From 29cf27ac7f206958a97c3759480d31a7557d5813 Mon Sep 17 00:00:00 2001
From: Cat Tom
Date: Thu, 12 Mar 2026 19:57:52 +0800
Subject: [PATCH] Edit action config & Commands.md
---
 .gitea/workflows/deploy.yaml | 1 +
 ...ds-for-Server-Operation-and-Maintenance.md | 235 ++++++++++--------
 2 files changed, 139 insertions(+), 97 deletions(-)
diff --git a/.gitea/workflows/deploy.yaml b/.gitea/workflows/deploy.yaml
index 1331f34..3bf014a 100644
--- a/.gitea/workflows/deploy.yaml
+++ b/.gitea/workflows/deploy.yaml
@@ -11,5 +11,6 @@ jobs:
 host: "100.114.118.48"
 username: "root"
 key: ${{ secrets.SSH_PRIVATE_KEY }}
+ passphrase: ${{ secrets.SSH_PRIVATE_KEY_PASSPHRASE }}
 command_timeout: 3h
 script: bash /root/maria/script/action/blog.sh
\ No newline at end of file
diff --git a/docs/tech/Commands-for-Server-Operation-and-Maintenance.md b/docs/tech/Commands-for-Server-Operation-and-Maintenance.md
index b300601..81eef96 100644
--- a/docs/tech/Commands-for-Server-Operation-and-Maintenance.md
+++ b/docs/tech/Commands-for-Server-Operation-and-Maintenance.md
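Review bot: The new `passphrase:` line protects the key at rest, but the step still opens a root session to `100.114.118.48` with no host-key check visible in the hunk; if this step is appleboy/ssh-action, which the document's reference link points to, the connection accepts any host key unless `fingerprint:` is set, so adding `fingerprint: ${{ secrets.SSH_HOST_FINGERPRINT }}` (placeholder secret name, holding the host's SHA256 key fingerprint) next to the new line would make a substituted host fail instead of receiving the session. The script runs `bash /root/maria/script/action/blog.sh` as `root`; a dedicated deploy user whose `authorized_keys` entry is restricted to that command would bound what `SSH_PRIVATE_KEY` can do if the runner's secrets leak. The job's `uses:` line and the rest of the step definition are outside the hunk.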
@@ -6,31 +6,51 @@ level: classified ## 初始化 -Maria: +### Maria + +**推送 GitHub 私钥**: ```bash - git config --global credential.helper store && git clone https://github.com/cattomgithub/maria.git +# 在 CatTomServer1 处执行 +rsync -avP /home/cattom/.ssh/cattomgithub [server_id]:/root/.ssh/ +# 指定用户名与 IP +rsync -avP /home/cattom/.ssh/cattomgithub root@[server_ip]:/root/.ssh/ +# 指定端口、私钥、用户名和 IP +rsync -avP -e 'ssh -p 25800 -i /home/cattom/.ssh/Maria' /home/cattom/.ssh/cattomgithub root@[server_ip]:/root/.ssh/ +``` - cd maria/script && chmod +x *.sh && ./maria.sh +**克隆 Maria 仓库**: + +```bash +git config --global credential.helper store && git clone https://github.com/cattomgithub/maria.git + +cd maria/script && chmod +x *.sh && ./maria.sh ``` ## 修改 SSH 配置 -首先,启动 SSH 服务: +**启动 SSH 服务**: ```bash - sudo systemctl enable ssh && sudo systemctl restart ssh && sudo systemctl status ssh +sudo systemctl enable ssh && sudo systemctl restart ssh && sudo systemctl status ssh ``` -接着,生成并配置 SSH 密钥。进入 CatTomServer3-1 的终端,然后执行: +**配置 SSH 密钥**: 在 CatTomServer1 终端执行 ```bash - ssh-keygen -m PEM -t rsa -b 4096 -C "[username]@[server_ip]" -f ~/.ssh/[server_name] - - ssh-copy-id -p 25800 -i /home/cattom/.ssh/[server_name].pub root@[server_ip] +# Maria +ssh-copy-id -i /home/cattom/.ssh/Maria.pub root@[server_ip] +# HomeLab +ssh-copy-id -i /home/cattom/.ssh/CatTomServer.pub cattom@[server_ip] +# 指定端口 +ssh-copy-id -p 25800 ... ``` -最后,修改 `/etc/ssh/sshd_config`: +**修改 SSH 配置**: + +```bash +sudo nano /etc/ssh/sshd_config +``` - Port 22 → **Port 25800** - PermitRootLogin **prohibit-password** (取消该行注释) 
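Review bot: The key pushed by the new rsync lines and the clone command that follows do not use the same credential: `/home/cattom/.ssh/cattomgithub` lands in `/root/.ssh/`, yet `git clone https://github.com/cattomgithub/maria.git` authenticates over HTTPS, and the preceding `git config --global credential.helper store` writes whatever token is typed to `/root/.git-credentials` in plaintext. If the key is what the clone is meant to use, the URL should be the SSH form (`git@github.com:cattomgithub/maria.git`) with a matching `IdentityFile /root/.ssh/cattomgithub` entry in `/root/.ssh/config`, and the `credential.helper store` step can be dropped; otherwise the section should say which step the key serves. Because `-a` preserves whatever mode the file has on CatTomServer1, the block could state that the key must already be `0600` there, and the `ssh-copy-id -p 25800 ...` example is truncated to `...` while the `ssh-keygen` line this hunk removes was the only place `Maria.pub` and `CatTomServer.pub` were generated. The sshd_config list continues past the end of the hunk.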
@@ -42,10 +62,10 @@ Maria: ## 恢复备份文件/目录 (可选) ```bash - cd /root || exit - wget -c https://cattom.oss-cn-shenzhen.aliyuncs.com/[server_name]/backup/[file_name].tar.gz - tar -zxvf [file_name].tar.gz - sudo rm [file_name].tar.gz +cd /root || exit +wget -c https://cattom.oss-cn-shenzhen.aliyuncs.com/[server_name]/backup/[file_name].tar.gz +tar -zxvf [file_name].tar.gz +sudo rm [file_name].tar.gz ``` ## 安装业务程序 (按需安装) @@ -57,19 +77,19 @@ Maria: 请到 [Releases - traefik/traefik](https://github.com/traefik/traefik/releases/latest) 检查最新版本。 ```bash - mkdir /root/traefik - cd /root/traefik || exit +mkdir /root/traefik +cd /root/traefik || exit - touch acme.json && chmod 600 acme.json +touch acme.json && chmod 600 acme.json - wget -c [link] - tar -zxvf [file_name] && rm [file_name] LICENSE.md CHANGELOG.md && mv traefik /usr/local/bin/traefik +wget -c [link] +tar -zxvf [file_name] && rm [file_name] LICENSE.md CHANGELOG.md && mv traefik /usr/local/bin/traefik - ln -s /root/maria/config/traefik/static.yaml /root/traefik/static.yaml - ln -s /root/maria/config/${SERVER}/traefik.yaml /root/traefik/dynamic.yaml - - ln -s /root/maria/config/systemd/traefik.service /etc/systemd/system/traefik.service && sudo systemctl daemon-reload - sudo systemctl enable traefik.service && sudo systemctl restart traefik.service +ln -s /root/maria/config/traefik/static.yaml /root/traefik/static.yaml +ln -s /root/maria/config/${SERVER}/traefik.yaml /root/traefik/dynamic.yaml + +ln -s /root/maria/config/systemd/traefik.service /etc/systemd/system/traefik.service && sudo systemctl daemon-reload +sudo systemctl enable traefik.service && sudo systemctl restart traefik.service ``` ### 阿里云 CLI 
@@ -77,20 +97,20 @@ Maria: **注意: 请到 [RAM 访问控制](https://ram.console.aliyun.com/) 按照业务需求生成 AccessKey.** ```bash - cd /root || exit +cd /root || exit - /bin/bash -c "$(curl -fsSL https://aliyuncli.alicdn.com/install.sh)" +/bin/bash -c "$(curl -fsSL https://aliyuncli.alicdn.com/install.sh)" - aliyun configure set --profile profile1 --mode AK --access-key-id [AccessKeyID] --access-key-secret [AccessKeySecret] --region "cn-shenzhen" +aliyun configure set --profile profile1 --mode AK --access-key-id [AccessKeyID] --access-key-secret [AccessKeySecret] --region "cn-shenzhen" ``` 阿里云 CLI 现已集成 ossutil,示例: ```bash - # Example 1 - aliyun ossutil sync /root/backup/ oss://cattom/${SERVER}/backup/ --force --update --delete -e oss-cn-shenzhen.aliyuncs.com - # Example 2 - aliyun ossutil sync /root/blog/site oss://cattom-blog --force --update --delete --region cn-hongkong +# Example 1 +aliyun ossutil sync /root/backup/ oss://cattom/${SERVER}/backup/ --force --update --delete -e oss-cn-shenzhen.aliyuncs.com +# Example 2 +aliyun ossutil sync /root/blog/site oss://cattom-blog --force --update --delete --region cn-hongkong ``` ### Flexget 
@@ -98,34 +118,34 @@ Maria: 安装 Flexget: ```bash - cd /root || exit - sudo apt -y install python3 python3-full python3-pip python3.12-venv - python3 -m venv /root/flexget/ - /root/flexget/bin/pip install --upgrade pip setuptools - /root/flexget/bin/pip install flexget +cd /root || exit +sudo apt -y install python3 python3-full python3-pip python3.12-venv +python3 -m venv /root/flexget/ +/root/flexget/bin/pip install --upgrade pip setuptools +/root/flexget/bin/pip install flexget ``` 测试配置并启动后台进程: ```bash - sudo ln -s /root/maria/config/flexget/config.yml /root/flexget/config.yml - /root/flexget/bin/flexget -c /root/flexget/config.yml --test execute - /root/flexget/bin/flexget -c /root/flexget/config.yml daemon start -d --autoreload-config +sudo ln -s /root/maria/config/flexget/config.yml /root/flexget/config.yml +/root/flexget/bin/flexget -c /root/flexget/config.yml --test execute +/root/flexget/bin/flexget -c /root/flexget/config.yml daemon start -d --autoreload-config ``` 设置开机自启动: ```bash - ( - crontab -u $(whoami) -l - echo "@reboot /root/flexget/bin/flexget -c /root/flexget/config.yml daemon start -d --autoreload-config" - ) | crontab -u $(whoami) - +( + crontab -u $(whoami) -l + echo "@reboot /root/flexget/bin/flexget -c /root/flexget/config.yml daemon start -d --autoreload-config" +) | crontab -u $(whoami) - ``` 配置 alias: ```bash - echo 'alias flexget="/root/flexget/bin/flexget -c /root/flexget/config.yml"' >> /root/.bashrc +echo 'alias flexget="/root/flexget/bin/flexget -c /root/flexget/config.yml"' >> /root/.bashrc ``` ## 配置防火墙 
@@ -157,44 +177,44 @@ Maria 非标端口开放表: [^1]: 服务器3的 Prometheus 处于容器内,而 Node Exporter 处于宿主机,必须保留该规则以保持二者连通。 ```bash - # 重置防火墙 - sudo ufw reset - # 添加默认条件 - sudo ufw default allow outgoing # 默认允许所有数据出站 - sudo ufw default deny incoming # 默认禁止所有数据入站 +# 重置防火墙 +sudo ufw reset +# 添加默认条件 +sudo ufw default allow outgoing # 默认允许所有数据出站 +sudo ufw default deny incoming # 默认禁止所有数据入站 ``` ```bash - # SSH - sudo ufw allow 25800 - # Web - sudo ufw allow 80 && sudo ufw allow 443 - - # Example 1 - sudo ufw allow 7100 - # Example 2 - sudo ufw allow from 127.0.0.1 to any port 18080 - # Example 3 - sudo ufw allow 6888/udp +# SSH +sudo ufw allow 25800 +# Web +sudo ufw allow 80 && sudo ufw allow 443 + +# Example 1 +sudo ufw allow 7100 +# Example 2 +sudo ufw allow from 127.0.0.1 to any port 18080 +# Example 3 +sudo ufw allow 6888/udp ``` ```bash - # 启用日志 - sudo ufw logging medium - # 列出端口开放情况 - sudo ufw status numbered - # 启用防火墙 - sudo ufw enable +# 启用日志 +sudo ufw logging medium +# 列出端口开放情况 +sudo ufw status numbered +# 启用防火墙 +sudo ufw enable ``` ## 加载 Docker 容器 ```bash - sudo docker compose -f /root/maria/config/"${SERVER}"/docker-compose.yml pull - sudo docker compose -f /root/maria/config/"${SERVER}"/docker-compose.yml up -d --remove-orphans - sudo docker system prune -f - # 可选 - sudo systemctl restart traefik +sudo docker compose -f /root/maria/config/"${SERVER}"/docker-compose.yml pull +sudo docker compose -f /root/maria/config/"${SERVER}"/docker-compose.yml up -d --remove-orphans +sudo docker system prune -f +# 可选 +sudo systemctl restart traefik ``` ## 配置自动备份 (可选) 
@@ -243,45 +263,66 @@ lsmod | grep bbr 若出现 `tcp_bbr` 的输出,说明开启成功。 -## 配置 SSH Action +## 配置 Actions ### GitHub Actions -[cattomgithub/maria - Settings - Secrets - Actions](https://github.com/cattomgithub/maria/settings/secrets/actions) +转至 [cattomgithub/maria - Settings - Secrets - Actions](https://github.com/cattomgithub/maria/settings/secrets/actions) + +修改以下配置项: - SSH_HOSTS: foo,bar -服务器需配置 GitHub Actions Key,进入 CatTomServer3-1 的终端,执行: - -```bash - ssh-copy-id -f -p 25800 -i /home/cattom/.ssh/maria-github-actions-key.pub [server_id] -``` - -[Ref: 用于 GitHub Actions 的 SSH](https://github.com/appleboy/ssh-action/blob/master/README.zh-cn.md) +### Gitea Actions ## NFS 配置 ```bash - # Install - sudo apt -y update && sudo apt -y install nfs-kernel-server nfs-common - # Modify firewall on host - sudo ufw allow from [client_ip] to any port nfs - # Create mount point on client - sudo mkdir -p [/path/on/client] - # Mount directories on client - sudo mount [host_ip]:[/path/on/host] [/path/on/client] - # Check stats on client - sudo df -h - # Mount the directories at boot - sudo echo "[host_ip]:[/path/on/host] [/path/on/client] nfs auto,nofail,noatime,nolock,intr,tcp,actimeo=1800 0 0" >> /etc/fstab - # Unmount NFS - sudo umount [/path/on/client] +# Install +sudo apt -y update && sudo apt -y install nfs-kernel-server nfs-common +# Modify firewall on host +sudo ufw allow from [client_ip] to any port nfs +# Create mount point on client +sudo mkdir -p [/path/on/client] +# Mount directories on client +sudo mount [host_ip]:[/path/on/host] [/path/on/client] +# Check stats on client +sudo df -h +# Mount the directories at boot +sudo echo "[host_ip]:[/path/on/host] [/path/on/client] nfs auto,nofail,noatime,nolock,intr,tcp,actimeo=1800 0 0" >> /etc/fstab +# Unmount NFS +sudo umount [/path/on/client] ``` ## 进入 Docker 容器的终端 ``` bash - sudo docker exec -it [container_name] /bin/bash - # Or - sudo docker exec -it [container_name] /bin/sh +sudo docker exec -it [container_name] /bin/bash +# Or 
+sudo docker exec -it [container_name] /bin/sh ``` + +## rsync 同步文件 + +rsync 参数解释: + +- `-a`: 归档模式,保留文件的权限、时间戳、软链接、属主和属组。 +- `-v`: 详细模式,输出同步过程中的文件名。 +- `-z`: 在传输时进行压缩。 +- `-P`: 等同于 `--partial` `--progress`。`--progress` 会显示每个文件的传输进度,`--partial` 允许断点续传。 + +rsync 对路径末尾的斜杠敏感: + +- `/local/source/folder/` (有斜杠): 只同步文件夹里面的**内容**到目标目录。 +- `/local/source/folder` (无斜杠): 将 `folder` 这个**目录本身连同里面的内容**,整个放入目标目录中。 + +``` bash +# 将本地文件夹推送到远程服务器 (Push) +rsync -avzP --delete /local/source/folder/ [server_id]:/remote/destination/folder/ +# 从远程服务器拉取文件夹到本地 (Pull) +rsync -avzP --delete [server_id]:/local/source/folder/ /remote/destination/folder/ +``` + +## 参考 + +[用于 GitHub Actions 的 SSH](https://github.com/appleboy/ssh-action/blob/master/README.zh-cn.md) \ No newline at end of file
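Review bot: The new `### Gitea Actions` heading has no body, so the secrets the workflow reads (`SSH_PRIVATE_KEY`, and the `SSH_PRIVATE_KEY_PASSPHRASE` added to deploy.yaml in this same patch) and the step that installs the matching public key on the target, the `ssh-copy-id -f -p 25800 -i .../maria-github-actions-key.pub` line this hunk removes, are now documented nowhere; a short list of the secret names plus a one-line install command would close the gap. In the rsync Pull example the placeholders are swapped, with the remote source labelled `/local/source/folder/` and the local destination `/remote/destination/folder/`; `rsync -avzP --delete [server_id]:/remote/source/folder/ /local/destination/folder/` reads correctly. Since both examples carry `--delete`, a comment such as `# --delete removes files at the destination that are absent at the source; run with --dry-run first` belongs with the parameter list above them. In the NFS block, `sudo echo "..." >> /etc/fstab` only elevates `echo` while the `>>` redirect is performed by the caller's shell, so it needs the form `echo "..." | sudo tee -a /etc/fstab` unless run as root.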