fix(ops): align openclaw systemd project and redact token
Some checks failed
Ansible Lint / lint (push) Has been cancelled
@@ -75,7 +75,7 @@ services:
|
|||||||
# CORS (容器內使用 service name + localhost 開發端口)
|
# CORS (容器內使用 service name + localhost 開發端口)
|
||||||
CORS_ORIGINS: '["http://localhost:3000","http://localhost:3001","http://localhost:3002","http://localhost:3003","http://web:3000"]'
|
CORS_ORIGINS: '["http://localhost:3000","http://localhost:3001","http://localhost:3002","http://localhost:3003","http://web:3000"]'
|
||||||
# Telegram Gateway (Phase 5.5)
|
# Telegram Gateway (Phase 5.5)
|
||||||
OPENCLAW_TG_BOT_TOKEN: "8569720657:AAHdvKf_P2ms-QKFTyqTLtLiqEggz8cpjMk"
|
OPENCLAW_TG_BOT_TOKEN: "${OPENCLAW_TG_BOT_TOKEN:-}"
|
||||||
OPENCLAW_TG_CHAT_ID: "5619078117"
|
OPENCLAW_TG_CHAT_ID: "5619078117"
|
||||||
OPENCLAW_TG_USER_WHITELIST: "5619078117"
|
OPENCLAW_TG_USER_WHITELIST: "5619078117"
|
||||||
# External Services (使用 host.docker.internal 存取宿主機服務)
|
# External Services (使用 host.docker.internal 存取宿主機服務)
|
||||||
|
|||||||
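Review bot: replacing the value of `OPENCLAW_TG_BOT_TOKEN` does not remove the old one, the removed line stays in this repository's history, so the token has to be rotated on the Telegram side (the changelog in this commit already lists that as pending). The new default `${OPENCLAW_TG_BOT_TOKEN:-}` also means an unset variable silently becomes an empty token and the gateway only fails later at runtime; `${OPENCLAW_TG_BOT_TOKEN:?OPENCLAW_TG_BOT_TOKEN is not set}` would make `docker compose up` fail immediately instead. `OPENCLAW_TG_CHAT_ID` and `OPENCLAW_TG_USER_WHITELIST` remain hardcoded in the same block; they are identifiers rather than secrets, but moving them to the same `${...}` pattern keeps all Telegram configuration out of the committed file.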
@@ -1,3 +1,33 @@
|
|||||||
|
## 2026-05-18 | T39 188 OpenClaw systemd 與 Telegram token hygiene 盤點
|
||||||
|
|
||||||
|
**背景**:T38 後接著清理告警鏈路周邊技術債。Live 盤點確認:
|
||||||
|
- 188 `clawbot.service` restart counter 已超過 95k;unit 內 `COMPOSE_PROJECT_NAME=clawbot`,但現有 `openclaw` / `litellm` containers 的 compose project label 是 `clawbot-v5`,所以 systemd 每輪 `docker compose up -d` 都想另建同名 container 並撞名。
|
||||||
|
- `momo-telegram-bot` 每 10 秒 long-polling,`httpx` INFO log 會把 Telegram bot URL 寫進 container log;這仍是 runtime 風險。
|
||||||
|
- AWOOOI repo 根目錄 `docker-compose.yml` 仍有一筆真實 Telegram token-like 值硬編碼在 `OPENCLAW_TG_BOT_TOKEN`,已視為紅燈處理;token 需要後續輪換。
|
||||||
|
|
||||||
|
**修正**:
|
||||||
|
- `docker-compose.yml`:移除硬編碼 `OPENCLAW_TG_BOT_TOKEN`,改為 `${OPENCLAW_TG_BOT_TOKEN:-}`,避免 repo 再攜帶真實 bot token。
|
||||||
|
- `infra/ansible/playbooks/188-ai-web.yml`:
|
||||||
|
- 新增 `/etc/systemd/system/clawbot.service.d/10-compose-project.conf` 的版本化管理。
|
||||||
|
- drop-in 會清空舊 Environment,改設 `COMPOSE_PROJECT_NAME=clawbot-v5`,並把 `RestartSec` 拉到 30 秒。
|
||||||
|
- 將 `clawbot.service` 納入 188 Ansible `openclaw` tag 的 systemd 管理。
|
||||||
|
|
||||||
|
**驗證 / 阻塞**:
|
||||||
|
- `ruby -e 'require "yaml"; YAML.load_file("infra/ansible/playbooks/188-ai-web.yml"); puts "yaml ok"'`:pass。
|
||||||
|
- `git diff --check`:pass。
|
||||||
|
- 188 runtime hotfix 尚未落地:`ollama` 帳號沒有 passwordless sudo,既有 inventory 內 sudo password 無法通過;已停止重試,避免對 production root 操作製造風險。
|
||||||
|
- `momo-telegram-bot` log redaction 尚未落地:`/home/ollama/momo-pro` 不是 git repo,需回到 momo-pro source of truth 或用正式 Ansible 管理後再改 `run_telegram_bot.py` / logging config。
|
||||||
|
|
||||||
|
**目前整體進度**:
|
||||||
|
- Alertmanager 低風險自動修復主線:約 98%。
|
||||||
|
- 完整 AI 自動化管理產品化:約 99%。
|
||||||
|
- 告警詳情/歷史/主卡/前端 deep-link 可追溯:約 99%。
|
||||||
|
- Telegram approval / reject callback 閉環:約 96%。
|
||||||
|
- Truth-chain 對「自動修復成功但驗證降級」的判讀:約 99%。
|
||||||
|
- 188 OpenClaw runtime hygiene:約 60%(repo/Ansible 修正完成,host root 套用待有效 sudo)。
|
||||||
|
- Token hygiene:約 55%(AWOOI repo 明文已移除;歷史與 MOMO runtime log 仍需輪換/收斂)。
|
||||||
|
- 待完成:用有效 sudo/Ansible vault 套用 `openclaw` tag、修 momo-pro Telegram bot logging、輪換曾暴露的 Telegram bot token、清理 remote URL credential hygiene。
|
||||||
|
|
||||||
## 2026-05-18 | T38 Truth-chain 對齊 Auto-repair 與 Telegram 詳情救援
|
## 2026-05-18 | T38 Truth-chain 對齊 Auto-repair 與 Telegram 詳情救援
|
||||||
|
|
||||||
**背景**:接續 T37 針對 Telegram 截圖追查「批准後仍 blocked/manual_required、詳情/歷史 400、無法判斷是否真的 AI 自動修復」。Live 盤點確認:
|
**背景**:接續 T37 針對 Telegram 截圖追查「批准後仍 blocked/manual_required、詳情/歷史 400、無法判斷是否真的 AI 自動修復」。Live 盤點確認:
|
||||||
|
|||||||
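Review bot: the verification list cites the YAML load and `git diff --check` but not `ansible-lint`, while the Ansible Lint job on this push shows as cancelled; running `ansible-lint infra/ansible/playbooks/188-ai-web.yml` locally before merge would close that gap. The repository is spelled `AWOOOI` in the background bullet and `AWOOI` in the token hygiene progress line; pick one.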
@@ -45,6 +45,43 @@
|
|||||||
- litellm
|
- litellm
|
||||||
tags: docker
|
tags: docker
|
||||||
|
|
||||||
|
- name: "OpenClaw | 確認 systemd drop-in 目錄存在"
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: /etc/systemd/system/clawbot.service.d
|
||||||
|
state: directory
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0755"
|
||||||
|
tags:
|
||||||
|
- docker
|
||||||
|
- openclaw
|
||||||
|
|
||||||
|
- name: "OpenClaw | 固定 systemd compose project 為既有 clawbot-v5"
|
||||||
|
ansible.builtin.copy:
|
||||||
|
dest: /etc/systemd/system/clawbot.service.d/10-compose-project.conf
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0644"
|
||||||
|
content: |
|
||||||
|
[Service]
|
||||||
|
Environment=
|
||||||
|
Environment=COMPOSE_PROJECT_NAME=clawbot-v5
|
||||||
|
RestartSec=30
|
||||||
|
notify: Reload systemd
|
||||||
|
tags:
|
||||||
|
- docker
|
||||||
|
- openclaw
|
||||||
|
|
||||||
|
- name: "OpenClaw | 啟用 clawbot.service 並套用 daemon_reload"
|
||||||
|
ansible.builtin.systemd:
|
||||||
|
name: clawbot.service
|
||||||
|
state: started
|
||||||
|
enabled: true
|
||||||
|
daemon_reload: true
|
||||||
|
tags:
|
||||||
|
- docker
|
||||||
|
- openclaw
|
||||||
|
|
||||||
# ========================================================================
|
# ========================================================================
|
||||||
# 備份排程
|
# 備份排程
|
||||||
# ========================================================================
|
# ========================================================================
|
||||||
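Review bot: the `ansible.builtin.systemd` task uses `state: started`, which does nothing for a unit that is already active, so a changed `10-compose-project.conf` (new `COMPOSE_PROJECT_NAME` and `RestartSec=30`) only takes effect at the next restart of `clawbot.service`; register the copy task and use `state: restarted` when it reports changed, or add a restart handler next to `Reload systemd`. The `notify: Reload systemd` on the copy task is also redundant with `daemon_reload: true` on the task right after it, which runs first, so the handler fires at end of play after the reload has already happened. The bare `Environment=` line is intentional per the changelog, but it clears every `Environment=` value from the base unit, not only `COMPOSE_PROJECT_NAME`, so any other variable the unit relied on must be re-added in this drop-in.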
@@ -199,3 +236,8 @@
|
|||||||
msg: "⚠️ VIP 192.168.0.200 不在 188 (MASTER 可能已 failover 到 110)"
|
msg: "⚠️ VIP 192.168.0.200 不在 188 (MASTER 可能已 failover 到 110)"
|
||||||
when: vip_check.rc != 0
|
when: vip_check.rc != 0
|
||||||
tags: keepalived
|
tags: keepalived
|
||||||
|
|
||||||
|
handlers:
|
||||||
|
- name: Reload systemd
|
||||||
|
ansible.builtin.systemd:
|
||||||
|
daemon_reload: true
|
||||||
|
|||||||
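Review bot: handlers run at the end of the play, so if a later task fails, the `Reload systemd` handler notified by the drop-in task will not run and the new drop-in stays unread by systemd until the next successful run; add `meta: flush_handlers` right after the drop-in task (or run with `--force-handlers`) so the reload happens as soon as the file changes.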