Add QNAP NAS compose deployment

- Add docker-compose-Nas.yaml for QNAP/威联通 deployment with NAS persistent data paths, API aliasing, and health checks tailored for NAS firmware.

- Parameterize NAS ports, data root, database credentials, proxy variables, CORS, session security, TRUST_PROXY, migrations, and seed settings.

- Include an optional frpc profile in the NAS compose file so port 4002 can be exposed through the existing frpc/frpc.toml workflow.

- Document NAS startup, health checks, public HTTPS settings, proxy settings, and frpc commands in README.

- Update Docker deployment documentation with the NAS compose workflow and the reminder to expose only 4002 publicly.

docker-compose-Nas.yaml

@@ -0,0 +1,115 @@
+# XXX QNAP/NAS deployment compose. Designed for Container Station or docker compose on a NAS.
+# XXX Edit /share paths, proxy variables, SESSION_SECRET, and frpc/frpc.toml before public deployment.
+
+services:
+  tuwen_db:
+    image: postgres:16-alpine
+    container_name: tuwen_db
+    restart: unless-stopped
+    environment:
+      POSTGRES_DB: ${POSTGRES_DB:-surclaw}
+      POSTGRES_USER: ${POSTGRES_USER:-surclaw}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-surclaw_dev_password}
+    volumes:
+      # XXX NAS persistent database directory. Change this path if your QNAP share is different.
+      - ${NAS_DATA_ROOT:-/share/Container/tuwen_system_v2/data}/postgres:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U $${POSTGRES_USER:-surclaw} -d $${POSTGRES_DB:-surclaw}"]
+      interval: 10s
+      timeout: 5s
+      retries: 10
+
+  tuwen_api:
+    build:
+      # XXX Keep relative context for QNAP, otherwise Container Station may fail to resolve absolute paths.
+      context: .
+      dockerfile: Dockerfile.server
+      args:
+        HTTP_PROXY: ${HTTP_PROXY:-}
+        HTTPS_PROXY: ${HTTPS_PROXY:-}
+        NO_PROXY: ${NO_PROXY:-localhost,127.0.0.1,192.168.31.0/24,tuwen_db,tuwen_api,tuwen_web,api,db,web}
+    container_name: tuwen_api
+    restart: unless-stopped
+    networks:
+      default:
+        aliases:
+          # XXX nginx.conf proxies /api to http://api:3100, so NAS service keeps this alias.
+          - api
+    depends_on:
+      tuwen_db:
+        condition: service_healthy
+    ports:
+      # XXX Optional host API port for NAS diagnostics; public users should enter through web:4002/NPM.
+      - "${NAS_API_PORT:-4102}:3100"
+    volumes:
+      # XXX NAS persistent upload directory for signatures, videos, keyframes, and template images.
+      - ${NAS_DATA_ROOT:-/share/Container/tuwen_system_v2/data}/uploads:/app/uploads
+    environment:
+      NODE_ENV: production
+      API_PORT: 3100
+      API_BODY_LIMIT: ${API_BODY_LIMIT:-100mb}
+      DATABASE_URL: postgresql://${POSTGRES_USER:-surclaw}:${POSTGRES_PASSWORD:-surclaw_dev_password}@tuwen_db:5432/${POSTGRES_DB:-surclaw}?schema=public
+      CORS_ORIGIN: ${CORS_ORIGIN:-http://192.168.31.5:4002,https://sstwbg.example.com}
+      # XXX Replace in NAS .env or Container Station variables before real deployment.
+      SESSION_SECRET: ${SESSION_SECRET:-change-me-in-production}
+      # XXX For public HTTPS through Nginx Proxy Manager, set SESSION_COOKIE_SECURE=true and TRUST_PROXY=true.
+      SESSION_COOKIE_SECURE: ${SESSION_COOKIE_SECURE:-false}
+      TRUST_PROXY: ${TRUST_PROXY:-false}
+      FILE_STORAGE_DIR: /app/uploads
+      RUN_DB_MIGRATIONS: ${RUN_DB_MIGRATIONS:-true}
+      RUN_DB_SEED: ${RUN_DB_SEED:-true}
+      DOCKER_STARTUP_RETRIES: ${DOCKER_STARTUP_RETRIES:-30}
+      DOCKER_STARTUP_RETRY_DELAY: ${DOCKER_STARTUP_RETRY_DELAY:-2}
+      HTTP_PROXY: ${HTTP_PROXY:-}
+      HTTPS_PROXY: ${HTTPS_PROXY:-}
+      http_proxy: ${HTTP_PROXY:-}
+      https_proxy: ${HTTPS_PROXY:-}
+      NO_PROXY: ${NO_PROXY:-localhost,127.0.0.1,192.168.31.0/24,tuwen_db,tuwen_api,tuwen_web,api,db,web}
+    healthcheck:
+      # XXX Use 127.0.0.1 instead of localhost to avoid IPv6 resolution issues on some NAS firmware.
+      test: ["CMD-SHELL", "node -e \"fetch('http://127.0.0.1:3100/api/health').then(r=>process.exit(r.ok?0:1)).catch(()=>process.exit(1))\""]
+      interval: 10s
+      timeout: 5s
+      retries: 12
+      start_period: 20s
+
+  tuwen_web:
+    build:
+      # XXX Keep relative context for QNAP.
+      context: .
+      dockerfile: Dockerfile
+      args:
+        HTTP_PROXY: ${HTTP_PROXY:-}
+        HTTPS_PROXY: ${HTTPS_PROXY:-}
+        NO_PROXY: ${NO_PROXY:-localhost,127.0.0.1,192.168.31.0/24,tuwen_db,tuwen_api,tuwen_web,api,db,web}
+    container_name: tuwen_web
+    restart: unless-stopped
+    depends_on:
+      tuwen_api:
+        condition: service_healthy
+    ports:
+      - "${NAS_WEB_PORT:-4002}:80"
+      # XXX Local self-signed HTTPS demo only. Public HTTPS should be handled by Nginx Proxy Manager.
+      - "${NAS_HTTPS_DEMO_PORT:-4443}:443"
+    environment:
+      APP_URL: ${APP_URL:-http://192.168.31.5:4002}
+    healthcheck:
+      test: ["CMD-SHELL", "wget -q --spider http://127.0.0.1/ || exit 1"]
+      interval: 10s
+      timeout: 5s
+      retries: 6
+
+  frpc:
+    # XXX Optional public tunnel client. Edit frpc/frpc.toml before enabling this profile.
+    image: snowdreamtech/frpc:latest
+    container_name: tuwen_frpc
+    restart: unless-stopped
+    network_mode: host
+    command: ["-c", "/etc/frp/frpc.toml"]
+    volumes:
+      - ./frpc/frpc.toml:/etc/frp/frpc.toml:ro
+    depends_on:
+      tuwen_web:
+        condition: service_healthy
+    profiles:
+      - frpc