feat(systemd-service-manager): 支持环境变量文件和用户组配置

- 添加了对 project.env、project.env.local、services/<name>.env、
  services/<name>.env.local、timers/<name>.env、timers/<name>.env.local
  等环境变量文件的支持
- 实现了环境变量的层级覆盖机制：<name>.env.local > <name>.env >
  project.env.local > project.env
- 支持在 service 和 timer 配置中设置 USER 和 GROUP 字段来指定运行用户
- 更新了单元文件渲染逻辑，在 Environment= 中注入环境变量
- 为 fnm 使用场景提供了推荐的环境变量配置方式

BREAKING CHANGE: 移除了原有的全局环境变量加载方式，
改为按需合并特定服务的环境变量文件。

Author: mudssky

scripts/bash/systemd-service-manager/README.md

@@ -28,6 +28,36 @@
 - `start` / `stop` / `restart` / `status` / `logs` 这类命令依赖目标 unit 已经先执行过 `install`。
 - `install` / `start` / `stop` / `restart` / `enable` / `disable` 这类 system scope 写操作在非 root 下会自动通过 `sudo` 重新执行脚本本身，因此不要求你手工把 `sudo` 写在命令前。
 
+## Environment support
+
+- `project.env` / `project.env.local` 中的变量会渲染到所有 service / timer task unit 的 `Environment=`。
+- `services/<name>.env` / `services/<name>.env.local` 会覆盖项目级变量，并只作用于对应 service。
+- `timers/<name>.env` / `timers/<name>.env.local` 会覆盖项目级变量，并只作用于对应 timer 生成的一次性 task service。
+- 优先级保持为：
+  - `<name>.env.local`
+  - `<name>.env`
+  - `project.env.local`
+  - `project.env`
+
+## fnm 推荐写法
+
+对于 `system` scope 的 Node / fnm 工具，推荐在 env 文件里提供稳定的 `PATH` 和 `HOME`，不要使用 `/run/user/.../fnm_multishells/...` 这类会话级临时路径。
+
+推荐把下面内容写到 `project.env.local` 或 `services/<name>.env.local`：
+
+```dotenv
+HOME=/home/administrator
+PATH=/home/administrator/.local/share/fnm/node-versions/v24.11.0/installation/bin:/usr/local/bin:/usr/bin:/bin
+```
+
+然后 `COMMAND` 可以直接写成：
+
+```dotenv
+COMMAND=zread browse --host 0.0.0.0 --port 19681
+```
+
+如果你更在意稳定性，也可以直接把 `COMMAND` 写成绝对路径，但一般优先推荐“稳定 PATH + 裸命令”这条线，可读性更好。
+
 ## Build
 
 ```bash

scripts/bash/systemd-service-manager/commands/install.sh

@@ -27,8 +27,11 @@ ssm_cmd_install() {
       ssm_require_safe_name "UNIT_PREFIX" "${UNIT_PREFIX}"
       source_file="$(ssm_service_config_path "${project_dir}" "${SSM_RESOLVED_TARGET_NAME}")"
       scope="${SSM_SERVICE_SCOPE}"
+      ssm_collect_env_entries_for_service "${project_dir}" "${SSM_RESOLVED_TARGET_NAME}"
+      local env_block
+      env_block="$(ssm_render_environment_lines)"
       local service_unit_file="${render_dir}/$(ssm_service_unit_name "${SSM_RESOLVED_TARGET_NAME}")"
-      ssm_render_service_unit "${source_file}" >"${service_unit_file}"
+      ssm_render_service_unit "${source_file}" "${env_block}" >"${service_unit_file}"
       ssm_verify_unit_file "${service_unit_file}" || ssm_die "systemd-analyze verify failed for ${service_unit_file}"
       if [[ "${SSM_CLI_DRY_RUN}" == "1" ]]; then
         printf '%s\n' "$(basename "${service_unit_file}")"
@@ -49,6 +52,9 @@ ssm_cmd_install() {
       ssm_require_safe_name "UNIT_PREFIX" "${UNIT_PREFIX}"
       source_file="$(ssm_timer_config_path "${project_dir}" "${SSM_RESOLVED_TARGET_NAME}")"
       scope="${SSM_TIMER_SCOPE}"
+      ssm_collect_env_entries_for_timer "${project_dir}" "${SSM_RESOLVED_TARGET_NAME}"
+      local env_block
+      env_block="$(ssm_render_environment_lines)"
       local schedule_block
       schedule_block="$(ssm_resolve_schedule "${SCHEDULE}")"
       local task_unit_name
@@ -69,7 +75,7 @@ ssm_cmd_install() {
         task_exec_command="${COMMAND}"
       fi
 
-      ssm_render_task_service_unit "${source_file}" "${task_exec_command}" >"${task_unit_file}"
+      ssm_render_task_service_unit "${source_file}" "${task_exec_command}" "${env_block}" >"${task_unit_file}"
       ssm_render_timer_unit "${source_file}" "${task_unit_name}" "${schedule_block}" >"${timer_unit_file}"
       ssm_verify_unit_file "${task_unit_file}" || ssm_die "systemd-analyze verify failed for ${task_unit_file}"
       ssm_verify_unit_file "${timer_unit_file}" || ssm_die "systemd-analyze verify failed for ${timer_unit_file}"

scripts/bash/systemd-service-manager/commands/list.sh

@@ -15,11 +15,12 @@ ssm_cmd_list() {
   if [[ "${SSM_DEBUG_DUMP_CONFIG:-}" == "1" ]]; then
     if [[ -f "$(ssm_service_config_path "${project_dir}" "api")" ]]; then
       ssm_parse_service_config "${project_dir}" "api"
+      ssm_collect_env_entries_for_service "${project_dir}" "api"
     fi
     printf 'project=%s\n' "${SSM_PROJECT_NAME}"
     printf 'scope=%s\n' "${SSM_SERVICE_SCOPE:-${DEFAULT_SCOPE:-system}}"
-    printf 'APP_PORT=%s\n' "${APP_PORT:-}"
-    printf 'APP_NAME=%s\n' "${APP_NAME:-}"
+    printf 'APP_PORT=%s\n' "$(ssm_get_env_entry_value "APP_PORT")"
+    printf 'APP_NAME=%s\n' "$(ssm_get_env_entry_value "APP_NAME")"
     return 0
   fi
 

scripts/bash/systemd-service-manager/lib/env.sh

@@ -67,8 +67,6 @@ ssm_load_project_config() {
   config_root="$(ssm_config_root "${project_dir}")"
 
   ssm_load_key_value_file "${config_root}/project.conf"
-  ssm_load_key_value_file "${config_root}/project.env"
-  ssm_load_key_value_file "${config_root}/project.env.local"
 
   SSM_PROJECT_NAME="${PROJECT_NAME:-}"
   UNIT_PREFIX="${UNIT_PREFIX:-${PROJECT_NAME:-project}}"
@@ -96,3 +94,139 @@ ssm_load_timer_env() {
   ssm_load_key_value_file "${config_root}/timers/${timer_name}.env"
   ssm_load_key_value_file "${config_root}/timers/${timer_name}.env.local"
 }
+
+# 从指定 key=value 文件中读取某个 key 的最后一个值，用于解析与环境变量同名的配置键。
+ssm_read_key_value_from_file() {
+  local file_path="$1"
+  local target_key="$2"
+  [[ -f "${file_path}" ]] || return 0
+
+  local line=""
+  local key=""
+  local value=""
+  local found=""
+
+  while IFS= read -r line || [[ -n "${line}" ]]; do
+    line="$(ssm_trim "${line}")"
+    [[ -z "${line}" || "${line}" == \#* ]] && continue
+    [[ "${line}" == *=* ]] || continue
+
+    key="$(ssm_trim "${line%%=*}")"
+    value="$(ssm_normalize_value "${line#*=}")"
+    if [[ "${key}" == "${target_key}" ]]; then
+      found="${value}"
+    fi
+  done < "${file_path}"
+
+  printf '%s' "${found}"
+}
+
+# 清空当前待渲染的环境变量集合。
+ssm_reset_env_entries() {
+  SSM_ENV_KEYS=()
+  SSM_ENV_VALUES=()
+}
+
+# 合并同名环境变量，后出现的值覆盖先前的值。
+ssm_upsert_env_entry() {
+  local key="$1"
+  local value="$2"
+  local index=0
+
+  while [[ "${index}" -lt "${#SSM_ENV_KEYS[@]}" ]]; do
+    if [[ "${SSM_ENV_KEYS[${index}]}" == "${key}" ]]; then
+      SSM_ENV_VALUES[${index}]="${value}"
+      return 0
+    fi
+    index=$((index + 1))
+  done
+
+  SSM_ENV_KEYS+=("${key}")
+  SSM_ENV_VALUES+=("${value}")
+}
+
+# 把 key=value 文件合并到待渲染的环境变量集合里。
+ssm_merge_env_file_into_entries() {
+  local file_path="$1"
+  [[ -f "${file_path}" ]] || return 0
+
+  local line=""
+  local key=""
+  local value=""
+
+  while IFS= read -r line || [[ -n "${line}" ]]; do
+    line="$(ssm_trim "${line}")"
+    [[ -z "${line}" || "${line}" == \#* ]] && continue
+    [[ "${line}" == *=* ]] || ssm_die "Invalid key-value line in ${file_path}: ${line}"
+
+    key="$(ssm_trim "${line%%=*}")"
+    value="$(ssm_normalize_value "${line#*=}")"
+
+    if [[ ! "${key}" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]]; then
+      ssm_die "Invalid config key in ${file_path}: ${key}"
+    fi
+
+    ssm_upsert_env_entry "${key}" "${value}"
+  done < "${file_path}"
+}
+
+# 按项目级 -> 项目 local -> service 级 -> service local 顺序收集 service 环境变量。
+ssm_collect_env_entries_for_service() {
+  local project_dir="$1"
+  local service_name="$2"
+  local config_root
+  config_root="$(ssm_config_root "${project_dir}")"
+
+  ssm_reset_env_entries
+  ssm_merge_env_file_into_entries "${config_root}/project.env"
+  ssm_merge_env_file_into_entries "${config_root}/project.env.local"
+  ssm_merge_env_file_into_entries "${config_root}/services/${service_name}.env"
+  ssm_merge_env_file_into_entries "${config_root}/services/${service_name}.env.local"
+}
+
+# 按项目级 -> 项目 local -> timer 级 -> timer local 顺序收集 timer 环境变量。
+ssm_collect_env_entries_for_timer() {
+  local project_dir="$1"
+  local timer_name="$2"
+  local config_root
+  config_root="$(ssm_config_root "${project_dir}")"
+
+  ssm_reset_env_entries
+  ssm_merge_env_file_into_entries "${config_root}/project.env"
+  ssm_merge_env_file_into_entries "${config_root}/project.env.local"
+  ssm_merge_env_file_into_entries "${config_root}/timers/${timer_name}.env"
+  ssm_merge_env_file_into_entries "${config_root}/timers/${timer_name}.env.local"
+}
+
+# 从当前已收集的环境变量集合里读取某个 key 的值，便于调试输出。
+ssm_get_env_entry_value() {
+  local target_key="$1"
+  local index=0
+
+  while [[ "${index}" -lt "${#SSM_ENV_KEYS[@]}" ]]; do
+    if [[ "${SSM_ENV_KEYS[${index}]}" == "${target_key}" ]]; then
+      printf '%s' "${SSM_ENV_VALUES[${index}]}"
+      return 0
+    fi
+    index=$((index + 1))
+  done
+}
+
+# 对 Environment= 值做最小转义，避免双引号和反斜杠破坏 unit 语法。
+ssm_escape_unit_env_value() {
+  local value="$1"
+  value="${value//\\/\\\\}"
+  value="${value//\"/\\\"}"
+  printf '%s' "${value}"
+}
+
+# 把当前环境变量集合渲染成 systemd Environment= 行。
+ssm_render_environment_lines() {
+  local index=0
+  while [[ "${index}" -lt "${#SSM_ENV_KEYS[@]}" ]]; do
+    printf 'Environment="%s=%s"\n' \
+      "${SSM_ENV_KEYS[${index}]}" \
+      "$(ssm_escape_unit_env_value "${SSM_ENV_VALUES[${index}]}")"
+    index=$((index + 1))
+  done
+}

scripts/bash/systemd-service-manager/lib/parser-service.sh

@@ -16,10 +16,19 @@ ssm_parse_service_config() {
 
   ssm_load_project_config "${project_dir}"
   ssm_load_key_value_file "${service_file}"
-  ssm_load_service_env "${project_dir}" "${service_name}"
 
   [[ -n "${COMMAND:-}" ]] || ssm_die "Missing COMMAND in ${service_file}"
 
   SSM_SERVICE_NAME="${service_name}"
   SSM_SERVICE_SCOPE="${SCOPE:-${DEFAULT_SCOPE:-system}}"
+  SSM_SERVICE_RUN_USER="$(ssm_read_key_value_from_file "${service_file}" "USER")"
+  SSM_SERVICE_RUN_GROUP="$(ssm_read_key_value_from_file "${service_file}" "GROUP")"
+
+  if [[ -z "${SSM_SERVICE_RUN_USER}" ]]; then
+    SSM_SERVICE_RUN_USER="${DEFAULT_USER:-}"
+  fi
+
+  if [[ -z "${SSM_SERVICE_RUN_GROUP}" ]]; then
+    SSM_SERVICE_RUN_GROUP="${DEFAULT_GROUP:-}"
+  fi
 }

scripts/bash/systemd-service-manager/lib/parser-timer.sh

@@ -16,7 +16,6 @@ ssm_parse_timer_config() {
 
   ssm_load_project_config "${project_dir}"
   ssm_load_key_value_file "${timer_file}"
-  ssm_load_timer_env "${project_dir}" "${timer_name}"
 
   [[ -n "${TARGET_TYPE:-}" ]] || ssm_die "Missing TARGET_TYPE in ${timer_file}"
   [[ -n "${SCHEDULE:-}" ]] || ssm_die "Missing SCHEDULE in ${timer_file}"
@@ -34,4 +33,14 @@ ssm_parse_timer_config() {
 
   SSM_TIMER_NAME="${timer_name}"
   SSM_TIMER_SCOPE="${SCOPE:-${DEFAULT_SCOPE:-system}}"
+  SSM_TIMER_RUN_USER="$(ssm_read_key_value_from_file "${timer_file}" "USER")"
+  SSM_TIMER_RUN_GROUP="$(ssm_read_key_value_from_file "${timer_file}" "GROUP")"
+
+  if [[ -z "${SSM_TIMER_RUN_USER}" ]]; then
+    SSM_TIMER_RUN_USER="${DEFAULT_USER:-}"
+  fi
+
+  if [[ -z "${SSM_TIMER_RUN_GROUP}" ]]; then
+    SSM_TIMER_RUN_GROUP="${DEFAULT_GROUP:-}"
+  fi
 }

scripts/bash/systemd-service-manager/lib/render-service.sh

@@ -8,6 +8,7 @@ SSM_RENDER_SERVICE_LOADED=1
 # 渲染常驻 service unit，保持最小字段集合和统一 managed header。
 ssm_render_service_unit() {
   local source_file="$1"
+  local env_block="${2:-}"
   cat <<EOF
 # Managed by systemd-service-manager
 # Source: ${source_file}
@@ -19,9 +20,10 @@ ${WANTS:+Wants=${WANTS}}
 [Service]
 Type=simple
 WorkingDirectory=${WORKDIR:-${DEFAULT_WORKDIR:-/tmp}}
+${env_block}
 ExecStart=${COMMAND}
-${USER:+User=${USER}}
-${GROUP:+Group=${GROUP}}
+${SSM_SERVICE_RUN_USER:+User=${SSM_SERVICE_RUN_USER}}
+${SSM_SERVICE_RUN_GROUP:+Group=${SSM_SERVICE_RUN_GROUP}}
 Restart=${RESTART:-on-failure}
 RestartSec=${RESTART_SEC:-5s}
 
@@ -34,6 +36,7 @@ EOF
 ssm_render_task_service_unit() {
   local source_file="$1"
   local exec_command="$2"
+  local env_block="${3:-}"
   cat <<EOF
 # Managed by systemd-service-manager
 # Source: ${source_file}
@@ -43,8 +46,9 @@ Description=${DESCRIPTION:-${SSM_TIMER_NAME}}
 [Service]
 Type=oneshot
 WorkingDirectory=${WORKDIR:-${DEFAULT_WORKDIR:-/tmp}}
+${env_block}
 ExecStart=${exec_command}
-${USER:+User=${USER}}
-${GROUP:+Group=${GROUP}}
+${SSM_TIMER_RUN_USER:+User=${SSM_TIMER_RUN_USER}}
+${SSM_TIMER_RUN_GROUP:+Group=${SSM_TIMER_RUN_GROUP}}
 EOF
 }