* docs: add Alibaba Cloud (阿里云) deployment guide
Adds docs/deployment/cloud/aliyun.md with:
- ECS single-machine deployment using the existing Docker Compose stack
- ACK (Kubernetes) reference manifest and multi-replica caveats
- Image acceleration setup via Alibaba Cloud Container Registry
- ICP filing (备案) overview for mainland China public hosting
- Common pitfalls and references to existing Docker / install-guide docs
Docs-only slice for #1025. Live ROS templates, one-click scripts, and
verification screenshots are out of scope here and tracked as follow-up
work in the issue.
* docs: fix ACK manifest reachability and OD_ALLOWED_ORIGINS alias
Address PerishCode review on PR #3275:
- The daemon defaults to OD_BIND_HOST=127.0.0.1 (apps/daemon/src/server.ts),
so the readinessProbe and ClusterIP Service in the previous manifest could
never reach the Pod. Add OD_BIND_HOST=0.0.0.0 + OD_API_TOKEN (required by
the bound-API-token guard for non-loopback binds) and a kubectl secret step.
- The daemon reads OD_ALLOWED_ORIGINS, not OPEN_DESIGN_ALLOWED_ORIGINS.
OPEN_DESIGN_* names are Compose-only aliases mapped in deploy/docker-compose.yml.
Use OD_ALLOWED_ORIGINS for the direct-container ACK path and call out both
names in the network-exposure section and the pitfalls table.
Also adds an Ingress / Bearer-token note for operators fronting the
Service externally.
* docs: document OD_API_TOKEN bearer-token forwarding in Nginx block
PerishCode follow-up review on PR #3275:
The Path A Nginx block as written would 401 every UI call except the
three open probes (/api/health, /api/version, /api/daemon/status). Same
root cause as the ACK fix in 9d5f6ec — the auth model affects both paths,
not just direct-container deployments.
Verified against source:
- deploy/scripts/install.sh:386 always writes a generated OD_API_TOKEN
into deploy/.env (no opt-out flag).
- deploy/docker-compose.yml:18 requires OD_API_TOKEN (Compose ? syntax)
and binds OD_BIND_HOST=0.0.0.0, so the daemon-side bearer middleware
is always active for the Compose path.
- apps/daemon/src/server.ts:3777 keys the loopback short-circuit on
isLoopbackPeerAddress(req.socket?.remoteAddress) — the TCP peer, not
X-Forwarded-For — so a reverse-proxied request from a Docker bridge
IP never gets the localhost bypass.
Adds proxy_set_header Authorization to the Nginx block, a paragraph
explaining where OD_API_TOKEN comes from, and updates the pitfalls row
that previously only mentioned CORS to also list the missing-bearer
cause.