
+GATEWAY_SCHEDULING_OUTBOX_POLL_INTERVAL_SECONDS=1
+# outbox 滞后告警阈值（秒）
+GATEWAY_SCHEDULING_OUTBOX_LAG_WARN_SECONDS=5
+# outbox 触发强制重建阈值（秒）
+GATEWAY_SCHEDULING_OUTBOX_LAG_REBUILD_SECONDS=10
+# outbox 连续滞后触发次数
+GATEWAY_SCHEDULING_OUTBOX_LAG_REBUILD_FAILURES=3
+# outbox 积压触发重建阈值（行数）
+GATEWAY_SCHEDULING_OUTBOX_BACKLOG_REBUILD_ROWS=10000
+# 全量重建周期（秒）
+GATEWAY_SCHEDULING_FULL_REBUILD_INTERVAL_SECONDS=300
+
+# -----------------------------------------------------------------------------
+# Dashboard Aggregation (Optional)
+# -----------------------------------------------------------------------------
+# Enable aggregation job
+# 启用仪表盘预聚合
+DASHBOARD_AGGREGATION_ENABLED=true
+# Refresh interval (seconds)
+# 刷新间隔（秒）
+DASHBOARD_AGGREGATION_INTERVAL_SECONDS=60
+# Lookback window (seconds)
+# 回看窗口（秒）
+DASHBOARD_AGGREGATION_LOOKBACK_SECONDS=120
+# Allow manual backfill
+# 允许手动回填
+DASHBOARD_AGGREGATION_BACKFILL_ENABLED=false
+# Backfill max range (days)
+# 回填最大跨度（天）
+DASHBOARD_AGGREGATION_BACKFILL_MAX_DAYS=31
+# Recompute recent N days on startup
+# 启动时重算最近 N 天
+DASHBOARD_AGGREGATION_RECOMPUTE_DAYS=2
+# Retention windows (days)
+# 保留窗口（天）
+DASHBOARD_AGGREGATION_RETENTION_USAGE_LOGS_DAYS=90
+DASHBOARD_AGGREGATION_RETENTION_HOURLY_DAYS=180
+DASHBOARD_AGGREGATION_RETENTION_DAILY_DAYS=730
+
+# -----------------------------------------------------------------------------
+# Security Configuration
+# -----------------------------------------------------------------------------
+# URL Allowlist Configuration
+# 启用 URL 白名单验证（false 则跳过白名单检查，仅做基本格式校验）
+SECURITY_URL_ALLOWLIST_ENABLED=false
+
+# 关闭白名单时，是否允许 http:// URL（默认 false，只允许 https://）
+# ⚠️ 警告：允许 HTTP 存在安全风险（明文传输），仅建议在开发/测试环境或可信内网中使用
+# Allow insecure HTTP URLs when allowlist is disabled (default: false, requires https)
+# ⚠️ WARNING: Allowing HTTP has security risks (plaintext transmission)
+#             Only recommended for dev/test environments or trusted networks
+SECURITY_URL_ALLOWLIST_ALLOW_INSECURE_HTTP=true
+
+# 是否允许本地/私有 IP 地址用于上游/定价/CRS（仅在可信网络中使用）
+# Allow localhost/private IPs for upstream/pricing/CRS (use only in trusted networks)
+SECURITY_URL_ALLOWLIST_ALLOW_PRIVATE_HOSTS=true
+
+# -----------------------------------------------------------------------------
+# Gemini OAuth (OPTIONAL, required only for Gemini OAuth accounts)
+# -----------------------------------------------------------------------------
+# Sub2API supports TWO Gemini OAuth modes:
+#
+# 1. Code Assist OAuth (需要 GCP project_id)
+#    - Uses: cloudcode-pa.googleapis.com (Code Assist API)
+#    - Auto scopes: cloud-platform + userinfo.email + userinfo.profile
+#    - OAuth Client: Can use built-in Gemini CLI client (留空即可)
+#    - Requires: Google Cloud Platform project with Code Assist enabled
+#
+# 2. AI Studio OAuth (不需要 project_id)
+#    - Uses: generativelanguage.googleapis.com (AI Studio API)
+#    - Default scopes: generative-language
+#    - OAuth Client: Requires your own OAuth 2.0 Client (内置 Gemini CLI client 不能申请 generative-language scope)
+#    - Requires: Create OAuth 2.0 Client in GCP Console + OAuth consent screen
+#    - Setup Guide: https://ai.google.dev/gemini-api/docs/oauth
+#    - ⚠️ IMPORTANT: OAuth Client 必须发布为正式版本 (Production)
+#      Testing 模式限制: 只能添加 100 个测试用户, refresh token 7 天后过期
+#      发布步骤: GCP Console → OAuth consent screen → PUBLISH APP
+#
+# Configuration:
+# Leave empty to use the built-in Gemini CLI OAuth client (Code Assist OAuth only).
+# To enable AI Studio OAuth, set your own OAuth client ID/secret here.
+GEMINI_OAUTH_CLIENT_ID=
+GEMINI_OAUTH_CLIENT_SECRET=
+# Optional; leave empty to auto-select scopes based on oauth_type
+GEMINI_OAUTH_SCOPES=
+
+# -----------------------------------------------------------------------------
+# Gemini Quota Policy (OPTIONAL, local simulation)
+# -----------------------------------------------------------------------------
+# JSON overrides for local quota simulation (Code Assist only).
+# Example:
+# GEMINI_QUOTA_POLICY={"tiers":{"LEGACY":{"pro_rpd":50,"flash_rpd":1500,"cooldown_minutes":30},"PRO":{"pro_rpd":1500,"flash_rpd":4000,"cooldown_minutes":5},"ULTRA":{"pro_rpd":2000,"flash_rpd":0,"cooldown_minutes":5}}}
+GEMINI_QUOTA_POLICY=
+
+# -----------------------------------------------------------------------------
+# Ops Monitoring Configuration (运维监控配置)
+# -----------------------------------------------------------------------------
+# Enable ops monitoring features (background jobs and APIs)
+# 是否启用运维监控功能（后台任务和接口）
+# Set to false to hide ops menu in sidebar and disable all ops features
+# 设置为 false 可在左侧栏隐藏运维监控菜单并禁用所有运维监控功能
+OPS_ENABLED=true
+
+# -----------------------------------------------------------------------------
+# Update Configuration (在线更新配置)
+# -----------------------------------------------------------------------------
+# Proxy URL for accessing GitHub (used for online updates and pricing data)
+# 用于访问 GitHub 的代理地址（用于在线更新和定价数据获取）
+# Supports: http, https, socks5, socks5h
+# Examples:
+#   HTTP proxy: http://127.0.0.1:7890
+#   SOCKS5 proxy: socks5://127.0.0.1:1080
+#   With authentication: http://user:pass@proxy.example.com:8080
+# Leave empty for direct connection (recommended for overseas servers)
+# 留空表示直连（适用于海外服务器）
+UPDATE_PROXY_URL=