Create Dockerfile

Dockerfile

@@ -0,0 +1,505 @@
+# OpenClaw on Hugging Face Spaces
+
+FROM node:22-slim
+
+# 1. 基础依赖
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    git openssh-client build-essential python3 python3-pip \
+    g++ make ca-certificates curl \
+    && rm -rf /var/lib/apt/lists/*
+
+# 2. 安装 Hugging Face Hub
+RUN pip3 install --no-cache-dir huggingface_hub --break-system-packages
+
+# 3. Git 配置
+RUN update-ca-certificates && \
+    git config --global http.sslVerify false && \
+    git config --global url."https://github.com/".insteadOf ssh://git@github.com/
+
+# 4. 安装 OpenClaw
+RUN npm install -g openclaw@latest --unsafe-perm
+
+# 5. 环境变量预设 - 所有可配置的环境变量，使用 ${VAR:-default} 格式
+ENV \
+    # 基础配置
+    PORT=${PORT:-7860} \
+    NODE_ENV=${NODE_ENV:-production} \
+    HOME=${HOME:-/root} \
+    \
+    # OpenClaw 核心配置
+    OPENCLAW_GATEWAY_MODE=${OPENCLAW_GATEWAY_MODE:-local} \
+    OPENCLAW_GATEWAY_TOKEN=${OPENCLAW_GATEWAY_TOKEN:-} \
+    \
+    # 模型配置
+    MODEL_PROVIDER=${MODEL_PROVIDER:-nvidia} \
+    MODEL_ID=${MODEL_ID:-moonshotai/kimi-k2.5} \
+    MODEL_CONTEXT_WINDOW=${MODEL_CONTEXT_WINDOW:-256000} \
+    MODEL_DISPLAY_NAME=${MODEL_DISPLAY_NAME:-"Kimi K2.5"} \
+    MODEL_MODE=${MODEL_MODE:-"replace"} \
+    \
+    # API 配置
+    API_BASE_URL=${API_BASE_URL:-https://integrate.api.nvidia.com/v1} \
+    API_TYPE=${API_TYPE:-openai-completions} \
+    OPENAI_API_KEY=${OPENAI_API_KEY:-} \
+    \
+    # 网关配置
+    GATEWAY_AUTH_MODE=${GATEWAY_AUTH_MODE:-token} \
+    GATEWAY_BIND=${GATEWAY_BIND:-lan} \
+    GATEWAY_TRUSTED_PROXIES=${GATEWAY_TRUSTED_PROXIES:-0.0.0.0/0,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16} \
+    GATEWAY_ALLOWED_ORIGINS=${GATEWAY_ALLOWED_ORIGINS:-https://control.example.com} \
+    \
+    # 控制UI配置
+    CONTROLUI_ALLOW_INSECURE_AUTH=${CONTROLUI_ALLOW_INSECURE_AUTH:-true} \
+    CONTROLUI_DANGEROUS_HOST_HEADER=${CONTROLUI_DANGEROUS_HOST_HEADER:-true} \
+    CONTROLUI_DANGEROUS_DISABLE_DEVICE_AUTH=${CONTROLUI_DANGEROUS_DISABLE_DEVICE_AUTH:-true} \
+    \
+    # Telegram 配置
+    TELEGRAM_ENABLED=${TELEGRAM_ENABLED:-false} \
+    TELEGRAM_BOT_TOKEN=${TELEGRAM_BOT_TOKEN:-} \
+    TELEGRAM_DM_POLICY=${TELEGRAM_DM_POLICY:-allowlist} \
+    TELEGRAM_ALLOW_FROM=${TELEGRAM_ALLOW_FROM:-} \
+    TELEGRAM_PROXY_HOST=${TELEGRAM_PROXY_HOST:-} \
+    \
+    # 备份配置
+    BACKUP_ENABLED=${BACKUP_ENABLED:-true} \
+    BACKUP_INTERVAL=${BACKUP_INTERVAL:-21600} \
+    BACKUP_RETENTION_DAYS=${BACKUP_RETENTION_DAYS:-5} \
+    HF_DATASET=${HF_DATASET:-} \
+    HF_TOKEN=${HF_TOKEN:-}
+
+# 6. 同步脚本 - 备份和恢复整个 .openclaw 目录
+RUN cat > /usr/local/bin/sync.py << 'SYNC_EOF'
+#!/usr/bin/env python3
+import os
+import sys
+import tarfile
+import shutil
+from huggingface_hub import HfApi, hf_hub_download
+from datetime import datetime, timedelta
+
+api = HfApi()
+repo_id = os.getenv("HF_DATASET", "")
+token = os.getenv("HF_TOKEN", "")
+retention_days = int(os.getenv("BACKUP_RETENTION_DAYS", "5"))
+
+OPENCLAW_DIR = "/root/.openclaw"
+BACKUP_DIR = "/tmp/openclaw_backups"
+
+def ensure_backup_dir():
+    """确保备份临时目录存在"""
+    os.makedirs(BACKUP_DIR, exist_ok=True)
+
+def restore():
+    """从 Hugging Face Dataset 恢复最新的 .openclaw 目录"""
+    if not repo_id or not token:
+        print("⚠️  HF_DATASET 或 HF_TOKEN 未设置，跳过恢复")
+        return False
+    
+    if not os.path.exists(OPENCLAW_DIR):
+        os.makedirs(OPENCLAW_DIR, mode=0o755, exist_ok=True)
+    
+    try:
+        # 列出数据集中的所有文件
+        files = api.list_repo_files(repo_id=repo_id, repo_type="dataset", token=token)
+        backup_files = [f for f in files if f.startswith("backup_") and f.endswith(".tar.gz")]
+        
+        if not backup_files:
+            print("ℹ️  没有找到备份文件")
+            return False
+        
+        # 按日期排序，获取最新的备份
+        backup_files.sort(reverse=True)
+        latest_backup = backup_files[0]
+        
+        print(f"📥 发现最新备份: {latest_backup}")
+        
+        # 下载备份文件
+        ensure_backup_dir()
+        local_backup_path = os.path.join(BACKUP_DIR, latest_backup)
+        
+        print(f"⬇️  下载备份文件...")
+        downloaded_path = hf_hub_download(
+            repo_id=repo_id,
+            filename=latest_backup,
+            repo_type="dataset",
+            token=token,
+            local_dir=BACKUP_DIR,
+            local_dir_use_symlinks=False
+        )
+        
+        # 创建临时恢复目录
+        restore_temp = os.path.join(BACKUP_DIR, "restore_temp")
+        if os.path.exists(restore_temp):
+            shutil.rmtree(restore_temp)
+        os.makedirs(restore_temp)
+        
+        # 解压备份文件
+        print(f"📦 解压备份文件...")
+        with tarfile.open(downloaded_path, "r:gz") as tar:
+            tar.extractall(path=restore_temp)
+        
+        # 检查解压后的内容
+        extracted_items = os.listdir(restore_temp)
+        print(f"解压内容: {extracted_items}")
+        
+        # 情况1: 解压后直接是 .openclaw 目录
+        if ".openclaw" in extracted_items:
+            source_dir = os.path.join(restore_temp, ".openclaw")
+        # 情况2: 解压后是目录内容（sessions, openclaw.json 等）
+        elif set(extracted_items) & {"sessions", "openclaw.json", "workspace"}:
+            source_dir = restore_temp
+        else:
+            print(f"❌ 无法识别的备份格式: {extracted_items}")
+            return False
+        
+        # 备份当前目录（如果需要）
+        if os.path.exists(OPENCLAW_DIR) and os.listdir(OPENCLAW_DIR):
+            backup_current = os.path.join(BACKUP_DIR, "current_before_restore")
+            if os.path.exists(backup_current):
+                shutil.rmtree(backup_current)
+            shutil.copytree(OPENCLAW_DIR, backup_current)
+            print(f"💾 已备份当前目录到: {backup_current}")
+        
+        # 清空并恢复目标目录
+        print(f"🔄 恢复数据到 {OPENCLAW_DIR}...")
+        if os.path.exists(OPENCLAW_DIR):
+            # 删除所有内容但不删除目录本身
+            for item in os.listdir(OPENCLAW_DIR):
+                item_path = os.path.join(OPENCLAW_DIR, item)
+                if os.path.isfile(item_path):
+                    os.remove(item_path)
+                elif os.path.isdir(item_path):
+                    shutil.rmtree(item_path)
+        
+        # 复制所有文件
+        for item in os.listdir(source_dir):
+            src = os.path.join(source_dir, item)
+            dst = os.path.join(OPENCLAW_DIR, item)
+            if os.path.isdir(src):
+                shutil.copytree(src, dst)
+            else:
+                shutil.copy2(src, dst)
+        
+        print(f"✅ 恢复完成！")
+        
+        # 清理临时文件
+        shutil.rmtree(restore_temp)
+        os.remove(downloaded_path)
+        
+        return True
+        
+    except Exception as e:
+        print(f"❌ 恢复失败: {e}")
+        return False
+
+def backup():
+    """备份整个 .openclaw 目录到 Hugging Face Dataset"""
+    if not repo_id or not token:
+        print("⚠️  HF_DATASET 或 HF_TOKEN 未设置，跳过备份")
+        return
+    
+    if not os.path.exists(OPENCLAW_DIR) or not os.listdir(OPENCLAW_DIR):
+        print("ℹ️  .openclaw 目录为空，跳过备份")
+        return
+    
+    try:
+        # 生成备份文件名
+        today = datetime.now().strftime("%Y-%m-%d")
+        backup_filename = f"backup_{today}.tar.gz"
+        backup_path = os.path.join(BACKUP_DIR, backup_filename)
+        
+        ensure_backup_dir()
+        
+        print(f"📦 创建备份: {backup_filename}")
+        
+        # 创建备份
+        with tarfile.open(backup_path, "w:gz") as tar:
+            tar.add(OPENCLAW_DIR, arcname=".openclaw")
+        
+        # 上传到 Hugging Face
+        print(f"⬆️  上传到 Hugging Face Dataset: {repo_id}")
+        api.upload_file(
+            path_or_fileobj=backup_path,
+            path_in_repo=backup_filename,
+            repo_id=repo_id,
+            repo_type="dataset",
+            token=token
+        )
+        
+        print(f"✅ 备份完成: {backup_filename}")
+        
+        # 清理旧备份（可选，保留最近 retention_days 天的备份）
+        try:
+            files = api.list_repo_files(repo_id=repo_id, repo_type="dataset", token=token)
+            backup_files = [f for f in files if f.startswith("backup_") and f.endswith(".tar.gz")]
+            backup_files.sort()
+            
+            # 如果备份文件数量超过保留天数，删除最旧的
+            while len(backup_files) > retention_days:
+                oldest = backup_files.pop(0)
+                print(f"🗑️  删除旧备份: {oldest}")
+                api.delete_file(
+                    path_in_repo=oldest,
+                    repo_id=repo_id,
+                    repo_type="dataset",
+                    token=token
+                )
+        except Exception as e:
+            print(f"⚠️  清理旧备份失败: {e}")
+        
+        # 删除本地临时文件
+        os.remove(backup_path)
+        
+    except Exception as e:
+        print(f"❌ 备份失败: {e}")
+
+def list_backups():
+    """列出所有可用的备份"""
+    if not repo_id or not token:
+        print("⚠️  HF_DATASET 或 HF_TOKEN 未设置")
+        return
+    
+    try:
+        files = api.list_repo_files(repo_id=repo_id, repo_type="dataset", token=token)
+        backup_files = [f for f in files if f.startswith("backup_") and f.endswith(".tar.gz")]
+        backup_files.sort(reverse=True)
+        
+        if backup_files:
+            print("📋 可用的备份:")
+            for i, f in enumerate(backup_files, 1):
+                print(f"  {i}. {f}")
+        else:
+            print("ℹ️  没有找到备份文件")
+            
+    except Exception as e:
+        print(f"❌ 列出备份��败: {e}")
+
+if __name__ == "__main__":
+    if len(sys.argv) > 1:
+        if sys.argv[1] == "backup":
+            backup()
+        elif sys.argv[1] == "restore":
+            restore()
+        elif sys.argv[1] == "list":
+            list_backups()
+        else:
+            print(f"未知命令: {sys.argv[1]}")
+            print("可用命令: backup, restore, list")
+    else:
+        # 默认执行恢复
+        restore()
+SYNC_EOF
+RUN chmod +x /usr/local/bin/sync.py
+
+# 7. Telegram API 替换脚本
+RUN cat > /usr/local/bin/patch-telegram-api << 'PATCH_EOF'
+#!/bin/bash
+
+# 如果设置了 TELEGRAM_PROXY_HOST，则替换所有 Telegram API 地址
+if [ -n "$TELEGRAM_PROXY_HOST" ]; then
+    echo "🔧 检测到 TELEGRAM_PROXY_HOST 设置: $TELEGRAM_PROXY_HOST"
+    echo "🔄 开始替换 OpenClaw 中的 Telegram API 地址..."
+    
+    OPENCLAW_DIR="/usr/local/lib/node_modules/openclaw"
+    
+    if [ -d "$OPENCLAW_DIR" ]; then
+        # 统计替换前的匹配数量
+        MATCH_COUNT=$(grep -r "api.telegram.org" "$OPENCLAW_DIR" 2>/dev/null | wc -l)
+        echo "📊 找到 $MATCH_COUNT 处需要替换的地址"
+        
+        # 执行替换（使用 sed -i 进行原地替换）
+        # 处理 .js 文件
+        find "$OPENCLAW_DIR" -type f -name "*.js" -exec sed -i "s|api\\.telegram\\.org|$TELEGRAM_PROXY_HOST|g" {} +
+        
+        # 再次检查是否还有未替换的（可能是其他格式）
+        REMAINING=$(grep -r "api.telegram.org" "$OPENCLAW_DIR" 2>/dev/null | wc -l)
+        
+        if [ "$REMAINING" -eq 0 ]; then
+            echo "✅ Telegram API 地址替换完成！"
+            echo "   原始地址: api.telegram.org"
+            echo "   新地址: $TELEGRAM_PROXY_HOST"
+        else
+            echo "⚠️  仍有 $REMAINING 处未替换，尝试二次替换..."
+            # 尝试更宽松的匹配（处理可能的转义或编码）
+            find "$OPENCLAW_DIR" -type f \( -name "*.js" -o -name "*.json" -o -name "*.ts" \) -exec sed -i "s|api.telegram.org|$TELEGRAM_PROXY_HOST|g" {} +
+            
+            FINAL_REMAINING=$(grep -r "api.telegram.org" "$OPENCLAW_DIR" 2>/dev/null | wc -l)
+            echo "📊 最终剩余未替换: $FINAL_REMAINING 处"
+        fi
+        
+        # 验证替换结果（显示几处示例）
+        echo "🔍 验证替换结果（前3处）:"
+        grep -r "$TELEGRAM_PROXY_HOST" "$OPENCLAW_DIR" 2>/dev/null | head -3 | sed 's|.*|   &|'
+    else
+        echo "❌ OpenClaw 目录不存在: $OPENCLAW_DIR"
+    fi
+else
+    echo "ℹ️  未设置 TELEGRAM_PROXY_HOST，跳过 Telegram API 替换"
+fi
+PATCH_EOF
+RUN chmod +x /usr/local/bin/patch-telegram-api
+
+# 8. 启动脚本
+RUN cat > /usr/local/bin/start-openclaw << 'START_EOF'
+#!/bin/bash
+set -e
+
+# 创建必要的目录
+mkdir -p /root/.openclaw
+mkdir -p /root/.openclaw/sessions
+mkdir -p /root/.openclaw/workspace
+
+echo "========================================"
+echo "OpenClaw Gateway Starting..."
+echo "========================================"
+
+# 尝试恢复数据（如果配置了备份）
+if [ -n "$HF_DATASET" ] && [ -n "$HF_TOKEN" ]; then
+    echo "🔄 尝试从 Hugging Face 恢复数据..."
+    python3 /usr/local/bin/sync.py restore || echo "⚠️  恢复失败，继续启动..."
+fi
+
+# 执行 Telegram API 地址替换（如果设置了代理）
+/usr/local/bin/patch-telegram-api
+
+# 准备 API 配置
+CLEAN_BASE="${API_BASE_URL}"
+CLEAN_BASE=$(echo "$CLEAN_BASE" | sed 's|/chat/completions||g' | sed 's|/v1/|/v1|g' | sed 's|/v1$|/v1|')
+
+# 生成令牌（如果没设置）
+if [ -z "$OPENCLAW_GATEWAY_TOKEN" ]; then
+    OPENCLAW_GATEWAY_TOKEN=$(openssl rand -hex 16)
+    echo "🔑 生成的网关令牌: $OPENCLAW_GATEWAY_TOKEN"
+fi
+
+# 转换可信代理列表为JSON数组
+TRUSTED_PROXIES_JSON=$(echo "$GATEWAY_TRUSTED_PROXIES" | tr ',' '\n' | awk '{ printf "\"%s\",", $0 }' | sed 's/,$//' | sed 's/^/[/' | sed 's/$/]/')
+
+# 转换允许的源列表为JSON数组
+ALLOWED_ORIGINS_JSON=$(echo "$GATEWAY_ALLOWED_ORIGINS" | tr ',' '\n' | awk '{ printf "\"%s\",", $0 }' | sed 's/,$//' | sed 's/^/[/' | sed 's/$/]/')
+
+# 转换Telegram允许列表为JSON数组
+if [ -n "$TELEGRAM_ALLOW_FROM" ]; then
+    # 规范化ID，添加tg:前缀（如果没有）
+    TELEGRAM_ALLOW_JSON=$(echo "$TELEGRAM_ALLOW_FROM" | tr ',' '\n' | while read id; do
+        id=$(echo "$id" | xargs)  # 去除空格
+        if [[ "$id" =~ ^[0-9]+$ ]]; then
+            echo "\"tg:$id\""
+        elif [[ "$id" =~ ^tg: ]]; then
+            echo "\"$id\""
+        elif [[ "$id" =~ ^@ ]]; then
+            echo "\"$id\""
+        else
+            echo "\"$id\""
+        fi
+    done | paste -sd ',' | sed 's/^/[/' | sed 's/$/]/')
+else
+    TELEGRAM_ALLOW_JSON="[]"
+fi
+
+# 创建 OpenClaw 配置（如果配置文件不存在）
+if [ ! -f "/root/.openclaw/openclaw.json" ]; then
+    echo "📝 创建 OpenClaw 配置文件..."
+    cat > /root/.openclaw/openclaw.json <<OPENCLAW_CONFIG
+{
+  "models": {
+    "mode": "${MODEL_MODE}",
+    "providers": {
+      "${MODEL_PROVIDER}": {
+        "baseUrl": "${CLEAN_BASE}",
+        "apiKey": "${OPENAI_API_KEY}",
+        "api": "${API_TYPE}",
+        "models": [{
+          "id": "${MODEL_ID}",
+          "name": "${MODEL_DISPLAY_NAME}",
+          "contextWindow": ${MODEL_CONTEXT_WINDOW}
+        }]
+      }
+    }
+  },
+  "agents": {
+    "defaults": {
+      "model": {
+        "primary": "${MODEL_PROVIDER}/${MODEL_ID}"
+      },
+      "workspace": "/root/.openclaw/workspace"
+    }
+  },
+  "gateway": {
+    "mode": "${OPENCLAW_GATEWAY_MODE}",
+    "bind": "${GATEWAY_BIND}",
+    "port": ${PORT},
+    "trustedProxies": ${TRUSTED_PROXIES_JSON},
+    "auth": {
+      "mode": "${GATEWAY_AUTH_MODE}",
+      "token": "${OPENCLAW_GATEWAY_TOKEN}"
+    },
+    "remote": {
+      "token": "${OPENCLAW_GATEWAY_TOKEN}"
+    },
+    "controlUi": {
+      "allowInsecureAuth": ${CONTROLUI_ALLOW_INSECURE_AUTH},
+      "dangerouslyAllowHostHeaderOriginFallback": ${CONTROLUI_DANGEROUS_HOST_HEADER},
+      "dangerouslyDisableDeviceAuth": ${CONTROLUI_DANGEROUS_DISABLE_DEVICE_AUTH},
+      "allowedOrigins": ${ALLOWED_ORIGINS_JSON}
+    }
+  },
+  "session": {
+    "store": "/root/.openclaw/sessions/sessions.json"
+  },
+  "channels": {
+    "telegram": {
+      "enabled": ${TELEGRAM_ENABLED},
+      "botToken": "${TELEGRAM_BOT_TOKEN}",
+      "dmPolicy": "${TELEGRAM_DM_POLICY}",
+      "allowFrom": ${TELEGRAM_ALLOW_JSON}
+    }
+  }
+}
+OPENCLAW_CONFIG
+else
+    echo "📁 使用现有的配置文件"
+fi
+
+echo "========================================"
+echo "📊 配置信息:"
+echo "  • 模型: ${MODEL_ID}"
+echo "  • Provider: ${MODEL_PROVIDER}"
+echo "  • 端口: ${PORT}"
+echo "  • 备份: ${BACKUP_ENABLED}"
+echo "  • Allowed Origins: ${GATEWAY_ALLOWED_ORIGINS}"
+echo "  • Telegram Enabled: ${TELEGRAM_ENABLED}"
+if [ "${TELEGRAM_ENABLED}" = "true" ]; then
+    echo "  • Telegram DM Policy: ${TELEGRAM_DM_POLICY}"
+    echo "  • Telegram Allow From: ${TELEGRAM_ALLOW_FROM}"
+    if [ -n "$TELEGRAM_PROXY_HOST" ]; then
+        echo "  • Telegram Proxy: ${TELEGRAM_PROXY_HOST}"
+    fi
+fi
+echo "========================================"
+
+# 后台备份循环（如果启用）
+if [ "${BACKUP_ENABLED}" = "true" ] && [ -n "$HF_DATASET" ] && [ -n "$HF_TOKEN" ]; then
+    echo "🔄 启动自动备份 (间隔: ${BACKUP_INTERVAL}秒)"
+    (
+    while true; do
+        sleep ${BACKUP_INTERVAL}
+        echo "⏰ 执行定时备份..."
+        python3 /usr/local/bin/sync.py backup || echo "⚠️  备份失败"
+    done
+    ) &
+fi
+
+# 运行诊断并启动网关
+echo "🔧 运行 OpenClaw 诊断..."
+openclaw doctor --fix || true
+
+echo "🚀 启动 OpenClaw Gateway..."
+echo "========================================"
+exec openclaw gateway run --port $PORT
+START_EOF
+RUN chmod +x /usr/local/bin/start-openclaw
+
+EXPOSE 7860
+
+CMD ["/usr/local/bin/start-openclaw"]