Upload 6 files

Dockerfile

@@ -0,0 +1,65 @@
+# Use a lightweight Debian base for a simplified Linux environment
+FROM debian:bookworm-slim
+
+# Set environment variables to avoid interactive prompts during installation
+ENV DEBIAN_FRONTEND=noninteractive
+ENV HOME=/home/user
+ENV PATH=$HOME/.local/bin:$PATH
+
+# Install essential system packages and build tools
+# - sudo: Required for root privileges
+# - build-essential, cmake: Required for compiling software like OpenClaw
+# - curl, wget, git: Basic tools for downloading and version control
+# - vim, nano: Text editors
+# - nginx, netcat-openbsd: Required for Auth Proxy
+RUN apt-get update && apt-get install -y \
+    curl \
+    wget \
+    git \
+    sudo \
+    vim \
+    nano \
+    unzip \
+    procps \
+    net-tools \
+    nginx \
+    netcat-openbsd \
+    build-essential \
+    cmake \
+    pkg-config \
+    && apt-get clean && rm -rf /var/lib/apt/lists/*
+
+# Install ttyd (Web Terminal)
+RUN wget https://github.com/tsl0922/ttyd/releases/download/1.7.7/ttyd.x86_64 -O /usr/bin/ttyd \
+    && chmod +x /usr/bin/ttyd
+
+# Install oauth2-proxy
+RUN wget https://github.com/oauth2-proxy/oauth2-proxy/releases/download/v7.6.0/oauth2-proxy-v7.6.0.linux-amd64.tar.gz \
+    && tar -xzf oauth2-proxy-v7.6.0.linux-amd64.tar.gz \
+    && mv oauth2-proxy-v7.6.0.linux-amd64/oauth2-proxy /usr/bin/oauth2-proxy \
+    && chmod +x /usr/bin/oauth2-proxy \
+    && rm -rf oauth2-proxy-v7.6.0.linux-amd64*
+
+# Create a non-root user 'user' (UID 1000) for security and Hugging Face compatibility
+# Grant sudo privileges without password for easy administration
+RUN useradd -m -u 1000 user && \
+    echo 'user ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
+
+# Set working directory to user's home
+WORKDIR $HOME
+
+# Copy configuration files
+COPY --chown=user:user nginx.conf /etc/nginx/nginx.conf
+COPY --chown=user:user oauth2-proxy-github.cfg $HOME/oauth2-proxy-github.cfg
+COPY --chown=user:user sign_in.html /var/www/html/theme/sign_in.html
+COPY --chown=user:user start.sh $HOME/start.sh
+RUN chmod +x $HOME/start.sh
+
+# Switch to the non-root user
+USER user
+
+# Expose port 7860 (Standard for Hugging Face Spaces)
+EXPOSE 7860
+
+# Start via entrypoint script
+CMD ["./start.sh"]

README.md

@@ -1,11 +1,118 @@
----
-title: VPS Linux OpenClaw 01
-emoji: 🌖
-colorFrom: pink
-colorTo: green
-sdk: docker
-pinned: false
-license: mit
----
-
-Check out the configuration reference at https://huggingface.co/docs/hub/spaces-config-reference
+---
+title: VPS Linux
+emoji: 🐨
+colorFrom: red
+colorTo: green
+sdk: docker
+pinned: false
+license: mit
+---
+
+# Simplified Linux VPS on Hugging Face Spaces
+
+This project provides a simplified Linux VPS on Hugging Face Spaces with:
+
+- Debian Bookworm Slim base
+- Browser terminal powered by `ttyd`
+- GitHub OAuth authentication via `nginx + oauth2-proxy`
+- Simple allowlist control
+
+Users can access the Linux terminal only after successful GitHub login.
+
+## 🚀 Quick Start
+
+### 1) Create a Hugging Face Space
+
+1. Log in to Hugging Face.
+2. Click your avatar in the top right corner and choose **New Space**.
+3. Enter a Space name (for example: `my-linux-vps`).
+4. Select **SDK: Docker**.
+5. Select **Docker Template: Blank**.
+6. Click **Create Space**.
+
+### 2) Upload project files
+
+Upload all files from this folder to your Space repository.
+
+### 3) Configure Variables and Secrets
+
+In **Space Settings -> Variables and Secrets**, add:
+
+**Variables**
+
+- `SPACE_PUBLIC_URL=https://<your-space-name>.hf.space`
+- `ALLOWED_USERS=user1@gmail.com,github_username_1` (Supports GitHub email addresses or usernames)
+
+**Secrets**
+
+- `GITHUB_CLIENT_ID=<github oauth app client id>`
+- `GITHUB_CLIENT_SECRET=<github oauth app client secret>`
+- `OAUTH2_PROXY_COOKIE_SECRET=<32-byte-base64-secret>`
+
+Requirements:
+
+- Secret values must be plain text (no quotes, no leading/trailing spaces).
+- `SPACE_PUBLIC_URL` must not include a trailing slash.
+
+### 4) Configure GitHub OAuth callback
+
+In your GitHub OAuth App, set callback URL to:
+
+`https://<your-space-name>.hf.space/oauth2/callback`
+
+`SPACE_PUBLIC_URL` and callback domain must match exactly.
+During login consent, the app requests `user:email` scope only.
+
+### 5) Access the VPS
+
+1. Wait until the Space status is **Running**.
+2. Open the **App** tab.
+3. Sign in with GitHub.
+4. After successful authentication, the web terminal will be available.
+
+## 🛠️ Features
+
+- **Base system**: Debian Bookworm Slim
+- **Privileges**: default `user` has passwordless sudo
+- **Toolchain**: `git`, `curl`, `wget`, `vim`, `nano`, `build-essential`, `cmake`
+- **Web terminal**: `ttyd`
+- **Authentication**: `nginx + oauth2-proxy` (GitHub only)
+- **Allowlist**: supports GitHub email addresses and GitHub usernames in `ALLOWED_USERS`
+
+## 🎮 How to Build OpenClaw
+
+OpenClaw needs extra dependencies. Hugging Face Spaces has no native display, so GUI execution usually fails unless you set up VNC/X11 manually.
+
+### Install dependencies
+
+```bash
+sudo apt-get update
+sudo apt-get install -y \
+    libsdl2-dev \
+    libsdl2-image-dev \
+    libsdl2-mixer-dev \
+    libsdl2-ttf-dev \
+    libxml2-dev \
+    zlib1g-dev
+```
+
+### Clone and compile
+
+```bash
+git clone https://github.com/pjasicek/OpenClaw.git
+cd OpenClaw
+mkdir build && cd build
+cmake ..
+make -j$(nproc)
+```
+
+## Notes
+
+- Running `./OpenClaw` may fail with `Could not initialize SDL: No available video device`.
+- After Space restart, files outside `/data` may be lost. Save important data in `/data` (if persistent storage is enabled) or sync with Git.
+- **Troubleshooting 500 Errors**: If you encounter a 500 error during login, ensure you have removed any legacy `OAUTH2_PROXY_GITHUB_ORG` variables from Space Settings, revoke the GitHub App authorization, and clear your browser cookies.
+
+## ⚠️ Security Warning
+
+- This VPS has elevated privileges. Do not store sensitive keys inside it.
+- Public Spaces are accessible unless protected. This project protects terminal access with GitHub OAuth and allowlist rules.

nginx.conf

@@ -0,0 +1,68 @@
+worker_processes auto;
+pid /tmp/nginx.pid;
+
+events {
+    worker_connections 768;
+}
+
+http {
+    sendfile on;
+    tcp_nopush on;
+    types_hash_max_size 2048;
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    access_log /dev/stdout;
+    error_log /dev/stderr;
+
+    client_body_temp_path /tmp/client_body;
+    proxy_temp_path /tmp/proxy;
+    fastcgi_temp_path /tmp/fastcgi;
+    uwsgi_temp_path /tmp/uwsgi;
+    scgi_temp_path /tmp/scgi;
+
+    server {
+        listen 7860;
+        server_name localhost;
+
+        # Custom sign-in page
+        location = /signin {
+            root /var/www/html/theme;
+            try_files /sign_in.html =404;
+        }
+
+        # OAuth2 Proxy endpoints
+        location /oauth2/ {
+            proxy_pass http://127.0.0.1:4180;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Scheme $scheme;
+            proxy_set_header X-Auth-Request-Redirect $request_uri;
+        }
+
+        location = /oauth2/auth {
+            internal;
+            proxy_pass http://127.0.0.1:4180;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Scheme $scheme;
+            proxy_set_header Content-Length "";
+            proxy_pass_request_body off;
+        }
+
+        # Main application (ttyd) protected by auth_request
+        location / {
+            auth_request /oauth2/auth;
+            error_page 401 = /signin;
+
+            proxy_pass http://127.0.0.1:7681;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }
+    }
+}

oauth2-proxy-github.cfg

@@ -0,0 +1,12 @@
+http_address = "127.0.0.1:4180"
+provider = "github"
+email_domains = ["*"]
+cookie_secure = true
+cookie_httponly = true
+cookie_refresh = "1h"
+cookie_expire = "168h"
+reverse_proxy = true
+set_xauthrequest = true
+skip_provider_button = true
+upstreams = ["http://127.0.0.1:7681"]
+request_logging = true

sign_in.html

@@ -0,0 +1,104 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <title>Sign In - VPS Linux</title>
+    <style>
+        :root {
+            /* 页面背景色 - 极深黑 */
+            --bg-color: #050505;
+            /* 卡片背景色 - 稍浅的黑 */
+            --card-bg: #0f0f0f;
+            /* 标题颜色 - 纯白 */
+            --title-color: #ffffff;
+            /* 副标题颜色 - 灰色 */
+            --subtitle-color: #888888;
+            /* 边框颜色 - 极淡灰 */
+            --border-color: #222222;
+            /* 按钮背景 - 深灰 */
+            --button-bg: #1c1c1c;
+            /* 按钮文字 - 浅灰 */
+            --button-text: #e1e1e1;
+            /* 按钮悬停 - 稍亮灰 */
+            --button-hover: #2a2a2a;
+        }
+
+        body {
+            background-color: var(--bg-color);
+            color: var(--title-color);
+            font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif;
+            display: flex;
+            align-items: center;
+            justify-content: center;
+            height: 100vh;
+            margin: 0;
+        }
+
+        .login-container {
+            background-color: var(--card-bg);
+            border: 1px solid var(--border-color);
+            border-radius: 12px;
+            padding: 48px 40px;
+            width: 100%;
+            max-width: 360px;
+            text-align: center;
+            /* 柔和阴影 */
+            box-shadow: 0 4px 24px rgba(0, 0, 0, 0.4);
+        }
+
+        .logo {
+            width: 64px;
+            height: 64px;
+            margin: 0 auto 24px;
+            /* 红色实心机器人 SVG */
+            background-image: url('data:image/svg+xml;utf8,<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64"><path fill="%23ff595e" d="M32 6C18.745 6 8 16.745 8 30c0 8.837 4.785 16.685 12.049 21.146-.688 2.375-2.049 4.354-2.049 4.354s4.5.5 8.5-2.5c1.616.323 3.298.5 5 .5 13.255 0 24-10.745 24-24S45.255 6 32 6zm-8 22c-2.209 0-4-1.791-4-4s1.791-4 4-4 4 1.791 4 4-1.791 4-4 4zm16 0c-2.209 0-4-1.791-4-4s1.791-4 4-4 4 1.791 4 4-1.791 4-4 4z"/><circle cx="24" cy="28" r="2" fill="%23333"/><circle cx="40" cy="28" r="2" fill="%23333"/></svg>');
+            background-repeat: no-repeat;
+            background-position: center;
+            background-size: contain;
+        }
+
+        h1 {
+            font-size: 24px;
+            font-weight: 600;
+            margin: 0 0 12px;
+            color: var(--title-color);
+        }
+
+        p {
+            color: var(--subtitle-color);
+            margin: 0 0 32px;
+            font-size: 14px;
+            line-height: 1.5;
+        }
+
+        .btn {
+            display: block;
+            width: 100%;
+            padding: 14px;
+            border-radius: 8px;
+            border: none;
+            background-color: var(--button-bg);
+            color: var(--button-text);
+            font-size: 14px;
+            font-weight: 600;
+            text-decoration: none;
+            box-sizing: border-box;
+            cursor: pointer;
+            transition: background-color 0.2s ease;
+        }
+
+        .btn:hover {
+            background-color: var(--button-hover);
+        }
+    </style>
+</head>
+<body>
+    <div class="login-container">
+        <div class="logo"></div>
+        <h1>Welcome Back</h1>
+        <p>Sign in to access your VPS Linux environment</p>
+        <a class="btn" href="/oauth2/start?rd=/">Sign in with GitHub</a>
+    </div>
+</body>
+</html>

start.sh

@@ -0,0 +1,91 @@
+#!/bin/bash
+set -e
+set -x
+
+# 1. 强制清理遗留的组织校验变量（避免500错误）
+unset OAUTH2_PROXY_GITHUB_ORG OAUTH2_PROXY_GITHUB_ORGS
+unset OAUTH2_PROXY_GITHUB_TEAM OAUTH2_PROXY_GITHUB_TEAMS
+unset OAUTH2_PROXY_GITHUB_REPO OAUTH2_PROXY_GITHUB_REPOS
+unset OAUTH2_PROXY_ALLOWED_GROUPS
+
+# 2. 检查必要变量
+if [ -z "$ALLOWED_USERS" ]; then
+    echo "Error: ALLOWED_USERS is required."
+    exit 1
+fi
+
+if [ -z "$GITHUB_CLIENT_ID" ] || [ -z "$GITHUB_CLIENT_SECRET" ] || [ -z "$OAUTH2_PROXY_COOKIE_SECRET" ]; then
+    echo "Error: GitHub Secrets (CLIENT_ID, CLIENT_SECRET, COOKIE_SECRET) are required."
+    exit 1
+fi
+
+if [ -z "$SPACE_PUBLIC_URL" ]; then
+    echo "Error: SPACE_PUBLIC_URL is required."
+    exit 1
+fi
+
+# 3. 变量清洗
+trim_secret() {
+    printf "%s" "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | tr -d '\r' | sed 's/^"//;s/"$//'
+}
+GITHUB_CLIENT_ID=$(trim_secret "$GITHUB_CLIENT_ID")
+GITHUB_CLIENT_SECRET=$(trim_secret "$GITHUB_CLIENT_SECRET")
+OAUTH2_PROXY_COOKIE_SECRET=$(trim_secret "$OAUTH2_PROXY_COOKIE_SECRET")
+SPACE_PUBLIC_URL=$(echo "$SPACE_PUBLIC_URL" | sed "s/[[:space:]]//g" | sed "s/\`//g")
+SPACE_PUBLIC_URL="${SPACE_PUBLIC_URL%/}"
+
+# 4. 生成白名单文件
+AUTH_FILE="/tmp/authenticated_emails.txt"
+> "$AUTH_FILE"
+declare -a GITHUB_USERS
+IFS=',' read -ra USERS <<< "$ALLOWED_USERS"
+for USER_ITEM in "${USERS[@]}"; do
+    USER_ITEM=$(echo "$USER_ITEM" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
+    [ -z "$USER_ITEM" ] && continue
+    
+    # 区分邮箱与用户名
+    if [[ "$USER_ITEM" == *"@"* ]]; then
+        echo "$USER_ITEM" | tr '[:upper:]' '[:lower:]' >> "$AUTH_FILE"
+    else
+        GITHUB_USERS+=("$(echo "$USER_ITEM" | tr '[:upper:]' '[:lower:]')")
+    fi
+done
+
+# 5. 启动 ttyd
+echo "Starting ttyd..."
+ttyd -p 7681 -i 127.0.0.1 -W bash &
+
+# 6. 启动 oauth2-proxy (GitHub)
+echo "Starting oauth2-proxy..."
+GITHUB_CMD=(oauth2-proxy \
+    --config=$HOME/oauth2-proxy-github.cfg \
+    --client-id="$GITHUB_CLIENT_ID" \
+    --client-secret="$GITHUB_CLIENT_SECRET" \
+    --cookie-secret="$OAUTH2_PROXY_COOKIE_SECRET" \
+    --cookie-name="_oauth2_proxy_github" \
+    --scope="user:email" \
+    --show-debug-on-error=true \
+    --redirect-url="$SPACE_PUBLIC_URL/oauth2/callback")
+
+# 按需挂载白名单
+if [ -s "$AUTH_FILE" ]; then
+    GITHUB_CMD+=("--authenticated-emails-file=$AUTH_FILE")
+fi
+for GH_USER in "${GITHUB_USERS[@]}"; do
+    GITHUB_CMD+=("--github-user=$GH_USER")
+done
+
+"${GITHUB_CMD[@]}" 2>&1 &
+
+# 7. 等待服务就绪
+for i in {1..30}; do
+    if nc -z 127.0.0.1 4180 && nc -z 127.0.0.1 7681; then
+        echo "Services ready."
+        break
+    fi
+    sleep 1
+done
+
+# 8. 启动 Nginx
+echo "Starting Nginx..."
+nginx -g "daemon off;"