ops(repair-bot): 主機白名單修復腳本 (Sprint 3)

110: sentry/harbor/gitea/gitea-runner/langfuse/alertmanager/signoz 188: openclaw/minio/signoz (docker compose) + redis/nginx/ollama (systemd) 安全設計: SSH command= 限制 + 嚴格白名單 + /var/log/awoooi-repair-bot.log 已部署: 110:/home/wooo/bin/ + 188:/home/ollama/bin/ Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-05 11:11:55 +08:00
parent 7a6fa6359e
commit 77253a5d87
2 changed files with 152 additions and 0 deletions
--- a/scripts/repair-bot/repair-bot-110.sh
+++ b/scripts/repair-bot/repair-bot-110.sh
@@ -0,0 +1,67 @@
+#!/bin/bash
+# scripts/repair-bot/repair-bot-110.sh
+# 修復機器人白名單腳本 — 110 主機 (DevOps 金庫)
+# 2026-04-05 Claude Code: Sprint 3 Host Auto-Repair
+#
+# 安全設計:
+#   - SSH authorized_keys 的 command= 指向此腳本
+#   - 只允許執行 COMPOSE_DIRS 中定義的修復指令
+#   - 格式: repair:<component>
+#   - SSH key 洩漏也只能執行白名單內的 docker compose up -d
+#
+# 部署位置: /home/wooo/bin/repair-bot-110.sh (on 192.168.0.110)
+# 使用者: wooo
+
+LOG="/var/log/awoooi-repair-bot.log"
+log() { echo "[$(date '+%Y-%m-%d %H:%M:%S')] $*" | tee -a "$LOG"; }
+
+# 白名單: component → compose dir
+declare -A COMPOSE_DIRS=(
+  ["sentry"]="/opt/sentry"
+  ["harbor"]="/home/wooo/harbor/harbor"
+  ["gitea"]="/home/wooo/gitea"
+  ["gitea-runner"]="/home/wooo/act-runner"
+  ["langfuse"]="/home/wooo/langfuse"
+  ["alertmanager"]="/home/wooo/monitoring"
+  ["signoz"]="/home/wooo/signoz/deploy/docker"
+)
+
+CMD="${SSH_ORIGINAL_COMMAND:-}"
+log "repair-bot-110 invoked: CMD=$CMD"
+
+if [[ "$CMD" =~ ^repair:([a-z0-9_-]+)$ ]]; then
+  COMPONENT="${BASH_REMATCH[1]}"
+  DIR="${COMPOSE_DIRS[$COMPONENT]}"
+
+  if [ -z "$DIR" ]; then
+    log "DENIED: unknown component '$COMPONENT'"
+    echo "REPAIR_DENIED:unknown_component:$COMPONENT"
+    exit 1
+  fi
+
+  if [ ! -d "$DIR" ]; then
+    log "DENIED: directory not found '$DIR'"
+    echo "REPAIR_DENIED:dir_not_found:$DIR"
+    exit 1
+  fi
+
+  log "EXECUTING: cd $DIR && docker compose up -d"
+  cd "$DIR" && docker compose up -d 2>&1 | tail -5
+  EXIT_CODE=$?
+
+  if [ $EXIT_CODE -eq 0 ]; then
+    log "REPAIR_OK: $COMPONENT"
+    echo "REPAIR_OK:$COMPONENT"
+  else
+    log "REPAIR_FAIL: $COMPONENT (exit $EXIT_CODE)"
+    echo "REPAIR_FAIL:$COMPONENT:exit_$EXIT_CODE"
+    exit 1
+  fi
+elif [ "$CMD" = "health" ]; then
+  # 健康檢查 — 允許連線測試
+  echo "REPAIR_BOT_HEALTHY:110"
+else
+  log "DENIED: invalid command '$CMD'"
+  echo "REPAIR_DENIED:invalid_command"
+  exit 1
+fi
--- a/scripts/repair-bot/repair-bot-188.sh
+++ b/scripts/repair-bot/repair-bot-188.sh
@@ -0,0 +1,85 @@
+#!/bin/bash
+# scripts/repair-bot/repair-bot-188.sh
+# 修復機器人白名單腳本 — 188 主機 (主服務主機)
+# 2026-04-05 Claude Code: Sprint 3 Host Auto-Repair
+#
+# 安全設計:
+#   - SSH authorized_keys 的 command= 指向此腳本
+#   - Docker Compose 類: docker compose up -d
+#   - Systemd 類: sudo systemctl restart
+#
+# 部署位置: /home/ollama/bin/repair-bot-188.sh (on 192.168.0.188)
+# 使用者: ollama
+
+LOG="/var/log/awoooi-repair-bot.log"
+log() { echo "[$(date '+%Y-%m-%d %H:%M:%S')] $*" | tee -a "$LOG"; }
+
+# 白名單: component → 修復方式
+declare -A COMPOSE_DIRS=(
+  ["openclaw"]="/home/ollama/clawbot-v5"
+  ["minio"]="/home/ollama/minio"
+  ["signoz"]="/home/ollama/signoz/deploy/docker"
+)
+
+declare -A SYSTEMD_SERVICES=(
+  ["redis"]="redis-server"
+  ["nginx"]="nginx"
+  ["ollama"]="ollama"
+)
+
+CMD="${SSH_ORIGINAL_COMMAND:-}"
+log "repair-bot-188 invoked: CMD=$CMD"
+
+if [[ "$CMD" =~ ^repair:([a-z0-9_-]+)$ ]]; then
+  COMPONENT="${BASH_REMATCH[1]}"
+
+  # Docker Compose 類
+  DIR="${COMPOSE_DIRS[$COMPONENT]}"
+  if [ -n "$DIR" ]; then
+    if [ ! -d "$DIR" ]; then
+      log "DENIED: directory not found '$DIR'"
+      echo "REPAIR_DENIED:dir_not_found:$DIR"
+      exit 1
+    fi
+    log "EXECUTING: cd $DIR && docker compose up -d"
+    cd "$DIR" && docker compose up -d 2>&1 | tail -5
+    EXIT_CODE=$?
+    if [ $EXIT_CODE -eq 0 ]; then
+      log "REPAIR_OK: $COMPONENT"
+      echo "REPAIR_OK:$COMPONENT"
+    else
+      log "REPAIR_FAIL: $COMPONENT (exit $EXIT_CODE)"
+      echo "REPAIR_FAIL:$COMPONENT:exit_$EXIT_CODE"
+      exit 1
+    fi
+    exit 0
+  fi
+
+  # Systemd 類
+  SVC="${SYSTEMD_SERVICES[$COMPONENT]}"
+  if [ -n "$SVC" ]; then
+    log "EXECUTING: sudo systemctl restart $SVC"
+    sudo systemctl restart "$SVC" 2>&1
+    EXIT_CODE=$?
+    if [ $EXIT_CODE -eq 0 ]; then
+      log "REPAIR_OK: $COMPONENT"
+      echo "REPAIR_OK:$COMPONENT"
+    else
+      log "REPAIR_FAIL: $COMPONENT (exit $EXIT_CODE)"
+      echo "REPAIR_FAIL:$COMPONENT:exit_$EXIT_CODE"
+      exit 1
+    fi
+    exit 0
+  fi
+
+  log "DENIED: unknown component '$COMPONENT'"
+  echo "REPAIR_DENIED:unknown_component:$COMPONENT"
+  exit 1
+
+elif [ "$CMD" = "health" ]; then
+  echo "REPAIR_BOT_HEALTHY:188"
+else
+  log "DENIED: invalid command '$CMD'"
+  echo "REPAIR_DENIED:invalid_command"
+  exit 1
+fi